** Information type changed from Private Security to Public Security
** Changed in: mahara/15.04
Status: In Progress => Fix Committed
** Changed in: mahara
Status: In Progress => Fix Committed
** Changed in: mahara/15.10
Status: In Progress => Fix Committed
** Changed in: mahara/16.04
Status: In Progress => Fix Committed
https://bugs.launchpad.net/bugs/1580399
Title:
Users can login to suspended institutions via external auth under some
circumstances
Status in Mahara:
Fix Committed
Status in Mahara 15.04 series:
Fix Committed
Status in Mahara 15.10 series:
Fix Committed
Status in Mahara 16.04 series:
Fix Committed
Bug description:
The problem is this:

The code that checks if the user's authinstance is from a suspended
institution is in LiveUser->login(). This is the method used by the
username/password login box.

But if you log in with an auth method that doesn't use the login box,
say SAML, XMLRPC, Shibboleth, you don't hit that check.

We need to move the check into the "ensure_user_account_is_active()" method
in auth/lib.php, which is already called at the start of
LiveUser->authenticate(), so we should update that to make sure it checks that
their auth institution isn't suspended and (maybe) remove the redundant code
from LiveUser->login().

See also https://bugs.launchpad.net/mahara/+bug/903534 for some more
information about this issue.

That bug report is public but I'll mark this as private as it mentions the
attack vector.
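A simplified model of the fix proposed in the bug description, as an added example that is not Mahara's code: the institution-suspension check sits in the shared gate that every login path reaches, rather than in the form-login method alone. All class, function and data names here are hypothetical, and the sample users and institutions are constructed.

```php
<?php
// Simplified model, not Mahara source; all names below are hypothetical.
class AccountInactiveException extends Exception {}
// Constructed sample data: institution => suspended flag, user => owning institution.
$INSTITUTIONS = ['uni-a' => false, 'uni-b' => true];
$USERS = [
    'alice' => ['institution' => 'uni-a', 'suspended' => false],
    'bob'   => ['institution' => 'uni-b', 'suspended' => false],
];

// Shared gate: every login path reaches this, so the institution check cannot be skipped.
function ensure_account_is_active(array $user, array $institutions): void {
    if ($user['suspended']) {
        throw new AccountInactiveException('account suspended');
    }
    if ($institutions[$user['institution']] ?? true) { // unknown institution fails closed
        throw new AccountInactiveException('institution suspended');
    }
}

// Common step for all entry points; runs the gate before issuing a session.
function authenticate(string $username, array $users, array $institutions): string {
    if (!isset($users[$username])) {
        throw new AccountInactiveException('unknown user');
    }
    ensure_account_is_active($users[$username], $institutions);
    return "session:$username";
}

// Entry point 1: username/password form (password verification omitted here).
function login_form(string $username, array $users, array $institutions): string {
    return authenticate($username, $users, $institutions);
}

// Entry point 2: external auth, identity already asserted by the external provider.
function login_external(string $assertedUser, array $users, array $institutions): string {
    return authenticate($assertedUser, $users, $institutions);
}

// Both paths give the same answer: alice gets a session, bob is denied.
foreach (['login_form', 'login_external'] as $entry) {
    foreach (array_keys($USERS) as $name) {
        try {
            echo "$entry($name): ", $entry($name, $USERS, $INSTITUTIONS), "\n";
        } catch (AccountInactiveException $e) {
            echo "$entry($name): denied, ", $e->getMessage(), "\n";
        }
    }
}
```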