SECURITY FIX: This patch prevents teachers from logging in as admins or
authormoodler <moodler>
Fri, 14 Nov 2003 12:48:26 +0000 (12:48 +0000)
committermoodler <moodler>
Fri, 14 Nov 2003 12:48:26 +0000 (12:48 +0000)
               course creators!  I'll make an announcement to registered
               administrators.

course/loginas.php
user/lib.php
user/view.php

index 022de5f7737fab8586d6b046c7f945cabab5f993..24aa7fd828a3b0c0fe2fe4a056bb2f6e4b6e0b12 100644 (file)
         error("This student is not in this course!");
     }
 
+    if (iscreator($user)) {
+        error("You can not login as this person!");
+    }
+
     // Login as this student and return to course home page.
 
     $teacher_name = "$USER->firstname $USER->lastname";
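Review bot: The new guard calls `iscreator($user)`, while the two display hunks in this commit call `iscreator($user->id)`, so it is worth confirming that `$user` in this script is the numeric target id. Its assignment is outside the hunk; presumably it is the `user` request parameter that the login-as links pass. This is the only one of the three changes that enforces the restriction, since the other two only hide links, and a comment should say so, for example `// Server-side check: never allow login-as for admins or course creators, whatever the UI shows`. The guard covers only the creator and admin roles; if other elevated roles exist on the site, the visible lines do not show them being excluded.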
index 2bbd422d41e3ccd6a580e6caf2edee7ff2c8c89c..2c376be0e69c722b748bab4248e2f7b30fc3669d 100644 (file)
@@ -203,7 +203,7 @@ function print_user($user, $course, $string, $countries) {
     if (isteacher($course->id)) {
         $timemidnight = usergetmidnight(time());
         echo "<a href=\"../course/user.php?id=$course->id&user=$user->id\">$string->activity</a><br>";
-        if (isstudent($course->id, $user->id)) {
+        if (isstudent($course->id, $user->id) and !iscreator($user->id)) {  // Includes admins
             echo "<a href=\"../course/unenrol.php?id=$course->id&user=$user->id\">$string->unenrol</a><br />";
             echo "<a href=\"../course/loginas.php?id=$course->id&user=$user->id\">$string->loginas</a><br />";
         }
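Review bot: Adding `!iscreator($user->id)` to the outer `if` hides the unenrol link as well as the login-as link for an admin or course creator who is enrolled as a student, which the commit message does not mention. If only login-as is meant to be restricted, keep `if (isstudent($course->id, $user->id)) {` and wrap just the loginas `echo` in `if (!iscreator($user->id)) {  // Includes admins`. If hiding both is intended, a comment on the condition should say so. print_user starts and ends outside this hunk.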
index 42cb332b030cce6a563fd17e4204d033d117f4c7..732a2defe8d74db2d8b9ad5077144cfc32ad3dae 100644 (file)
         echo "<input type=submit value=\"".get_string("activityreport")."\">";
         echo "</form></p></td>";
     }
-    if (isteacher($course->id) and ($USER->id != $user->id)) {
+    if (isteacher($course->id) and ($USER->id != $user->id) and !iscreator($user->id)) {
         echo "<td nowrap><p><form action=\"../course/loginas.php\" method=get>";
         echo "<input type=hidden name=id value=\"$course->id\">";
         echo "<input type=hidden name=user value=\"$user->id\">";
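Review bot: The login-as form behind the new condition still submits with `method=get` and carries only the hidden `id` and `user` fields, so the identity switch is a state-changing request with no per-session token visible in the form. The added `!iscreator($user->id)` test is fine as a display filter, but the form would be safer as a POST that includes a token which loginas.php verifies. That script's request handling is not visible here, so this needs confirming there. The enclosing code begins and ends outside the hunk.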