From 6a7585f25977a7917119c7e4c0e6641740186c21 Mon Sep 17 00:00:00 2001
From: moodler
Date: Fri, 14 Nov 2003 12:48:26 +0000
Subject: [PATCH] SECURITY FIX: This patch prevents teachers from logging in as admins or course creators! I'll make an announcement to registered administrators.
---
 course/loginas.php | 4 ++++
 user/lib.php | 2 +-
 user/view.php | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/course/loginas.php b/course/loginas.php
index 022de5f773..24aa7fd828 100644
--- a/course/loginas.php
+++ b/course/loginas.php
@@ -32,6 +32,10 @@
 error("This student is not in this course!");
 }
+ if (iscreator($user)) {
+ error("You can not login as this person!");
+ }
+
 // Login as this student and return to course home page.
 $teacher_name = "$USER->firstname $USER->lastname";
diff --git a/user/lib.php b/user/lib.php
index 2bbd422d41..2c376be0e6 100644
--- a/user/lib.php
+++ b/user/lib.php
@@ -203,7 +203,7 @@ function print_user($user, $course, $string, $countries) {
 if (isteacher($course->id)) {
 $timemidnight = usergetmidnight(time());
 echo "id&user=$user->id\">$string->activity
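Review bot: `iscreator()` receives `$user` in the course/loginas.php guard, while the user/lib.php and user/view.php hunks pass `$user->id`, and the hunk does not show which form `$user` has at this point (its assignment and the preceding enrolment check lie above the hunk). If `$user` is the id taken from the request, say so next to the check, e.g. `// $user holds the target user's id here, not a record`; if it is a record, the call should read `iscreator($user->id)` to match the other two files. This guard appears to be the only server-side enforcement in the patch, since the other two hunks only gate what is echoed, so a silent argument mismatch here would leave the fix ineffective.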
"; - if (isstudent($course->id, $user->id)) { + if (isstudent($course->id, $user->id) and !iscreator($user->id)) { // Includes admins echo "id&user=$user->id\">$string->unenrol
"; echo "id&user=$user->id\">$string->loginas
"; } diff --git a/user/view.php b/user/view.php index 42cb332b03..732a2defe8 100644 --- a/user/view.php +++ b/user/view.php @@ -170,7 +170,7 @@ echo ""; echo "

"; } - if (isteacher($course->id) and ($USER->id != $user->id)) { + if (isteacher($course->id) and ($USER->id != $user->id) and !iscreator($user->id)) { echo "

"; echo "id\">"; echo "id\">"; -- 2.39.5