** CVE added: https://cve.mitre.org/cgi- bin/cvename.cgi?name=2017-1000135
-- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1348024 Title: users can stay logged into suspended institution Status in Mahara: Fix Released Status in Mahara 1.10 series: Fix Released Status in Mahara 1.8 series: Fix Released Status in Mahara 1.9 series: Fix Released Status in Mahara 15.04 series: Fix Released Status in Mahara 15.10 series: Fix Released Bug description: If a user does not use their own institution's auth method then user only belonging to a suspended institution can still log in. Scenario: - Create an institution called 'testone' with the auth method internal mahara - Add a user to it (so that the user is only in this institution and no others) - Update the user auth method to be another internal one - suspend the institution - log out and then in as user - can get in because the auth method is paired to 'mahara' institution Another problem: Same as above but have the user using the institutions auth method - this time one gets a warning about the institution being suspended, which is good but also gets the top menu and is actually logged in/can navigate about. What needs to be done: 1) when an institution is suspended make sure all users that only belong to this institution have a valid usr.authinstance value and if they don't give them one. 2) when they are trying to log in to their suspended institution actually deny them properly. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1348024/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp