** Changed in: mahara/18.10
       Status: Fix Committed => Fix Released

** Information type changed from Private Security to Public Security

https://bugs.launchpad.net/bugs/1817221

Title:
  A site admin can access Mahara 'root' user and break the site

Status in Mahara:
  Fix Released
Status in Mahara 17.10 series:
  Fix Released
Status in Mahara 18.04 series:
  Fix Released
Status in Mahara 18.10 series:
  Fix Released
Status in Mahara 19.04 series:
  Fix Released

Bug description:
  A site admin can break the site by suspending the 'root' user

  To replicate:
  1) Log in as a site admin
  2) Go to Administration -> Users -> User search (admin/users/search.php)
  3) Click on the 'username' link of any user
  4) Change the url and make the id= part equal to 0 (eg admin/users/edit.php?id=0)

  You now can see information for the hidden 'root' user

  5) Suspend the user
  6) Log out
  7) Log in again and you get something like

  Mahara: Site unavailable
  Something in the way you're interacting with Mahara is causing an error.
  Details if any, follow:

  Your account has been suspended as of 2019-02-22 10:56:34.<br />The reason for your suspension is: Bad mojo

  Things to fix:
  1) Not allow anyone to see the Mahara 'root' user via the admin/users/edit.php page
  2) Make sure systems that suspend a user, eg rejecting consent to privacy statement, can't suspend 'root' user
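
The two items under "Things to fix" as an added PHP sketch, not Mahara's code or the committed fix: one guard where the edit page parses `id=`, and one inside the single function every suspension path calls. All function, class and constant names and the in-memory user table are hypothetical; only the fact that the hidden 'root' user is id 0 comes from the report.

```php
<?php
declare(strict_types=1);

const ROOT_USER_ID = 0; // per the report, id=0 is the hidden 'root' user

final class ReservedAccountException extends RuntimeException {}

// Constructed sample data standing in for the user table.
$users = [
    0 => ['username' => 'root',  'suspended' => false],
    1 => ['username' => 'admin', 'suspended' => false],
    7 => ['username' => 'alice', 'suspended' => false],
];

// Fix 1: validate the id= parameter before the edit page loads any user.
function parse_editable_user_id(string $raw, array $users): int {
    if (!ctype_digit($raw)) {
        throw new InvalidArgumentException('id must be a non-negative integer');
    }
    $id = (int) $raw; // "00" also normalises to 0 and is caught below
    if ($id === ROOT_USER_ID) {
        throw new ReservedAccountException('reserved account cannot be viewed or edited');
    }
    if (!isset($users[$id])) {
        throw new OutOfRangeException('no such user');
    }
    return $id;
}

// Fix 2: the one place that suspends accounts refuses root, so automated
// callers (e.g. privacy-consent rejection) cannot bypass the page check.
function suspend_account(array &$users, int $id, string $reason): void {
    if ($id === ROOT_USER_ID) {
        throw new ReservedAccountException('reserved account cannot be suspended');
    }
    if (!isset($users[$id])) {
        throw new OutOfRangeException('no such user');
    }
    $users[$id]['suspended'] = true;
    $users[$id]['reason'] = $reason;
}

foreach (['7', '0', '00', '0x0'] as $raw) { // constructed id= values
    try {
        $id = parse_editable_user_id($raw, $users);
        suspend_account($users, $id, 'constructed test reason');
        echo "id=$raw: suspended {$users[$id]['username']}\n";
    } catch (Exception $e) {
        echo "id=$raw: refused (" . get_class($e) . ")\n";
    }
}
```

Only `id=7` is suspended in the demo loop; the guard in `suspend_account()` still holds when a caller skips `parse_editable_user_id()` entirely.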