LAMS Development / LDEV-1978

Tool-specific learner and monitor pages have no permissions testing - direct access causes a security hole

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.2
    • Fix Version/s: 2.4
    • Component/s: General
    • Labels: None

      Description

      If you try to access a wiki's monitor page directly, e.g.:

      /lams/tool/lawiki10/monitor.do?toolSessionID=2

      There is no permissions testing, the only testing occurs when opening monitor or learner through the home action. That means anyone can access any tool's learner or monitor page directly, regardless of their group membership - provided they know the url and the tool session id.

      We need to implement a tool-action security check for each access of the tool pages. There are a couple of approaches that we could take for this.

      - A call to the LAMS tool service from each tool's service
      - Some sort of wrapper for all tool actions that does the check
      - Store some kind of reference in the session which details the user's permissions for each lesson

      Any suggestions on how to tackle this are welcomed
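As an added illustration of the second approach in the description (a wrapper around all tool actions), here is a servlet filter that refuses a tool's learner or monitor action unless the logged-in user actually holds the matching role in the requested tool session. This is example code written for this issue, not LAMS code: the `ToolSessionPermissionService` lookup, the `userId` session attribute, the `Role` enum and the `/tool/*` mapping are all assumptions, and the only value taken from the issue is the `toolSessionID` request parameter and the `monitor.do` path.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical "wrapper for all tool actions": mapped to /tool/* in web.xml so that
 * every direct hit on a tool's learner or monitor page is authorised against the
 * caller's membership in the requested tool session before the action runs.
 * Nothing here is LAMS code; the permission service below is an assumed interface.
 */
public class ToolSessionAccessFilter implements Filter {

    /** Roles a user may hold for one tool session (assumed model). */
    public enum Role { LEARNER, MONITOR }

    /** Assumed lookup: which roles does this user hold in this tool session? */
    public interface ToolSessionPermissionService {
        Set<Role> rolesFor(long userId, long toolSessionId);
    }

    private final ToolSessionPermissionService permissions;

    public ToolSessionAccessFilter(ToolSessionPermissionService permissions) {
        this.permissions = permissions;
    }

    /** Map the action path to the role it requires: monitor.do needs MONITOR, everything else LEARNER. */
    static Role requiredRole(String servletPath) {
        return servletPath.endsWith("/monitor.do") ? Role.MONITOR : Role.LEARNER;
    }

    /** Pure decision, kept separate from the servlet plumbing so it can be unit tested. */
    boolean isAllowed(Long userId, String servletPath, String toolSessionParam) {
        if (userId == null || toolSessionParam == null) {
            return false; // not logged in, or no tool session named in the URL
        }
        long toolSessionId;
        try {
            toolSessionId = Long.parseLong(toolSessionParam);
        } catch (NumberFormatException e) {
            return false; // malformed id: deny rather than fall through to the action
        }
        Set<Role> roles = permissions.rolesFor(userId, toolSessionId);
        return roles != null && roles.contains(requiredRole(servletPath));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Assumed: the login filter stored the numeric user id under "userId" in the HTTP session.
        Long userId = (Long) request.getSession().getAttribute("userId");
        if (!isAllowed(userId, request.getServletPath(), request.getParameter("toolSessionID"))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return; // the learner/monitor action never executes for an unauthorised caller
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

The point of splitting `isAllowed` out of `doFilter` is that the authorisation rule (user must be a member of *that* tool session with *that* role) can be tested once, centrally, rather than re-implemented in every tool's action class, which is where the home-action-only check described above went wrong. Knowing the URL and a tool session id is then no longer enough: the request still has to carry a session for a user who belongs to the lesson.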


Activity

ernieg Ernie Ghiglione added a comment - Thanks Marcin

People

• Assignee: marcin Marcin Cieslak
• Reporter: lfoxton Luke Foxton