
Bug #3938

Anonymous users is seen in courses

Added by Yannick Warnier over 9 years ago. Updated over 8 years ago.

Status: Bug resolved
Priority: Urgent
Assignee: Yoselyn Castillo
Category: -
Target version:
Start date: 28/09/2011
Due date:
% Done: 100%
Estimated time: 2.00 h
Spent time:
Complexity: Challenging
SCRUM pts - complexity: 8

Description

Apparently the anonymous user is sometimes seen as "connected" in private courses. This represents a potential minor security risk, but there is no detailed report so far.
If anybody spots any particular additional detail to bring to this report (such as how to reproduce it), please do report it here!

Files

whoisonline.php (5.36 KB) whoisonline.php Yoselyn Castillo, 23/10/2012 03:21
whoisonline.php (5.43 KB) whoisonline.php Yoselyn Castillo, 25/10/2012 13:51

Associated revisions

Revision ab16fcaa (diff)
Added by Yoselyn Castillo over 8 years ago

Fixing who is online if course was set see #3938

History

#1

Updated by Olivier CORRE over 9 years ago

Seen two times this past week on two different occasions. I will not be able to report much on this one since I simply removed "Joe" from our system. Trying to access direct links to private courses or files seemed to be impossible when I tried. Might just be a users list bug.

#2

Updated by Julio Montoya over 9 years ago

  • % Done changed from 0 to 10

I think the problem is in the "api_protect_course_script()" function. I sent some changes to reject anonymous users:

http://code.google.com/p/chamilo/source/detail?repo=classic&r=0fe3384bbf57cbd6d30a8ed7196ecf4f0a2c5ad6&url_prefix=p

#3

Updated by Yannick Warnier about 9 years ago

  • Target version changed from 1.9 Stable to 1.9.2

#4

Updated by Julio Montoya almost 9 years ago

  • Status changed from New to Needs more info

#5

Updated by Yannick Warnier almost 9 years ago

  • Target version changed from 1.9.2 to 1.9.4

#6

Updated by Yoselyn Castillo over 8 years ago

  • Status changed from Needs more info to Assigned
  • Assignee set to Yoselyn Castillo

#7

Updated by Yoselyn Castillo over 8 years ago

  • Status changed from Assigned to Needs more info

Well, I have made many tests since I took the task. It is impossible to enter private courses as an anonymous user, and I have not seen the anonymous user in the list of connected users. Maybe the bug is already solved.
When I tried to access the course by URL, the system didn't allow my access.
However, I can see the users online in a specific course through a URL even though I have not logged in. For example, everybody can see who is connected in curso2 by accessing this URL: http://stable.chamilo.org/whoisonline.php?cidReq=CURSO2
Is that correct? Should everyone see the users connected to a specific course, not only to the platform?

#8

Updated by Yannick Warnier over 8 years ago

No, there should be a check... if the course access is anything other than public, then whoisonline.php with a cidReq parameter should check that the user is logged in. Nice catch.
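
The check described above, written out as an added example (not Chamilo's own code and not the patch attached to this issue). It assumes the Chamilo 1.9 helpers api_get_course_info(), api_is_anonymous(), api_not_allowed() and the COURSE_VISIBILITY_OPEN_WORLD constant; the decision itself is kept in a plain function so the rule is easy to read and test.

```php
<?php
// Added example, not Chamilo's own code. Assumed Chamilo 1.9 helpers:
// api_get_course_info(), api_is_anonymous(), api_not_allowed() and the
// COURSE_VISIBILITY_OPEN_WORLD constant.

/**
 * Decide whether the current visitor may list who is online in a course.
 *
 * @param string|null $cidReq      course code from the URL, or null for the platform-wide list
 * @param bool        $isAnonymous true when the visitor is not logged in
 * @param array|null  $courseInfo  result of api_get_course_info($cidReq), null for an unknown course
 * @return bool
 */
function whoisonline_may_view($cidReq, $isAnonymous, $courseInfo)
{
    // No course requested: the platform-wide list stays open to everyone,
    // which is why api_protect_course_script() is too strict for this page.
    if ($cidReq === null || $cidReq === '') {
        return true;
    }
    // Unknown course code: nothing to show, and it must not leak anything.
    if ($courseInfo === null) {
        return false;
    }
    // Only a course that is open to the world may expose its online users
    // to anonymous visitors; every other visibility requires a login.
    $openToWorld = (int) $courseInfo['visibility'] === COURSE_VISIBILITY_OPEN_WORLD;
    return $openToWorld || !$isAnonymous;
}

// Glue for the real page: read the parameter, evaluate the rule, stop early on denial.
$cidReq     = isset($_GET['cidReq']) ? trim($_GET['cidReq']) : null;
$courseInfo = $cidReq ? api_get_course_info($cidReq) : null;
if (!whoisonline_may_view($cidReq, api_is_anonymous(), $courseInfo ? $courseInfo : null)) {
    api_not_allowed(true); // renders the "not allowed" page and exits
}
```

The guard must run before any query that reads the course's online-user table, otherwise the denial only hides output that has already been computed.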

#9

Updated by Yoselyn Castillo over 8 years ago

  • Status changed from Needs more info to Assigned

Ok, i am going to check that...

#10

Updated by Yoselyn Castillo over 8 years ago

Uploaded this. I have used the api_protect_course_script() function.

#11

Updated by Julio Montoya over 8 years ago

  • Assignee changed from Julio Montoya to Yoselyn Castillo

Yoselyn Castillo wrote:

Uploaded this. I have used the api_protect_course_script() function.

That function protects course files (documents, exercises, etc.).

The whoisonline page can be accessed by anonymous users; it is not necessary to be in a course to see the whoisonline page either.

#12

Updated by Yoselyn Castillo over 8 years ago

Yes, you are right. Sorry...

#13

Updated by Yoselyn Castillo over 8 years ago

Uploaded this... This weekend I will try GitHub; later I'll give you the results...

#14

Updated by Julio Montoya over 8 years ago

  • Status changed from Assigned to Needs more info
  • Assignee changed from Julio Montoya to Yoselyn Castillo

Hello Yoselyn, the file was sent.

It would be great if you can access and commit/push to GitHub; you can have your own repository there and propose pull requests.

#15

Updated by Yoselyn Castillo over 8 years ago

  • Status changed from Needs more info to Assigned

Testing...

#16

Updated by Yoselyn Castillo over 8 years ago

  • Assignee changed from Yoselyn Castillo to Yannick Warnier

Tested! Anonymous users can't see the users online in a specific course if they are not allowed, but they can see the users online on the platform.
It can be tested by trying to access:
http://stable.chamilo.org/whoisonline.php (allowed)
http://stable.chamilo.org/courses/STABLEOPEN/index.php?id_session=0 (not allowed)

But as I couldn't reproduce the initial bug, I am not sure if I can close this task.
What do you think?

#17

Updated by Yannick Warnier over 8 years ago

  • Status changed from Assigned to Bug resolved
  • Assignee changed from Yannick Warnier to Yoselyn Castillo
  • % Done changed from 10 to 100

Closing. Olivier, feel free to re-open if you have proven cases of it failing on 1.9.4. Thanks to everyone.
