Showing results for 
Search instead for 
Did you mean: 
Surveyor II

Security bug in merge user?

In our test instance of Canvas I tested the following scenario.

I created an admin role with the only purpose to create users, the permissions for the role was:

  • Users - manage login details (which enables merge users)
  • SIS Data - read
  • Users - add / remove students in courses
  • Users - add / remove teachers, course designers, or TAs in courses
  • Users - view list
  • Users - view login IDs
  • Users - view primary email address

I then set the new role on a test user and logged in as this user for testing and it worked as I wanted, I could create users and enrol them to courses, I could change passwords for ordinary users but not for users with a admin role.

But then I tested to merge users and found out that I could create a new user, merge the new user with a admin user. I could then log in as the new user and get the full permissions of the merged admin user.

I would consider this as a security bug, the merge should not be permitted.

0 Kudos
0 Replies