Security bug in merge user?
09-18-2020 02:21 AM
In our test instance of Canvas I tested the following scenario.
I created an admin role with the only purpose to create users; the permissions for the role were:
- Users - manage login details (which enables merge users)
- SIS Data - read
- Users - add / remove students in courses
- Users - add / remove teachers, course designers, or TAs in courses
- Users - view list
- Users - view login IDs
- Users - view primary email address
I then set the new role on a test user and logged in as this user for testing, and it worked as I wanted: I could create users and enrol them in courses, and I could change passwords for ordinary users but not for users with an admin role.
But then I tested merging users and found out that I could create a new user and merge the new user with an admin user. I could then log in as the new user and get the full permissions of the merged admin user.
I would consider this a security bug; the merge should not be permitted.
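To make the escalation in the post concrete, here is an added illustration written for this page; it is not Canvas code and does not claim to show how Canvas implements merge authorization. It models, with hypothetical names (`User`, `merge_allowed_weak?`, `merge_allowed_hardened?`, `merged_roles`) and constructed sample accounts, the check the post reports (merge permitted whenever the actor holds "manage login details") beside a hardened check that also refuses a merge when either account holds an admin role the actor does not hold itself, which is the rule the post already observes for password changes, generalized to merges.

```ruby
# Added example (not Canvas code). Names and sample data are hypothetical.
User = Struct.new(:name, :roles, :permissions)

# The permission granted to the limited role in the post; it enables merge users.
MANAGE_LOGIN = :manage_login_details

# Roles whose privileges the merged account would inherit.
def admin?(user)
  user.roles.include?(:admin)
end

# Behaviour the post describes: the merge is allowed as soon as the actor
# holds "manage login details", regardless of who the source and target are.
def merge_allowed_weak?(actor, _source, _target)
  actor.permissions.include?(MANAGE_LOGIN)
end

# Hardened check: in addition, refuse when either side of the merge holds an
# admin role and the actor does not, because the surviving account would
# carry the union of both role sets (see merged_roles below).
def merge_allowed_hardened?(actor, source, target)
  return false unless actor.permissions.include?(MANAGE_LOGIN)
  return false if [source, target].any? { |u| admin?(u) } && !admin?(actor)
  true
end

# What the surviving account ends up with after a merge: the union of roles.
def merged_roles(source, target)
  (source.roles + target.roles).uniq
end

# Constructed sample accounts mirroring the scenario in the post.
CREATOR  = User.new("creator",   [:limited_admin], [MANAGE_LOGIN, :sis_read])
NEW_USER = User.new("newuser",   [:user],          [])
ROOT     = User.new("rootadmin", [:admin],         [:everything])
STUDENT  = User.new("student",   [:user],          [])

if __FILE__ == $PROGRAM_NAME
  puts "weak check, new user -> admin:     #{merge_allowed_weak?(CREATOR, NEW_USER, ROOT)}"
  puts "hardened check, new user -> admin: #{merge_allowed_hardened?(CREATOR, NEW_USER, ROOT)}"
  puts "hardened check, new user -> student: #{merge_allowed_hardened?(CREATOR, NEW_USER, STUDENT)}"
  puts "roles after merging into admin:    #{merged_roles(NEW_USER, ROOT).inspect}"
end
```

Running it shows the weak check accepting the merge of a freshly created account into an admin account, while the hardened check rejects it and still allows merging two ordinary users, which is the behaviour the post argues the merge permission should have.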