[Building Sakai] User Became Administrator Problem

[Jon Higham]

We have just had a case of a user being given administrator rights over
our whole system. We are using 2.4.x.

 

He logged in as normal, as shown in the logs below. After adding a web
content tool to a site using Site Info->Edit Tools, the user noticed
that he had a longer list than normal in the "more sites" pull down and
was able to enter the Administrator Workspace and Administrator's My
Workspace.

 

Has this happened to anyone, or can anyone suggest where to look in the
code? I've not been able to recreate the error and it only appears to
has lasted that user's particular session.  The user hasn't access to
the Become User tool, which should have logged any change of user
anyway.

 

Jon Higham

IT Systems

University of Hull

 

 

DEBUG: authenticateUser(): user chsnay not in table, querying Kerberos
(2009-04-07 10:13:55,528
TP-Processor3_org.sakaiproject.component.kerberos.user.KerberosUserDirec
toryProvider)

DEBUG: authenticateKerberos(chsnay, pw): Kerberos auth success
(2009-04-07 10:13:56,471
TP-Processor3_org.sakaiproject.component.kerberos.user.KerberosUserDirec
toryProvider)

DEBUG: authenticateUser(): putting authenticated user (chsnay) in table
for caching (2009-04-07 10:13:56,471
TP-Processor3_org.sakaiproject.component.kerberos.user.KerberosUserDirec
toryProvider)

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://collab.sakaiproject.org/pipermail/sakai-dev/attachments/20090407/3cbefb3f/attachment.html 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: not available
Url: http://collab.sakaiproject.org/pipermail/sakai-dev/attachments/20090407/3cbefb3f/attachment.pl