Seems that moderators can get admin's API keys?

Toxaris · October 2, 2015, 4:30pm

I’m an admin on a discourse instance and created an API key. When I impersonated a moderator and then went to the admin page about my actual admin user, I could see the API key there. I expect that to be a security issue.

How much do I need to trust my moderators?

michaeld · October 2, 2015, 6:09pm

I can confirm this issue. Seems to me that a moderator shouldn’t be able to access any API key.

I first suspected this to be an impersonation artefact, but when I create a moderator and log in to that account directly, I can see API keys for all users including admin as well.

cpradio · October 2, 2015, 6:10pm

Unless it is assigned to their own username. (that is my only caveat)

codinghorror · October 2, 2015, 6:48pm

Probably an oversight, we should patch this up for moderators vs admins @eviltrout.

eviltrout · October 14, 2015, 7:47pm

I’ve made it so moderators can’t see the API keys:

https://github.com/discourse/discourse/commit/e8424bd54e4c7d1bff5f8c3f87f931648ee94020

Also backported fix to stable + beta branches.

Topic		Replies	Views
How to get an API key dev rest-api	5	1456	April 10, 2022
API - Add User to moderator group feature	6	705	August 25, 2020
Access via Discourse API, key and/or user rejected dev rest-api	2	444	December 1, 2023
How i can manage roles for moderators and administrators? support	5	807	June 12, 2022
Can't generate multiple API keys? feature	17	2643	July 24, 2019

Seems that moderators can get admin's API keys?

Related Topics