Seems that moderators can get admin's API keys?

(Tillmann Rendel) #1

I’m an admin on a Discourse instance and created an API key. When I impersonated a moderator and then went to the admin page about my actual admin user, I could see the API key there. I expect that to be a security issue.

How much do I need to trust my moderators?

(Michael - #2

I can confirm this issue. Seems to me that a moderator shouldn’t be able to access any API key.

I first suspected this to be an impersonation artefact, but when I create a moderator and log in to that account directly, I can see API keys for all users including admin as well.

(cpradio) #3

Unless it is assigned to their own username. :wink: (that is my only caveat)

(Jeff Atwood) #4

Probably an oversight, we should patch this up for moderators vs admins @eviltrout.

(Robin Ward) #5

I’ve made it so moderators can’t see the API keys:

Also backported fix to stable + beta branches.

(Jeff Atwood) #6
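The authorization gap this thread describes (a check that passes for any staff member, when only admins should see another user's API key) is easy to reproduce in miniature. The following is an added illustration in plain Ruby, not Discourse's own code; the `User` struct, the two serializer classes, the `key_exposure` helper and the sample accounts are all constructed for this example. The "owner may see their own key" branch in the hardened version follows the caveat in post #3 and is an assumption, not a description of the actual fix.

```ruby
# Added example (not Discourse's code): minimal user records and a viewer-aware
# serializer, modelling the authorization gap described in the thread.

User = Struct.new(:username, :admin, :moderator, :api_key, keyword_init: true) do
  def admin?
    admin
  end

  def moderator?
    moderator
  end

  # "staff" is the usual admin-or-moderator grouping; gating on it is the bug.
  def staff?
    admin || moderator
  end
end

# Serializer reproducing the leak: any staff viewer gets every user's API key.
class LeakyUserSerializer
  def initialize(user, viewer)
    @user = user
    @viewer = viewer
  end

  def to_h
    h = { username: @user.username }
    # BUG: staff? is true for moderators, so a moderator viewing an admin's
    # profile page receives the admin's API key.
    h[:api_key] = @user.api_key if @viewer.staff? && @user.api_key
    h
  end
end

# Hardened serializer: the key is shown only to admins, or (assumption, following
# the caveat in post #3) to the user the key belongs to.
class SafeUserSerializer
  def initialize(user, viewer)
    @user = user
    @viewer = viewer
  end

  def can_see_api_key?
    @viewer.admin? || @viewer.username == @user.username
  end

  def to_h
    h = { username: @user.username }
    h[:api_key] = @user.api_key if can_see_api_key? && @user.api_key
    h
  end
end

# Constructed sample accounts (hypothetical, not real data).
ADMIN     = User.new(username: 'alice', admin: true,  moderator: false, api_key: 'admin-key-0001')
MODERATOR = User.new(username: 'bob',   admin: false, moderator: true,  api_key: 'mod-key-0002')
MEMBER    = User.new(username: 'carol', admin: false, moderator: false, api_key: nil)
ALL_USERS = [ADMIN, MODERATOR, MEMBER]

# Which users' API keys does `viewer` get back when listing every user through
# the given serializer? Returns { username => true/false }.
def key_exposure(serializer_class, viewer, users = ALL_USERS)
  users.map { |u| [u.username, serializer_class.new(u, viewer).to_h.key?(:api_key)] }.to_h
end

if __FILE__ == $PROGRAM_NAME
  puts "leaky, moderator viewing: #{key_exposure(LeakyUserSerializer, MODERATOR)}"
  puts "safe,  moderator viewing: #{key_exposure(SafeUserSerializer, MODERATOR)}"
  puts "safe,  admin viewing:     #{key_exposure(SafeUserSerializer, ADMIN)}"
end
```

The practical check is the `key_exposure` table: with the leaky serializer a moderator sees the admin's key, with the hardened one a moderator sees only their own, and a plain member sees none. Gating sensitive fields on the narrowest role that needs them (`admin?`, not `staff?`) is the general lesson; a serializer reused for both admin and moderator views is exactly where such a field slips through.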