Seems that moderators can get admin's API keys?


(Tillmann Rendel) #1

I’m an admin on a Discourse instance and created an API key. When I impersonated a moderator and then went to the admin page about my actual admin user, I could see the API key there. I expect that to be a security issue.

How much do I need to trust my moderators?


(Michael - DiscourseHosting.com) #2

I can confirm this issue. Seems to me that a moderator shouldn’t be able to access any API key.

I first suspected this to be an impersonation artefact, but when I create a moderator and log in to that account directly, I can see API keys for all users including admin as well.


(cpradio) #3

Unless it is assigned to their own username. :wink: (that is my only caveat)


(Jeff Atwood) #4

Probably an oversight, we should patch this up for moderators vs admins @eviltrout.


(Robin Ward) #5

I’ve made it so moderators can’t see the API keys:

https://github.com/discourse/discourse/commit/e8424bd54e4c7d1bff5f8c3f87f931648ee94020

Also backported fix to stable + beta branches.
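The class of bug reported in this thread, as an added example that is not part of the original posts and is not Discourse's own code: a staff-facing user serializer that releases the API key only to admin viewers, plus a regression check that serializes every user for every moderator. All class, field and user names here are hypothetical, and the sample users are constructed.

```ruby
# Hypothetical model, not a Discourse class. Roles: :admin, :moderator, :user.
User = Struct.new(:id, :username, :role, :api_key, keyword_init: true) do
  def admin?; role == :admin; end
  def staff?; %i[admin moderator].include?(role); end
end

class NotAuthorized < StandardError; end

class AdminUserDetailSerializer
  STAFF_FIELDS      = %i[id username role].freeze  # visible to any staff viewer
  ADMIN_ONLY_FIELDS = %i[api_key].freeze           # secrets: admin viewers only

  def initialize(user, viewer:)
    @user = user
    @viewer = viewer
  end

  # The decision is made per field from the viewer's role, on the server side,
  # so a moderator's response never contains the secret at all.
  def as_json
    raise NotAuthorized, "staff only" unless @viewer&.staff?
    fields = STAFF_FIELDS.dup
    fields.concat(ADMIN_ONLY_FIELDS) if @viewer.admin?
    fields.to_h { |f| [f, @user[f]] }
  end
end

# Regression check: returns [viewer, target, field] for every admin-only field
# that reaches a non-admin staff viewer. An empty array means no leak.
def leaks(users)
  users.select(&:staff?).reject(&:admin?).flat_map do |viewer|
    users.flat_map do |target|
      payload = AdminUserDetailSerializer.new(target, viewer: viewer).as_json
      leaked = payload.keys & AdminUserDetailSerializer::ADMIN_ONLY_FIELDS
      leaked.map { |f| [viewer.username, target.username, f] }
    end
  end
end

# Constructed sample data.
SAMPLE_USERS = [
  User.new(id: 1, username: "admin1", role: :admin, api_key: "constructed-key-0001"),
  User.new(id: 2, username: "mod1", role: :moderator, api_key: nil),
  User.new(id: 3, username: "member1", role: :user, api_key: nil)
].freeze

puts "leaks: #{leaks(SAMPLE_USERS).inspect}" if __FILE__ == $0
```
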


(Jeff Atwood) #6