Seems that moderators can get admin's API keys?

I’m an admin on a discourse instance and created an API key. When I impersonated a moderator and then went to the admin page about my actual admin user, I could see the API key there. I expect that to be a security issue.

How much do I need to trust my moderators?

6 Likes

I can confirm this issue. Seems to me that a moderator shouldn’t be able to access any API key.

I first suspected this to be an impersonation artefact, but when I create a moderator and log in to that account directly, I can see API keys for all users including admin as well.

Unless it is assigned to their own username. :wink: (that is my only caveat)

Probably an oversight, we should patch this up for moderators vs admins @eviltrout.

4 Likes

I’ve made it so moderators can’t see the API keys:

https://github.com/discourse/discourse/commit/e8424bd54e4c7d1bff5f8c3f87f931648ee94020

Also backported fix to stable + beta branches.

8 Likes