General developer forum

My post is not directly relevant to the issue reported here which I agree is a serious one and should be fixed. But because it's related, I wanted to mention a couple of other things relating to our experience at the OU that might be of interest to people who are interested in the security implications of this feature.

We have disabled the loginas feature in our Moodle installation partly for this reason - actually didn't know it had 'stealth mode' but we knew logging wasn't sufficient.

It's easy to disable by setting the capability so that nobody can do it - except admin of course, admin can do anything but hopefully you trust the admin.

Our policy is that when staff are using a 'log in as' type feature, they must only have 'read only' access (for example, if they log in as a student and they go to a forum, they should see all the forum posts that the student can see, but they cannot actually make a new post while logged in as that user). Obviously Moodle loginas feature doesn't do this.

For now we implemented a custom feature instead that automatically creates 'example student' user in each course and using a custom user interface in a block, lets you log in as that student only (using a new capability, not the standard loginas one). We did this without making core changes.

At some point (probably in the Moodle 2.3 development timescale) we have to make loginas a particular student in 'read-only' mode possible on our system (presumably a block on all capabilities marked as 'write' in the read/write option).

I'd been assuming we would also do this using our own custom code somehow, but if anyone else is interested in a 'read-only' option for loginas, let me know here and I'll think about whether it can be done as a core feature.

--sam