a user with student privilege change another user's password

by esty wexler -

Hi,

I need some help.
I am looking at the DB,
and I see something interesting and am trying to understand what command can cause it.

Looking at table logstore_standard_log I see event \core\event\user_password_updated

where the userid is a student and relateduserid is not the same user id,
Trying to figure out how this is possible? 

Even if the student didn't change the password how can he try to do it?

If it helps, in "other" I get "forgottenreset".


This is the SQL query:

select * from logstore_standard_log WHERE eventname like '%password%' AND relateduserid != userid;


Thanks a lot.




In reply to esty wexler

Re: a user with student privilege change another user's password

by Mathew Gancarz -

Hi Esty, curious about this, I ran the query on our own logstore also and found similar records. Looking deeper into this, I think this is simply that when the user is first created, their password gets set. We use an external database for authentication, and the first time a user logs in (their account was created in a separate system), the first few entries are:

\core\event\user_password_updated
\core\event\user_created
\core\event\user_enrolment_created

The userid at that point is '0' and the relateduserid is the id of the just created user. The first entry also has the forgottenreset string in 'other'.

If you query WHERE relateduserid = ##### of the one you are seeing, is it the very first logstore event for that user?
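
The check suggested in the reply above, written as a triage query and run over an in-memory SQLite copy of the table; this is an added example, not part of the original thread. It assumes log ids increase in insertion order, and the sample rows, user ids and the 'creation'/'review' labels are constructed for illustration.

```python
import sqlite3

PASSWORD_EVENT = r"\core\event\user_password_updated"

# Bound parameter avoids backslash-escaping differences between databases.
TRIAGE_SQL = """
SELECT l.id, l.userid, l.relateduserid,
       (l.userid = 0) AS actor_is_zero,
       (l.id = (SELECT MIN(f.id) FROM logstore_standard_log f
                 WHERE f.relateduserid = l.relateduserid)) AS first_event
  FROM logstore_standard_log l
 WHERE l.eventname = ? AND l.relateduserid <> l.userid
 ORDER BY l.id
"""

# Constructed sample rows (id, eventname, userid, relateduserid); the real
# table has many more columns.
SAMPLE_ROWS = [
    (1, PASSWORD_EVENT, 0, 101),
    (2, r"\core\event\user_created", 0, 101),
    (3, r"\core\event\user_enrolment_created", 0, 101),
    (4, r"\core\event\user_created", 2, 102),
    (5, PASSWORD_EVENT, 55, 102),   # non-zero actor, not the first event
    (6, PASSWORD_EVENT, 102, 102),  # user changing own password: excluded
]

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logstore_standard_log ("
                 "id INTEGER PRIMARY KEY, eventname TEXT, "
                 "userid INTEGER, relateduserid INTEGER)")
    conn.executemany("INSERT INTO logstore_standard_log VALUES (?,?,?,?)",
                     SAMPLE_ROWS)
    return conn

def triage(conn):
    """Label each mismatched password event as 'creation' or 'review'."""
    out = []
    for rid, actor, target, is_zero, is_first in conn.execute(
            TRIAGE_SQL, (PASSWORD_EVENT,)):
        verdict = "creation" if is_zero and is_first else "review"
        out.append((rid, actor, target, verdict))
    return out

if __name__ == "__main__":
    for row in triage(build_sample_db()):
        print(row)
```

Rows labelled 'review' are the ones where a non-zero userid or a later position in the target's history means the account-creation explanation does not apply, so columns such as origin, ip and realuserid are the next thing to inspect for them.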