It is possible to hijack an account which was created via OSUser
Observed behavior
Using the new get_os_user feature in kolibri.plugins.app.utils.interface, it is possible to create a desktop Kolibri app which automatically signs in as a Kolibri user that is associated with an OS user. When this happens, Kolibri creates a regular user account, and with a correct authentication token, Kolibri automatically signs the user in to that account while they are using the app.
However, if a different user chooses this account from the sign-in screen, that user is asked to create a new password for the account:
Instead, if an account is associated with an OSUser and has no password, Kolibri should require a valid authentication token.
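As an added illustration (not Kolibri's own code), a simplified model of the two sign-in flows described above: the observed one, where a passwordless OSUser-linked account is offered the set-a-password path, beside the expected one, which accepts only a valid app token for such an account. The Account class, the token scheme and APP_SECRET are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed secret standing in for whatever the desktop app and Kolibri share.
APP_SECRET = b"constructed-example-secret"


@dataclass
class Account:
    username: str
    password_hash: Optional[str]  # None: no usable password (as for OSUser accounts)
    os_user: Optional[str]        # set when the account was created for an OS user


def hash_password(password: str) -> str:
    # Simplified for the example; a real system uses a slow, salted hash.
    return hashlib.sha256(password.encode()).hexdigest()


def expected_token(os_user: str) -> str:
    # Token the app presents for an OS user (constructed scheme, not Kolibri's).
    return hmac.new(APP_SECRET, os_user.encode(), hashlib.sha256).hexdigest()


def password_sign_in(account, password=None, new_password=None):
    """Regular flow: a passwordless account asks the visitor to set a password."""
    if account.password_hash is None:
        if new_password is None:
            return "set_password_required"
        account.password_hash = hash_password(new_password)
        return "signed_in"
    if password is not None and hmac.compare_digest(account.password_hash, hash_password(password)):
        return "signed_in"
    return "denied"


def sign_in_vulnerable(account, password=None, token=None, new_password=None):
    """Observed behaviour: the regular flow runs for every account, so anyone who
    picks the passwordless OSUser account from the sign-in screen can claim it."""
    return password_sign_in(account, password, new_password)


def sign_in_fixed(account, password=None, token=None, new_password=None):
    """Expected behaviour: an OSUser account with no password accepts only a
    valid app token and is never offered the set-a-password path."""
    if account.os_user is not None and account.password_hash is None:
        if token is not None and hmac.compare_digest(token, expected_token(account.os_user)):
            return "signed_in"
        return "denied"
    return password_sign_in(account, password, new_password)
```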
User-facing consequences
This affects desktop Kolibri apps deployed on multi-user systems, such as kolibri-gnome on Endless OS. That app is the only one which meets that definition, and its Kolibri 0.16 update is not yet released. This issue is a blocker for doing so.
Context
- Kolibri version: Kolibri 0.16.1
- Operating system: Fedora Linux
- Browser: learningequality/kolibri-installer-gnome#99