MDL-23911 login as session can be only terminated by logout, this should improve...

diff --git a/course/loginas.php b/course/loginas.php
index dae43eb..d189b57 100644 (file)
--- a/course/loginas.php
+++ b/course/loginas.php
@@ -4,24 +4,25 @@
 require_once('../config.php');
 require_once('lib.php');
 
-/// Reset user back to their real self if needed
-$return = optional_param('return', 0, PARAM_BOOL);   // return to the page we came from
+$id = optional_param('id', SITEID, PARAM_INT);   // course id
 
+/// Reset user back to their real self if needed, for security reasons you need to log out and log in again
 if (session_is_loggedinas()) {
     require_sesskey();
-    session_unloginas();
+    require_logout();
 
-    if ($return and isset($_SERVER["HTTP_REFERER"])) { // That's all we wanted to do, so let's go back
-        redirect($_SERVER["HTTP_REFERER"]);
+    if ($id and $id != SITEID) {
+        $SESSION->wantsurl = "$CFG->wwwroot/course/view.php?id=".$id;
     } else {
-        redirect($CFG->wwwroot);
+        $SESSION->wantsurl = "$CFG->wwwroot/";
     }
+
+    redirect(get_login_url());
 }
 
 ///-------------------------------------
 /// We are trying to log in as this user in the first place
 
-$id     = optional_param('id', SITEID, PARAM_INT);   // course id
 $userid = required_param('user', PARAM_INT);         // login as this user
 
 $url = new moodle_url('/course/loginas.php', array('user'=>$userid, 'sesskey'=>sesskey()));

diff --git a/lib/outputrenderers.php b/lib/outputrenderers.php
index e27e4c5..a5d0757 100644 (file)
--- a/lib/outputrenderers.php
+++ b/lib/outputrenderers.php
@@ -399,7 +399,7 @@ class core_renderer extends renderer_base {
         if (session_is_loggedinas()) {
             $realuser = session_get_realuser();
             $fullname = fullname($realuser, true);
-            $realuserinfo = " [<a href=\"$CFG->wwwroot/course/loginas.php?id=$course->id&amp;return=1&amp;sesskey=".sesskey()."\">$fullname</a>] ";
+            $realuserinfo = " [<a href=\"$CFG->wwwroot/course/loginas.php?id=$course->id&amp;sesskey=".sesskey()."\">$fullname</a>] ";
         } else {
             $realuserinfo = '';
         }
@@ -568,6 +568,10 @@ class core_renderer extends renderer_base {
     public function header() {
         global $USER, $CFG;
 
+        if (session_is_loggedinas()) {
+            $this->page->add_body_class('userloggedinas');
+        }
+
         $this->page->set_state(moodle_page::STATE_PRINTING_HEADER);
 
         // Find the appropriate page layout file, based on $this->page->pagelayout.

diff --git a/lib/sessionlib.php b/lib/sessionlib.php
index 6444a91..0be10c0 100644 (file)
--- a/lib/sessionlib.php
+++ b/lib/sessionlib.php
@@ -918,22 +918,6 @@ function session_loginas($userid, $context) {
     session_set_user($user);
 }
 
-/**
- * Terminate login-as session
- * @return void
- */
-function session_unloginas() {
-    if (!session_is_loggedinas()) {
-        return;
-    }
-
-    $_SESSION['SESSION'] = $_SESSION['REALSESSION'];
-    unset($_SESSION['REALSESSION']);
-
-    $_SESSION['USER'] = $_SESSION['REALUSER'];
-    unset($_SESSION['REALUSER']);
-}
-
 /**
  * Sets up current user and course environment (lang, etc.) in cron.
  * Do not use outside of cron script!