Reauthenticate a user when user tries to access Supervised User Dashboard
Issue description

Version: M50
OS: Windows 10

What steps will reproduce the problem?
(1) Navigate to chrome://settings
(2) Add a Supervised user
(3) On Chrome, click on 'user' on taskbar, and then click on 'Switch person'
(4) Switch to supervisor account and navigate to chrome://settings
(5) Click on Supervised User Dashboard
(6) On Supervised user dashboard make changes and save

What is the expected output?
Supervised user should not be allowed to access supervised user dashboard to make these changes. chrome.com/manage should ask for a password before allowing user to view / edit info just like account and payment related google sites.

What do you see instead?
Supervised user can make changes on dashboard if Supervisor account is already logged into chrome.

Use Case: I feel this should be treated as a security issue. If a Supervised account wants to change Permissions, all he/she has to do is switch to the Supervisor profile, make changes, and switch back to the Supervised profile. So there is no way of preventing a supervised account from overriding these security settings.
Apr 19 2016
Note that step (3) is switching to a different user, presumably the custodian. The best thing to do here would be to close the custodian profile with "Exit and childlock" from the user button.
May 5 2016
Yes, the Supervised User shouldn't be able to switch to the custodian's profile at all, and this is done by signing the custodian out with "Exit and childlock". jainabishek, could you verify that that menu item appears and works properly?
May 5 2016
I don't see 'Exit and Child Lock' on a Windows machine. Please see the attached screenshot from a user. We have some users reporting this in Google Feedback as well as Product Forums: https://productforums.google.com/forum/?utm_medium=email&utm_source=footer#!msg/chrome/cRY0Fr9Pkyo/XgPbI-7qAwAJ

Also, https://chrome.com/manage contains sensitive settings about an account and, just like https://www.google.com/settings/dashboard, this page should ask for a password even if the user is signed in (or has valid sign-in cookies). I feel this is a sensitive privacy issue and impacts EDU and Enterprise customers as well.
May 8 2016
Is it possible to get some help on this bug? If this is not relevant anymore, please feel free to close it.
May 12 2016
Is vaeit.com a hosted (Google Apps for your Domain) domain? Unfortunately, "Exit and Childlock" doesn't work for those, so it's not shown. In that case, your best remaining option is to sign out of the custodian profile ("Disconnect your Google Account" in the Settings, not just closing the profile). mlerman, you have a comment dating from 2014 about supporting profile lock for hosted domains. Any thoughts here? https://chromium.googlesource.com/chromium/src.git/+/master/chrome/browser/profiles/profile_window.cc#385
May 13 2016
There are certain technical challenges involved in permitting child lock with hosted domains. Specifically, if it's a SAML domain, then we have no access to the password. There are various workarounds, such as identifying the subset of hosted domains which are SAML domains or implementing a different user flow for these users, but this hasn't been prioritized.
May 16 2016
Looks like vaeit.com is an Apps account. While I totally agree there are tons of challenges in cleanly resolving this bug, will it be possible to expire cookies on chrome.com/manage and prompt anyone to enter their password anytime they want to access the page? Given this page is an account management page, the request is to make it more in line with accounts.google.com (if possible). The user base is not just Chrome Consumers but nearly all of EDU and Enterprise customers.
Apr 16 2018
Supervised users got deprecated.
Comment 1 by fi...@chromium.org, Apr 19 2016