
Issue 604536

Starred by 1 user

Issue metadata

Status: WontFix
Owner: (not on Chrome anymore)
Closed: Apr 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 1
Type: Bug

Reauthenticate a user when user tries to access Supervised User Dashboard

Project Member Reported by jainabhi...@chromium.org, Apr 18 2016

Issue description

Version: M50
OS: Windows 10

What steps will reproduce the problem?
(1) Navigate to chrome://settings
(2) Add a Supervised user
(3) In Chrome, click on 'user' on the taskbar, and then click on 'Switch person'
(4) Switch to the supervisor account and navigate to chrome://settings
(5) Click on Supervised User Dashboard
(6) On Supervised user dashboard make changes and save

What is the expected output?
Supervised user should not be allowed to access supervised user dashboard to make these changes.

chrome.com/manage should ask for a password before allowing user to view / edit info just like account and payment related google sites.

What do you see instead?
Supervised user can make changes on dashboard if Supervisor account is already logged into chrome.

Use case: I feel this should be treated as a security issue.
If a Supervised account wants to change Permissions, all he/she has to do is switch to the Supervisor profile, make changes, and switch back to the Supervised profile. So there is no way of preventing a supervised account from overriding these security settings.

Comment 1 by fi...@chromium.org, Apr 19 2016

Labels: Needs-Feedback
I can't reproduce. Step #4 also sounds weird. If you are using the profile of the supervised user, there shouldn't be a link to the supervised user dashboard.
And even if there were one, the user has to sign in to a Google account first in order to open it. But supervised users don't have dedicated Google accounts.
Can you please re-test and verify the repro steps? A screencast would also help then. Thanks a lot!

Comment 2 by bauerb@chromium.org, Apr 19 2016

Note that step (3) is switching to a different user, presumably the custodian. The best thing to do here would be to close the custodian profile with "Exit and childlock" from the user button.

Comment 3 by pam@chromium.org, May 5 2016

Yes, the Supervised User shouldn't be able to switch to the custodian's profile at all, and this is done by signing the custodian out with "Exit and childlock". jainabishek, could you verify that that menu item appears and works properly?
I don't see 'Exit and Child Lock' on Windows machine.
Please see attached screenshot from a user.

We have some users reporting this in Google Feedback as well as Product Forums
https://productforums.google.com/forum/?utm_medium=email&utm_source=footer#!msg/chrome/cRY0Fr9Pkyo/XgPbI-7qAwAJ

Also, https://chrome.com/manage contains sensitive settings about an account and just like https://www.google.com/settings/dashboard, this page should ask for a password even if user is signed in (or has valid sign in cookies)

I feel this is a sensitive privacy issue and impacts EDU and Enterprise customers as well.
Attachment: Problem01.png (6.2 KB)
Cc: bauerb@chromium.org pam@chromium.org fi...@chromium.org
Labels: -Needs-Feedback
Is it possible to get some help on this bug?
If this is not relevant anymore, please feel free to close it.

Comment 6 by pam@chromium.org, May 12 2016

Cc: rogerta@chromium.org nepper@chromium.org
Owner: mlerman@chromium.org
Status: Assigned (was: Untriaged)
Is vaeit.com a hosted (Google Apps for your Domain) domain? Unfortunately, "Exit and Childlock" doesn't work for those, so it's not shown. In that case, your best remaining option is to sign out of the custodian profile ("Disconnect your Google Account" in the Settings, not just closing the profile).

mlerman, you have a comment dating from 2014 about supporting profile lock for hosted domains. Any thoughts here?
https://chromium.googlesource.com/chromium/src.git/+/master/chrome/browser/profiles/profile_window.cc#385

Cc: -bauerb@chromium.org mlerman@chromium.org anthonyvd@chromium.org
Owner: bauerb@chromium.org
There are certain technical challenges involved in permitting child lock with hosted domains. Specifically, if it's a SAML domain, then we have no access to the password.

There are various workarounds, such as identifying the subset of hosted domains which are SAML domains or implementing a different user flow for these users, but this hasn't been prioritized.
Looks like vaeit.com is an Apps account.

While I totally agree there are tons of challenges in cleanly resolving this bug, will it be possible to expire cookies on chrome.com/manage and prompt anyone to enter their password any time they want to access the page?

Given this page is an account management page, the request is to make it more in line with accounts.google.com (if possible).

User base is not just Chrome Consumers but nearly all of EDU and Enterprise customers
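The re-authentication gate requested in the comment above (a password prompt for a sensitive account-management page even when the browser session is already signed in), as an added Python example; it is not part of this issue and not Chromium's code. The session fields, the ten-minute freshness window, the sample user store and the handler names are assumptions constructed for the example.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption for this example: a password entered within the last 10 minutes
# counts as "fresh"; anything older makes the sensitive page ask again.
REAUTH_MAX_AGE_SECONDS = 10 * 60


@dataclass
class Session:
    """Minimal stand-in for a signed-in browser session (constructed)."""
    user: str
    signed_in: bool = True
    # Epoch seconds of the last successful password entry; 0.0 means never.
    last_password_auth: float = 0.0


# Constructed user store: salted PBKDF2 hashes, never plaintext passwords.
_SALT = b"constructed-salt-for-example-only"


def _hash_password(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


USERS = {"custodian@example.com": _hash_password("correct horse battery")}
# Dummy hash so that an unknown user still costs one PBKDF2 evaluation:
# no timing difference between "no such user" and "wrong password".
_DUMMY_HASH = _hash_password("not-a-real-password")


def verify_password(user: str, password: str) -> bool:
    expected = USERS.get(user, _DUMMY_HASH)
    matches = hmac.compare_digest(expected, _hash_password(password))
    return matches and user in USERS


def reauthenticate(session: Session, password: str, now: Optional[float] = None) -> bool:
    """Password prompt handler: on success, refresh the session's auth timestamp."""
    now = time.time() if now is None else now
    if not session.signed_in or not verify_password(session.user, password):
        return False
    session.last_password_auth = now
    return True


def sensitive_page(session: Session, now: Optional[float] = None) -> Tuple[str, str]:
    """Gate in front of an account-management page.

    Returns (decision, detail):
      ("signin", ...)  not signed in at all
      ("reauth", ...)  signed in, but no fresh password entry: show the prompt
      ("ok", ...)      fresh enough: serve the page
    """
    now = time.time() if now is None else now
    if not session.signed_in:
        return ("signin", "redirect to sign-in")
    if session.last_password_auth == 0.0:
        return ("reauth", "password never entered in this session")
    age = now - session.last_password_auth
    if age > REAUTH_MAX_AGE_SECONDS:
        return ("reauth", f"last password entry {age:.0f}s ago")
    return ("ok", f"serving settings for {session.user}")


if __name__ == "__main__":
    s = Session("custodian@example.com")
    t0 = 1_000_000.0
    print(sensitive_page(s, now=t0))                          # reauth: never entered
    print(reauthenticate(s, "wrong", now=t0))                 # False
    print(reauthenticate(s, "correct horse battery", now=t0))  # True
    print(sensitive_page(s, now=t0 + 60))                     # ok
    print(sensitive_page(s, now=t0 + 601))                    # reauth: too old
```

The point of the separate `last_password_auth` timestamp is that a valid sign-in cookie alone is not enough: someone who merely has the custodian's open browser profile, as in the report, still has to type the custodian's password before the page is served, and the freshness window bounds how long that proof stays usable.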
Status: WontFix (was: Assigned)
Supervised users got deprecated.
