Reviewed: https://reviews.mahara.org/2554 Committed: http://gitorious.org/mahara/mahara/commit/0b4952e063f50c001e4c2dfc5749f55258bff952 Submitter: Son Nguyen (son.ngu...@catalyst.net.nz) Branch: 1.5_STABLE
commit 0b4952e063f50c001e4c2dfc5749f55258bff952 Author: Hugh Davenport <h...@catalyst.net.nz> Date: Wed Aug 15 12:07:58 2012 +1200 Fix permissions of group area (Bug #1034180) A user should not be able to view/publish an artefact if - they don't have view/publish permission of that artefact - they don't have view permission of all parents of that artefact A user should not be able to edit an artefact if - they don't have edit permission of that artefact - they don't have edit permission of the immediate parent of that artefact - they don't have view permission of any parents below the immediate This is similar to the UNIX permissions, you shouldn't be able to view a directory unless all directories below have read (r) and executeable (x) bits set. The same for editing, you need write (w) permissions of the immediate parent, and rx for all parents. In Mahara, there are no executeable bits, but it can be assumed that view is basically the same as rw for container artefacts, and the same as r for non container artefacts. Change-Id: I4f84aca05dd08d02b05fbe084e4724f78c8681a0 Signed-off-by: Hugh Davenport <h...@catalyst.net.nz> -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1034180 Title: A group member with no access rights to folder can still view it (if smart :D) Status in Mahara ePortfolio: Fix Committed Status in Mahara 1.5 series: Fix Committed Status in Mahara 1.6 series: Fix Committed Status in Mahara 1.7 series: Fix Committed Bug description: If i create a folder in group files area, open a tab as a normal member, and then as group admin remove all rights to that folder for members, then as the member, click on the folder. The contents of the folder is then displayed (with the following warnings) [WAR] 0a (artefact/lib.php:864) Undefined index: member Call stack (most recent first): log_message("Undefined index: member", 8, true, true, "/var/www/mahara-dev/htdocs/artefact/lib.php", 864) at /var/www/mahara-dev/htdocs/lib/errors.php:446 error(8, "Undefined index: member", "/var/www/mahara-dev/htdocs/artefact/lib.php", 864, array(size 2)) at /var/www/mahara-dev/htdocs/artefact/lib.php:864 ArtefactType->role_has_permission("member", "edit") at /var/www/mahara-dev/htdocs/auth/user.php:960 User->can_edit_artefact(object(ArtefactTypeFolder)) at /var/www/mahara-dev/htdocs/artefact/file/form/elements/filebrowser.php:1221 pieform_element_filebrowser_edit_group_folder("1", "5") at /var/www/mahara-dev/htdocs/artefact/file/form/elements/filebrowser.php:1308 pieform_element_filebrowser_changefolder(object(Pieform), array(size 11), "5") at /var/www/mahara-dev/htdocs/artefact/file/form/elements/filebrowser.php:696 pieform_element_filebrowser_doupdate(object(Pieform), array(size 11)) at /var/www/mahara-dev/htdocs/artefact/file/form/elements/filebrowser.php:362 pieform_element_filebrowser_get_value(object(Pieform), array(size 11)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:802 Pieform->get_value(array(size 11)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:1253 Pieform->get_submitted_values() at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:490 Pieform->__construct(array(size 12)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:161 Pieform::process(array(size 12)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:71 pieform(array(size 12)) at /var/www/mahara-dev/htdocs/artefact/file/groupfiles.php:49 [WAR] 0a (artefact/lib.php:864) Trying to get property of non-object Call stack (most recent first): log_message("Trying to get property of non-object", 8, true, true, "/var/www/mahara-dev/htdocs/artefact/lib.php", 864) at /var/www/mahara-dev/htdocs/lib/errors.php:446 error(8, "Trying to get property of non-object", "/var/www/mahara-dev/htdocs/artefact/lib.php", 864, array(size 2)) at /var/www/mahara-dev/htdocs/artefact/lib.php:864 ArtefactType->role_has_permission("member", "edit") at /var/www/mahara-dev/htdocs/auth/user.php:960 User->can_edit_artefact(object(ArtefactTypeFolder)) at /var/www/mahara-dev/htdocs/artefact/file/form/elements/filebrowser.php:1221 pieform_element_filebrowser_edit_group_folder("1", "5") at /var/www/mahara-dev/htdocs/artefact/file/form/elements/filebrowser.php:1308 pieform_element_filebrowser_changefolder(object(Pieform), array(size 11), "5") at /var/www/mahara-dev/htdocs/artefact/file/form/elements/filebrowser.php:696 pieform_element_filebrowser_doupdate(object(Pieform), array(size 11)) at /var/www/mahara-dev/htdocs/artefact/file/form/elements/filebrowser.php:362 pieform_element_filebrowser_get_value(object(Pieform), array(size 11)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:802 Pieform->get_value(array(size 11)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:1253 Pieform->get_submitted_values() at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:490 Pieform->__construct(array(size 12)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:161 Pieform::process(array(size 12)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:71 pieform(array(size 12)) at /var/www/mahara-dev/htdocs/artefact/file/groupfiles.php:49 On a refresh, the home folder is shown, and the folder is not displayed, so can't click on it again. Although, the member can still access the folder directly, by going to the url /artefact/file/groupfiles.php?group=1&folder=5 (or whatever id's), with the following warnings [WAR] 81 (artefact/lib.php:864) Undefined index: member Call stack (most recent first): log_message("Undefined index: member", 8, true, true, "/var/www/mahara-dev/htdocs/artefact/lib.php", 864) at /var/www/mahara-dev/htdocs/lib/errors.php:446 error(8, "Undefined index: member", "/var/www/mahara-dev/htdocs/artefact/lib.php", 864, array(size 2)) at /var/www/mahara-dev/htdocs/artefact/lib.php:864 ArtefactType->role_has_permission("member", "edit") at /var/www/mahara-dev/htdocs/auth/user.php:960 User->can_edit_artefact(object(ArtefactTypeFolder)) at /var/www/mahara-dev/htdocs/artefact/file/form/elements/filebrowser.php:1221 pieform_element_filebrowser_edit_group_folder("1", 5) at /var/www/mahara-dev/htdocs/artefact/file/form/elements/filebrowser.php:126 pieform_element_filebrowser(object(Pieform), array(size 13)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:1378 Pieform->build_element_html(array(size 13)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:659 Pieform->build() at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:162 Pieform::process(array(size 12)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:71 pieform(array(size 12)) at /var/www/mahara-dev/htdocs/artefact/file/groupfiles.php:49 [WAR] 81 (artefact/lib.php:864) Trying to get property of non-object Call stack (most recent first): log_message("Trying to get property of non-object", 8, true, true, "/var/www/mahara-dev/htdocs/artefact/lib.php", 864) at /var/www/mahara-dev/htdocs/lib/errors.php:446 error(8, "Trying to get property of non-object", "/var/www/mahara-dev/htdocs/artefact/lib.php", 864, array(size 2)) at /var/www/mahara-dev/htdocs/artefact/lib.php:864 ArtefactType->role_has_permission("member", "edit") at /var/www/mahara-dev/htdocs/auth/user.php:960 User->can_edit_artefact(object(ArtefactTypeFolder)) at /var/www/mahara-dev/htdocs/artefact/file/form/elements/filebrowser.php:1221 pieform_element_filebrowser_edit_group_folder("1", 5) at /var/www/mahara-dev/htdocs/artefact/file/form/elements/filebrowser.php:126 pieform_element_filebrowser(object(Pieform), array(size 13)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:1378 Pieform->build_element_html(array(size 13)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:659 Pieform->build() at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:162 Pieform::process(array(size 12)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:71 pieform(array(size 12)) at /var/www/mahara-dev/htdocs/artefact/file/groupfiles.php:49 The second way of accessing also gives a box saying "You do not have permission to add content to this folder", while the first does not, and infact shows the upload file and create folder boxes (though you can't add files) Both of these ways allow the user to access the files within the folders, or by the url /artefact/file/download.php?file=14 This bug will have to probably change the way permissions work, and backtrack through all the parent folders making sure the user has access To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1034180/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
