** Changed in: mahara/1.10
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1429647

Title:
  Watchlist lets you watch and receive notifications about pages you
  don't have view access to

Status in Mahara ePortfolio:
  Fix Released
Status in Mahara 1.10 series:
  Fix Released
Status in Mahara 1.8 series:
  Fix Committed
Status in Mahara 1.9 series:
  Fix Committed
Status in Mahara 15.04 series:
  Fix Released
Status in Mahara 15.10 series:
  Fix Committed

Bug description:
  In analyzing watchlist bug 1429505 (pages stay on your watchlist even
  if you lose access to them) I noticed a couple of things in the code:

  1. You apparently still can receive watchlist notifications about
  pages on your watchlist which you don't have access to.

  2. There are no access control checks in togglewatchlist.json.php, so
  it is apparently possible to add a page to your watchlist even if you
  don't have access to it.

  Together, these bugs mean that a user could watch private pages, and
  receive notifications about changes to those pages. While these
  notifications would not contain the actual page content, they would
  contain the title of the page and the names of blocks and/or artefacts
  changed in the page.
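
The two gaps in the bug description (no access check when a watch is toggled, and no re-check when notifications are sent) call for a check at both points. The sketch below is an added example, not Mahara's code or its fix: `user_can_view`, `toggle_watch`, `notification_recipients` and the in-memory arrays are hypothetical stand-ins for the real access-control and watchlist storage.

```php
<?php
// Added illustration; every name here is hypothetical, not Mahara's API.
// Constructed sample data: view id => ids of users allowed to see it.
$access = [10 => [1, 2], 11 => [1]];
// Watchlist rows: view id => watching user ids. User 2's row on view 11
// is stale: it was created before that user's access was revoked.
$watchlist = [10 => [2], 11 => [2]];

// Stand-in for the application's real view-access check.
function user_can_view(array $access, int $userid, int $viewid): bool {
    return in_array($userid, $access[$viewid] ?? [], true);
}

// Toggle handler: adding a watch requires view access. Removing one is
// always allowed, so a user can still clear a stale row.
function toggle_watch(array &$watchlist, array $access, int $userid, int $viewid): string {
    $watchers = $watchlist[$viewid] ?? [];
    if (in_array($userid, $watchers, true)) {
        $watchlist[$viewid] = array_values(array_diff($watchers, [$userid]));
        return 'removed';
    }
    if (!user_can_view($access, $userid, $viewid)) {
        // Same answer for a private view and a nonexistent one, so the
        // response does not confirm that the view exists.
        return 'denied';
    }
    $watchlist[$viewid][] = $userid;
    return 'added';
}

// Notification fan-out: re-check access at send time, because a watchlist
// row only proves the user could view the page when the row was created.
function notification_recipients(array $watchlist, array $access, int $viewid): array {
    return array_values(array_filter(
        $watchlist[$viewid] ?? [],
        fn(int $uid): bool => user_can_view($access, $uid, $viewid)
    ));
}

// User 3 has no access to view 11; user 1 does.
echo toggle_watch($watchlist, $access, 3, 11), "\n";
echo toggle_watch($watchlist, $access, 1, 11), "\n";
// The stale row for user 2 is filtered out; only user 1 is notified.
echo json_encode(notification_recipients($watchlist, $access, 11)), "\n";
// User 2 can still remove the stale watch without having view access.
echo toggle_watch($watchlist, $access, 2, 11), "\n";
```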