** Changed in: mahara/1.10
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask
on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1429647
Title:
Watchlist lets you watch and receive notifications about pages you
don't have view access to
Status in Mahara ePortfolio:
Fix Released
Status in Mahara 1.10 series:
Fix Released
Status in Mahara 1.8 series:
Fix Committed
Status in Mahara 1.9 series:
Fix Committed
Status in Mahara 15.04 series:
Fix Released
Status in Mahara 15.10 series:
Fix Committed
Bug description:
In analyzing watchlist bug 1429505 (pages stay on your watchlist even
if you lose access to them) I noticed a couple of things in the code:
1. You apparently still can receive watchlist notifications about
pages on your watchlist which you don't have access to.
2. There are no access control checks in togglewatchlist.json.php, so
it is apparently possible to add a page to your watchlist even if you
don't have access to it.
Together, these bugs mean that a user could watch private pages, and
receive notifications about changes to those pages. While these
notifications would not contain the actual page content, they would
contain the title of the page and the names of blocks and/or artefacts
changed in the page.
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1429647/+subscriptions
_______________________________________________
Mailing list: https://launchpad.net/~mahara-contributors
Post to : mahara-contributors@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mahara-contributors
More help : https://help.launchpad.net/ListHelp
