Hi Wen-Chang Chien,

Thanks for reporting this issue! I've added your name to the list of security contributors to the Mahara project: https://wiki.mahara.org/wiki/Contributors#Mahara_code

Let me know if you'd like to have your Twitter handle or other website on there (or if you want to be removed from the page).

Cheers,
Aaron

** Information type changed from Private Security to Public Security

https://bugs.launchpad.net/bugs/1460368

Title:
  Even if you disallow anonymous comments at the site level, you can still place anonymous comments on artefacts

Status in Mahara ePortfolio:
  Fix Committed
Status in Mahara 1.10 series:
  Fix Committed
Status in Mahara 1.9 series:
  Fix Committed
Status in Mahara 15.04 series:
  Fix Committed
Status in Mahara 15.10 series:
  Fix Committed

Bug description:

Anonymous comments function is enabled on artefact page of public share page that disallows anonymous comments.

Here's how to replicate the specific bug:

0. Clean install of Mahara
1. Log in as admin
2. Go to Administration -> Configure site -> Site options -> User Settings
3. Set [Anonymous comments] OFF
4. Go to Portfolio -> Create a new Page -> Store a picture on this page.
5. Edit this new page access -> Enable [Share with public] and [Allow comments].
6. Log out.
7. Open this page as guest role.
8. Click one picture of this page.
9. [Anonymous comments] function is enabled on artefact page.

I found the cause of this bug.
In /artefact/artefact.php, Line 149
==================================================
if ($artefact->get('allowcomments')) {
    $addfeedbackform = pieform(ArtefactTypeComment::add_comment_form(false, $artefact->get('approvecomments')));
    $extrastylesheets[] = 'style/jquery.rating.css';
    $javascript[] = 'jquery.rating';
}
==================================================

I suggest

if ($artefact->get('allowcomments'))

change to:

if ($artefact->get('allowcomments') && ( $USER->is_logged_in() || (!$USER->is_logged_in() && get_config('anonymouscomments')))) {
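
The condition change suggested in the report, as an added example that is not part of the original message or of Mahara's code: it runs the old and the suggested condition over every combination of the three inputs and lists the cases where they differ. StubUser, StubArtefact and stub_get_config() are hypothetical stand-ins for $USER, the artefact object and get_config(); PHP 8.0 or later is assumed.

```php
<?php
// Added example, not Mahara code. StubUser, StubArtefact and
// stub_get_config() are hypothetical stand-ins for $USER, the artefact
// object and get_config() named in the report.
final class StubUser {
    public function __construct(private bool $loggedin) {}
    public function is_logged_in(): bool { return $this->loggedin; }
}

final class StubArtefact {
    public function __construct(private array $fields) {}
    public function get(string $field) { return $this->fields[$field] ?? null; }
}

function stub_get_config(array $site, string $key) {
    return $site[$key] ?? null;
}

// Condition before the fix: only the artefact's own flag is consulted.
function show_form_before(StubArtefact $a, StubUser $u, array $site): bool {
    return (bool) $a->get('allowcomments');
}

// Condition suggested in the report. Its inner !is_logged_in() test is
// redundant, so it reduces to "logged in OR anonymous comments enabled".
function show_form_after(StubArtefact $a, StubUser $u, array $site): bool {
    return $a->get('allowcomments')
        && ($u->is_logged_in() || stub_get_config($site, 'anonymouscomments'));
}

// Enumerate all eight combinations and collect those where the two differ.
function differing_cases(): array {
    $diff = [];
    foreach ([true, false] as $allow) {
        foreach ([true, false] as $loggedin) {
            foreach ([true, false] as $anon) {
                $a = new StubArtefact(['allowcomments' => $allow]);
                $u = new StubUser($loggedin);
                $site = ['anonymouscomments' => $anon];
                if (show_form_before($a, $u, $site) !== show_form_after($a, $u, $site)) {
                    $diff[] = compact('allow', 'loggedin', 'anon');
                }
            }
        }
    }
    return $diff;
}

var_export(differing_cases());
```

The two conditions differ only for a logged-out visitor on an artefact that allows comments while anonymouscomments is off, which is the case reached by the reproduction steps.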