[Mahara-contributors] [Bug 1521818] Re: Tagged journal entries block granting access to all entries in the journal

Mon, 07 Mar 2016 17:42:19 -0800 

** Changed in: mahara/15.10
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask 
on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1521818

Title:
  Tagged journal entries block granting access to all entries in the
  journal

Status in Mahara:
  Fix Committed
Status in Mahara 15.04 series:
  In Progress
Status in Mahara 15.10 series:
  Fix Committed
Status in Mahara 16.04 series:
  Fix Committed

Bug description:
  A user received a comment for an artefact that is not actually shared
  publicly.

  Looking into the problem, I've been able to replicate the issue. It
  goes as such :

  1. Create a journal with two entries. Give one the tag "tag1" and the other 
the tag "tag2".
  2. Create a view
  3. Add a Tagged journal entries block with "tag1"
  4. Save and share the view with the public.
  5. Click in the tagged journal entries block to view the artefact detail page 
for the tag1 journal entry.
  6. Copy the URL for the tag1 journal entry's page, and save this somewhere
  7. Edit the tagged journal entry block and change it to "tag2" instead.
  8. Log out
  9. While logged out, view the URL for the tag1 journal entry

  Expected result: Access denied

  Actual result: You can view the tag1 journal entry. Indeed, you can
  navigate up and view the entire journal.

  Journal entries with tag A are still accessible to the public even
  though they are not being displayed on the view.

  It's is imperative that deleted artefact from a view cannot be
  accessed. It's clearly a breach of privacy.

  We're using Mahara 15.04 .2 on Linux with MySQL

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1521818/+subscriptions

_______________________________________________
Mailing list: https://launchpad.net/~mahara-contributors
Post to     : mahara-contributors@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mahara-contributors
More help   : https://help.launchpad.net/ListHelp

Reply via email to