Reviewed:  https://reviews.mahara.org/6693
Committed: https://git.mahara.org/mahara/mahara/commit/d6399ee68eddf53a46bb046f77656bb4fb3044b8
Submitter: Robert Lyon (robe...@catalyst.net.nz)
Branch:    15.10_STABLE

commit d6399ee68eddf53a46bb046f77656bb4fb3044b8
Author: Robert Lyon <robe...@catalyst.net.nz>
Date:   Fri Jul 8 11:02:22 2016 +1200

Bug 1234615: Check that resized image files are viewable by user

When exporting via Html export process - if not then ignore the file

To test:

1) Add an image block/file to a page and set a width value

2) Go into db block_instance table and change the artefactid to an
image that is owned by another user

3) Reload the page - you should see the image block but not the
attached image

4) Export the page as HTML, either as full or standalone

Before patch - you will end up with image file in the files/extra/
directory

After patch - you should not get the image in the files/extra/
directory and you should get an info warning 'Unable to copy artefact
file ***' on export page.

behatnotneeded

Change-Id: Iaeb9404b3329c4eb3eac59354801b598f7cd5ba8
Signed-off-by: Robert Lyon <robe...@catalyst.net.nz>

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask 
on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1234615

Title:
  Not checking artefact permissions before exporting

Status in Mahara:
  Fix Committed
Status in Mahara 1.10 series:
  Won't Fix
Status in Mahara 1.9 series:
  Won't Fix
Status in Mahara 15.04 series:
  Fix Committed
Status in Mahara 15.10 series:
  Fix Committed
Status in Mahara 16.04 series:
  Fix Committed
Status in Mahara 16.10 series:
  Fix Committed

Bug description:
  In https://bugs.launchpad.net/bugs/1211758 , the reporter mentioned
  that in addition to embedding other users' artefacts in your pages,
  you could export them to view their full content:

  #3: Export function allows arbitrary file download
  Using the technique above you can get a 1024x1024 'thumbnail' of any user's
  arbitrary file. Simply use the export function on a page like the one above
  where other users' images are embedded. Make sure the embedded image's max-size
  is set to 1024 and it will appear within /files/extra.

  There is an obvious fix for this issue, of checking
  $USER->can_publish_artefact() or $USER->can_view_artefact() on each
  artefact before exporting it. But when Robert tested this fix, he
  found that it was too resource-intensive (as part of the already
  resource-intensive export process) for it to work while exporting an
  average-sized portfolio.

  Since fixing the embedding of other users' data mitigates the risk
  from this issue and was easier to accomplish, I've released that fix
  and spun this one off into a separate bug to fix when we're able.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1234615/+subscriptions

_______________________________________________
Mailing list: https://launchpad.net/~mahara-contributors
Post to     : mahara-contributors@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mahara-contributors
More help   : https://help.launchpad.net/ListHelp
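
The check the bug description and the commit's test steps call for, as an added sketch that is not Mahara's code: an export step writes a resized image to files/extra/ only when the exporting user may view the referenced artefact, and records an info message otherwise. The function names, the array-based artefact records and the owner-only rule are assumptions for illustration, standing in for the `$USER->can_view_artefact()` call named in the bug description.

```php
<?php
// Added illustration, not Mahara code. All names below are hypothetical.

// Constructed sample data: artefact id => owner id and file name.
$artefacts = [
    10 => ['owner' => 1, 'file' => 'holiday.png'],
    11 => ['owner' => 2, 'file' => 'private-scan.png'],
];

// Stand-in for a per-user view check. Assumption: only the owner may view.
function can_view_artefact(int $userid, array $artefact): bool {
    return $artefact['owner'] === $userid;
}

// Decide which resized images referenced by a page's blocks may be exported.
// The ids come from stored block configuration, so they are not trusted:
// each one is checked against the exporting user before anything is copied.
function export_extra_files(int $userid, array $referenced, array $artefacts): array {
    $copied = [];
    $messages = [];
    // De-duplicate so each artefact is checked once per export run.
    foreach (array_unique($referenced) as $id) {
        if (isset($artefacts[$id]) && can_view_artefact($userid, $artefacts[$id])) {
            $copied[$id] = 'files/extra/' . $artefacts[$id]['file'];
        } else {
            // Skip the file and tell the user, rather than aborting the export.
            $messages[] = "Unable to copy artefact file $id";
        }
    }
    return [$copied, $messages];
}

// Constructed scenario: user 1's page has a block whose artefact id was
// changed to 11, an image owned by user 2.
[$copied, $messages] = export_extra_files(1, [10, 11, 11], $artefacts);
print_r($copied);
print_r($messages);
```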
