** Changed in: mahara/15.04
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1609200

Title:
  Non-admin role users can edit group settings

Status in Mahara:
  Fix Committed
Status in Mahara 15.04 series:
  Fix Released
Status in Mahara 15.10 series:
  Fix Released
Status in Mahara 16.04 series:
  Fix Released
Status in Mahara 16.10 series:
  Fix Committed

Bug description:
  Only the admin of a group should be able to change the group's
  settings (via group/edit.php). But any member of a group can view and
  edit the settings if they go to the URL directly:

  * http://my.mahara/group/edit.php?id=3

  There is no check to make sure the user has admin role.

  To replicate:

  1. Create a group as User 1. Note the group's id
  2. Add User 2 to the group as a "member" (not an "admin")
  3. Log in as User 2
  4. Type in e.g. http://my.mahara/group/edit.php?id=X , where X is the
  group's ID

  Expected result: You get an error message saying "You can't edit this
  group"

  Actual result: You see the group config page, and you can make changes
  and they will be saved.
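
The missing check described above, shown as an added example that is not part of the original report and is not Mahara's code. Every function name, the exception class and the membership table are hypothetical and constructed to mirror the replication steps (group 3, User 1 as admin, User 2 as member); rejecting non-members in the unchecked handler is an assumption, since the report only covers members.

```php
<?php
// Added illustration; not Mahara source. All names and data are hypothetical.

// Constructed membership table: group id => [user id => role].
const GROUP_ROLES = [
    3 => [1 => 'admin', 2 => 'member'],
];

class AccessDenied extends RuntimeException {}

// Role of $userId in $groupId, or null when the user is not a member.
function group_role(int $groupId, int $userId): ?string {
    return GROUP_ROLES[$groupId][$userId] ?? null;
}

// Behaviour described in the report: being a member is enough to save settings.
// (Assumption: non-members are rejected; the report does not say either way.)
function edit_group_unchecked(int $groupId, int $userId, array $settings): array {
    if (group_role($groupId, $userId) === null) {
        throw new AccessDenied('Not a member of this group');
    }
    return ['group' => $groupId, 'saved' => $settings];
}

// Expected behaviour: require the admin role on every request, both when
// rendering the form and when processing the submitted changes.
function edit_group_checked(int $groupId, int $userId, array $settings): array {
    if (group_role($groupId, $userId) !== 'admin') {
        throw new AccessDenied("You can't edit this group");
    }
    return ['group' => $groupId, 'saved' => $settings];
}

// Replay the report's steps with both handlers for User 1 and User 2.
foreach ([1, 2] as $user) {
    foreach (['edit_group_unchecked', 'edit_group_checked'] as $handler) {
        try {
            $handler(3, $user, ['name' => 'Renamed']);
            $result = 'saved';
        } catch (AccessDenied $e) {
            $result = 'denied: ' . $e->getMessage();
        }
        echo "user $user via $handler: $result\n";
    }
}
```

A regression test for this class of bug should request the edit URL directly as a plain member and assert a denial, since hiding the link in the UI does not protect the endpoint.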
