** Changed in: mahara/15.10
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask 
on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1609200

Title:
  Non-admin role users can edit group settings

Status in Mahara:
  Fix Committed
Status in Mahara 15.04 series:
  Fix Released
Status in Mahara 15.10 series:
  Fix Released
Status in Mahara 16.04 series:
  Fix Released
Status in Mahara 16.10 series:
  Fix Committed

Bug description:
  Only the admin of a group should be able to change the group's
  settings (via group/edit.php). But any member of a group can view and
  edit the settings if they go to the URL directly:

  * http://my.mahara/group/edit.php?id=3

  There is no check to make sure the user has admin role.

  To replicate:

  1. Create a group as User 1. Note the group's id
  2. Add User 2 to the group as a "member" (not an "admin")
  3. Log in as User 2
  4. Type in e.g. http://my.mahara/group/edit.php?id=X , where X is the group's 
ID

  Expected result: You get an error message saying "You can't edit this
  group"

  Actual result: You see the group config page, and you can make changes
  and they will be saved.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1609200/+subscriptions

_______________________________________________
Mailing list: https://launchpad.net/~mahara-contributors
Post to     : mahara-contributors@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mahara-contributors
More help   : https://help.launchpad.net/ListHelp

Reply via email to