** Changed in: mahara/15.10
       Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/1609200

Title:
  Non-admin role users can edit group settings

Status in Mahara:
  Fix Committed
Status in Mahara 15.04 series:
  Fix Released
Status in Mahara 15.10 series:
  Fix Released
Status in Mahara 16.04 series:
  Fix Released
Status in Mahara 16.10 series:
  Fix Committed

Bug description:
  Only the admin of a group should be able to change the group's
  settings (via group/edit.php). But any member of a group can view and
  edit the settings if they go to the URL directly:

  * http://my.mahara/group/edit.php?id=3

  There is no check to make sure the user has admin role.

  To replicate:

  1. Create a group as User 1. Note the group's id
  2. Add User 2 to the group as a "member" (not an "admin")
  3. Log in as User 2
  4. Type in e.g. http://my.mahara/group/edit.php?id=X , where X is the group's ID

  Expected result: You get an error message saying "You can't edit this
  group"

  Actual result: You see the group config page, and you can make changes
  and they will be saved.
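
The missing check described in this bug report, as an added PHP example that is not Mahara's code or its fix. All names (`group_role`, `edit_group_unchecked`, `edit_group_checked`, `AccessDenied`, the `GROUP_ROLES` table) are hypothetical and the membership data is constructed; it puts a handler without the role check beside one that enforces it, and exercises both as an admin, a member and a non-member.

```php
<?php
// Added example: hypothetical names throughout, not Mahara's code.
// Constructed membership table: group id => [user id => role].
const GROUP_ROLES = [
    3 => [1 => 'admin', 2 => 'member'],
];

class AccessDenied extends Exception {}

// Role of $userId in $groupId, or null when the user is not a member.
function group_role(int $groupId, int $userId): ?string {
    return GROUP_ROLES[$groupId][$userId] ?? null;
}

// Before: the handler trusts the id in the URL and never looks at the role.
function edit_group_unchecked(int $groupId, int $userId, array $settings): array {
    return ['group' => $groupId, 'saved' => $settings];
}

// After: the handler itself requires the admin role before it renders
// or saves anything; hiding the link in the UI is not a control.
function edit_group_checked(int $groupId, int $userId, array $settings): array {
    if (group_role($groupId, $userId) !== 'admin') {
        throw new AccessDenied("You can't edit this group");
    }
    return ['group' => $groupId, 'saved' => $settings];
}

// Regression check helper: call a handler as a given user, report the outcome.
function outcome(callable $handler, int $groupId, int $userId): string {
    try {
        $handler($groupId, $userId, ['name' => 'renamed']);
        return 'saved';
    } catch (AccessDenied $e) {
        return 'denied';
    }
}

// User 1 is the group admin, user 2 a plain member, user 9 not in the group.
foreach (['edit_group_unchecked', 'edit_group_checked'] as $handler) {
    foreach ([1 => 'admin', 2 => 'member', 9 => 'non-member'] as $uid => $label) {
        printf("%-22s %-10s %s\n", $handler, $label, outcome($handler, 3, $uid));
    }
}
```

The same three-user matrix works as a regression test against the real page: only the admin row should ever report a successful save.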