mahara-contributors team mailing list archive

[Bug 585310] Re: SecretURL prompting for a password


One to be reviewed with a wider audience.

Basically view/view.php allows access by checking viewid and taking into
consideration user and mnet tokens (consider also get_view_from_token)
as follows:

if (!can_view_view($viewid, null, $usertoken, $mnettoken)) {
    throw new AccessDeniedException(get_string('accessdenied', 'error'));
}

However, when we try to render the actual resume object (an
ArtefactTypeResumeComposite, which extends ArtefactTypeResume) we find
its own render_self is a little bit broken (it is the only type that
checks access again, for example). A simple fix is to remove this check,
and hence the exception is not raised, but it suggests that the class may
need general review.

diff --git a/htdocs/artefact/resume/lib.php b/htdocs/artefact/resume/lib.php
index ec07f41..89057c7 100644
--- a/htdocs/artefact/resume/lib.php
+++ b/htdocs/artefact/resume/lib.php
@@ -539,9 +539,10 @@ abstract class ArtefactTypeResumeComposite extends ArtefactTypeResume {
             ORDER BY ar.displayorder';
 
         if (!empty($options['viewid'])) { 
-            if (!can_view_view($options['viewid'])) {
-                throw new AccessDeniedException();
-            }
+            //if (!can_view_view($options['viewid'])) {
+            //AJM Should be ... if (!can_view_view($options['viewid'], null, $options['usertoken'], $options['mnettoken'])) {
+            //   throw new AccessDeniedException();
+            //}
             require_once('view.php');
             $v = new View($options['viewid']);
             $owner = $v->get('owner');
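Review bot: commenting out the can_view_view() call at the top of this hunk drops the access check from ArtefactTypeResumeComposite rendering altogether instead of correcting it; the inline AJM comment already names the intended change, so apply that rather than leaving dead commented-out code: `if (!can_view_view($options['viewid'], null, $options['usertoken'], $options['mnettoken'])) {` with the `throw new AccessDeniedException();` kept. That only works if the caller actually passes usertoken and mnettoken in $options, which is not visible in this hunk, so either thread them through from view/view.php or read them with a null default so a missing key does not raise a notice. Removing the duplicate check entirely, as the message suggests, is defensible only if every path into this render code goes through a view whose access has already been verified.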


Note: it was useful to disable exception handling to find this bug.

diff --git a/htdocs/lib/errors.php b/htdocs/lib/errors.php
index c042804..91a9ab6 100644
--- a/htdocs/lib/errors.php
+++ b/htdocs/lib/errors.php
@@ -68,8 +68,7 @@ define('DEVMODE_UNPACKEDJS', 8);
 // Tell PHP about our error settings
 error_reporting(E_ALL);
 set_error_handler('error');
-set_exception_handler('exception');
-
+//set_exception_handler('exception');
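Review bot: this hunk disables Mahara's global exception handler in errors.php, which the message itself describes as a debugging aid for finding the bug, and it must not be part of the submitted fix; drop the hunk from the patch. With the handler commented out, uncaught exceptions fall back to PHP's default handling, which depending on display_errors can print the exception message and file path to the browser instead of the application's error page. The removal of the blank line after the set_exception_handler() call is also a whitespace-only change that adds noise to the diff.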

-- 
SecretURL prompting for a password
https://bugs.launchpad.net/bugs/585310

Status in Mahara ePortfolio: In Progress

Bug description:
If a View contains resumé information displayed in a box (Employment History, Education History, etc.), and is accessed exclusively via a SecretURL, then it asks for a password. Only the first time, though; subsequent access doesn't ask for a password even if you don't enter one the first time.

Mahara 1.2.4
Ubuntu Linux 8.04
MySQL
