mahara-contributors team mailing list archive
Message #13866
[Bug 1034180] A change has been merged
Reviewed: https://reviews.mahara.org/2556
Committed: http://gitorious.org/mahara/mahara/commit/79a810210bfdf89a466876fdf8ac54354f73b73b
Submitter: Son Nguyen (son.nguyen@xxxxxxxxxxxxxxx)
Branch: 1.7_STABLE
commit 79a810210bfdf89a466876fdf8ac54354f73b73b
Author: Hugh Davenport <hugh@xxxxxxxxxxxxxxx>
Date: Wed Aug 15 12:07:58 2012 +1200
Fix permissions of group area (Bug #1034180)

A user should not be able to view/publish an artefact if
- they don't have view/publish permission of that artefact
- they don't have view permission of all parents of that artefact

A user should not be able to edit an artefact if
- they don't have edit permission of that artefact
- they don't have edit permission of the immediate parent of that artefact
- they don't have view permission of any parents below the immediate

This is similar to the UNIX permissions, you shouldn't be able to view
a directory unless all directories below have read (r) and executable (x)
bits set. The same for editing, you need write (w) permissions of the
immediate parent, and rx for all parents.

In Mahara, there are no executable bits, but it can be assumed
that view is basically the same as rw for container artefacts, and the same
as r for non container artefacts.

Change-Id: I4f84aca05dd08d02b05fbe084e4724f78c8681a0
Signed-off-by: Hugh Davenport <hugh@xxxxxxxxxxxxxxx>
https://bugs.launchpad.net/bugs/1034180
Title:
A group member with no access rights to folder can still view it (if smart :D)
Status in Mahara ePortfolio: Fix Committed
Status in Mahara 1.5 series: Fix Committed
Status in Mahara 1.6 series: Fix Committed
Status in Mahara 1.7 series: Fix Committed
Bug description:
If I create a folder in group files area, open a tab as a normal
member, and then as group admin remove all rights to that folder for
members, then as the member, click on the folder. The contents of the
folder are then displayed (with the following warnings)
[WAR] 0a (artefact/lib.php:864) Undefined index: member
Call stack (most recent first):
log_message("Undefined index: member", 8, true, true, "/var/www/mahara-dev/htdocs/artefact/lib.php", 864) at /var/www/mahara-dev/htdocs/lib/errors.php:446
error(8, "Undefined index: member", "/var/www/mahara-dev/htdocs/artefact/lib.php", 864, array(size 2)) at /var/www/mahara-dev/htdocs/artefact/lib.php:864
ArtefactType->role_has_permission("member", "edit") at /var/www/mahara-dev/htdocs/auth/user.php:960
User->can_edit_artefact(object(ArtefactTypeFolder)) at /var/www/mahara-dev/htdocs/artefact/file/form/elements/filebrowser.php:1221
pieform_element_filebrowser_edit_group_folder("1", "5") at /var/www/mahara-dev/htdocs/artefact/file/form/elements/filebrowser.php:1308
pieform_element_filebrowser_changefolder(object(Pieform), array(size 11), "5") at /var/www/mahara-dev/htdocs/artefact/file/form/elements/filebrowser.php:696
pieform_element_filebrowser_doupdate(object(Pieform), array(size 11)) at /var/www/mahara-dev/htdocs/artefact/file/form/elements/filebrowser.php:362
pieform_element_filebrowser_get_value(object(Pieform), array(size 11)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:802
Pieform->get_value(array(size 11)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:1253
Pieform->get_submitted_values() at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:490
Pieform->__construct(array(size 12)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:161
Pieform::process(array(size 12)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:71
pieform(array(size 12)) at /var/www/mahara-dev/htdocs/artefact/file/groupfiles.php:49
[WAR] 0a (artefact/lib.php:864) Trying to get property of non-object
Call stack (most recent first):
log_message("Trying to get property of non-object", 8, true, true, "/var/www/mahara-dev/htdocs/artefact/lib.php", 864) at /var/www/mahara-dev/htdocs/lib/errors.php:446
error(8, "Trying to get property of non-object", "/var/www/mahara-dev/htdocs/artefact/lib.php", 864, array(size 2)) at /var/www/mahara-dev/htdocs/artefact/lib.php:864
ArtefactType->role_has_permission("member", "edit") at /var/www/mahara-dev/htdocs/auth/user.php:960
User->can_edit_artefact(object(ArtefactTypeFolder)) at /var/www/mahara-dev/htdocs/artefact/file/form/elements/filebrowser.php:1221
pieform_element_filebrowser_edit_group_folder("1", "5") at /var/www/mahara-dev/htdocs/artefact/file/form/elements/filebrowser.php:1308
pieform_element_filebrowser_changefolder(object(Pieform), array(size 11), "5") at /var/www/mahara-dev/htdocs/artefact/file/form/elements/filebrowser.php:696
pieform_element_filebrowser_doupdate(object(Pieform), array(size 11)) at /var/www/mahara-dev/htdocs/artefact/file/form/elements/filebrowser.php:362
pieform_element_filebrowser_get_value(object(Pieform), array(size 11)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:802
Pieform->get_value(array(size 11)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:1253
Pieform->get_submitted_values() at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:490
Pieform->__construct(array(size 12)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:161
Pieform::process(array(size 12)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:71
pieform(array(size 12)) at /var/www/mahara-dev/htdocs/artefact/file/groupfiles.php:49
On a refresh, the home folder is shown, and the folder is not
displayed, so can't click on it again.
Although, the member can still access the folder directly, by going to
the URL /artefact/file/groupfiles.php?group=1&folder=5 (or whatever
IDs), with the following warnings
[WAR] 81 (artefact/lib.php:864) Undefined index: member
Call stack (most recent first):
log_message("Undefined index: member", 8, true, true, "/var/www/mahara-dev/htdocs/artefact/lib.php", 864) at /var/www/mahara-dev/htdocs/lib/errors.php:446
error(8, "Undefined index: member", "/var/www/mahara-dev/htdocs/artefact/lib.php", 864, array(size 2)) at /var/www/mahara-dev/htdocs/artefact/lib.php:864
ArtefactType->role_has_permission("member", "edit") at /var/www/mahara-dev/htdocs/auth/user.php:960
User->can_edit_artefact(object(ArtefactTypeFolder)) at /var/www/mahara-dev/htdocs/artefact/file/form/elements/filebrowser.php:1221
pieform_element_filebrowser_edit_group_folder("1", 5) at /var/www/mahara-dev/htdocs/artefact/file/form/elements/filebrowser.php:126
pieform_element_filebrowser(object(Pieform), array(size 13)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:1378
Pieform->build_element_html(array(size 13)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:659
Pieform->build() at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:162
Pieform::process(array(size 12)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:71
pieform(array(size 12)) at /var/www/mahara-dev/htdocs/artefact/file/groupfiles.php:49
[WAR] 81 (artefact/lib.php:864) Trying to get property of non-object
Call stack (most recent first):
log_message("Trying to get property of non-object", 8, true, true, "/var/www/mahara-dev/htdocs/artefact/lib.php", 864) at /var/www/mahara-dev/htdocs/lib/errors.php:446
error(8, "Trying to get property of non-object", "/var/www/mahara-dev/htdocs/artefact/lib.php", 864, array(size 2)) at /var/www/mahara-dev/htdocs/artefact/lib.php:864
ArtefactType->role_has_permission("member", "edit") at /var/www/mahara-dev/htdocs/auth/user.php:960
User->can_edit_artefact(object(ArtefactTypeFolder)) at /var/www/mahara-dev/htdocs/artefact/file/form/elements/filebrowser.php:1221
pieform_element_filebrowser_edit_group_folder("1", 5) at /var/www/mahara-dev/htdocs/artefact/file/form/elements/filebrowser.php:126
pieform_element_filebrowser(object(Pieform), array(size 13)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:1378
Pieform->build_element_html(array(size 13)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:659
Pieform->build() at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:162
Pieform::process(array(size 12)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:71
pieform(array(size 12)) at /var/www/mahara-dev/htdocs/artefact/file/groupfiles.php:49
The second way of accessing also gives a box saying "You do not have permission to add content to this folder", while the first does not, and in fact shows the upload file and create folder boxes (though you can't add files).
Both of these ways allow the user to access the files within the
folders, or by the URL /artefact/file/download.php?file=14
This bug will have to probably change the way permissions work, and
backtrack through all the parent folders making sure the user has
access.
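The parent-chain rule from the commit message, as an added example that is not Mahara's code: a self-contained PHP model of the view and edit checks next to a check that looks at the artefact alone. The array layout, the function names, folder 2 and file 15 are assumptions; folder 5 and file 14 reuse the ids from the report.

```php
<?php
// Constructed model, not Mahara's code: id => parent id and per-role rights.
// Folder 5 and file 14 reuse the report's ids; folder 2 and file 15 are made up.
$artefacts = [
    2  => ['parent' => null, 'perms' => ['member' => ['view' => true, 'edit' => true]]],
    5  => ['parent' => 2,    'perms' => []], // admin removed all member rights
    14 => ['parent' => 5,    'perms' => ['member' => ['view' => true, 'edit' => true]]],
    15 => ['parent' => 2,    'perms' => ['member' => ['view' => true, 'edit' => false]]],
];

// A missing role or right is a denial, not a warning followed by access.
function has_right(array $artefacts, int $id, string $role, string $right): bool {
    return $artefacts[$id]['perms'][$role][$right] ?? false;
}

// Checks the artefact alone; assumed stand-in for the pre-fix behaviour reported.
function can_view_self_only(array $artefacts, int $id, string $role): bool {
    return has_right($artefacts, $id, $role, 'view');
}

// View: the artefact and every parent up to the root must grant view.
function can_view(array $artefacts, int $id, string $role): bool {
    for ($cur = $id; $cur !== null; $cur = $artefacts[$cur]['parent']) {
        if (!has_right($artefacts, $cur, $role, 'view')) {
            return false;
        }
    }
    return true;
}

// Edit: edit on the artefact and its immediate parent, view on the parent chain.
function can_edit(array $artefacts, int $id, string $role): bool {
    if (!has_right($artefacts, $id, $role, 'edit')) {
        return false;
    }
    $parent = $artefacts[$id]['parent'];
    if ($parent === null) {
        return true; // top-level artefact: nothing above it to check
    }
    return has_right($artefacts, $parent, $role, 'edit')
        && can_view($artefacts, $parent, $role);
}

foreach ([14, 15] as $id) {
    printf("artefact %d: self-only view=%s, chain view=%s, edit=%s\n", $id,
        var_export(can_view_self_only($artefacts, $id, 'member'), true),
        var_export(can_view($artefacts, $id, 'member'), true),
        var_export(can_edit($artefacts, $id, 'member'), true));
}
```

File 14 passes the self-only check but fails the chain check, because folder 5 grants the member role nothing; file 15 stays viewable but not editable.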