mahara-contributors team mailing list archive
-
mahara-contributors team
-
Mailing list archive
-
Message #14740
[Bug 1034180] Re: A group member with no access rights to folder can still view it (if smart :D)
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2013-4432
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1034180
Title:
A group member with no access rights to folder can still view it (if
smart :D)
Status in Mahara ePortfolio:
Fix Released
Status in Mahara 1.5 series:
Fix Released
Status in Mahara 1.6 series:
Fix Released
Status in Mahara 1.7 series:
Fix Released
Bug description:
If i create a folder in group files area, open a tab as a normal
member, and then as group admin remove all rights to that folder for
members, then as the member, click on the folder. The contents of the
folder is then displayed (with the following warnings)
[WAR] 0a (artefact/lib.php:864) Undefined index: member
Call stack (most recent first):
log_message("Undefined index: member", 8, true, true, "/var/www/mahara-dev/htdocs/artefact/lib.php", 864) at /var/www/mahara-dev/htdocs/lib/errors.php:446
error(8, "Undefined index: member", "/var/www/mahara-dev/htdocs/artefact/lib.php", 864, array(size 2)) at /var/www/mahara-dev/htdocs/artefact/lib.php:864
ArtefactType->role_has_permission("member", "edit") at /var/www/mahara-dev/htdocs/auth/user.php:960
User->can_edit_artefact(object(ArtefactTypeFolder)) at /var/www/mahara-dev/htdocs/artefact/file/form/elements/filebrowser.php:1221
pieform_element_filebrowser_edit_group_folder("1", "5") at /var/www/mahara-dev/htdocs/artefact/file/form/elements/filebrowser.php:1308
pieform_element_filebrowser_changefolder(object(Pieform), array(size 11), "5") at /var/www/mahara-dev/htdocs/artefact/file/form/elements/filebrowser.php:696
pieform_element_filebrowser_doupdate(object(Pieform), array(size 11)) at /var/www/mahara-dev/htdocs/artefact/file/form/elements/filebrowser.php:362
pieform_element_filebrowser_get_value(object(Pieform), array(size 11)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:802
Pieform->get_value(array(size 11)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:1253
Pieform->get_submitted_values() at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:490
Pieform->__construct(array(size 12)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:161
Pieform::process(array(size 12)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:71
pieform(array(size 12)) at /var/www/mahara-dev/htdocs/artefact/file/groupfiles.php:49
[WAR] 0a (artefact/lib.php:864) Trying to get property of non-object
Call stack (most recent first):
log_message("Trying to get property of non-object", 8, true, true, "/var/www/mahara-dev/htdocs/artefact/lib.php", 864) at /var/www/mahara-dev/htdocs/lib/errors.php:446
error(8, "Trying to get property of non-object", "/var/www/mahara-dev/htdocs/artefact/lib.php", 864, array(size 2)) at /var/www/mahara-dev/htdocs/artefact/lib.php:864
ArtefactType->role_has_permission("member", "edit") at /var/www/mahara-dev/htdocs/auth/user.php:960
User->can_edit_artefact(object(ArtefactTypeFolder)) at /var/www/mahara-dev/htdocs/artefact/file/form/elements/filebrowser.php:1221
pieform_element_filebrowser_edit_group_folder("1", "5") at /var/www/mahara-dev/htdocs/artefact/file/form/elements/filebrowser.php:1308
pieform_element_filebrowser_changefolder(object(Pieform), array(size 11), "5") at /var/www/mahara-dev/htdocs/artefact/file/form/elements/filebrowser.php:696
pieform_element_filebrowser_doupdate(object(Pieform), array(size 11)) at /var/www/mahara-dev/htdocs/artefact/file/form/elements/filebrowser.php:362
pieform_element_filebrowser_get_value(object(Pieform), array(size 11)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:802
Pieform->get_value(array(size 11)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:1253
Pieform->get_submitted_values() at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:490
Pieform->__construct(array(size 12)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:161
Pieform::process(array(size 12)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:71
pieform(array(size 12)) at /var/www/mahara-dev/htdocs/artefact/file/groupfiles.php:49
On a refresh, the home folder is shown, and the folder is not
displayed, so can't click on it again.
Although, the member can still access the folder directly, by going to
the url /artefact/file/groupfiles.php?group=1&folder=5 (or whatever
id's), with the following warnings
[WAR] 81 (artefact/lib.php:864) Undefined index: member
Call stack (most recent first):
log_message("Undefined index: member", 8, true, true, "/var/www/mahara-dev/htdocs/artefact/lib.php", 864) at /var/www/mahara-dev/htdocs/lib/errors.php:446
error(8, "Undefined index: member", "/var/www/mahara-dev/htdocs/artefact/lib.php", 864, array(size 2)) at /var/www/mahara-dev/htdocs/artefact/lib.php:864
ArtefactType->role_has_permission("member", "edit") at /var/www/mahara-dev/htdocs/auth/user.php:960
User->can_edit_artefact(object(ArtefactTypeFolder)) at /var/www/mahara-dev/htdocs/artefact/file/form/elements/filebrowser.php:1221
pieform_element_filebrowser_edit_group_folder("1", 5) at /var/www/mahara-dev/htdocs/artefact/file/form/elements/filebrowser.php:126
pieform_element_filebrowser(object(Pieform), array(size 13)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:1378
Pieform->build_element_html(array(size 13)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:659
Pieform->build() at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:162
Pieform::process(array(size 12)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:71
pieform(array(size 12)) at /var/www/mahara-dev/htdocs/artefact/file/groupfiles.php:49
[WAR] 81 (artefact/lib.php:864) Trying to get property of non-object
Call stack (most recent first):
log_message("Trying to get property of non-object", 8, true, true, "/var/www/mahara-dev/htdocs/artefact/lib.php", 864) at /var/www/mahara-dev/htdocs/lib/errors.php:446
error(8, "Trying to get property of non-object", "/var/www/mahara-dev/htdocs/artefact/lib.php", 864, array(size 2)) at /var/www/mahara-dev/htdocs/artefact/lib.php:864
ArtefactType->role_has_permission("member", "edit") at /var/www/mahara-dev/htdocs/auth/user.php:960
User->can_edit_artefact(object(ArtefactTypeFolder)) at /var/www/mahara-dev/htdocs/artefact/file/form/elements/filebrowser.php:1221
pieform_element_filebrowser_edit_group_folder("1", 5) at /var/www/mahara-dev/htdocs/artefact/file/form/elements/filebrowser.php:126
pieform_element_filebrowser(object(Pieform), array(size 13)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:1378
Pieform->build_element_html(array(size 13)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:659
Pieform->build() at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:162
Pieform::process(array(size 12)) at /var/www/mahara-dev/htdocs/lib/pieforms/pieform.php:71
pieform(array(size 12)) at /var/www/mahara-dev/htdocs/artefact/file/groupfiles.php:49
The second way of accessing also gives a box saying "You do not have permission to add content to this folder", while the first does not, and infact shows the upload file and create folder boxes (though you can't add files)
Both of these ways allow the user to access the files within the
folders, or by the url /artefact/file/download.php?file=14
This bug will have to probably change the way permissions work, and
backtrack through all the parent folders making sure the user has
access
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1034180/+subscriptions
