mahara-contributors team mailing list archive
Message #19313
[Bug 1323162] Re: Add inline display of comments to activity stream
The link for show more comments can be hacked to fetch private data.
To test:
1) Create a page with User A - make sure it is private (not shared with anyone) and as User A add at least 6 feedbacks to the page.
2) Add feedback as 'home stream' in your notification settings.
3) Now go and edit the 'Dashboard' page and add the activity stream block to the page.
- Look at the source code to find what activityid is related to this. You should be able to find a string like this: id="commentsblock25" so in this case 25 is the id we want to know.
Now log in as User B and do steps 1 - 3 again.
As User B edit the source with Firebug and change the activityid number
in the 'Show older comments' link to be the one from user A and change
the id="commentsblockXX" to be the one from user A as well.
Click the link and it retrieves the comments for User A, so now User B
can see the comments on a page they have no valid access to.
It should return an error.
--
https://bugs.launchpad.net/bugs/1323162
Title:
Add inline display of comments to activity stream
Status in Mahara ePortfolio:
New
Bug description:
This patch will add a Show/Hide toggle which will show comments which
belong to an activity's base object. For example, if a "New page
access" activity is displayed in the activity stream, the Show
comments button will expand a section to show the comments that are on
that page.
Only a subset of comments are shown, to prevent too much being
displayed at once. Controls allow the user to show more.
If the activity is a "comment" activity then the comments section will
automatically be expanded.
If a user wants to add a comment or delete a comment then they need to
go to the activity's object's page and perform the action there. We
may add a patch in the future which will allow users to add (and maybe
delete) comments directly in the activity stream.
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1323162/+subscriptions
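The server-side check the report asks for ("It should return an error"), as an added example that is not Mahara code and not part of the original message: the handler resolves the client-supplied activity id to its page and authorizes the logged-in user against that page before returning any comments. All function names, array layouts and sample data are hypothetical and constructed for illustration.

```php
<?php
// Constructed sample data standing in for database tables (not Mahara's schema).
$views = [
    10 => ['owner' => 'userA', 'shared_with' => []],         // private page
    11 => ['owner' => 'userB', 'shared_with' => []],         // private page
];
$activities = [
    25 => ['viewid' => 10],   // userA's activity, as in id="commentsblock25"
    26 => ['viewid' => 11],   // userB's activity
];
$comments = [
    10 => ['A1', 'A2', 'A3', 'A4', 'A5', 'A6'],
    11 => ['B1', 'B2', 'B3', 'B4', 'B5', 'B6'],
];

// Hypothetical access rule: the owner, or a user the page is shared with.
function viewer_can_see_view(array $view, string $viewer): bool {
    return $view['owner'] === $viewer
        || in_array($viewer, $view['shared_with'], true);
}

// Hypothetical handler behind the 'Show older comments' link.
// $activityid arrives from the browser and is untrusted; $viewer must come
// from the server-side session, never from the request.
function fetch_older_comments($activityid, string $viewer, int $offset, int $limit): array {
    global $views, $activities, $comments;
    $denied = ['error' => true, 'message' => 'Access denied'];

    $id = filter_var($activityid, FILTER_VALIDATE_INT);
    if ($id === false || !isset($activities[$id])) {
        return $denied;
    }
    $viewid = $activities[$id]['viewid'];
    // Authorize against the object the comments belong to, on every request.
    if (!viewer_can_see_view($views[$viewid], $viewer)) {
        // Same response as for an unknown id, so ids cannot be probed.
        return $denied;
    }
    return ['error' => false,
            'comments' => array_slice($comments[$viewid], $offset, $limit)];
}

// userB replays the request with userA's activity id, then uses their own.
echo json_encode(fetch_older_comments('25', 'userB', 0, 5)), "\n";
echo json_encode(fetch_older_comments('26', 'userB', 0, 5)), "\n";
// userA requests their own activity.
echo json_encode(fetch_older_comments('25', 'userA', 0, 5)), "\n";
```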