mahara-contributors team mailing list archive

Thread
Date

[Bug 1385564] Re: Secret URLs used on public computers leak access to later users of the same browser

To: mahara-contributors@xxxxxxxxxxxxxxxxxxx
From: Aaron Wells <1385564@xxxxxxxxxxxxxxxxxx>
Date: Tue, 28 Oct 2014 22:10:54 -0000
Reply-to: Bug 1385564 <1385564@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

There is a way to keep the URL out of the browser history, as I
mentioned here:
https://bugs.launchpad.net/mahara/+bug/1385564/comments/5 .

You just have to do a 302-redirect to the page's real URL. But the
problem is that it'll also keep the secret URL out of the address bar,
and that will interfere with the user's ability to bookmark the URL, and
I think that's too much of an impact on usability.

For that matter, kicking the secret URL out of the browser history would
also have too negative an impact on usability. I know when I access
Google documents that are shared with me by URL, for instance, I usually
rely on my browser history (specifically, address-bar autocomplete) to
return to the document later. That wouldn't work if we eradicated the
secret URL from the browser history.

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1385564

Title:
  Secret URLs used on public computers leak access to later users of the
  same browser

Status in Mahara ePortfolio:
  Confirmed

Bug description:
  If a user (or group) creates a private page and gives it a secret URL,
  and then the page is accessed by the secret URL on a public computer
  and the user doesn't close their browser window afterwards, other
  users will also be able to access that page by its normal url or its
  secret URL.

  This can defy user expectations of access rights.

  Eg
  1. group A admin creates a page and shares it only with the group, the page has the id=8
  2. group A admin create a secret url for the page, eg /view/view.php?t=nFlSjpVuUCawH6TxP7A3
  3. User 1, who is not in the group, goes to the page by its secret URL. (While using a computer at the library.)
  4. User 1 then logs out, but doesn't close their browser window.
  5. User 2 comes to the computer and goes to /view/view.php?id=8

  Expected result - User 2 can't access the page as they don't know the
  secret url

  Actual result - User 2 can access the page

  This is reported here:
  https://mahara.org/interaction/forum/topic.php?id=6520

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1385564/+subscriptions