mahara-contributors team mailing list archive

[Mahara Bot <1385564@xxxxxxxxxxxxxxxxxx>]

Patch for "1.9_STABLE" branch: https://reviews.mahara.org/4035

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1385564

Title:
  Secret URLs used on public computers leak access to later users of the
  same browser

Status in Mahara ePortfolio:
  Fix Committed
Status in Mahara 1.10 series:
  Fix Committed
Status in Mahara 1.8 series:
  Fix Committed
Status in Mahara 1.9 series:
  Fix Committed

Bug description:
  If a user (or group) creates a private page and gives it a secret URL,
  and then the page is accessed by the secret URL on a public computer
  and the user doesn't close their browser window afterwards, other
  users will also be able to access that page by its normal url or its
  secret URL.

  This can defy user expectations of access rights.

  Eg
  1. group A admin creates a page and shares it only with the group, the page has the id=8
  2. group A admin create a secret url for the page, eg /view/view.php?t=nFlSjpVuUCawH6TxP7A3
  3. User 1, who is not in the group, goes to the page by its secret URL. (While using a computer at the library.)
  4. User 1 then logs out, but doesn't close their browser window.
  5. User 2 comes to the computer and goes to /view/view.php?id=8

  Expected result - User 2 can't access the page as they don't know the
  secret url

  Actual result - User 2 can access the page

  This is reported here:
  https://mahara.org/interaction/forum/topic.php?id=6520

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1385564/+subscriptions