mahara-contributors team mailing list archive
Message #27666
[Bug 1460368] Re: Even if you disallow anonymous comments at the site level, you can still place anonymous comments on artefacts
Hi Wen-Chang Chien,
Thanks for reporting this issue! I've added your name to the list of
security contributors to the Mahara project:
https://wiki.mahara.org/wiki/Contributors#Mahara_code
Let me know if you'd like to have your Twitter handle or other website
on there (or if you want to be removed from the page).
Cheers,
Aaron
** Information type changed from Private Security to Public Security
https://bugs.launchpad.net/bugs/1460368
Title:
Even if you disallow anonymous comments at the site level, you can
still place anonymous comments on artefacts
Status in Mahara ePortfolio:
Fix Committed
Status in Mahara 1.10 series:
Fix Committed
Status in Mahara 1.9 series:
Fix Committed
Status in Mahara 15.04 series:
Fix Committed
Status in Mahara 15.10 series:
Fix Committed
Bug description:
The anonymous comments function is enabled on the artefact page of a publicly shared page that disallows anonymous comments.
Here's how to replicate the specific bug:
0. Clean install of Mahara
1. Log in as admin
2. Go to Administration -> Configure site -> Site options -> User Settings
3. Set [Anonymous comments] OFF
4. Go to Portfolio -> Create a new Page -> Store a picture on this page.
5. Edit this new page access -> Enable [Share with public] and [Allow comments].
6. Log out.
7. Open this page as guest role.
8. Click one picture of this page.
9. [Anonymous comments] function is enabled on artefact page.
I found the cause of this bug.
In /artefact/artefact.php, Line 149
==================================================
if ($artefact->get('allowcomments')) {
    // The comment form is built whenever the artefact allows comments;
    // the site-level 'anonymouscomments' setting is never consulted here.
    $addfeedbackform = pieform(ArtefactTypeComment::add_comment_form(false, $artefact->get('approvecomments')));
    $extrastylesheets[] = 'style/jquery.rating.css';
    $javascript[] = 'jquery.rating';
}
==================================================
I suggest
if ($artefact->get('allowcomments'))
change to:
if ($artefact->get('allowcomments') && ( $USER->is_logged_in() ||
(!$USER->is_logged_in() && get_config('anonymouscomments')))) {
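The condition quoted in the report and the suggested replacement, compared over every input combination, as an added example that is not part of the original message and is not Mahara code. StubUser and the three form_shown_* functions are hypothetical stand-ins for $USER, get_config('anonymouscomments') and the check in artefact.php.

```php
<?php
// Added example, not Mahara code. StubUser stands in for Mahara's $USER and
// the $anonymouscomments argument for get_config('anonymouscomments').
final class StubUser {
    private $loggedin;
    public function __construct(bool $loggedin) { $this->loggedin = $loggedin; }
    public function is_logged_in(): bool { return $this->loggedin; }
}

// Condition quoted in the report: only the artefact's own flag is consulted.
function form_shown_before(bool $allowcomments, StubUser $user, bool $anonymouscomments): bool {
    return $allowcomments;
}

// Condition suggested in the report.
function form_shown_after(bool $allowcomments, StubUser $user, bool $anonymouscomments): bool {
    return $allowcomments && ($user->is_logged_in()
        || (!$user->is_logged_in() && $anonymouscomments));
}

// Equivalent shorter condition: in A || (!A && B) the !A term is redundant.
function form_shown_short(bool $allowcomments, StubUser $user, bool $anonymouscomments): bool {
    return $allowcomments && ($user->is_logged_in() || $anonymouscomments);
}

// Walk all eight input combinations and return the ones the fix changes.
function changed_cases(): array {
    $changed = [];
    foreach ([false, true] as $allow) {
        foreach ([false, true] as $loggedin) {
            foreach ([false, true] as $anon) {
                $user = new StubUser($loggedin);
                $after = form_shown_after($allow, $user, $anon);
                if ($after !== form_shown_short($allow, $user, $anon)) {
                    throw new LogicException('short form differs from suggested form');
                }
                if (form_shown_before($allow, $user, $anon) !== $after) {
                    $changed[] = ['allowcomments' => $allow, 'logged_in' => $loggedin,
                                  'anonymouscomments' => $anon];
                }
            }
        }
    }
    return $changed;
}

foreach (changed_cases() as $case) {
    echo json_encode($case), " : form was shown before, hidden after\n";
}
```

A condition like this only decides whether the form is rendered, so the same predicate belongs in the code path that accepts a submitted comment.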