mahara-contributors team mailing list archive

[Stéphane <smlavoie@xxxxxxxxxxx>]

Public bug reported:

A user received a comment for an artefact that is not actually shared
publicly.

Looking into the problem, I've been able to replicate the issue. It goes
as such :

- Create a view
- Add a Tagged journal entries block with tag A
- save and share view with public
- Edit block and change the selected tag to tag B
- save

Journal entries with tag A are still accessible to the public even
though they are not being displayed on the view.

It's is imperative that deleted artefact from a view cannot be accessed.
It's clearly a breach of privacy.

We're using Mahara 15.04 .2 on Linux with MySQL

** Affects: mahara
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1521818

Title:
  accessing artefact through view without permission

Status in Mahara:
  New

Bug description:
  A user received a comment for an artefact that is not actually shared
  publicly.

  Looking into the problem, I've been able to replicate the issue. It
  goes as such :

  - Create a view
  - Add a Tagged journal entries block with tag A
  - save and share view with public
  - Edit block and change the selected tag to tag B
  - save

  Journal entries with tag A are still accessible to the public even
  though they are not being displayed on the view.

  It's is imperative that deleted artefact from a view cannot be
  accessed. It's clearly a breach of privacy.

  We're using Mahara 15.04 .2 on Linux with MySQL

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1521818/+subscriptions