← Back to team overview

mahara-contributors team mailing list archive

  1. mahara-contributors team
  2. Mailing list archive
  3. Message #31874

[Bug 1521818] Re: Tagged journal entries still accessible even after no longer being displayed in block

  Thread PreviousDate PreviousThread Next 
** Summary changed:

- accessing artefact through view without permission
+ Tagged journal entries still accessible even after no longer being displayed in block

** Information type changed from Public to Public Security

** Also affects: mahara/15.10
   Importance: Undecided
       Status: New

** Also affects: mahara/15.04
   Importance: Undecided
       Status: New

** Also affects: mahara/16.04
   Importance: Undecided
       Status: New

** Changed in: mahara/15.04
    Milestone: None => 15.04.6

** Changed in: mahara/15.04
   Importance: Undecided => Medium

** Changed in: mahara/15.10
   Importance: Undecided => Medium

** Changed in: mahara/16.04
   Importance: Undecided => Medium

** Tags added: blog privacy security

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1521818

Title:
  Tagged journal entries still accessible even after no longer being
  displayed in block

Status in Mahara:
  New
Status in Mahara 15.04 series:
  New
Status in Mahara 15.10 series:
  New
Status in Mahara 16.04 series:
  New

Bug description:
  A user received a comment for an artefact that is not actually shared
  publicly.

  Looking into the problem, I've been able to replicate the issue. It
  goes as such :

  - Create a view
  - Add a Tagged journal entries block with tag A
  - save and share view with public
  - Edit block and change the selected tag to tag B
  - save

  Journal entries with tag A are still accessible to the public even
  though they are not being displayed on the view.

  It's is imperative that deleted artefact from a view cannot be
  accessed. It's clearly a breach of privacy.

  We're using Mahara 15.04 .2 on Linux with MySQL

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1521818/+subscriptions

References

  Thread PreviousDate PreviousThread Next