mahara-contributors team mailing list archive
Message #31877
[Bug 1521818] Re: Tagged journal entries block granting access to all entries in the journal
Haha, I just noticed that the first paragraph of my previous comment was
a little garbled there, because originally I'd thought you needed to
know the exact URL of the journal and journal entries, and then I went
to check on that and found those links I mentioned.

What it should probably say there is "So if a journal contains even a
single tagged journal entry that matches that block, a user who can view
the page can also view every entry in the journal." And then nothing
about needing to know the URL for the journal.

Thinking about this more, I bet the reason it behaves like this is
because the tagged journal entries block was originally derived from the
"Recent journal entries" block. And for that block, it more or less
makes sense that you gain access to the entire journal.

** Changed in: mahara/15.04
Importance: Medium => High
** Changed in: mahara/15.10
Importance: Medium => High
** Changed in: mahara/16.04
Importance: Medium => High
** Changed in: mahara/15.04
Status: New => Confirmed
** Changed in: mahara/15.10
Status: New => Confirmed
** Changed in: mahara/16.04
Status: New => Confirmed
https://bugs.launchpad.net/bugs/1521818
Title:
Tagged journal entries block granting access to all entries in the
journal
Status in Mahara:
Confirmed
Status in Mahara 15.04 series:
Confirmed
Status in Mahara 15.10 series:
Confirmed
Status in Mahara 16.04 series:
Confirmed
Bug description:
A user received a comment for an artefact that is not actually shared
publicly.
Looking into the problem, I've been able to replicate the issue. It
goes as such:
1. Create a journal with two entries. Give one the tag "tag1" and the other the tag "tag2".
2. Create a view
3. Add a Tagged journal entries block with "tag1"
4. Save and share the view with the public.
5. Click in the tagged journal entries block to view the artefact detail page for the tag1 journal entry.
6. Copy the URL for the tag1 journal entry's page, and save this somewhere
7. Edit the tagged journal entry block and change it to "tag2" instead.
8. Log out
9. While logged out, view the URL for the tag1 journal entry
Expected result: Access denied
Actual result: You can view the tag1 journal entry. Indeed, you can
navigate up and view the entire journal.
Journal entries with tag A are still accessible to the public even
though they are not being displayed on the view.
It is imperative that artefacts deleted from a view cannot be
accessed. It's clearly a breach of privacy.
We're using Mahara 15.04.2 on Linux with MySQL.
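
The following is an added illustration, not part of the original message and not Mahara code: a simplified model of the access decision described in this report, contrasting a journal-level grant with an entry-level check. All class and function names are hypothetical, and the sample journal is constructed to mirror the reproduction steps.

```python
from dataclasses import dataclass, field

@dataclass
class Entry:
    id: int
    journal_id: int
    tags: frozenset

@dataclass
class TaggedBlock:              # models a "Tagged journal entries" block
    tag: str

@dataclass
class Page:
    public: bool
    blocks: list = field(default_factory=list)

def can_view_entry_flawed(page, entry, all_entries):
    """Reported behaviour: if any entry of the journal matches a block's
    tag, every entry in that journal becomes viewable through the page."""
    if not page.public:
        return False
    return any(
        e.journal_id == entry.journal_id and block.tag in e.tags
        for block in page.blocks
        for e in all_entries
    )

def can_view_entry_strict(page, entry):
    """Entry-level check: the requested entry itself must carry the tag
    the block is configured with at request time."""
    return page.public and any(b.tag in entry.tags for b in page.blocks)

def demo():
    # Constructed sample data: one journal, two entries (steps 1-4).
    e1 = Entry(1, 10, frozenset({"tag1"}))
    e2 = Entry(2, 10, frozenset({"tag2"}))
    entries = [e1, e2]
    page = Page(public=True, blocks=[TaggedBlock("tag1")])
    # Public request for the tag2 entry while the block shows tag1.
    before = (can_view_entry_flawed(page, e2, entries),
              can_view_entry_strict(page, e2))
    page.blocks[0].tag = "tag2"  # step 7: block switched to tag2
    # Public request for the saved tag1 entry URL (step 9).
    after = (can_view_entry_flawed(page, e1, entries),
             can_view_entry_strict(page, e1))
    return before, after

if __name__ == "__main__":
    print(demo())
```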