
mahara-contributors team mailing list archive

[Bug 1607231] [NEW] Access denied error when editing institution group as group admin


Public bug reported:

Mahara: 16.04.2
DB: Postgres
OS: Linux
Browser: Firefox

A user assigned the role of 'Admin' in a group is not able to update the
group.

This group was created via CSV upload and was assigned to an institution
(i.e. institution1).

The group admin user is able to enter the settings and make changes.
When they click the 'Save group' button, they get an error:

Access denied
You do not have access to view this page.
group_update: cannot update a group in this institution


The check is on line 577 in htdocs/lib/group.php where it checks:

* if (!empty($old->institution) && $old->institution != 'mahara') {

This check was put in for bug:
https://bugs.launchpad.net/mahara/+bug/1420590

Which fixes an issue for groups that are in 'no institution'.

What I don't understand is why it's checking - on line 581 - if a user
can edit the institution that group belongs to:

* if (!$USER->can_edit_institution($old->institution)) {


Surely if a user is an admin of the group, they can update it - whether that group is associated with an institution or not, and whether or not the user can edit that institution.

Shouldn't this check be if the user is an admin of the group - not
institution?

i.e. replace lines 577 to 584 with:

    global $USER;
    // Deny unless the current user holds the 'admin' role in this group.
    if (group_user_access($old->id, $USER->get('id'), true) != 'admin') {
        throw new AccessDeniedException("group_update: cannot update group");
    }


Am I missing something?

** Affects: mahara
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1607231

Title:
  Access denied error when editing institution group as group admin

Status in Mahara:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1607231/+subscriptions
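An added illustration (not Mahara's code, and not the fix that was eventually applied) of how the two concerns in the check quoted above can be kept apart: a group admin is enough for ordinary group settings, while moving the group between institutions still requires institution rights. The fixture arrays and the stub functions standing in for group_user_access() and $USER->can_edit_institution() are assumptions.

```php
<?php
// Added illustration, not Mahara's code: keep "edit my group's settings" (group admin
// is enough) separate from "move my group to another institution" (institution rights).
// Constructed fixtures standing in for Mahara's database (assumptions).
$GROUPS = [
    1 => ['institution' => 'institution1', 'members' => [10 => 'admin', 11 => 'member']],
];
$INSTITUTION_EDITORS = [10 => [], 30 => ['institution1', 'institution2']];
// Stand-in for Mahara's group_user_access(): the user's role in the group, or false.
function group_user_access_stub($groupid, $userid) {
    global $GROUPS;
    return $GROUPS[$groupid]['members'][$userid] ?? false;
}
// Stand-in for $USER->can_edit_institution(): true if the user administers $inst.
function can_edit_institution_stub($userid, $inst) {
    global $INSTITUTION_EDITORS;
    return in_array($inst, $INSTITUTION_EDITORS[$userid] ?? [], true);
}
// Mirrors the report's line-577 condition: unset and the site default 'mahara' don't count.
function is_real_institution($inst) {
    return !empty($inst) && $inst !== 'mahara';
}

// Returns null when $userid may apply $new to group $old, otherwise the denial reason.
function group_update_denied($old, $new, $userid) {
    $oldInst = $old->institution ?? null;
    $newInst = $new->institution ?? $oldInst;   // absent field means "unchanged"
    $groupAdmin = group_user_access_stub($old->id, $userid) === 'admin';
    $instEditor = is_real_institution($oldInst) && can_edit_institution_stub($userid, $oldInst);
    // Ordinary settings: a group admin suffices, as the report argues.
    if (!$groupAdmin && !$instEditor) {
        return 'cannot update group';
    }
    // Changing the institution is the case the old institution check still matters for.
    if ($newInst !== $oldInst) {
        foreach ([$oldInst, $newInst] as $inst) {
            if (is_real_institution($inst) && !can_edit_institution_stub($userid, $inst)) {
                return "cannot move group into or out of institution $inst";
            }
        }
    }
    return null;
}

// Worked cases: user 10 is group admin of group 1 (institution1) but edits no institution.
$old = (object)['id' => 1, 'institution' => 'institution1'];
var_dump(group_update_denied($old, (object)['name' => 'Renamed'], 10));             // rename only
var_dump(group_update_denied($old, (object)['institution' => 'institution2'], 10)); // move, no rights
var_dump(group_update_denied($old, (object)['institution' => 'institution2'], 30)); // move as editor
```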
