mahara-contributors team mailing list archive

Thread
Date

[Bug 1607231] A change has been merged

To: mahara-contributors@xxxxxxxxxxxxxxxxxxx
From: Mahara Bot <1607231@xxxxxxxxxxxxxxxxxx>
Date: Mon, 01 Aug 2016 04:40:26 -0000
Reply-to: Bug 1607231 <1607231@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Reviewed:  https://reviews.mahara.org/6756
Committed: https://git.mahara.org/mahara/mahara/commit/d3261e3341b53a41c2966f834cb78780878e69ff
Submitter: Aaron Wells (aaronw@xxxxxxxxxxxxxxx)
Branch:    master

commit d3261e3341b53a41c2966f834cb78780878e69ff
Author: Ghada El-Zoghbi <ghada@xxxxxxxxxxxxxxx>
Date:   Thu Jul 28 17:34:28 2016 +1000

bug#1607231: Remove check if user is an admin of the institution when
updating a group.

behatnotneeded

Change-Id: I2eada9b65cc174900cdb6584c13905410c91c673

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1607231

Title:
  Access denied error when editing institution group as group admin

Status in Mahara:
  Fix Committed

Bug description:
  Mahara: 16.04.2
  DB: Postgres
  OS: Linux
  Browser: Firefox

  A user assigned the role of 'Admin' in a group is not able to update
  the group.

  This group was created via CSV upload and was assigned to an
  institution (i.e. institution1).

  The group admin user is able to enter the settings and make changes.
  When they click the 'Save group' button, they get an error:

  Access denied
  You do not have access to view this page.
  group_update: cannot update a group in this institution

  
  The check is on line 577 in htdocs/lib/group.php where it checks:

  * if (!empty($old->institution) && $old->institution != 'mahara') {

  This check was put in for bug:
  https://bugs.launchpad.net/mahara/+bug/1420590

  Which fixes an issue for groups that are in 'no institution'.

  What I don't understand is why it's checking - on line 581 - if a user
  can edit the institution that group belongs to:

  * if (!$USER->can_edit_institution($old->institution)) {

  
  Surely if a user is an admin of the group, they can update it - whether that group is associated with an institution or not. And, if the user can edit that institution or not.

  Shouldn't this check be if the user is an admin of the group - not
  institution?

  i.e. replace lines 577 to 584 with:

      global $USER;
      if (group_user_access($old->id, $USER->get('id'), true) != 'admin') {
          throw new AccessDeniedException("group_update: cannot update group");
      }

  
  Am I missing something?

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1607231/+subscriptions

References

[Bug 1607231] [NEW] Access denied error when editing institution group as group admin
From: Ghada El-Zoghbi, 2016-07-28