mahara-contributors team mailing list archive
Message #36910
[Bug 1609200] [NEW] Non-admin role users can edit group settings
Public bug reported:
Mahara: master
DB: postgres
OS: Linux
Browser: Firefox
Unfortunately, with the fix for this bug:
https://bugs.launchpad.net/mahara/+bug/1607231
another bug was introduced.
A non-admin role can edit the group if they know the URL and group id.
The user can directly input the URL of the edit page and save the data:
* http://my.mahara/group/edit.php?id=3
There is no check to make sure the user has admin role.
** Affects: mahara
Importance: Undecided
Assignee: Ghada El-Zoghbi (ghada-z)
Status: New
** Changed in: mahara
Assignee: (unassigned) => Ghada El-Zoghbi (ghada-z)
https://bugs.launchpad.net/bugs/1609200
Title:
Non-admin role users can edit group settings
Status in Mahara:
New
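The missing check the report describes, sketched as an added example (not Mahara's code and not part of the original message): the handler looks up the logged-in user's role for the requested group on every request, so typing the edit URL directly gains nothing. All function and class names and the membership data are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical names throughout; this is not Mahara's API.
final class AccessDenied extends RuntimeException {}

// Role of $userId in $groupId, or null when the user is not a member.
function role_in_group(array $memberships, int $groupId, int $userId): ?string {
    return $memberships[$groupId][$userId] ?? null;
}

// Stand-in for group/edit.php. The id arrives in the query string and is
// user-controlled, so the role is resolved server-side from the session user
// before the form is shown and before any submitted data is saved.
function handle_group_edit(array $query, int $sessionUserId, ?array $post,
                           array $memberships, array &$store): string {
    $groupId = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT);
    if ($groupId === false || !array_key_exists($groupId, $memberships)) {
        throw new AccessDenied('no such group');
    }
    if (role_in_group($memberships, $groupId, $sessionUserId) !== 'admin') {
        throw new AccessDenied('group admin role required');
    }
    if ($post !== null) {               // save path
        $store[$groupId] = ['name' => (string)($post['name'] ?? '')];
        return 'saved';
    }
    return 'form';                      // view path
}

// Constructed sample data: group 3 has one admin (10) and one member (11).
$memberships = [3 => [10 => 'admin', 11 => 'member']];
$store = [3 => ['name' => 'Original']];

// Regression check: each user submits the edit form by direct URL.
foreach ([11 => 'member', 12 => 'non-member', 10 => 'admin'] as $uid => $label) {
    try {
        $result = handle_group_edit(['id' => '3'], $uid,
                                    ['name' => "set by $label"], $memberships, $store);
    } catch (AccessDenied $e) {
        $result = 'denied: ' . $e->getMessage();
    }
    printf("%-10s POST group/edit.php?id=3 -> %s (name=%s)\n",
           $label, $result, $store[3]['name']);
}
```

Run with the PHP CLI; the group name changes only on the admin's request, which is the behaviour a regression test for this bug should pin down.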