
mahara-contributors team mailing list archive

[Bug 1609200] [NEW] Non-admin role users can edit group settings

 

Public bug reported:

Mahara: master
DB: postgres
OS: Linux
Browser: Firefox

Unfortunately, with the fix for this bug:
https://bugs.launchpad.net/mahara/+bug/1607231

Another bug was introduced.

A non-admin role can edit the group if they know the URL and group id.

The user can directly input the URL of the edit page and save the data:

* http://my.mahara/group/edit.php?id=3

There is no check to make sure the user has admin role.

** Affects: mahara
     Importance: Undecided
     Assignee: Ghada El-Zoghbi (ghada-z)
         Status: New

** Changed in: mahara
     Assignee: (unassigned) => Ghada El-Zoghbi (ghada-z)

https://bugs.launchpad.net/bugs/1609200
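
The missing check described in the report, shown as an added illustration that is not part of the original message and is not Mahara's code: a server-side role gate that runs before the edit form is either displayed or saved. The function names, the role table and the user ids are hypothetical and constructed for the example; group id 3 follows the URL in the report.

```php
<?php
// Added illustration with hypothetical names; not Mahara's code.
declare(strict_types=1);

class AccessDenied extends RuntimeException {}

// Constructed sample data: group id => [user id => role].
const GROUP_ROLES = [
    3 => [10 => 'admin', 11 => 'member'],
];

// Returns the user's role in the group, or null if they are not a member.
function group_role(int $groupId, int $userId): ?string
{
    return GROUP_ROLES[$groupId][$userId] ?? null;
}

// Server-side gate: knowing the URL and the group id is not authorization.
function require_group_admin(int $groupId, int $userId): void
{
    if (group_role($groupId, $userId) !== 'admin') {
        throw new AccessDenied("user $userId may not edit group $groupId");
    }
}

// Handles both displaying the edit form (GET) and saving it (POST).
// The role check runs first for every method, so a request typed directly
// into the address bar is refused the same way as a form submission.
function handle_group_edit(string $method, int $groupId, int $userId, array $post, array &$settings): string
{
    require_group_admin($groupId, $userId);
    if ($method === 'POST') {
        $settings[$groupId]['name'] = (string) ($post['name'] ?? $settings[$groupId]['name']);
        return 'saved';
    }
    return 'form';
}

// Constructed requests: an admin (10), a plain member (11), a non-member (12).
$settings = [3 => ['name' => 'Original name']];
foreach ([[10, 'POST'], [11, 'GET'], [11, 'POST'], [12, 'POST']] as [$user, $method]) {
    try {
        $result = handle_group_edit($method, 3, $user, ['name' => "set by $user"], $settings);
    } catch (AccessDenied $e) {
        $result = 'denied';
    }
    echo "user=$user method=$method -> $result\n";
}
echo "final name: {$settings[3]['name']}\n";
```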
