mahara-contributors team mailing list archive
Message #37033
[Bug 1609200] Re: Non-admin role users can edit group settings
** Changed in: mahara/16.04
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1609200
Title:
Non-admin role users can edit group settings
Status in Mahara:
Fix Committed
Status in Mahara 15.04 series:
Fix Released
Status in Mahara 15.10 series:
Fix Released
Status in Mahara 16.04 series:
Fix Released
Status in Mahara 16.10 series:
Fix Committed
Bug description:
Only the admin of a group should be able to change the group's
settings (via group/edit.php). But any member of a group can view and
edit the settings if they go to the URL directly:
* http://my.mahara/group/edit.php?id=3
There is no check to make sure the user has admin role.
To replicate:
1. Create a group as User 1. Note the group's id
2. Add User 2 to the group as a "member" (not an "admin")
3. Log in as User 2
4. Type in e.g. http://my.mahara/group/edit.php?id=X , where X is the group's ID
Expected result: You get an error message saying "You can't edit this
group"
Actual result: You see the group config page, and you can make changes
and they will be saved.
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1609200/+subscriptions
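The report above comes down to a missing server-side role check on group/edit.php. The following PHP is an added example, not Mahara's code or its actual fix: it places the role check ahead of both the form view and the save path, then replays the report's steps. All function and class names and the membership data are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration: every name here is hypothetical, not Mahara's API.
class AccessDenied extends RuntimeException {}

// Constructed sample data: group id => [user id => role].
const MEMBERSHIPS = [
    3 => [1 => 'admin', 2 => 'member'],
];

// Returns the user's role in the group, or null if they are not a member.
function group_role(int $groupId, int $userId): ?string
{
    return MEMBERSHIPS[$groupId][$userId] ?? null;
}

// Deny by default: anything other than an explicit 'admin' role is refused.
function require_group_admin(int $groupId, int $userId): void
{
    if (group_role($groupId, $userId) !== 'admin') {
        throw new AccessDenied("You can't edit this group");
    }
}

function handle_group_edit(string $method, int $groupId, int $userId, array $post, array &$settings): string
{
    // The check the report says is missing. It runs before the form is
    // rendered (GET) and before any submitted change is saved (POST).
    require_group_admin($groupId, $userId);
    if ($method === 'POST') {
        $settings[$groupId] = array_merge($settings[$groupId] ?? [], $post);
        return 'saved';
    }
    return 'form';
}

// Replay the report: User 1 is the group admin, User 2 a plain member, User 9 not in the group.
$settings = [3 => ['name' => 'Original']];
foreach ([[1, 'GET'], [1, 'POST'], [2, 'GET'], [2, 'POST'], [9, 'POST']] as [$user, $method]) {
    try {
        $result = handle_group_edit($method, 3, $user, ['name' => "Changed by $user"], $settings);
    } catch (AccessDenied $e) {
        $result = 'denied: ' . $e->getMessage();
    }
    printf("user %d %-4s -> %s (name=%s)\n", $user, $method, $result, $settings[3]['name']);
}
```

Hiding the settings link from non-admins does not substitute for this check, since the report reaches the page by typing the URL directly.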