mahara-contributors team mailing list archive

[Bug 1863043] A change has been merged

 

Reviewed:  https://reviews.mahara.org/10759
Committed: https://git.mahara.org/mahara/mahara/commit/75a96408975052001eee7caa711fe8c005d34c85
Submitter: Robert Lyon (robertl@xxxxxxxxxxxxxxx)
Branch:    master

commit 75a96408975052001eee7caa711fe8c005d34c85
Author: Lisa Seeto <lisaseeto@xxxxxxxxxxxxxxx>
Date:   Fri Feb 14 14:12:43 2020 +1300

Bug 1857935: Display people from own
institution(s) first when searching for them during portfolio sharing

- added in check when searching users to display users in institutions first
- added in select2js datasource formatting to get user dropdown categories
- limit the type of data returned in ajax calls to limit data risks (Bug 1863043)
- refactor json and tpl
- refactor sql, show institution display name

Change-Id: I478a4d9534bf1de820ca59d60ca7768685e36a96
Signed-off-by: Lisa Seeto <lisaseeto@xxxxxxxxxxxxxxx>

https://bugs.launchpad.net/bugs/1863043

Title:
  Don't display personal information beyond what is necessary in "Edit
  access" Ajax response

Status in Mahara:
  Fix Committed
Status in Mahara 18.10 series:
  Fix Released
Status in Mahara 19.04 series:
  Fix Released
Status in Mahara 19.10 series:
  Fix Released
Status in Mahara 20.04 series:
  Fix Committed

Bug description:
  When you are on view/access.php?id=[page ID] and open the network
  connections (you will need to reload the page to see traffic come
  through), you can see more information about an account holder than
  you should:

  1. Open the "Network" tab.
  2. Click on acces.json.php.
  3. Show the "Response" information.

  Username and other personal information that should not be displayed
  is shown, which can mean that information about other people is
  leaked.

  When we compose a message in the inbox, that same sort of disclosure
  does not happen.  So, sendmessage.json.php handles things in a better
  way.

  We should only disclose as much information in the "Response" as we do
  in the select menu, i.e. use the normal display name function as some
  people may not want to share their first and last name. Things will be
  different depending on their role.

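One way to apply the response limiting this bug asks for, as an added PHP example that is not Mahara's code or the merged change: build the Ajax result from an explicit field allowlist and a display-name helper, grouped for a select2 dropdown. All function names, field names, group labels and sample rows are assumptions made for illustration.

```php
<?php
// Added illustration, not Mahara code: all function, field and key names are hypothetical.

// Only these keys may leave the server in the search response.
const RESPONSE_FIELDS = ['id', 'text'];

// Display name as the account holder chose to present it: a preferred
// name, when set, replaces first and last name.
function example_display_name(array $row): string {
    $preferred = trim($row['preferredname'] ?? '');
    return $preferred !== '' ? $preferred : trim($row['firstname'] . ' ' . $row['lastname']);
}

// Turn raw account rows into select2-style grouped results, listing
// people from the searcher's own institutions first.
function example_search_response(array $rows, array $myinstitutions): array {
    $groups = ['own' => [], 'other' => []];
    foreach ($rows as $row) {
        $item = ['id' => (int) $row['id'], 'text' => example_display_name($row)];
        // Defence in depth: drop anything that is not on the allowlist,
        // so a later change to $item cannot widen the response silently.
        $item = array_intersect_key($item, array_flip(RESPONSE_FIELDS));
        $own = in_array($row['institution'], $myinstitutions, true);
        $groups[$own ? 'own' : 'other'][] = $item;
    }
    $results = [];
    if ($groups['own']) { $results[] = ['text' => 'My institutions', 'children' => $groups['own']]; }
    if ($groups['other']) { $results[] = ['text' => 'Other people', 'children' => $groups['other']]; }
    return ['results' => $results];
}

// Constructed sample rows, as a database query might return them.
$rows = [
    ['id' => 7, 'username' => 'jdoe', 'email' => 'jdoe@example.org', 'firstname' => 'Jane',
     'lastname' => 'Doe', 'preferredname' => 'JD', 'institution' => 'uni-a'],
    ['id' => 9, 'username' => 'asmith', 'email' => 'asmith@example.org', 'firstname' => 'Alex',
     'lastname' => 'Smith', 'preferredname' => '', 'institution' => 'uni-b'],
];

$json = json_encode(example_search_response($rows, ['uni-a']));
// Regression check: no username, e-mail or real name hidden behind a preferred name.
foreach (['jdoe', 'asmith', 'example.org', 'Jane', 'Doe'] as $leak) {
    if (strpos($json, $leak) !== false) { throw new RuntimeException("leaked: $leak"); }
}
echo $json, PHP_EOL;
```

The same leak check can be run against a captured "Response" body from the browser's Network tab to confirm that only the display name and an identifier are returned.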