mahara-contributors team mailing list archive

[Bug 1897476] [NEW] Access rules still apply after 'Isolated institutions' is turned on

*** This bug is a security vulnerability ***

Private security bug reported:

When a site's config is changed to allow for isolated institutions,
access rules are hidden from the 'Edit access' page, but they are not
removed until that form is saved. That shouldn't happen. The access
rules should be removed and nobody who is not on the remaining access
rule should have access to the portfolio. We can't rely on people saving
their 'Edit access' form to have isolation take effect on a site that
turns into an isolated institution site.

To replicate:

1. Set up a site without isolated institutions turned on and have
- 2 institutions
- 1 person in each institution who are not site admins
- Person A shares their portfolio with their institution and registered account holders.
2. Check that Person B from the other institution can see the page.
3. Turn on isolated institutions by adding the config.php setting $cfg->isolatedinstitutions = true;
4. Log in as Person B.
Expected result: You do not see the page from Person A listed on your dashboard in the 'Latest changes I can view' block and you do not have access to the actual page.
Actual result: You can see the page.
5. Log in as Person A.
6. Go to 'Shared by me' and click the 'Edit access' icon.
Expected result: You only see the sharing rule for your institution.
Actual result: You only see the sharing rule for your institution but also the warning 'We have hidden 1 access rules due to isolated institutions being in effect. The hidden rules will be removed once the form is saved.'
7. Save the form.
8. Log in as Person B.
Expected and actual result: You do not see the page from Person A listed on your dashboard in the 'Latest changes I can view' block and you do not have access to the actual page.
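The defect the report describes is a presentation-layer filter that the enforcement path does not share: the 'Edit access' form hides rules that conflict with isolated institutions, but the access check keeps evaluating every stored rule until someone re-saves the form. The following stand-alone Python model is an added illustration, not Mahara's code; the account, institution and rule names are constructed, and `isolated_institutions` stands in for the `$cfg->isolatedinstitutions` setting. It walks through the replication steps above with both a check that evaluates stored rules directly (the reported behaviour) and one that applies the same filter the form uses, so isolation takes effect the moment the setting changes.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    name: str
    institution: str


@dataclass(frozen=True)
class AccessRule:
    # kind: "institution" (members of one institution) or
    #       "loggedin"    (any registered account holder)
    kind: str
    institution: Optional[str] = None


@dataclass
class Site:
    isolated_institutions: bool = False   # models $cfg->isolatedinstitutions


@dataclass
class Portfolio:
    owner: Account
    rules: list   # stored AccessRule objects, as last saved via 'Edit access'


def rule_grants(rule: AccessRule, viewer: Account) -> bool:
    """Does a single stored rule grant the viewer access?"""
    if rule.kind == "loggedin":
        return True
    if rule.kind == "institution":
        return viewer.institution == rule.institution
    return False


def effective_rules(portfolio: Portfolio, site: Site) -> list:
    """Rules that are valid under the current site setting.

    With isolation on, only institution rules for the owner's own
    institution survive; a 'loggedin' rule would reach across
    institution boundaries and is dropped.
    """
    if not site.isolated_institutions:
        return list(portfolio.rules)
    return [
        r for r in portfolio.rules
        if r.kind == "institution" and r.institution == portfolio.owner.institution
    ]


def can_view_buggy(portfolio: Portfolio, viewer: Account, site: Site) -> bool:
    """Reported pattern: the form hides stale rules, but the access check
    still evaluates every stored rule until the form is saved."""
    return any(rule_grants(r, viewer) for r in portfolio.rules)


def can_view_fixed(portfolio: Portfolio, viewer: Account, site: Site) -> bool:
    """Evaluate the same filtered set the form displays, so the setting
    takes effect immediately without anyone re-saving the form."""
    return any(rule_grants(r, viewer) for r in effective_rules(portfolio, site))


def save_access_form(portfolio: Portfolio, site: Site) -> list:
    """Saving 'Edit access' persists only the rules the form showed."""
    portfolio.rules = effective_rules(portfolio, site)
    return portfolio.rules


def replicate() -> dict:
    """Walk through the report's numbered steps; returns the observations."""
    site = Site(isolated_institutions=False)
    person_a = Account("Person A", "inst-1")        # constructed sample data
    person_b = Account("Person B", "inst-2")        # other institution
    colleague = Account("Person C", "inst-1")       # same institution as A
    portfolio = Portfolio(
        owner=person_a,
        rules=[AccessRule("institution", "inst-1"), AccessRule("loggedin")],
    )
    out = {}
    out["step2_b_sees_page"] = can_view_buggy(portfolio, person_b, site)
    site.isolated_institutions = True                # step 3
    out["step4_buggy"] = can_view_buggy(portfolio, person_b, site)
    out["step4_fixed"] = can_view_fixed(portfolio, person_b, site)
    out["step6_hidden_rules"] = len(portfolio.rules) - len(effective_rules(portfolio, site))
    out["same_institution_colleague"] = can_view_fixed(portfolio, colleague, site)
    save_access_form(portfolio, site)                # step 7
    out["step8_buggy"] = can_view_buggy(portfolio, person_b, site)
    return out


if __name__ == "__main__":
    for key, value in replicate().items():
        print(f"{key}: {value}")
```

The design point is that `effective_rules` is the single place the site setting is interpreted, and both the form and the access check call it; a detection check for the same class of problem is to audit every read path of the stored rules and confirm none bypasses that filter. Whether the stale rows are also deleted from storage (the report asks for removal) is then a clean-up concern rather than the thing enforcement depends on.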

** Affects: mahara
     Importance: High
         Status: Confirmed

** Affects: mahara/19.04
     Importance: High
         Status: Confirmed

** Affects: mahara/19.10
     Importance: High
         Status: Confirmed

** Affects: mahara/20.04
     Importance: High
         Status: Confirmed

** Affects: mahara/20.10
     Importance: High
         Status: Confirmed

** Affects: mahara/21.04
     Importance: High
         Status: Confirmed


** Tags: privacy

** Also affects: mahara/20.04
   Importance: Undecided
       Status: New

** Also affects: mahara/21.04
   Importance: Undecided
       Status: New

** Also affects: mahara/19.10
   Importance: Undecided
       Status: New

** Also affects: mahara/20.10
   Importance: Undecided
       Status: New

** Changed in: mahara/21.04
       Status: New => Confirmed

** Changed in: mahara/20.10
       Status: New => Confirmed

** Changed in: mahara/20.04
       Status: New => Confirmed

** Changed in: mahara/19.10
       Status: New => Confirmed

** Information type changed from Public to Private Security

** Changed in: mahara/21.04
   Importance: Undecided => High

** Changed in: mahara/20.10
   Importance: Undecided => High

** Changed in: mahara/20.04
   Importance: Undecided => High

** Changed in: mahara/19.10
   Importance: Undecided => High

** Changed in: mahara/21.04
    Milestone: None => 21.04.0

** Changed in: mahara/20.10
    Milestone: None => 20.10rc2

** Changed in: mahara/20.04
    Milestone: None => 20.04.2

** Changed in: mahara/19.10
    Milestone: None => 19.10.5

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1897476

Title:
  Access rules still apply after 'Isolated institutions' is turned on

Status in Mahara:
  Confirmed
Status in Mahara 19.04 series:
  Confirmed
Status in Mahara 19.10 series:
  Confirmed
Status in Mahara 20.04 series:
  Confirmed
Status in Mahara 20.10 series:
  Confirmed
Status in Mahara 21.04 series:
  Confirmed

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1897476/+subscriptions