mahara-contributors team mailing list archive

[Bug 1959146] Re: Private group, site, or institution portfolios can be accessed by the URL without logging in

 

** Information type changed from Private Security to Public Security

https://bugs.launchpad.net/bugs/1959146

Title:
  Private group, site, or institution portfolios can be accessed by the
  URL without logging in

Status in Mahara:
  Fix Committed
Status in Mahara 21.04 series:
  Fix Released
Status in Mahara 21.10 series:
  Fix Released
Status in Mahara 22.04 series:
  Fix Committed

Bug description:
  Portfolios should only be available to the selected people or groups
  of people who have been given access. This is the case for personal
  portfolios. However, a change introduced in Mahara 21.04 invalidated
  the permissions check for group, institution, and site portfolios.

  To replicate:

  Group:

  1. Create a private group with the setting 'Publicly viewable group' set to 'No'.
  2. Create a page within the group and copy the URL when the page is in 'Display' mode.
  3. Open a private browser window and go to the copied URL.

  Results:
  - Expected: The site redirects to the login page.
  - Actual: The private group page can be seen without logging in.

  
  Institution:

  1. Create an institution.
  2. Create an institution page and do not share it with anybody.
  3. Open a private browser window and go to the copied URL.

  Results:
  - Expected: The site redirects to the login page.
  - Actual: The institution page can be seen without logging in.

  
  Site:

  1. Create a site page and do not share it with anybody.
  2. Open a private browser window and go to the copied URL.

  Results:
  - Expected: The site redirects to the login page.
  - Actual: The site page can be seen without logging in.
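
The replication steps above can be turned into a repeatable check to run against your own instance after upgrading. This is an added example, not code from the bug report or the Mahara project: it assumes you place a unique marker string in the private test page, and the stand-in server, its paths and the marker value are constructed for the demonstration.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKER = "canary-7f3a-private-portfolio"  # constructed; put your own unique text in the test page


def anonymously_visible(url, marker, timeout=10):
    """Return True if a request with no session cookie receives the page content."""
    # Fresh opener: no cookie jar, no credentials, proxies disabled; redirects are followed.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError:
        return False  # 4xx/5xx: the page content was not served
    return marker in body


class _StandIn(BaseHTTPRequestHandler):
    """Constructed stand-in for a site; not Mahara and not its URL scheme."""

    def do_GET(self):
        if self.path == "/fixed-page":  # behaves as the report expects: redirect to login
            self.send_response(302)
            self.send_header("Location", "/login")
            self.end_headers()
            return
        text = MARKER if self.path == "/exposed-page" else "Please log in"
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.end_headers()
        self.wfile.write(f"<html><body>{text}</body></html>".encode())

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_demo():
    """Check both stand-in pages anonymously; returns {path: visible_without_login}."""
    server = HTTPServer(("127.0.0.1", 0), _StandIn)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        return {p: anonymously_visible(base + p, MARKER) for p in ("/fixed-page", "/exposed-page")}
    finally:
        server.shutdown()
        server.server_close()
```

Matching on a marker rather than on a status code keeps the check independent of how the login redirect is implemented: any response that does not contain the private page's text counts as not exposed.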
