** Changed in: mahara
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/772140

Title:
  Information disclosure in my friends pagination script

Status in Mahara ePortfolio:
  Fix Released
Status in Mahara 1.3 series:
  Fix Released

Bug description:
  There are three problems with this script:

  1. It takes a block id, but doesn't check that the logged-in user is allowed to see the view that the block appears in.
  2. It takes a user id, and doesn't check that the user id matches the id of the view owner.
  3. It returns a list of friends with too much information; it should only return the html to replace the block content.

  Does not affect Mahara 1.2 (there was no friends block pagination).

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/772140/+subscriptions
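
The three checks the bug description asks for, as an added example that is not Mahara's code: a Python model of a pagination handler in which every name (`friends_page`, `VIEWS`, `BLOCKS`, `FRIENDS`, `Forbidden`) is hypothetical and the sample data is constructed.

```python
from dataclasses import dataclass
from html import escape

# Constructed sample data; the layout is hypothetical, not Mahara's schema.
@dataclass
class View:
    owner: int
    allowed_viewers: set

VIEWS = {10: View(owner=1, allowed_viewers={1, 2})}
BLOCKS = {100: 10}  # block id -> id of the view the block appears in
FRIENDS = {
    1: [("Ana", "ana@example.org"), ("Bo", "bo@example.org"), ("Cy", "cy@example.org")],
    2: [("Dee", "dee@example.org")],
}

class Forbidden(Exception):
    """Raised for every denied request, so responses do not reveal which ids exist."""

def friends_page(viewer, block_id, user_id, offset=0, limit=2):
    view = VIEWS.get(BLOCKS.get(block_id))
    # Problem 1: the logged-in user must be allowed to see the view holding the block.
    if view is None or viewer not in view.allowed_viewers:
        raise Forbidden("block not accessible")
    # Problem 2: the supplied user id must match the owner of that view.
    if user_id != view.owner:
        raise Forbidden("user id does not match view owner")
    # Clamp pagination so a request cannot dump the whole list in one call.
    offset, limit = max(0, offset), min(max(1, limit), 20)
    page = FRIENDS.get(view.owner, [])[offset:offset + limit]
    # Problem 3: return only the HTML that replaces the block content,
    # not the friend records (the e-mail field never leaves the server).
    items = "".join(f"<li>{escape(name)}</li>" for name, _email in page)
    return {"html": f'<ul class="friends">{items}</ul>'}

if __name__ == "__main__":
    print(friends_page(viewer=2, block_id=100, user_id=1))
    for args in [(3, 100, 1), (2, 100, 2), (2, 999, 1)]:
        try:
            friends_page(*args)
        except Forbidden as exc:
            print(args, "->", exc)
```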