Reviewed:  https://reviews.mahara.org/2653
Committed: http://gitorious.org/mahara/mahara/commit/092cb5856c0471d79e576e59c83b228c652bce2a
Submitter: Son Nguyen ([email protected])
Branch:    1.6_STABLE

commit 092cb5856c0471d79e576e59c83b228c652bce2a
Author: Aaron Wells <[email protected]>
Date:   Tue Oct 8 12:53:31 2013 +1300

    Image Gallery: Make sure the user has access to the selected folder

    Bug 1236636

    Change-Id: I69deb64a5113806ec89145c1213f6a1d10038d78
    Signed-off-by: Aaron Wells <[email protected]>

--
https://bugs.launchpad.net/bugs/1236636

Title:
  Can attach other users' Folders to your Image Gallery block

Status in Mahara ePortfolio:
  Fix Released
Status in Mahara 1.5 series:
  Fix Committed
Status in Mahara 1.6 series:
  Fix Committed
Status in Mahara 1.7 series:
  Fix Committed

Bug description:
  Here's one we missed in Bug 1211758.

  You can manipulate the HTTP request data when selecting the Folder for
  an Image Gallery (aka "slideshow") block, to attach other users'
  folders. Because you lack permission to view the images, you wind up
  with a slideshow of "broken image" placeholders. But as was mentioned
  in 1211758, you can still access the images by exploiting the lack of
  verification when you export.

  I tested the Folder block, and was not able to replicate this weakness
  there. So it appears to be limited to Image Gallery.
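An added example, not Mahara's code and not taken from the commit: a small Python model of the check named in the commit title, applied when the block configuration is saved and again when the block is exported. Every name here (`save_gallery_config`, `export_gallery`, `can_publish`, the dataclasses) and the sample data are hypothetical, and ownership is assumed to be the only way a user gains access to an artefact.

```python
from dataclasses import dataclass
from typing import Optional

class AccessDenied(Exception):
    """Raised when a request references an artefact the user may not use."""

@dataclass(frozen=True)
class Artefact:
    id: int
    owner: str
    kind: str                      # "folder" or "image"
    parent: Optional[int] = None   # containing folder id, if any

@dataclass
class GalleryBlock:
    owner: str
    folder_id: Optional[int] = None

# Constructed sample data standing in for the artefact table.
ARTEFACTS = {a.id: a for a in (
    Artefact(10, "alice", "folder"),
    Artefact(11, "alice", "image", parent=10),
    Artefact(12, "alice", "image", parent=10),
    Artefact(20, "mallory", "folder"),
    Artefact(21, "mallory", "image", parent=20),
)}

def can_publish(user: str, artefact: Artefact) -> bool:
    # Assumption: ownership is the only grant in this model.
    return artefact.owner == user

def save_gallery_config(user: str, block: GalleryBlock, submitted_folder_id) -> None:
    """Treat the folder id as untrusted request data, not as a UI choice."""
    if block.owner != user:
        raise AccessDenied("block not available")
    try:
        folder_id = int(submitted_folder_id)
    except (TypeError, ValueError):
        raise AccessDenied("folder not available") from None
    folder = ARTEFACTS.get(folder_id)
    # Same error for missing, wrong-type and forbidden ids, so ids cannot be probed.
    if folder is None or folder.kind != "folder" or not can_publish(user, folder):
        raise AccessDenied("folder not available")
    block.folder_id = folder.id

def export_gallery(user: str, block: GalleryBlock) -> list:
    """Re-check every artefact at export, so a bad stored folder id leaks nothing."""
    return [a.id for a in ARTEFACTS.values()
            if a.kind == "image" and a.parent == block.folder_id and can_publish(user, a)]
```

The export-time check matters for blocks that were saved before the save-time check existed: the stored folder id stays in the database, but the export returns none of the other user's images.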

