Reviewed:  https://reviews.mahara.org/2654
Committed: http://gitorious.org/mahara/mahara/commit/712e62abf67dc98449b4effc0a34516add340069
Submitter: Son Nguyen ([email protected])
Branch:    1.7_STABLE

commit 712e62abf67dc98449b4effc0a34516add340069
Author: Aaron Wells <[email protected]>
Date:   Tue Oct 8 12:53:31 2013 +1300

Image Gallery: Make sure the user has access to the selected folder

Bug 1236636

Change-Id: I69deb64a5113806ec89145c1213f6a1d10038d78
Signed-off-by: Aaron Wells <[email protected]>

https://bugs.launchpad.net/bugs/1236636

Title:
  Can attach other users' Folders to your Image Gallery block

Status in Mahara ePortfolio:
  Fix Released
Status in Mahara 1.5 series:
  Fix Committed
Status in Mahara 1.6 series:
  Fix Committed
Status in Mahara 1.7 series:
  Fix Committed

Bug description:
  Here's one we missed in Bug 1211758. You can manipulate the HTTP
  request data when selecting the Folder for an Image Gallery (aka
  "slideshow") block, to attach other users' folders.

  Because you lack permission to view the images, you wind up with a
  slideshow of "broken image" placeholders. But as was mentioned in
  1211758, you can still access the images by exploiting the lack of
  verification when you export.

  I tested the Folder block, and was not able to replicate this weakness
  there. So it appears to be limited to Image Gallery.

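Added example (not Mahara's code and not part of the original notification): a language-neutral Python model of the check the commit title describes, validating a client-supplied folder id against the user when the block is saved and again when it is exported. All names, the owner-only permission rule and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

class AccessDenied(Exception):
    """Raised when a request references a folder the user may not use."""

@dataclass(frozen=True)
class Folder:
    id: int
    owner_id: int
    images: tuple = ()

# Constructed sample data: user 1 owns folder 10, user 2 owns folder 20.
FOLDERS = {
    10: Folder(10, owner_id=1, images=("a.png", "b.png")),
    20: Folder(20, owner_id=2, images=("private.png",)),
}

def authorized_folder(user_id, folder_id):
    """Resolve a client-supplied folder id, or raise AccessDenied.

    Unknown ids and other users' ids fail the same way, so the response
    does not reveal which folder ids exist."""
    try:
        folder = FOLDERS.get(int(folder_id))
    except (TypeError, ValueError):
        folder = None
    # Assumption: ownership is the only permission rule in this model.
    if folder is None or folder.owner_id != user_id:
        raise AccessDenied("folder not available")
    return folder

def save_gallery_block(user_id, form):
    """Save-time check: the id in the submitted form is untrusted input,
    even though the folder picker only offered the user's own folders."""
    folder = authorized_folder(user_id, form.get("folder"))
    return {"owner_id": user_id, "folder": folder.id}

def export_gallery_block(block):
    """Export-time check: re-verify the stored reference against the block
    owner, so a block saved before the fix cannot leak files on export."""
    try:
        return list(authorized_folder(block["owner_id"], block["folder"]).images)
    except AccessDenied:
        return []
```

The export-time check covers the second half of the report: a folder reference that was stored before the save-time check existed still yields no files.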