There is a way to keep the URL out of the browser history, as I mentioned here: https://bugs.launchpad.net/mahara/+bug/1385564/comments/5 .
You just have to do a 302-redirect to the page's real URL. But the problem is that it'll also keep the secret URL out of the address bar, and that will interfere with the user's ability to bookmark the URL, and I think that's too much of an impact on usability.

For that matter, kicking the secret URL out of the browser history would also have too negative an impact on usability. I know when I access Google documents that are shared with me by URL, for instance, I usually rely on my browser history (specifically, address-bar autocomplete) to return to the document later. That wouldn't work if we eradicated the secret URL from the browser history.

https://bugs.launchpad.net/bugs/1385564

Title:
  Secret URLs used on public computers leak access to later users of the same browser

Status in Mahara ePortfolio:
  Confirmed

Bug description:
  If a user (or group) creates a private page and gives it a secret URL, and then the page is accessed by the secret URL on a public computer and the user doesn't close their browser window afterwards, other users will also be able to access that page by its normal url or its secret URL. This can defy user expectations of access rights.

  Eg
  1. group A admin creates a page and shares it only with the group, the page has the id=8
  2. group A admin creates a secret url for the page, eg /view/view.php?t=nFlSjpVuUCawH6TxP7A3
  3. User 1, who is not in the group, goes to the page by its secret URL. (While using a computer at the library.)
  4. User 1 then logs out, but doesn't close their browser window.
  5. User 2 comes to the computer and goes to /view/view.php?id=8

  Expected result - User 2 can't access the page as they don't know the secret url
  Actual result - User 2 can access the page

  This is reported here:
  https://mahara.org/interaction/forum/topic.php?id=6520
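
The following is an added example, not Mahara's code and not part of the original message: a small Python model of the 302-redirect idea from the comment and of steps 3-5 of the report. It assumes that access granted through a secret URL is remembered in the browser's session; the handler names and session keys are hypothetical, and only the token and page id come from the report.

```python
# Simplified model (assumption): access granted via a secret URL is remembered
# in the browser's session. Not Mahara's code; all names here are hypothetical.
SECRET_TOKENS = {"nFlSjpVuUCawH6TxP7A3": 8}  # token -> page id, values from the report
PAGE_PATH = "/view/view.php"


def handle_view(session, query):
    """Return (status, headers) for a request to PAGE_PATH with this query."""
    grants = session.setdefault("token_grants", set())
    token = query.get("t")
    if token is not None:
        page_id = SECRET_TOKENS.get(token)
        if page_id is None:
            return 403, {}
        grants.add(page_id)
        # 302 to the real URL: history and address bar then hold only ?id=N,
        # which is why the secret URL can no longer be bookmarked.
        return 302, {"Location": f"{PAGE_PATH}?id={page_id}"}
    try:
        page_id = int(query.get("id", ""))
    except ValueError:
        return 404, {}
    if page_id in grants or page_id in session.get("member_pages", ()):
        return 200, {}
    return 403, {}


def handle_logout(session, clear_grants):
    """Log the user out; optionally drop secret-URL grants as well."""
    session.pop("user", None)
    session.pop("member_pages", None)
    if clear_grants:
        session.pop("token_grants", None)


def replay_report(clear_grants):
    """Steps 3-5 of the report on one shared browser session."""
    session = {"user": "user1"}
    first = handle_view(session, {"t": "nFlSjpVuUCawH6TxP7A3"})  # step 3
    followed = handle_view(session, {"id": "8"})   # browser follows the 302
    handle_logout(session, clear_grants)           # step 4, window left open
    later = handle_view(session, {"id": "8"})      # step 5, User 2
    return first, followed[0], later[0]
```

With `clear_grants=False` the last request succeeds, which matches the "Actual result" in the report; with `clear_grants=True` it is refused, which matches the "Expected result".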

