Hi Stephane, Thanks for the bug report!
It appears that what's going on is that the "Tagged journal entries" block puts the artefact ID for the entire journal, into the "view_artefacts" table that we use for checking permissions. So if a journal contains even a single tagged journal entry that gets shown in that block, then they also get access to every other journal entry in that block, even the ones that don't have a matching tag. (Of course they have to know the URL for the journal This is a bug in core, and I've verified that it's still present up through 16.04dev. I think this *might* have been a decision that was done on purpose, because if you notice, the tagged journal entries block does have a live link to the journal itself, next to the title of the journal entry. Likewise, the journal artefact detail page also have a live link to the journal itself, with the full list of journal entries in it. But I think I agree with you that it violates Mahara's normal privacy policy, which is that other people can't see any of your content unless you explicitly share it. I'll have to give some thought about what to do with those links, though. It would be a poor user experience if we display these friendly links, and then when you click on them you see "Access Denied" or the transient login page. Maybe we can add some logic that makes the journal entry title not-linked, unless you have access to the entire journal. Cheers, Aaron -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1521818 Title: Tagged journal entries block granting access to all entries in the journal Status in Mahara: Confirmed Status in Mahara 15.04 series: Confirmed Status in Mahara 15.10 series: Confirmed Status in Mahara 16.04 series: Confirmed Bug description: A user received a comment for an artefact that is not actually shared publicly. Looking into the problem, I've been able to replicate the issue. It goes as such : 1. Create a journal with two entries. Give one the tag "tag1" and the other the tag "tag2". 2. Create a view 3. Add a Tagged journal entries block with "tag1" 4. Save and share the view with the public. 5. Click in the tagged journal entries block to view the artefact detail page for the tag1 journal entry. 6. Copy the URL for the tag1 journal entry's page, and save this somewhere 7. Edit the tagged journal entry block and change it to "tag2" instead. 8. Log out 9. While logged out, view the URL for the tag1 journal entry Expected result: Access denied Actual result: You can view the tag1 journal entry. Indeed, you can navigate up and view the entire journal. Journal entries with tag A are still accessible to the public even though they are not being displayed on the view. It's is imperative that deleted artefact from a view cannot be accessed. It's clearly a breach of privacy. We're using Mahara 15.04 .2 on Linux with MySQL To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1521818/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~mahara-contributors Post to : [email protected] Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
