I'd marked this as "medium" priority initially, because I thought it was caused by records in view_artefact not getting deleted (which requires kind of a convoluted set of steps to reach).
But now that I see it's actually about providing a wider scope of visibility than necessary, I'm raising the priority to "High", because there could be a case where, for instance, a user has tagged half their blog entries "public" and the other half "private", and uses this block to display the "public" ones.

Until we get the fix implemented, some possible workarounds are:

1. Organize your journal entries into multiple separate journals and use the "Recent posts" or "Journal" blocks to display them instead of "tagged posts".
2. Use the "unpublish" button to revert sensitive journal entries to "Draft" status so they won't be visible.
3. Display lists of tagged journal entries using multiple "Journal entry" blocks.

Cheers,
Aaron

** Description changed:

  A user received a comment for an artefact that is not actually shared publicly.

  Looking into the problem, I've been able to replicate the issue. It goes as such:

- - Create a view
- - Add a Tagged journal entries block with tag A
- - save and share view with public
- - Edit block and change the selected tag to tag B
- - save
+ 1. Create a journal with two entries. Give one the tag "tag1" and the other the tag "tag2".
+ 2. Create a view
+ 3. Add a Tagged journal entries block with "tag1"
+ 4. Save and share the view with the public.
+ 5. Click in the tagged journal entries block to view the artefact detail page for the tag1 journal entry.
+ 6. Copy the URL for the tag1 journal entry's page, and save this somewhere
+ 7. Edit the tagged journal entry block and change it to "tag2" instead.
+ 8. Log out
+ 9. While logged out, view the URL for the tag1 journal entry
+
+ Expected result: Access denied
+
+ Actual result: You can view the tag1 journal entry. Indeed, you can navigate up and view the entire journal.

  Journal entries with tag A are still accessible to the public even though they are not being displayed on the view. It is imperative that an artefact deleted from a view cannot be accessed. It's clearly a breach of privacy.

  We're using Mahara 15.04.2 on Linux with MySQL

https://bugs.launchpad.net/bugs/1521818

Title:
  Tagged journal entries block granting access to all entries in the journal

Status in Mahara:
  Confirmed
Status in Mahara 15.04 series:
  Confirmed
Status in Mahara 15.10 series:
  Confirmed
Status in Mahara 16.04 series:
  Confirmed

Bug description:
  A user received a comment for an artefact that is not actually shared publicly.

  Looking into the problem, I've been able to replicate the issue. It goes as such:

  1. Create a journal with two entries. Give one the tag "tag1" and the other the tag "tag2".
  2. Create a view
  3. Add a Tagged journal entries block with "tag1"
  4. Save and share the view with the public.
  5. Click in the tagged journal entries block to view the artefact detail page for the tag1 journal entry.
  6. Copy the URL for the tag1 journal entry's page, and save this somewhere
  7. Edit the tagged journal entry block and change it to "tag2" instead.
  8. Log out
  9. While logged out, view the URL for the tag1 journal entry

  Expected result: Access denied

  Actual result: You can view the tag1 journal entry. Indeed, you can navigate up and view the entire journal.

  Journal entries with tag A are still accessible to the public even though they are not being displayed on the view. It is imperative that an artefact deleted from a view cannot be accessed. It's clearly a breach of privacy.
  We're using Mahara 15.04.2 on Linux with MySQL
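The over-broad grant that the reproduction steps above exercise, modelled as an added example in Python over an in-memory SQLite database. This is not Mahara's code or schema: the table and column names, the two registration routines and the two access checks are simplified assumptions made here, and the sample journal (id 1), its two entries (10 tagged tag1, 11 tagged tag2), the public view (100) and the block (5) are constructed data. The "buggy" pair registers the entries' parent journal as the block's exposed artefact and lets the access check walk up the parent chain, which is one way every entry in the journal becomes reachable; the "fixed" pair clears the block's old rows on every save and registers only the entries the block currently renders, checked by exact match. Changing the block's tag then revokes the old entry and grants only the new one.

```python
import sqlite3


def make_db():
    """Constructed sample data (assumption: a simplified schema, not Mahara's real tables)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE artefact (id INTEGER PRIMARY KEY, artefacttype TEXT, parent INTEGER);
        CREATE TABLE artefact_tag (artefact INTEGER, tag TEXT);
        CREATE TABLE view (id INTEGER PRIMARY KEY, public INTEGER);
        CREATE TABLE block_instance (id INTEGER PRIMARY KEY, view INTEGER, tag TEXT);
        CREATE TABLE view_artefact (view INTEGER, artefact INTEGER, block INTEGER);
        -- journal 1 holds entry 10 (tag1) and entry 11 (tag2)
        INSERT INTO artefact VALUES (1, 'blog', NULL), (10, 'blogpost', 1), (11, 'blogpost', 1);
        INSERT INTO artefact_tag VALUES (10, 'tag1'), (11, 'tag2');
        -- view 100 is shared with the public; block 5 on it lists entries tagged tag1
        INSERT INTO view VALUES (100, 1);
        INSERT INTO block_instance VALUES (5, 100, 'tag1');
    """)
    return db


def tagged_entries(db, tag):
    """Journal entries carrying the given tag: what the block actually renders."""
    rows = db.execute(
        "SELECT a.id FROM artefact a JOIN artefact_tag t ON t.artefact = a.id "
        "WHERE a.artefacttype = 'blogpost' AND t.tag = ?", (tag,))
    return [r[0] for r in rows]


def register_block_artefacts_buggy(db, block_id):
    """Over-broad registration: records the parent journal of each listed entry
    and never removes rows written for an earlier block configuration."""
    view_id, tag = db.execute(
        "SELECT view, tag FROM block_instance WHERE id = ?", (block_id,)).fetchone()
    for entry in tagged_entries(db, tag):
        parent = db.execute("SELECT parent FROM artefact WHERE id = ?", (entry,)).fetchone()[0]
        db.execute("INSERT INTO view_artefact VALUES (?, ?, ?)", (view_id, parent, block_id))


def register_block_artefacts_fixed(db, block_id):
    """Least-privilege registration: drop the block's old rows, then record
    exactly the entries it currently renders and nothing above them."""
    view_id, tag = db.execute(
        "SELECT view, tag FROM block_instance WHERE id = ?", (block_id,)).fetchone()
    db.execute("DELETE FROM view_artefact WHERE block = ?", (block_id,))
    for entry in tagged_entries(db, tag):
        db.execute("INSERT INTO view_artefact VALUES (?, ?, ?)", (view_id, entry, block_id))


def _granted_by_public_view(db, artefact_id):
    row = db.execute(
        "SELECT 1 FROM view_artefact va JOIN view v ON v.id = va.view "
        "WHERE v.public = 1 AND va.artefact = ?", (artefact_id,)).fetchone()
    return row is not None


def public_can_view_buggy(db, artefact_id):
    """Walks up the parent chain, so a grant on the journal reaches every entry in it."""
    current = artefact_id
    while current is not None:
        if _granted_by_public_view(db, current):
            return True
        current = db.execute(
            "SELECT parent FROM artefact WHERE id = ?", (current,)).fetchone()[0]
    return False


def public_can_view_fixed(db, artefact_id):
    """Exact match only: an artefact is public if some public view currently renders it."""
    return _granted_by_public_view(db, artefact_id)


def reproduce(register, can_view):
    """Runs the report's scenario: share the tag1 block, then switch it to tag2.
    Returns the public visibility of (journal, tag1 entry, tag2 entry) before and after."""
    db = make_db()
    register(db, 5)
    before = {a: can_view(db, a) for a in (1, 10, 11)}
    db.execute("UPDATE block_instance SET tag = 'tag2' WHERE id = 5")
    register(db, 5)
    after = {a: can_view(db, a) for a in (1, 10, 11)}
    return before, after


if __name__ == "__main__":
    print("buggy:", reproduce(register_block_artefacts_buggy, public_can_view_buggy))
    print("fixed:", reproduce(register_block_artefacts_fixed, public_can_view_fixed))
```

With the buggy pair, the tag2 entry is already public before the block is edited, because the whole journal was granted; with the fixed pair, only the entry the block renders at the time of the check is reachable, and editing the block moves the grant from entry 10 to entry 11. A block type that legitimately renders a whole journal would, under the fixed scheme, register each entry it displays rather than the journal artefact.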

