Reviewed:  https://reviews.mahara.org/6120
Committed: https://git.mahara.org/mahara/mahara/commit/39485b1d7e21b36d6041a37b9ae39ee92f2144cf
Submitter: Robert Lyon ([email protected])
Branch:    15.04_STABLE

commit 39485b1d7e21b36d6041a37b9ae39ee92f2144cf
Author: Aaron Wells <[email protected]>
Date:   Wed Dec 2 16:06:52 2015 +1300

    "Tagged journal entries" block shouldn't grant access to whole journal

    Bug 1521818. Making the "Tagged journal entries" block act more like
    a collection of "Journal entry" blocks. So, it doesn't add the parent
    blog to view_artefacts, only the specific blog entries that are
    displayed in the block.

    Also removing the title of the parent blog (and the link to it) from
    the list of blog entries, like the "Journal entry" block, which doesn't
    display the title of the containing journal.

    Note the viewer may still have access to the whole blog, if the blog
    is also shared on the same page via a "blog" or "recent journal
    entries" block.

    Change-Id: I33fc7e58b964c03bc8003f1de81a4bf58b6079b7
    (cherry picked from commit ada12dba53c2da3596cdf51708ea5d666b60546e)

https://bugs.launchpad.net/bugs/1521818

Title:
  Tagged journal entries block granting access to all entries in the journal

Status in Mahara:
  Fix Committed
Status in Mahara 15.04 series:
  Fix Committed
Status in Mahara 15.10 series:
  Fix Committed
Status in Mahara 16.04 series:
  Fix Committed

Bug description:
  A user received a comment for an artefact that is not actually shared
  publicly. Looking into the problem, I've been able to replicate the
  issue. It goes as such:

  1. Create a journal with two entries. Give one the tag "tag1" and the
     other the tag "tag2".
  2. Create a view
  3. Add a Tagged journal entries block with "tag1"
  4. Save and share the view with the public.
  5. Click in the tagged journal entries block to view the artefact
     detail page for the tag1 journal entry.
  6. Copy the URL for the tag1 journal entry's page, and save this
     somewhere
  7. Edit the tagged journal entry block and change it to "tag2" instead.
  8. Log out
  9. While logged out, view the URL for the tag1 journal entry

  Expected result: Access denied

  Actual result: You can view the tag1 journal entry. Indeed, you can
  navigate up and view the entire journal.

  Journal entries with tag A are still accessible to the public even
  though they are not being displayed on the view. It is imperative that
  a deleted artefact from a view cannot be accessed. It's clearly a
  breach of privacy.

  We're using Mahara 15.04.2 on Linux with MySQL.
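The reproduction steps above can be replayed as a regression check. This is an added example, not Mahara's code and not part of the original notification. It assumes a simplified access rule (an artefact is viewable when it or one of its ancestors is listed in the page's view_artefacts), and every class and function name in it is hypothetical.

```python
# Simplified model (assumption): a public viewer may open an artefact if the
# artefact itself, or one of its ancestors, is listed in the page's
# view_artefacts set. All names below are hypothetical, not Mahara's API.
from dataclasses import dataclass, field

@dataclass
class Artefact:
    id: int
    parent: "Artefact | None" = None
    tags: frozenset = frozenset()

@dataclass
class View:
    view_artefacts: set = field(default_factory=set)

def can_view(view, artefact):
    """Walk up the parent chain; any listed ancestor grants access."""
    node = artefact
    while node is not None:
        if node.id in view.view_artefacts:
            return True
        node = node.parent
    return False

def save_tagged_block(view, journal, entries, tag, grant_parent):
    """Rebuild view_artefacts when the block is saved with a given tag.
    grant_parent=True models the pre-fix behaviour (whole journal listed);
    False models the fix (only the entries the block displays)."""
    shown = [e for e in entries if tag in e.tags]
    view.view_artefacts = {journal.id} if grant_parent else {e.id for e in shown}
    return shown

def replay_report(grant_parent):
    """Steps 1-9 of the report: share tag1, switch block to tag2, then test."""
    journal = Artefact(1)
    e1 = Artefact(2, journal, frozenset({"tag1"}))  # constructed sample data
    e2 = Artefact(3, journal, frozenset({"tag2"}))
    view = View()
    save_tagged_block(view, journal, [e1, e2], "tag1", grant_parent)
    save_tagged_block(view, journal, [e1, e2], "tag2", grant_parent)
    return {"tag1_entry": can_view(view, e1),
            "tag2_entry": can_view(view, e2),
            "journal": can_view(view, journal)}

if __name__ == "__main__":
    print("before fix:", replay_report(True))
    print("after fix: ", replay_report(False))
```

In the pre-fix model the tag1 entry and the journal stay readable after the block is switched to tag2; in the post-fix model only the tag2 entry is.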

