Public bug reported:

Mahara: master
DB: postgres
OS: Linux
Browser: Firefox

Unfortunately, with the fix for this bug:
https://bugs.launchpad.net/mahara/+bug/1607231

Another bug was introduced.

A non-admin role can edit the group if they know the URL and group id.

The user can directly input the URL of the edit page and save the data:
 * http://my.mahara/group/edit.php?id=3

There is no check to make sure the user has admin role.

** Affects: mahara
   Importance: Undecided
   Assignee: Ghada El-Zoghbi (ghada-z)
   Status: New

** Changed in: mahara
   Assignee: (unassigned) => Ghada El-Zoghbi (ghada-z)

--
https://bugs.launchpad.net/bugs/1609200

Title:
  Non-admin role users can edit group settings

Status in Mahara:
  New

Mailing list: https://launchpad.net/~mahara-contributors
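The missing check described in this report, shown as an added example that is not part of the original report and is not Mahara's code: a group edit handler that verifies the session user's role in the group before rendering the form or saving, followed by a regression check over each role. All function names, the role list and the sample data are assumptions made for illustration.

```php
<?php
// Added example; every name here is hypothetical, not Mahara's API.
// Constructed sample data: group id => [user id => role].
const GROUP_MEMBERS = [3 => [10 => 'admin', 11 => 'member', 12 => 'tutor']];

final class AccessDenied extends RuntimeException {}

// Role of $userId in $groupId, or null when the user is not a member.
function group_role(int $groupId, int $userId): ?string
{
    return GROUP_MEMBERS[$groupId][$userId] ?? null;
}

// Handler for group/edit.php?id=N. $userId comes from the server-side
// session, never from the request.
function handle_group_edit(int $userId, array $query, ?array $post, array &$store): string
{
    $groupId = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT);
    if ($groupId === false) {
        throw new InvalidArgumentException('missing or invalid group id');
    }
    // Deny by default, before the form is rendered and before anything is
    // saved, so requesting or posting to the URL directly gains nothing.
    if (group_role($groupId, $userId) !== 'admin') {
        throw new AccessDenied("user $userId may not edit group $groupId");
    }
    if ($post === null) {
        return 'form';                       // GET: show the edit form
    }
    $store[$groupId] = ['name' => (string) ($post['name'] ?? '')];
    return 'saved';                          // POST: persist the settings
}

// Regression check over each role plus a non-member (user 99).
$store = [];
foreach ([10 => true, 11 => false, 12 => false, 99 => false] as $uid => $allowed) {
    try {
        handle_group_edit($uid, ['id' => '3'], ['name' => "by $uid"], $store);
        $ok = true;
    } catch (AccessDenied $e) {
        $ok = false;
    }
    if ($ok !== $allowed) {
        throw new LogicException("access matrix mismatch for user $uid");
    }
    printf("user %d editing group 3: %s\n", $uid, $ok ? 'allowed' : 'denied');
}
```

Because the regression described here came in with the fix for another bug, a role-by-role check like the loop at the end is worth keeping in the test suite for the edit page.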

