** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1863043

Title:
  Don't display personal information beyond what is necessary in "Edit access" Ajax response

Status in Mahara:
  Fix Committed
Status in Mahara 18.10 series:
  Fix Released
Status in Mahara 19.04 series:
  Fix Released
Status in Mahara 19.10 series:
  Fix Released
Status in Mahara 20.04 series:
  Fix Committed

Bug description:
  When you are on view/access.php?id=[page ID] and open the network connections (you will need to reload the page to see traffic come through), you can see more information about an account holder than you should:

  1. Open the "Network" tab.
  2. Click on acces.json.php.
  3. Show the "Response" information.

  Username and other personal information that should not be displayed is shown, which can mean that information about other people can be leaked.

  When we compose a message in the inbox, that same sort of disclosure does not happen. So, sendmessage.json.php handles things in a better way.

  We should only disclose as much information in the "Response" as we do in the select menu, i.e. use the normal display name function, as some people may not want to share their first and last name. Things will be different depending on their role.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1863043/+subscriptions

_______________________________________________
Mailing list: https://launchpad.net/~mahara-contributors
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~mahara-contributors
More help   : https://help.launchpad.net/ListHelp
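
The remedy described in the bug (return only what the select menu shows, via a display name function) can be sketched as below, together with a check that flags extra fields in a captured response. This is an added example, not Mahara's code: the response layout, the field names and the role rule inside display_name() are assumptions made for illustration.

```python
import json

# Constructed sample of an over-sharing search response; every field name is
# an assumption for illustration, not Mahara's actual response format.
CAPTURED = json.loads("""
{"error": false,
 "data": {"count": 2, "results": [
   {"id": 12, "username": "jdoe", "firstname": "Jane", "lastname": "Doe",
    "email": "jane@example.org", "preferredname": "JD"},
   {"id": 15, "username": "rroe", "firstname": "Richard", "lastname": "Roe",
    "email": "rroe@example.org", "preferredname": ""}
 ]}}
""")

# What a select menu needs: an identifier and the text it displays.
ALLOWED_USER_FIELDS = frozenset({"id", "text"})


def display_name(user, viewer_is_admin=False):
    """Hypothetical stand-in for the application's display name function.

    Assumed rule: ordinary viewers see the preferred name when one is set,
    otherwise first and last name; administrators also see the username.
    """
    if user.get("preferredname") and not viewer_is_admin:
        return user["preferredname"]
    full = f'{user["firstname"]} {user["lastname"]}'
    return f'{full} ({user["username"]})' if viewer_is_admin else full


def minimize(response, viewer_is_admin=False):
    """Rebuild the response from the allowlist rather than deleting known-bad keys."""
    results = [{"id": u["id"], "text": display_name(u, viewer_is_admin)}
               for u in response["data"]["results"]]
    return {"error": response["error"],
            "data": {"count": len(results), "results": results}}


def leaked_fields(response):
    """Return (result index, field name) pairs that fall outside the allowlist."""
    return [(i, key)
            for i, user in enumerate(response["data"]["results"])
            for key in sorted(user) if key not in ALLOWED_USER_FIELDS]


if __name__ == "__main__":
    print("before:", leaked_fields(CAPTURED))
    print("after: ", leaked_fields(minimize(CAPTURED)))
```

Building each record from an allowlist means a column added to the account table later does not appear in the response by default, and leaked_fields() can run as a regression test against recorded responses.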

