Reviewed:  https://reviews.mahara.org/10759
Committed: https://git.mahara.org/mahara/mahara/commit/75a96408975052001eee7caa711fe8c005d34c85
Submitter: Robert Lyon ([email protected])
Branch:    master

commit 75a96408975052001eee7caa711fe8c005d34c85
Author: Lisa Seeto <[email protected]>
Date:   Fri Feb 14 14:12:43 2020 +1300

    Bug 1857935: Display people from own institution(s) first when searching for them during portfolio sharing

    - added in check when searching users to display users in institutions first
    - added in select2js datasource formatting to get user dropdown categories
    - limit the type of data returned in ajax calls to limit data risks (Bug 1863043)
    - refactor json and tpl
    - refactor sql, show institution display name

    Change-Id: I478a4d9534bf1de820ca59d60ca7768685e36a96
    Signed-off-by: Lisa Seeto <[email protected]>

https://bugs.launchpad.net/bugs/1863043

Title:
  Don't display personal information beyond what is necessary in "Edit access" Ajax response

Status in Mahara:
  Fix Committed
Status in Mahara 18.10 series:
  Fix Released
Status in Mahara 19.04 series:
  Fix Released
Status in Mahara 19.10 series:
  Fix Released
Status in Mahara 20.04 series:
  Fix Committed

Bug description:
  When you are on view/access.php?id=[page ID] and open the network connections (you will need to reload the page to see traffic come through), you can see more information about an account holder than you should:

  1. Open the "Network" tab.
  2. Click on acces.json.php.
  3. Show the "Response" information.

  Username and other personal information that should not be displayed is shown, which can mean that information about other people can be leaked.

  When we compose a message in the inbox, that same sort of disclosure does not happen. So, sendmessage.json.php handles things in a better way.

  We should only disclose as much information in the "Response" as we do in the select menu, i.e. use the normal display name function as some people may not want to share their first and last name. Things will be different depending on their role.
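
The response shaping that the bug report and commit message describe, as an added example that is not Mahara's code or part of the original notification: each Ajax result is built from scratch with only an id and a display name, grouped in select2's `results`/`children` format with the searcher's own institution(s) first. The function names, group labels, column names, the one-institution-per-row simplification and the sample rows are all assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not Mahara's own functions.

// Stand-in for the application's display-name function (assumption):
// prefer the name the person chose to show, fall back to first + last name.
function example_display_name(array $u): string {
    $preferred = trim($u['preferredname'] ?? '');
    return $preferred !== '' ? $preferred : trim($u['firstname'] . ' ' . $u['lastname']);
}

// Build a select2 grouped result set from full user rows. Every entry is
// constructed with only id and text, so a column added to the search query
// later cannot reach the Ajax response by accident.
function example_share_search_response(array $rows, array $ownInstitutions): array {
    $groups = ['own' => [], 'other' => []];
    foreach ($rows as $row) {
        $key = in_array($row['institution'], $ownInstitutions, true) ? 'own' : 'other';
        $groups[$key][] = [
            'id'   => (int) $row['id'],
            'text' => example_display_name($row),
        ];
    }
    $results = [];
    if ($groups['own']) {    // own institution(s) listed first
        $results[] = ['text' => 'Your institution(s)', 'children' => $groups['own']];
    }
    if ($groups['other']) {
        $results[] = ['text' => 'Other people', 'children' => $groups['other']];
    }
    return ['results' => $results];
}

// Constructed sample rows, shaped like a search query that selects too much.
$rows = [
    ['id' => 9, 'username' => 'bsmith', 'email' => 'bsmith@example.test', 'firstname' => 'Bob',
     'lastname' => 'Smith', 'preferredname' => '', 'institution' => 'uni-b'],
    ['id' => 7, 'username' => 'jdoe', 'email' => 'jdoe@example.test', 'firstname' => 'Jane',
     'lastname' => 'Doe', 'preferredname' => 'JD', 'institution' => 'uni-a'],
];

$json = json_encode(example_share_search_response($rows, ['uni-a']));

// Regression check: usernames, e-mail addresses and the hidden real name of
// a person with a preferred name must not appear anywhere in the body.
foreach (['jdoe', 'bsmith', 'example.test', 'Jane', 'Doe'] as $needle) {
    if (strpos($json, $needle) !== false) {
        throw new RuntimeException("response leaks: $needle");
    }
}
echo $json, PHP_EOL;
```

The same substring check can be pointed at the "Response" body captured in the browser's Network tab to confirm that a deployed instance no longer returns the extra fields.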

