** Information type changed from Private Security to Public Security

--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: mahara-contributors
https://bugs.launchpad.net/bugs/1952808

Title:
  Able to see name of another account holder's folder

Status in Mahara:
  Fix Committed
Status in Mahara 20.10 series:
  Fix Released
Status in Mahara 21.04 series:
  Fix Released
Status in Mahara 21.10 series:
  Fix Released
Status in Mahara 22.04 series:
  Fix Committed

Bug description:
  Problem when passing in folder id to a 'Files' page - we can see the
  name of a folder that we don't own

  Testing steps:

  1) Create a site with at least two accounts, personA and personB
  2) Log in as personA and go to Create -> Files (artefact/file/index.php) page
  3) Create a folder, say 'SubFolder', hover mouse over folder to find the ID of the folder, eg '&folder=123'. Make a note of the value and then click into that folder
  4) Upload a file to the folder
  5) Reload the page and you should be in the home directory of the Files area
  6) Change the URL and add to the end the folder id (eg artefact/file/index.php?folder=123) and reload - you should now see that the page loads with you in the folder you created
  7) Log out
  8) Log in as personB and go to Create -> Files (artefact/file/index.php) page
  9) Change the URL and add to the end the folder id (eg artefact/file/index.php?folder=123) and reload

  Expected: As you are not the folder owner you should not go to that
  folder

  Actual: The name of the other person's folder displays on the screen
  (plus errors in dev mode)

  As this is an escalation of privilege I'll make it a security bug

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1952808/+subscriptions
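
Added example, not part of the original notification and not Mahara's code: a standalone PHP sketch of the ownership check that the Expected/Actual lines above call for, with the unchecked lookup beside it. The folder table, account ids and all function names are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data: folder 123 belongs to personA (account id 1).
function sample_folders(): array
{
    return [
        123 => ['owner' => 1, 'title' => 'SubFolder'],
        456 => ['owner' => 2, 'title' => 'Notes'],
    ];
}

// Parse ?folder= strictly; anything that is not a positive integer
// is treated as "no folder requested".
function requested_folder(array $query): ?int
{
    $id = filter_var($query['folder'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Weak form: trusts the supplied id, so any logged-in account can
// read the title of any folder id it puts in the URL.
function folder_title_unchecked(int $folderId): ?string
{
    $folders = sample_folders();
    return $folders[$folderId]['title'] ?? null;
}

// Hardened form: resolve the folder only when the current account owns it.
// An unknown id and someone else's folder give the same answer, so the
// response does not confirm that the id exists.
function folder_title_for_owner(int $folderId, int $currentUserId): ?string
{
    $folder = sample_folders()[$folderId] ?? null;
    if ($folder === null || $folder['owner'] !== $currentUserId) {
        return null;
    }
    return $folder['title'];
}

$personA = 1;
$personB = 2;
$id = requested_folder(['folder' => '123']); // the URL from steps 6 and 9

if ($id !== null) {
    var_dump(folder_title_unchecked($id));           // same result for every account
    var_dump(folder_title_for_owner($id, $personA)); // owner: title is resolved
    var_dump(folder_title_for_owner($id, $personB)); // non-owner: stay in the home directory
}
```

A regression test for this class of bug should repeat step 9 as the second account and assert that the other account's folder title appears nowhere in the response, including in error output shown in dev mode.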

