** Visibility changed to: Public

--
You received this bug notification because you are a member of Mahara Committers, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/772140

Title:
  Information disclosure in my friends pagination script

Status in Mahara ePortfolio:
  In Progress
Status in Mahara 1.3 series:
  Fix Released

Bug description:
  There are three problems with this script:

  1. It takes a block id, but doesn't check that the logged-in user is
     allowed to see the view that the block appears in.

  2. It takes a user id, and doesn't check that the user id matches the
     id of the view owner.

  3. It returns a list of friends with too much information; it should
     only return the html to replace the block content.

  Does not affect Mahara 1.2 (there was no friends block pagination).
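
The three checks named in the bug description, sketched as an added PHP example; this is not Mahara's code and not the released fix. The data arrays, the function name `friends_block_page` and the error strings are hypothetical, and the sample records are constructed.

```php
<?php
// Constructed sample data standing in for the database (hypothetical shape).
const VIEWS   = [10 => ['owner' => 1, 'viewers' => [1, 2]]]; // view 10 is visible to users 1 and 2
const BLOCKS  = [100 => ['view' => 10, 'type' => 'myfriends']];
const FRIENDS = [1 => [
    ['id' => 2, 'name' => 'Bo <b>', 'email' => 'bo@example.org'],
    ['id' => 3, 'name' => 'Cy',     'email' => 'cy@example.org'],
]];

// Pagination handler for a friends block: $viewer is the logged-in user,
// $blockId and $ownerParam are the untrusted request parameters.
function friends_block_page(int $viewer, int $blockId, int $ownerParam,
                            int $offset, int $limit): array
{
    $block = BLOCKS[$blockId] ?? null;
    if ($block === null || $block['type'] !== 'myfriends') {
        return ['error' => 'accessdenied']; // same answer as a denied block: no id probing
    }
    $view = VIEWS[$block['view']];

    // Problem 1: the requester must be allowed to see the view holding the block.
    if (!in_array($viewer, $view['viewers'], true)) {
        return ['error' => 'accessdenied'];
    }
    // Problem 2: the supplied user id must be the owner of that view.
    if ($ownerParam !== $view['owner']) {
        return ['error' => 'accessdenied'];
    }
    // Problem 3: return only the rendered block html, never the raw friend records.
    $offset = max(0, $offset);
    $limit  = max(1, min($limit, 20));
    $items  = '';
    foreach (array_slice(FRIENDS[$view['owner']] ?? [], $offset, $limit) as $friend) {
        $items .= '<li>' . htmlspecialchars($friend['name'], ENT_QUOTES, 'UTF-8') . '</li>';
    }
    return ['error' => false, 'html' => '<ul>' . $items . '</ul>'];
}

// Allowed viewer with matching owner, a viewer outside the view's access list,
// and an allowed viewer asking for a different user's friends.
foreach ([[2, 100, 1], [3, 100, 1], [2, 100, 3]] as [$viewer, $block, $owner]) {
    echo json_encode(friends_block_page($viewer, $block, $owner, 0, 10)), "\n";
}
```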

