[Mahara-contributors] [Bug 1201055] Re: Change lang string for updated comments when moderation is turned on

2013-07-22 Thread Aaron Wells
Hm, the problem here is that artefact::commit updates the mtime when you
go in to update the permissions columns on the comment. And it's that
mtime which gets displayed in the "last edited" thing.

Should be soluble without too much difficulty, though, because the
private/public and moderated/unmoderated flags are in
artefact_comment_comment, rather than in the artefact_table itself.

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contrib members
https://bugs.launchpad.net/bugs/1201055

Title:
  Change lang string for updated comments when moderation is turned on

Status in Mahara ePortfolio:
  Triaged

Bug description:
  The "Updated on ..." phrase next to a comment when it has only been
  made public due to comment moderation is a bit confusing I think. When
  there is an update I expect it to be a textual update like in the
  forums.

  If it is important to have an indication when the comment was made
  public, I think it would be better to state "Date, made public: Date".

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1201055/+subscriptions

___
Mailing list: https://launchpad.net/~mahara-contributors
Post to : mahara-contributors@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mahara-contributors
More help   : https://help.launchpad.net/ListHelp


[Mahara-contributors] [Bug 1201052] Re: Notification to anonymous user when comment was submitted

2013-07-22 Thread Aaron Wells
https://reviews.mahara.org/2367

** Changed in: mahara
Milestone: None => 1.8.0rc1

** Changed in: mahara
   Status: Triaged => In Progress

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contrib members
https://bugs.launchpad.net/bugs/1201052

Title:
  Notification to anonymous user when comment was submitted

Status in Mahara ePortfolio:
  In Progress

Bug description:
  When an anonymous user, i.e. logged-out user, leaves a comment on a
  page, it is not visible when a) comment moderation is turned on or b)
  when the comment is private.

  Thus, the user does not know if his comment was actually submitted
  into the system.

  It would be good to have a message for the user stating that the
  comment was saved and either awaits moderation if moderation is turned
  on or that the owner of the page has been notified.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1201052/+subscriptions



[Mahara-contributors] [Bug 826649] Re: Add group shortnames to manually created groups

2013-07-22 Thread Aaron Wells
I agree, the group shortname could be automatically generated, from the
group name. In fact, "group.name" in the database is 128 characters and
guaranteed to be unique, by a uniqueness constraint. "group.shortname"
is 255 characters (paradoxically, "shortname" is twice the size of
"name"!), so we could easily just copy it across at the time of group
creation. If a group with that shortname already existed (due to CSV
uploads) we could use some kind of simple fix like adding a "2" to the
end of it. Since group.shortname is so much longer than group.name,
there's plenty of space to do that.

It would also make sense to make the group shortname visible, at least
to site/institution admins on the group search page. Perhaps via an
extra column on that page. For that matter, you could even make this
data visible, even configurable, from the group editing page. Just put
it towards the bottom under "advanced".

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contrib members
https://bugs.launchpad.net/bugs/826649

Title:
  Add group shortnames to manually created groups

Status in Mahara ePortfolio:
  Confirmed

Bug description:
  In Mahara 1.5 groups can be created via a CSV file and associated with
  an institution. Often, however, groups can be created manually, but a
  CSV upload of the members may be preferred. Thus, it would be good if
  manually created groups could also have a short name (that is also
  displayed to the admin) so that members can be added via CSV.

  This wishlist item needs a bit more thinking because the CSV feature
  allows institution admins to create groups that are associated with
  their institution (though it doesn't do anything with that information
  yet, I think) but not on a site level. Furthermore, if groups already
  exist, they would need to be assigned a short name. And then who can
  add members as they are not associated with an institution yet?

  Furthermore, the CSV upload is also only beneficial if users don't
  change their user names. An admin must be aware of that or his upload
  may not work most of the time. Thus, user names should be locked.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/826649/+subscriptions



[Mahara-contributors] [Bug 1203965] [NEW] Increase number of characters in collection tabs

2013-07-22 Thread Dirk Meyer
Public bug reported:

The length of characters displayed in a collection's navigation tabs
presently cuts off at 20 characters. This is often not sufficient to
display longer, more descriptive titles of pages.

Master, Ubuntu, Postgres, FF

** Affects: mahara
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contrib members
https://bugs.launchpad.net/bugs/1203965

Title:
  Increase number of characters in collection tabs

Status in Mahara ePortfolio:
  New



[Mahara-contributors] [Bug 1180194] Re: Changing the auth method requires info about remoteuser getting lost

2013-07-22 Thread Aaron Wells
Catching up on my code reviews, I noticed some problems in how the
database API was used in this patch. I've added a newer patch of my own
which corrects the problem: https://reviews.mahara.org/2366

** Changed in: mahara
   Status: Fix Committed => In Progress

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contrib members
https://bugs.launchpad.net/bugs/1180194

Title:
  Changing the auth method requires info about remoteuser getting lost

Status in Mahara ePortfolio:
  In Progress
Status in Mahara 1.5 series:
  Fix Committed
Status in Mahara 1.6 series:
  Fix Committed
Status in Mahara 1.8 series:
  Fix Committed

Bug description:
  When you change the auth method on /admin/users/bulk.php for users who
  have an external auth method, their remote username is deleted even if
  you change it to another external auth method. Thus, you'll need to
  redo the remote username from scratch.

  There should be a help button with info about what happens so admins
  aren't surprised when the remote username is suddenly missing.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1180194/+subscriptions



[Mahara-contributors] [Bug 1191605] Re: blocktype/externalfeed/lib.php throws array_chunk errors

2013-07-22 Thread Aaron Wells
What $data was being passed in, that had count($data) > 0, but
false===is_array($data) ?

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contrib members
https://bugs.launchpad.net/bugs/1191605

Title:
  blocktype/externalfeed/lib.php throws array_chunk errors

Status in Mahara ePortfolio:
  Fix Committed

Bug description:
  Errors thrown:
  [WAR] fc (blocktype/externalfeed/lib.php:79) array_chunk() expects parameter 1 to be array, string given

  [WAR] fc (blocktype/externalfeed/lib.php:83) Invalid argument supplied
  for foreach()

  Need to make sure the $data->content is not empty and is an array as
  that is what is wanted.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1191605/+subscriptions



[Mahara-contributors] [Bug 1203957] Re: reviews.mahara.org login screen lacks CSS styling

2013-07-22 Thread Aaron Wells
It looks like the page is including our custom header and footer HTML
snippets, however. So, it's possible that we may be able to implement a
workaround by putting some CSS code into those.

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contrib members
https://bugs.launchpad.net/bugs/1203957

Title:
  reviews.mahara.org login screen lacks CSS styling

Status in Mahara ePortfolio:
  Confirmed

Bug description:
  Today I upgraded reviews.mahara.org to gerrit 2.6.1, in order to make
  use of the several improvements in gerrit from 2.5 to 2.6.

  However, it turns out there is one very visible, though purely
  cosmetic, regression from 2.5 to 2.6. The OpenID login, which used to
  be a "popup" much like the Mahara block editing popup, is now on its
  own page. And that page lacks proper CSS styling, so the background is
  plain white, the text is the browser default color and font, etc, and
  it otherwise looks broken.

  I've filed a bug with the gerrit developers:
  https://code.google.com/p/gerrit/issues/detail?id=2027

  But I lack the Java expertise to try to fix the problem on my own
  right now.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1203957/+subscriptions



[Mahara-contributors] [Bug 1203957] [NEW] reviews.mahara.org login screen lacks CSS styling

2013-07-22 Thread Aaron Wells
Public bug reported:

Today I upgraded reviews.mahara.org to gerrit 2.6.1, in order to make
use of the several improvements in gerrit from 2.5 to 2.6.

However, it turns out there is one very visible, though purely cosmetic,
regression from 2.5 to 2.6. The OpenID login, which used to be a "popup"
much like the Mahara block editing popup, is now on its own page. And
that page lacks proper CSS styling, so the background is plain white,
the text is the browser default color and font, etc, and it otherwise
looks broken.

I've filed a bug with the gerrit developers:
https://code.google.com/p/gerrit/issues/detail?id=2027

But I lack the Java expertise to try to fix the problem on my own right
now.

** Affects: mahara
 Importance: Medium
 Status: Confirmed


** Tags: gerrit



[Mahara-contributors] [Bug 1203948] [NEW] some users unable to login and they have to click on forgot password for many times if they want to login because the password that they input never let them

2013-07-22 Thread lia yuliana
Public bug reported:

Some users are unable to log in, and they have to click on forgot password
many times if they want to log in, because the password that they input
never lets them log in even when they enter it correctly.

Please help me: what should I do to fix it?

Thanks

** Affects: mahara
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contrib members
https://bugs.launchpad.net/bugs/1203948

Title:
  some users unable to login and they have to click on forgot password
  for many times if they want to login because the password that they
  input never let them login even they make it correctly

Status in Mahara ePortfolio:
  New



[Mahara-contributors] [Bug 1171310] Re: Can bypass comment moderation by editing a comment

2013-07-22 Thread Aaron Wells
** Changed in: mahara/1.5
   Status: In Progress => Fix Committed

** Changed in: mahara/1.6
   Status: In Progress => Fix Committed

** Changed in: mahara/1.7
   Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contrib members
https://bugs.launchpad.net/bugs/1171310

Title:
  Can bypass comment moderation by editing a comment

Status in Mahara ePortfolio:
  Fix Committed
Status in Mahara 1.5 series:
  Fix Committed
Status in Mahara 1.6 series:
  Fix Committed
Status in Mahara 1.7 series:
  Fix Committed

Bug description:
  A user can make their comments on a page public, even if the page is
  set to require comment moderation, if they create the comment as a
  private comment and then change its status to public while editing it.

  To replicate:

  1. Create a Page for User 1
  2. Make the page accessible to the public, and activate comments & comment
     moderation for the page (this is all under the Sharing tab)
  3. Log in as User 2
  4. Place a comment on the Page, making sure to untick the "Make public" box
     so that the comment is private.
  5. Click the "edit" icon next to the newly created comment.
  6. On the edit page, tick the "Make public" box, and click Save.

  Expected result: The comment's status should be "This comment is
  private | You have requested that this comment be made public"; and it
  shouldn't become public until approved by User 1

  Actual result: The comment becomes public immediately after you click
  Save on the Edit page.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1171310/+subscriptions
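
The private-to-public transition from the bug description above, shown as an added example that is not Mahara's code: an edit handler that trusts the "Make public" checkbox beside one that decides the transition server-side. "approvecomments" is the page setting named in the fix; every other function and field name is hypothetical, and group pages are not modelled.

```php
<?php
// Added illustration, not Mahara code. "approvecomments" is the page setting
// named in the fix; every other function and field name is hypothetical.

// Vulnerable shape: the edit handler copies the "Make public" checkbox
// straight into the stored state, so moderation only applies on creation.
function save_comment_edit_vulnerable(array $comment, bool $makePublic): array
{
    $comment['private'] = !$makePublic;
    return $comment;
}

// Hardened shape: the server decides whether private -> public needs approval.
// Assumes a page owned by one user; group pages are not modelled here.
function save_comment_edit(array $comment, array $view, int $editorId, bool $makePublic): array
{
    $notifyOwner = false;

    if (!$makePublic) {
        // Making a comment private never needs approval.
        $comment['private']       = true;
        $comment['requestpublic'] = false;
    } elseif ($comment['private']) {
        $moderated = $view['approvecomments'] && $editorId !== $view['owner'];
        if (!$moderated) {
            $comment['private']       = false;
            $comment['requestpublic'] = false;
        } elseif (!$comment['requestpublic']) {
            // Record the request and tell the owner once; the comment stays private.
            $comment['requestpublic'] = true;
            $notifyOwner              = true;
        }
    }
    // A comment that is already public stays public (assumed policy).

    return ['comment' => $comment, 'notify_owner' => $notifyOwner];
}

function comment_state(array $comment): string
{
    if (!$comment['private']) {
        return 'public';
    }
    return $comment['requestpublic'] ? 'private, public requested' : 'private';
}

// Constructed data following the replication steps: User 1 owns the page,
// User 2 leaves a private comment and then edits it with "Make public" ticked.
$view    = ['owner' => 1, 'approvecomments' => true];
$comment = ['author' => 2, 'private' => true, 'requestpublic' => false];

echo 'vulnerable edit: ', comment_state(save_comment_edit_vulnerable($comment, true)), "\n";

$first = save_comment_edit($comment, $view, 2, true);
echo 'hardened edit:   ', comment_state($first['comment']),
     ', notify owner: ', var_export($first['notify_owner'], true), "\n";

// Saving the edit form again does not publish the comment or re-notify.
$second = save_comment_edit($first['comment'], $view, 2, true);
echo 'second edit:     ', comment_state($second['comment']),
     ', notify owner: ', var_export($second['notify_owner'], true), "\n";

// The page owner editing a private comment of their own is not moderated.
$own = save_comment_edit(['author' => 1, 'private' => true, 'requestpublic' => false], $view, 1, true);
echo 'owner edit:      ', comment_state($own['comment']), "\n";
```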



[Mahara-contributors] [Bug 1171310] A change has been merged

2013-07-22 Thread Mahara Bot
Reviewed:  https://reviews.mahara.org/2364
Committed: http://gitorious.org/mahara/mahara/commit/1b5babb00de1091568265797128b19aaf1a7c578
Submitter: Aaron Wells (aar...@catalyst.net.nz)
Branch:    1.6_STABLE

commit 1b5babb00de1091568265797128b19aaf1a7c578
Author: Robert Lyon 
Date:   Mon Apr 29 09:47:27 2013 +1200

Fix for bypassing moderation when making comment public (Bug #1171310)

To get a private -> public comment moderated the system needs to check:
* if the view has approvecomments set to 1
* if the submitter has checked the make public checkbox
* if the submitter is not the owner of the view
* if the view is a group view
* if the approvecomments are set per view

And update the comment table accordingly and now sends off notify
message if needed.

Removed some unneeded variable declarations

Change-Id: I74d44f5dab6442c2cae11df1dc588bd753471f8e
Signed-off-by: robertl 



[Mahara-contributors] [Bug 1171310] A change has been merged

2013-07-22 Thread Mahara Bot
Reviewed:  https://reviews.mahara.org/2365
Committed: http://gitorious.org/mahara/mahara/commit/2ed992d331c733ab0bc96fdce1931fe6c5f30e1c
Submitter: Aaron Wells (aar...@catalyst.net.nz)
Branch:    1.5_STABLE

commit 2ed992d331c733ab0bc96fdce1931fe6c5f30e1c
Author: Robert Lyon 
Date:   Mon Apr 29 09:47:27 2013 +1200

Fix for bypassing moderation when making comment public (Bug #1171310)

To get a private -> public comment moderated the system needs to check:
* if the view has approvecomments set to 1
* if the submitter has checked the make public checkbox
* if the submitter is not the owner of the view
* if the view is a group view
* if the approvecomments are set per view

And update the comment table accordingly and now sends off notify
message if needed.

Removed some unneeded variable declarations

Change-Id: I80dd51af5385fdd5daa2d6ae98bfad3e9dbbf255
Signed-off-by: robertl 



[Mahara-contributors] [Bug 1171310] A change has been merged

2013-07-22 Thread Mahara Bot
Reviewed:  https://reviews.mahara.org/2363
Committed: http://gitorious.org/mahara/mahara/commit/e1c7c71abfb3ffba032b182f5edf3adbf45f52d6
Submitter: Aaron Wells (aar...@catalyst.net.nz)
Branch:    1.7_STABLE

commit e1c7c71abfb3ffba032b182f5edf3adbf45f52d6
Author: Robert Lyon 
Date:   Mon Apr 29 09:47:27 2013 +1200

Fix for bypassing moderation when making comment public (Bug #1171310)

To get a private -> public comment moderated the system needs to check:
* if the view has approvecomments set to 1
* if the submitter has checked the make public checkbox
* if the submitter is not the owner of the view
* if the view is a group view
* if the approvecomments are set per view

And update the comment table accordingly and now sends off notify
message if needed.

Removed some unneeded variable declarations

Change-Id: Ic09fa551a37e8b26dcad3baa3790511e5354e090
Signed-off-by: robertl 



[Mahara-contributors] [Bug 1171310] Re: Can bypass comment moderation by editing a comment

2013-07-22 Thread Aaron Wells
Cherry-picked to current stable releases:

1.5: https://reviews.mahara.org/2365
1.6: https://reviews.mahara.org/2364
1.7: https://reviews.mahara.org/2363



[Mahara-contributors] [Bug 1171310] Re: Can bypass comment moderation by editing a comment

2013-07-22 Thread Aaron Wells
** Changed in: mahara
   Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contrib members
https://bugs.launchpad.net/bugs/1171310

Title:
  Can bypass comment moderation by editing a comment

Status in Mahara ePortfolio:
  Fix Committed
Status in Mahara 1.5 series:
  In Progress
Status in Mahara 1.6 series:
  In Progress
Status in Mahara 1.7 series:
  In Progress



[Mahara-contributors] [Bug 1203924] Re: Bruteforce user enumeration vuln in password reset screen

2013-07-22 Thread Aaron Wells
As for solutions, here are a few possible ones:

A. Add a limit to the number of password reset attempts (or at least
unsuccessful password reset attempts) that can come from a particular IP
address every 5 minutes. (Much like the limit on login attempts per 5
minutes)

B. Add a Captcha mechanism to the password reset page. This can't be the
only solution, however, because it's not acceptable for some
institutions' accessibility standards.

C. Provide exactly the same message to the user on a successful or
unsuccessful password reset attempt. Something like "If you entered your
username or password correctly, we will send you a password reset
email." I don't like this approach because it's not very user friendly,
however.

I'm in favor of option A. I'm willing to accept patches for options B
and C, but they'd have to be optional, able to be disabled by a config
setting.

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contrib members
https://bugs.launchpad.net/bugs/1203924

Title:
  Bruteforce user enumeration vuln in password reset screen

Status in Mahara ePortfolio:
  Triaged

Bug description:
  A user enumeration vulnerability means that an attacker can get a list
  of legal usernames and/or email addresses from the site. A
  "bruteforce" user enumeration vulnerability means that if they have a
  list of potential usernames and/or email addresses, they can verify
  whether or not each of them is registered with an account in the site.

  The Mahara password reset page is vulnerable to this. You can simply
  go in to https://mahara.org/forgotpass.php and enter username or email
  after username or email, and get a friendly response indicating
  whether each one is registered with a user in the site or not.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1203924/+subscriptions
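
Options A and C from the message above, combined in one added example that is not Mahara's code: a per-IP limit on reset attempts over a 5-minute window, plus an identical reply for known and unknown identifiers behind a switch. The class, function names, the limit of 5 attempts, the message texts and the sample users are all assumptions.

```php
<?php
// Added illustration, not Mahara code: every name, threshold and message below is hypothetical.

const RESET_WINDOW_SECONDS = 300; // the 5-minute window from option A
const RESET_MAX_ATTEMPTS   = 5;   // assumed limit per IP per window

// Option A: sliding-window counter of reset attempts per client IP.
// Kept in memory here; a real site would persist it in a shared store.
final class ResetThrottle
{
    /** @var array<string, int[]> client IP => timestamps of recent attempts */
    private array $attempts = [];

    public function allow(string $ip, int $now): bool
    {
        // Drop attempts that have aged out of the window.
        $recent = array_values(array_filter(
            $this->attempts[$ip] ?? [],
            fn (int $t): bool => $t > $now - RESET_WINDOW_SECONDS
        ));
        $allowed = count($recent) < RESET_MAX_ATTEMPTS;
        if ($allowed) {
            // Count every attempt, successful or not, so the limiter itself
            // does not reveal which identifiers exist.
            $recent[] = $now;
        }
        $this->attempts[$ip] = $recent;
        return $allowed;
    }
}

/**
 * Handle one password reset request.
 *
 * @param array $users        constructed rows: ['username' => ..., 'email' => ...]
 * @param bool  $uniformReply option C switch (would come from a config setting)
 * @return array status and message go to the browser; mail_to stays server-side
 */
function handle_reset_request(
    ResetThrottle $throttle,
    array $users,
    string $ip,
    string $identifier,
    int $now,
    bool $uniformReply
): array {
    if (!$throttle->allow($ip, $now)) {
        return [
            'status'  => 429,
            'message' => 'Too many password reset requests. Please try again later.',
            'mail_to' => null,
        ];
    }

    $needle = strtolower(trim($identifier));
    $mailTo = null;
    foreach ($users as $user) {
        if ($needle === strtolower($user['username']) || $needle === strtolower($user['email'])) {
            $mailTo = $user['email'];
            break;
        }
    }

    if ($uniformReply) {
        // Option C: identical response whether or not the account exists.
        $message = 'If that username or email address is registered, a password reset email has been sent.';
    } else {
        // Distinguishable replies: throttling only bounds how fast a list can be checked.
        $message = $mailTo !== null
            ? 'A password reset email has been sent.'
            : 'No account matches that username or email address.';
    }
    return ['status' => 200, 'message' => $message, 'mail_to' => $mailTo];
}

// Constructed sample data and request sequence.
$users = [
    ['username' => 'alice', 'email' => 'alice@example.org'],
    ['username' => 'bob',   'email' => 'bob@example.org'],
];
$throttle   = new ResetThrottle();
$candidates = ['alice', 'carol', 'bob@example.org', 'dave', 'erin', 'frank', 'grace'];
$start      = 1374451200; // constructed timestamp

foreach ($candidates as $i => $candidate) {
    $reply = handle_reset_request($throttle, $users, '203.0.113.7', $candidate, $start + 10 * $i, true);
    printf("%-16s -> %d %s\n", $candidate, $reply['status'], $reply['message']);
}

// Once the window has passed, the same client is served again.
$later = handle_reset_request($throttle, $users, '203.0.113.7', 'alice', $start + 400, true);
printf("%-16s -> %d (after the window)\n", 'alice', $later['status']);
```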

___
Mailing list: https://launchpad.net/~mahara-contributors
Post to : mahara-contributors@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mahara-contributors
More help   : https://help.launchpad.net/ListHelp
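
Added example (not part of the thread and not Mahara code): a Python sketch of option A from the message above, with option C as a switch that is off by default. The limit of 5 failures, the class name and the message strings are assumptions; Mahara itself is PHP and would keep these counters in shared storage rather than process memory.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 5 * 60  # "every 5 minutes", as in option A
MAX_FAILURES = 5         # assumed value; the thread does not name a number
GENERIC_MSG = "If that account exists, we will send a password reset email."


class ResetLimiter:
    """Per-IP sliding-window limit on unsuccessful password reset attempts."""

    def __init__(self, known_accounts, uniform_message=False, clock=time.monotonic):
        self.known = {a.lower() for a in known_accounts}  # constructed account list
        self.uniform = uniform_message  # option C, off unless configured
        self.clock = clock
        self.failures = defaultdict(deque)  # ip -> times of failed attempts

    def _recent_failures(self, ip):
        """Drop failures older than the window and return how many remain."""
        q = self.failures.get(ip)
        if q is None:
            return 0
        cutoff = self.clock() - WINDOW_SECONDS
        while q and q[0] <= cutoff:
            q.popleft()
        if not q:
            del self.failures[ip]  # do not keep state for idle addresses
        return len(q)

    def request_reset(self, ip, identifier):
        """Return (status, message shown to the client) for one form submission."""
        if self._recent_failures(ip) >= MAX_FAILURES:
            # Checked before the lookup, so a blocked client learns nothing more.
            return "blocked", "Too many attempts. Please try again later."
        found = identifier.strip().lower() in self.known
        if not found:
            self.failures[ip].append(self.clock())
        # A real handler would queue the reset email here when found is true.
        if self.uniform:
            return "ok", GENERIC_MSG  # same reply whether or not the account exists
        if found:
            return "ok", "A password reset email has been sent."
        return "unknown", "No account matches that username or email."
```

Only unsuccessful attempts count toward the limit, so a user who types a valid identifier is never slowed down, while a client cycling through a candidate list is cut off after five misses in any five-minute span.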


[Mahara-contributors] [Bug 1203924] Re: Bruteforce user enumeration vuln in password reset screen

2013-07-22 Thread Aaron Wells
I'm considering this one a relatively low priority because:

1. It's bruteforce user enumeration, which means you already have to have some 
idea of which ones are present.
2. There's already a much more direct user enumeration attack available in 
Mahara: https://bugs.launchpad.net/mahara/+bug/1158625
3. Because Mahara is a social network, usernames are not particularly secret to 
begin with.



[Mahara-contributors] [Bug 1203924] [NEW] Bruteforce user enumeration vuln in password reset screen

2013-07-22 Thread Aaron Wells
*** This bug is a security vulnerability ***

Public security bug reported:

A user enumeration vulnerability means that an attacker can get a list
of legal usernames and/or email addresses from the site. A "bruteforce"
user enumeration vulnerability means that if they have a list of
potential usernames and/or email addresses, they can verify whether or
not each of them is registered with an account in the site.

The Mahara password reset page is vulnerable to this. You can simply go
in to https://mahara.org/forgotpass.php and enter username or email
after username or email, and get a friendly response indicating whether
each one is registered with a user in the site or not.

** Affects: mahara
 Importance: Medium
 Status: Triaged


** Tags: privacy security



[Mahara-contributors] [Bug 1158625] Re: Make profile information not available for public when not shared

2013-07-22 Thread Aaron Wells
In order to avoid a username enumeration vulnerability on this, we
should make sure that the message you see when trying to access a
profile page you don't have access to, is the same as the message you
see when trying to access a profile page that doesn't exist. This is
especially true when clean urls are in place.

https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_%28OWASP-AT-002%29

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contrib members
https://bugs.launchpad.net/bugs/1158625

Title:
  Make profile information not available for public when not shared

Status in Mahara ePortfolio:
  In Progress
Status in Mahara 1.5 series:
  In Progress
Status in Mahara 1.6 series:
  In Progress
Status in Mahara 1.7 series:
  New

Bug description:
  From at least Mahara 1.6 on, very basic information about a user
  (profile picture, name, institution) is made public when public pages
  are allowed. This information is displayed even when the user hasn't
  shared their portfolio with the public. This came about when changes
  were made to the logged-in user profile access.

  In the past (at least up to 1.4), you only saw the login screen when
  you tried to access a profile of a user but were not logged in. This
  should be the case again.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1158625/+subscriptions



[Mahara-contributors] [Bug 1203801] [NEW] Submitting pages from a group

2013-07-22 Thread Marylena Sevigney
Public bug reported:

Hi Again,
I have one more request for groups. It would be great if one could submit a 
page or collection from one group to another group. For example, I am setting 
up groups for departments. And these groups will act as a central repository 
from which faculty can create pages and collections for various uses within the 
department. I would like to allow faculty to create a collection for 
Self-Assessment that they could then submit to the Deans in the Department 
Review group. That way, the Deans could have access to all of the department 
collections without having to be a member of the departmental group. I know 
departments could submit a secret url for review, but there would be no "hold" 
on the collection to prevent it from being changed during the review period.
Any suggestions?
Thank you!
Marylena

** Affects: mahara
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contrib members
https://bugs.launchpad.net/bugs/1203801

Title:
  Submitting pages from a group

Status in Mahara ePortfolio:
  New
