[Mahara-contributors] [Bug 1158625] Re: Make profile information not avaialble for public when not shared
** Changed in: mahara Status: Fix Committed = Fix Released -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1158625 Title: Make profile information not avaialble for public when not shared Status in Mahara ePortfolio: Fix Released Status in Mahara 1.5 series: Fix Released Status in Mahara 1.6 series: Fix Released Status in Mahara 1.7 series: Fix Released Bug description: From at least Mahara 1.6 on, very basic information about a user (profile picture, name, institution) is made public when public pages are allowed. This information is displayed even when the user hasn't shared their portfolio with the public. This came about when changes were made to the logged-in user profile access. In the past (at least up to 1.4), you only saw the login screen when you tried to access a profile of a user but were not logged in. This should be the case again. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1158625/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1158625] Re: Make profile information not avaialble for public when not shared
** Changed in: mahara/1.5 Status: In Progress = Fix Committed ** Changed in: mahara/1.6 Status: In Progress = Fix Committed ** Changed in: mahara/1.7 Status: In Progress = Fix Committed -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1158625 Title: Make profile information not avaialble for public when not shared Status in Mahara ePortfolio: Fix Committed Status in Mahara 1.5 series: Fix Committed Status in Mahara 1.6 series: Fix Committed Status in Mahara 1.7 series: Fix Committed Bug description: From at least Mahara 1.6 on, very basic information about a user (profile picture, name, institution) is made public when public pages are allowed. This information is displayed even when the user hasn't shared their portfolio with the public. This came about when changes were made to the logged-in user profile access. In the past (at least up to 1.4), you only saw the login screen when you tried to access a profile of a user but were not logged in. This should be the case again. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1158625/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1158625] Re: Make profile information not avaialble for public when not shared
** Changed in: mahara/1.5 Status: Fix Committed = Fix Released ** Changed in: mahara/1.6 Status: Fix Committed = Fix Released -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1158625 Title: Make profile information not avaialble for public when not shared Status in Mahara ePortfolio: Fix Committed Status in Mahara 1.5 series: Fix Released Status in Mahara 1.6 series: Fix Released Status in Mahara 1.7 series: Fix Committed Bug description: From at least Mahara 1.6 on, very basic information about a user (profile picture, name, institution) is made public when public pages are allowed. This information is displayed even when the user hasn't shared their portfolio with the public. This came about when changes were made to the logged-in user profile access. In the past (at least up to 1.4), you only saw the login screen when you tried to access a profile of a user but were not logged in. This should be the case again. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1158625/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1158625] Re: Make profile information not avaialble for public when not shared
** Changed in: mahara/1.7 Status: Fix Committed = Fix Released -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1158625 Title: Make profile information not avaialble for public when not shared Status in Mahara ePortfolio: Fix Committed Status in Mahara 1.5 series: Fix Released Status in Mahara 1.6 series: Fix Released Status in Mahara 1.7 series: Fix Released Bug description: From at least Mahara 1.6 on, very basic information about a user (profile picture, name, institution) is made public when public pages are allowed. This information is displayed even when the user hasn't shared their portfolio with the public. This came about when changes were made to the logged-in user profile access. In the past (at least up to 1.4), you only saw the login screen when you tried to access a profile of a user but were not logged in. This should be the case again. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1158625/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1158625] Re: Make profile information not avaialble for public when not shared
** Changed in: mahara Milestone: 1.8rc1 = 1.8.0 -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1158625 Title: Make profile information not avaialble for public when not shared Status in Mahara ePortfolio: Fix Committed Status in Mahara 1.5 series: In Progress Status in Mahara 1.6 series: In Progress Status in Mahara 1.7 series: In Progress Bug description: From at least Mahara 1.6 on, very basic information about a user (profile picture, name, institution) is made public when public pages are allowed. This information is displayed even when the user hasn't shared their portfolio with the public. This came about when changes were made to the logged-in user profile access. In the past (at least up to 1.4), you only saw the login screen when you tried to access a profile of a user but were not logged in. This should be the case again. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1158625/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1158625] Re: Make profile information not avaialble for public when not shared
Used git bisect to trace this to https://bugs.launchpad.net/mahara/+bug/807275 Restricted view for user profile. Gerrit patch https://reviews.mahara.org/#/c/448/ Although, I think the intent of that feature was that *logged-in* users should still seem some basic information about the user. I still think it's a good idea if *logged-out* users can't see anything. -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contrib members https://bugs.launchpad.net/bugs/1158625 Title: Make profile information not avaialble for public when not shared Status in Mahara ePortfolio: In Progress Status in Mahara 1.5 series: In Progress Status in Mahara 1.6 series: In Progress Status in Mahara 1.7 series: In Progress Bug description: From at least Mahara 1.6 on, very basic information about a user (profile picture, name, institution) is made public when public pages are allowed. This information is displayed even when the user hasn't shared their portfolio with the public. This came about when changes were made to the logged-in user profile access. In the past (at least up to 1.4), you only saw the login screen when you tried to access a profile of a user but were not logged in. This should be the case again. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1158625/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1158625] Re: Make profile information not avaialble for public when not shared
https://reviews.mahara.org/2418 -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contrib members https://bugs.launchpad.net/bugs/1158625 Title: Make profile information not avaialble for public when not shared Status in Mahara ePortfolio: In Progress Status in Mahara 1.5 series: In Progress Status in Mahara 1.6 series: In Progress Status in Mahara 1.7 series: In Progress Bug description: From at least Mahara 1.6 on, very basic information about a user (profile picture, name, institution) is made public when public pages are allowed. This information is displayed even when the user hasn't shared their portfolio with the public. This came about when changes were made to the logged-in user profile access. In the past (at least up to 1.4), you only saw the login screen when you tried to access a profile of a user but were not logged in. This should be the case again. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1158625/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1158625] Re: Make profile information not avaialble for public when not shared
** Changed in: mahara Status: In Progress = Fix Committed -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contrib members https://bugs.launchpad.net/bugs/1158625 Title: Make profile information not avaialble for public when not shared Status in Mahara ePortfolio: Fix Committed Status in Mahara 1.5 series: In Progress Status in Mahara 1.6 series: In Progress Status in Mahara 1.7 series: In Progress Bug description: From at least Mahara 1.6 on, very basic information about a user (profile picture, name, institution) is made public when public pages are allowed. This information is displayed even when the user hasn't shared their portfolio with the public. This came about when changes were made to the logged-in user profile access. In the past (at least up to 1.4), you only saw the login screen when you tried to access a profile of a user but were not logged in. This should be the case again. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1158625/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1158625] Re: Make profile information not avaialble for public when not shared
** Changed in: mahara/1.7 Assignee: (unassigned) = Aaron Wells (u-aaronw) -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contrib members https://bugs.launchpad.net/bugs/1158625 Title: Make profile information not avaialble for public when not shared Status in Mahara ePortfolio: In Progress Status in Mahara 1.5 series: In Progress Status in Mahara 1.6 series: In Progress Status in Mahara 1.7 series: In Progress Bug description: From at least Mahara 1.6 on, very basic information about a user (profile picture, name, institution) is made public when public pages are allowed. This information is displayed even when the user hasn't shared their portfolio with the public. This came about when changes were made to the logged-in user profile access. In the past (at least up to 1.4), you only saw the login screen when you tried to access a profile of a user but were not logged in. This should be the case again. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1158625/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1158625] Re: Make profile information not avaialble for public when not shared
** Tags added: bite-sized -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contrib members https://bugs.launchpad.net/bugs/1158625 Title: Make profile information not avaialble for public when not shared Status in Mahara ePortfolio: In Progress Status in Mahara 1.5 series: In Progress Status in Mahara 1.6 series: In Progress Status in Mahara 1.7 series: In Progress Bug description: From at least Mahara 1.6 on, very basic information about a user (profile picture, name, institution) is made public when public pages are allowed. This information is displayed even when the user hasn't shared their portfolio with the public. This came about when changes were made to the logged-in user profile access. In the past (at least up to 1.4), you only saw the login screen when you tried to access a profile of a user but were not logged in. This should be the case again. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1158625/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1158625] Re: Make profile information not avaialble for public when not shared
** Changed in: mahara/1.7 Status: New = In Progress ** Changed in: mahara/1.7 Importance: Critical = High -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contrib members https://bugs.launchpad.net/bugs/1158625 Title: Make profile information not avaialble for public when not shared Status in Mahara ePortfolio: In Progress Status in Mahara 1.5 series: In Progress Status in Mahara 1.6 series: In Progress Status in Mahara 1.7 series: In Progress Bug description: From at least Mahara 1.6 on, very basic information about a user (profile picture, name, institution) is made public when public pages are allowed. This information is displayed even when the user hasn't shared their portfolio with the public. This came about when changes were made to the logged-in user profile access. In the past (at least up to 1.4), you only saw the login screen when you tried to access a profile of a user but were not logged in. This should be the case again. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1158625/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1158625] Re: Make profile information not avaialble for public when not shared
** Changed in: mahara/1.5 Milestone: None = 1.5.12 ** Changed in: mahara/1.6 Milestone: None = 1.6.7 ** Changed in: mahara/1.7 Milestone: None = 1.7.3 -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contrib members https://bugs.launchpad.net/bugs/1158625 Title: Make profile information not avaialble for public when not shared Status in Mahara ePortfolio: In Progress Status in Mahara 1.5 series: In Progress Status in Mahara 1.6 series: In Progress Status in Mahara 1.7 series: In Progress Bug description: From at least Mahara 1.6 on, very basic information about a user (profile picture, name, institution) is made public when public pages are allowed. This information is displayed even when the user hasn't shared their portfolio with the public. This came about when changes were made to the logged-in user profile access. In the past (at least up to 1.4), you only saw the login screen when you tried to access a profile of a user but were not logged in. This should be the case again. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1158625/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1158625] Re: Make profile information not avaialble for public when not shared
In order to avoid a username enumeration vulnerability on this, we should make sure that the message you see when trying to access a profile page you don't have access to, is the same as the message you see when trying to access a profile page that doesn't exist. This is especially true when clean urls are in place. https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_ %28OWASP-AT-002%29 -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contrib members https://bugs.launchpad.net/bugs/1158625 Title: Make profile information not avaialble for public when not shared Status in Mahara ePortfolio: In Progress Status in Mahara 1.5 series: In Progress Status in Mahara 1.6 series: In Progress Status in Mahara 1.7 series: New Bug description: From at least Mahara 1.6 on, very basic information about a user (profile picture, name, institution) is made public when public pages are allowed. This information is displayed even when the user hasn't shared their portfolio with the public. This came about when changes were made to the logged-in user profile access. In the past (at least up to 1.4), you only saw the login screen when you tried to access a profile of a user but were not logged in. This should be the case again. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1158625/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1158625] Re: Make profile information not avaialble for public when not shared
** Tags added: security ** Changed in: mahara Milestone: 1.7.0 = 1.8.0 ** Changed in: mahara/1.7 Importance: Undecided = Critical -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contrib members https://bugs.launchpad.net/bugs/1158625 Title: Make profile information not avaialble for public when not shared Status in Mahara ePortfolio: In Progress Status in Mahara 1.5 series: In Progress Status in Mahara 1.6 series: In Progress Status in Mahara 1.7 series: New Bug description: From at least Mahara 1.6 on, very basic information about a user (profile picture, name, institution) is made public when public pages are allowed. This information is displayed even when the user hasn't shared their portfolio with the public. This came about when changes were made to the logged-in user profile access. In the past (at least up to 1.4), you only saw the login screen when you tried to access a profile of a user but were not logged in. This should be the case again. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1158625/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1158625] Re: Make profile information not avaialble for public when not shared
** Changed in: mahara/1.5 Milestone: 1.6.4 = None ** Changed in: mahara/1.6 Milestone: 1.5.9 = None -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contrib members https://bugs.launchpad.net/bugs/1158625 Title: Make profile information not avaialble for public when not shared Status in Mahara ePortfolio: In Progress Status in Mahara 1.5 series: In Progress Status in Mahara 1.6 series: In Progress Status in Mahara 1.7 series: New Bug description: From at least Mahara 1.6 on, very basic information about a user (profile picture, name, institution) is made public when public pages are allowed. This information is displayed even when the user hasn't shared their portfolio with the public. This came about when changes were made to the logged-in user profile access. In the past (at least up to 1.4), you only saw the login screen when you tried to access a profile of a user but were not logged in. This should be the case again. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1158625/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
