[Mahara-contributors] [Bug 772140] Re: Information disclosure in my friends pagination script

2011-06-13 Thread François Marier
** Changed in: mahara
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/772140

Title:
  Information disclosure in my friends pagination script

Status in Mahara ePortfolio:
  Fix Released
Status in Mahara 1.3 series:
  Fix Released

Bug description:
  There are three problems with this script:
  1. It takes a block id, but doesn't check that the logged-in user is allowed to see the view that the block appears in.
  2. It takes a user id, and doesn't check that the user id matches the id of the view owner.
  3. It returns a list of friends with too much information; it should only return the html to replace the block content.

  Does not affect Mahara 1.2 (there was no friends block pagination).

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/772140/+subscriptions

___
Mailing list: https://launchpad.net/~mahara-contributors
Post to : mahara-contributors@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mahara-contributors
More help   : https://help.launchpad.net/ListHelp
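
The three checks named in the bug description, as an added example that is not Mahara's code: a Python model of a friends-pagination handler that authorizes the block's view, ties the supplied user id to the view owner, and returns only an HTML fragment. The data model and every name (`friends_page`, `can_view`, `VIEWS`, `BLOCKS`, `FRIENDS`, `AccessDenied`) are hypothetical, and the sample data is constructed.

```python
import html
from dataclasses import dataclass

@dataclass
class View:
    owner: int
    viewers: set  # user ids granted access; the owner can always view

# Constructed sample data; hypothetical model, not Mahara's schema.
VIEWS = {10: View(owner=1, viewers={2})}
BLOCKS = {100: 10}  # block id -> id of the view the block appears in
FRIENDS = {1: [(2, "Bob", "bob@example.org"), (3, "Eve <x>", "eve@example.org")]}
PAGE_SIZE = 1

class AccessDenied(Exception):
    pass

def can_view(user_id, view):
    return user_id == view.owner or user_id in view.viewers

def friends_page(session_user, block_id, owner_id, offset=0):
    """Return only the HTML fragment that replaces the block content.

    session_user comes from the authenticated session; block_id, owner_id
    and offset are request parameters and are treated as untrusted.
    """
    view = VIEWS.get(BLOCKS.get(block_id))
    # Problem 1: the block must belong to a view the logged-in user may see.
    # Unknown and forbidden blocks fail identically, so ids cannot be probed.
    if view is None or not can_view(session_user, view):
        raise AccessDenied()
    # Problem 2: the supplied user id must be the owner of that view.
    if owner_id != view.owner:
        raise AccessDenied()
    # Problem 3: render display names only, escaped; the friend records
    # (ids, e-mail addresses) never leave the server.
    offset = max(0, offset)
    page = FRIENDS.get(view.owner, [])[offset:offset + PAGE_SIZE]
    items = "".join(f"<li>{html.escape(name)}</li>" for _, name, _ in page)
    return f'<ul class="friends">{items}</ul>'
```
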


[Mahara-contributors] [Bug 772140] Re: Information disclosure in my friends pagination script

2011-05-09 Thread Richard Mansfield
** Changed in: mahara
   Status: In Progress => Fix Committed

Title:
  Information disclosure in my friends pagination script

Status in Mahara ePortfolio:
  Fix Committed
Status in Mahara 1.3 series:
  Fix Released