Group member can't access their own group file
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Mahara |
Fix Released
|
High
|
Robert Lyon | ||
| 1.10 |
Fix Released
|
High
|
Unassigned | ||
| 1.8 |
Fix Released
|
High
|
Unassigned | ||
| 1.9 |
Fix Released
|
High
|
Unassigned | ||
| 15.04 |
Fix Released
|
High
|
Robert Lyon | ||
Bug Description
I have a group, 'Group1' that has some members
I log in as Member A, upload an image file to a group files and makes sure the role perms are all ticked for the file.
I then log out and log in as Member B and I can un-tick the member and tutor options for that file.
On saving I can't see the file, which is correct.
I then log out and in as Member A again. I can see the file listed in group files list but without the image icon and when I click on the filename I get Access denied message.
It will also stop me from being able to download the file when using a 'Files to download' block
Conversely, the image will display in a image gallery block even for other members, who are not allowed to view image file.
As Member A I can edit the file and re-tick the member role boxes to get proper access back - but is a bit of a pain if I have many files and another member has removed member role permissions.
CVE References
| Changed in mahara: | |
| status: | Confirmed → In Progress |
| assignee: | nobody → Robert Lyon (robertl-9) |
| Changed in mahara: | |
| milestone: | 1.9.0 → 1.10.0 |
| Robert Lyon (robertl-9) wrote | #1 |
| Changed in mahara: | |
| milestone: | 1.10.0 → 1.10.1 |
| information type: | Private Security → Public Security |
| Changed in mahara: | |
| status: | Fix Committed → Fix Released |
Have abandoned previous draft patch as I feel this patch is better
https:/