Non-admin role users can edit group settings
Bug #1609200 reported by Ghada El-Zoghbi
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Fix Released | High | Ghada El-Zoghbi |
15.04 | Fix Released | High | Unassigned |
15.10 | Fix Released | High | Unassigned |
16.04 | Fix Released | High | Unassigned |
16.10 | Fix Released | High | Ghada El-Zoghbi |
Bug Description
Only the admin of a group should be able to change the group's settings (via group/edit.php). But any member of a group can view and edit the settings if they go to the URL directly:
* http://
There is no check to make sure the user has the admin role.
To replicate:
1. Create a group as User 1. Note the group's id
2. Add User 2 to the group as a "member" (not an "admin")
3. Log in as User 2
4. Type in e.g. http://
Expected result: You get an error message saying "You can't edit this group"
Actual result: You see the group config page, and you can make changes and they will be saved.
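The missing check described above, as an added illustration that is not Mahara's own code: a page that renders the settings form for any member, beside one that requires the caller's role in that group to be "admin". The membership table, `group_user_role()` and the `AccessDeniedException` class are constructed stand-ins, not Mahara's API.

```php
<?php
// Added illustration, not Mahara's code: a minimal authorization guard for a
// group-settings page, showing the missing check the bug describes and a fix.
// group_user_role() and AccessDeniedException are hypothetical stand-ins.

class AccessDeniedException extends Exception {}

// Constructed membership table: group id => [user id => role].
$MEMBERSHIP = [
    42 => [1 => 'admin', 2 => 'member'],
];

// Returns the caller's role in the group, or null if not a member.
function group_user_role(array $membership, int $groupid, int $userid): ?string {
    return $membership[$groupid][$userid] ?? null;
}

// Vulnerable shape: the page trusts the ?id= typed into the URL and shows
// (and on POST, saves) the form for whoever is logged in.
function edit_group_vulnerable(array $membership, int $groupid, int $userid): string {
    return "settings form for group $groupid";
}

// Fixed shape: deny unless the caller holds the admin role in this group.
// Plain membership (role 'member') is not enough. The guard must run before
// both rendering the form and processing a submitted one, otherwise a direct
// POST still saves changes.
function edit_group_fixed(array $membership, int $groupid, int $userid): string {
    if (group_user_role($membership, $groupid, $userid) !== 'admin') {
        throw new AccessDeniedException("You can't edit this group");
    }
    return "settings form for group $groupid";
}

// Reproduce the report: User 2 is a plain member of group 42.
echo edit_group_vulnerable($MEMBERSHIP, 42, 2), "\n"; // form shown: the bug
try {
    echo edit_group_fixed($MEMBERSHIP, 42, 2), "\n";
} catch (AccessDeniedException $e) {
    echo $e->getMessage(), "\n"; // the expected result from the report
}
echo edit_group_fixed($MEMBERSHIP, 42, 1), "\n"; // User 1 (admin) still gets the form
```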
Changed in mahara:
- assignee: nobody → Ghada El-Zoghbi (ghada-z)
- information type: Public → Private Security
- information type: Private Security → Public Security

Changed in mahara:
- milestone: 16.10.0 → none
- status: Fix Committed → Fix Released
Patch: https://reviews.mahara.org/#/c/6788/