watchlist notification email about a page that is not on a watchlist
Bug #1813947 reported by
Tucker MacNeill
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Mahara |
Expired
|
Undecided
|
Unassigned |
Bug Description
Possible GDPR ramifications.
Student A received a notification that (Student B) Student A's Portfolio was updated. Student B does not own Student A's page. Is not attached to Student A's page, is not being shared with or two student A.
Student A's Portfolio is only shared with her tutors, not fellow students. Student B shouldn't have access (and doesn't from what I can see) to Student A's page at all. Let alone to setup a watchlist. When I logged in as Student B, there was no evidence that she had ever setup a watchlist at all.
Marhara Version: 18.04.1testing
To post a comment you must log in.
Hi Tucker,
Can you check to see who actually owns the page the watchlist was generated for
Because if Student B titled their page with 'Student A' or copied a page off 'Student A' and didn't change the title then the title of the page could cause confusion as both users could have a page with the same title
Running the SQL command should help
SELECT CONCAT(u.firstname, ' ', u.lastname) AS name, v.title, u.username FROM view v JOIN usr_watchlist_view uwv ON uwv.view = v.id JOIN usr u ON u.id = v.owner WHERE uwv.usr = ?
where ? needs to be the id of user doing the watching (eg Student A)
the username column should show who actually owns the page(s) being watched
Cheers
Robert