Need to lock down the view/viewblocks.json.php response more
Bug #1849395 reported by Robert Lyon
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mahara | Fix Released | High | Robert Lyon | |
Bug Description
Currently it only checks if you can see the page.
But if you give it block/artefact values you shouldn't see, you get content back.
We need to do the following checks:
1) can user see the page? if so
2) is the block on the page? if so
3) can the user see the block content? (a peer might not be able to) if so
4) is the artefact part of the block?
Only then can we show the content in the modal
Changed in mahara:
status: New → Confirmed
importance: Undecided → High
milestone: none → 19.10.0

Changed in mahara:
status: Confirmed → In Progress
assignee: nobody → Robert Lyon (robertl-9)

Changed in mahara:
status: In Progress → Fix Committed

Changed in mahara:
status: Fix Committed → Fix Released
To test - with current master
Log in as userA
1) Create a page with userA and put an image block on it and a peer block
2) Share it with userB as role 'peer'
3) View the page and click the 'Details' toggle
Copy the HTML code for the <a class="commentlink" ... </a> bit
Log in as userB
1) Go to the page shared by userA
you should not see any way to view the image content
2) inspect page and insert somewhere the HTML snippet you got from before
3) in browser console type in
activateModalLinks();
and hit return
4) Click on link you added and you see the content in the modal