Mahara

Need to lock down the view/viewblocks.json.php response more

Bug #1849395 reported by Robert Lyon on 2019-10-22

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Mahara	Fix Released	High	Robert Lyon	Mahara 19.10.0

Bug Description

Currently it only checks if you can see the page

But if you give it block/artefact values you shouldn't see you get content back

We need to do the following checks
1) can user see the page? if so
2) is the block on the page? if so
3) can the user see the block content? (a peer might not be able to) if so
4) is the artefact part of the block?

Only then can we show the content in the modal

Robert Lyon (robertl-9) on 2019-10-22

Changed in mahara:
status:	New → Confirmed
importance:	Undecided → High
milestone:	none → 19.10.0

Revision history for this message

Robert Lyon (robertl-9) wrote on 2019-10-22:

To test - with current master

Log in as userA
1) Create a page with userA and put an image block on it and a peer block
2) Share it with userB as role 'peer'
3) View the page and click the 'Details' toggle
Copy the HTML code for the <a class="commentlink" ... </a> bit

Login as userB
1) Go to the page shared by userA
you should not see any way to view the image content
2) inspect page an insert somewhere the HTML snippet you got from before
3) in browser console type in
activateModalLinks();
and hit return
4) Click on link you added and you see the content in the modal

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2019-10-22: A patch has been submitted for review

Patch for "master" branch: https://reviews.mahara.org/10465

Robert Lyon (robertl-9) on 2019-10-22

Changed in mahara:
status:	Confirmed → In Progress
assignee:	nobody → Robert Lyon (robertl-9)

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2019-10-23: A change has been merged

Reviewed: https://reviews.mahara.org/10465
Committed: https://git.mahara.org/mahara/mahara/commit/9ef9014abf2da8bb4978ad223ec82ca6bad0022b
Submitter: Cecilia Vela Gurovic (<email address hidden>)
Branch: master

commit 9ef9014abf2da8bb4978ad223ec82ca6bad0022b
Author: Robert Lyon <email address hidden>
Date: Wed Oct 23 12:20:42 2019 +1300

Bug 1849395: Doublecheck details values for modal

Before displaying content

behatnotneeded

Change-Id: Ibdd0b33d543f65cf619fc5a061b6f81350d1d94a
Signed-off-by: Robert Lyon <email address hidden>

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2019-10-23: A patch has been submitted for review

Patch for "19.10_STABLE" branch: https://reviews.mahara.org/10477

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2019-10-23: A change has been merged

Reviewed: https://reviews.mahara.org/10477
Committed: https://git.mahara.org/mahara/mahara/commit/49961c80bd209af7b728691b086a6e5b78e6f687
Submitter: Cecilia Vela Gurovic (<email address hidden>)
Branch: 19.10_STABLE

commit 49961c80bd209af7b728691b086a6e5b78e6f687
Author: Robert Lyon <email address hidden>
Date: Wed Oct 23 12:20:42 2019 +1300

Bug 1849395: Doublecheck details values for modal

Before displaying content

behatnotneeded

Change-Id: Ibdd0b33d543f65cf619fc5a061b6f81350d1d94a
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 9ef9014abf2da8bb4978ad223ec82ca6bad0022b)

Cecilia Vela Gurovic (ceciliavg) on 2019-10-24

Changed in mahara:
status:	In Progress → Fix Committed

Rebecca Blundell (rjb-dev) on 2019-10-31

Changed in mahara:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.