Hiding a shared list doesn't hide it

Bug #1406332 reported by Terran McCanna on 2014-12-29

Bug Description

I thought I'd added this before in a prior version but I cannot find it now - my apologies if it's duplicated. I've confirmed that it's still a bug in 2.7.

If you "share" a list and then distribute the URL, then go back and "hide" the list, anyone who still has the URL can still open the list. In other words, 'hide' doesn't hide the list at all, just hides the URL link from the patron's account. Ideally, when someone tried to open the list through a browser, the script would check the show/hide flag and inform the user that the list is unavailable.

Jeff Godin (jgodin) wrote :

[Being conservative and marking this as Security while we evaluate the bug report.]

Doing some light testing on this on a 2.5 system, I believe it's a caching issue.

Share a list, view the HTML link in another (not-logged-in) browser instance, and you'll see the expected: list title, description, contents, item notes (if any).

Unshare that list, and reload the page in the test (not-logged-in) browser, and the list title and description and item notes are no longer present, but you see the records that are in the list.

Almost opposite issue: Attempt to view a list that isn't shared, then share the list. In your test browser you will now receive an error that includes the list name, but there are no contents displayed.

In both of the above cases, the issue resolves itself after a few minutes. It might be a memcached cache entry timing out.

I'll take a further look.

Thanks, Terran!

information type: Public → Private Security
Terran McCanna (tmccanna) wrote :

I think you're absolutely right, Jeff!

Now that you mention it, I have a very vague memory of coming to a caching conclusion before on this issue, and that's probably why I couldn't find my previous bug report - because I hadn't created one! #blush#

Galen Charlton (gmc) on 2015-03-18
information type: Private Security → Public Security
Terran McCanna (tmccanna) wrote :

I'm going to go ahead and cancel this report since it is simply caching.

Changed in evergreen:
status: New → Invalid
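
The behaviour Jeff Godin describes above can be reproduced with a small model, added here as an illustration and not Evergreen code. It assumes the list's shared flag is cached with a time-to-live while the title is read uncached, and compares letting the cache entry expire with deleting it when the flag changes. TTLCache, ListService, the cache key and the sample list are all constructed for this example.

```python
import time

class TTLCache:
    """Minimal stand-in for a memcached-style cache (constructed for this example)."""
    def __init__(self, ttl, clock=time.monotonic):
        self.ttl, self.clock, self.store = ttl, clock, {}
    def get(self, key):
        hit = self.store.get(key)          # (value, expiry) or None
        if hit and self.clock() < hit[1]:
            return hit[0]
        self.store.pop(key, None)          # expired or missing
        return None
    def set(self, key, value):
        self.store[key] = (value, self.clock() + self.ttl)
    def delete(self, key):
        self.store.pop(key, None)

class ListService:
    def __init__(self, cache, invalidate_on_write):
        self.db = {}                       # list_id -> shared flag, title, records
        self.cache = cache
        self.invalidate_on_write = invalidate_on_write
    def set_shared(self, list_id, shared):
        self.db[list_id]["shared"] = shared
        if self.invalidate_on_write:       # drop the cached flag at the moment it changes
            self.cache.delete(f"shared:{list_id}")
    def _is_shared(self, list_id):
        cached = self.cache.get(f"shared:{list_id}")
        if cached is None:                 # miss: read the authoritative flag and cache it
            cached = self.db[list_id]["shared"]
            self.cache.set(f"shared:{list_id}", cached)
        return cached
    def view_anonymous(self, list_id):
        row = self.db[list_id]
        # Assumption: the title path reads the flag uncached, the records path uses the cache.
        title = row["title"] if row["shared"] else None
        records = list(row["records"]) if self._is_shared(list_id) else []
        return {"title": title, "records": records}

def demo(invalidate_on_write, ttl=300):
    """Share, view, hide, view again at once, then view after the TTL has passed."""
    now = [0.0]                            # fake clock so the example runs instantly
    svc = ListService(TTLCache(ttl, clock=lambda: now[0]), invalidate_on_write)
    svc.db[1] = {"shared": True, "title": "Summer reading", "records": [101, 102]}
    before = svc.view_anonymous(1)
    svc.set_shared(1, False)
    right_after = svc.view_anonymous(1)
    now[0] += ttl + 1
    return before, right_after, svc.view_anonymous(1)
```

With invalidate_on_write=False the second view has no title but still lists the records until the entry expires; with True the hide takes effect on the next request.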