Can bypass comment moderation by editing a comment

Bug #1171310 reported by Mahara Bot
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mahara | Fix Released | High | Robert Lyon | |
| 1.5 | Fix Released | High | Robert Lyon | |
| 1.6 | Fix Released | High | Robert Lyon | |
| 1.7 | Fix Released | High | Robert Lyon | |

Bug Description

A user can make their comments on a page public, even if the page is set to require comment moderation, if they create the comment as a private comment and then change its status to public while editing it.

To replicate:

1. Create a Page for User 1
2. Make the page accessible to the public, and activate comments & comment moderation for the page (this is all under the Sharing tab)
3. Log in as User 2
4. Place a comment on the Page, making sure to untick the "Make public" box so that the comment is private.
5. Click the "edit" icon next to the newly created comment.
6. On the edit page, tick the "Make public" box, and click Save.

Expected result: The comment's status should be "This comment is private | You have requested that this comment be made public"; and it shouldn't become public until approved by User 1

Actual result: The comment becomes public immediately after you click Save on the Edit page.

Aaron Wells (u-aaronw) wrote :

Whoops, I was logged in as the "Mahara Bot" user doing some work on the Translations set up earlier today, and it looks like I forgot to log out before logging this bug. :)

Changed in mahara:
importance: Undecided → High
status: New → Triaged
milestone: none → 1.8.0
Aaron Wells (u-aaronw) wrote :

I also tested and verified that this happens with comments on Group Pages as well. It is not an issue for anonymous comments, however, because those can't be edited.

Robert Lyon (rlyon) wrote :

I have submitted a patch for this bug
https://reviews.mahara.org/#/c/2090/

Robert Lyon (robertl-9)
Changed in mahara:
assignee: nobody → Robert Lyon (robertl-9)
Robert Lyon (robertl-9)
Changed in mahara:
status: Triaged → In Progress
Kristina Hoeppner (kris-hoeppner) wrote :

from Bob:
things you will need to test:

Portfolio page with comment moderation set in advanced option
Portfolio page with comment moderation set in per access rule

Group page with comment moderation set in advanced option
Group page with comment moderation set in per access rule

You will need to test with anonymous users, logged-in users, group
members, page owners etc.

Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/2090
Committed: http://gitorious.org/mahara/mahara/commit/1fe0319b9c1f9b3135428cca94914c5c8b4e027d
Submitter: Aaron Wells (<email address hidden>)
Branch: master

commit 1fe0319b9c1f9b3135428cca94914c5c8b4e027d
Author: Robert Lyon <email address hidden>
Date: Mon Apr 29 09:47:27 2013 +1200

Fix for bypassing moderation when making comment public (Bug #1171310)

To get a private -> public comment moderated the system needs to check:
* if the view has approvecomments set to 1
* if the submitter has checked the make public checkbox
* if the submitter is not the owner of the view
* if the view is a group view
* if the approvecomments are set per view

And update the comment table accordingly and now sends off notify
message if needed.

Removed some unneeded variable declarations

Change-Id: I276c3d3fa67a99d9030d10a6172048c255e91b5b
Signed-off-by: robertl <email address hidden>
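
The bypass described in the report and the checks listed in the commit message, as an added example that is not Mahara's code: a simplified PHP model in which the edit handler goes through the same visibility decision as comment creation. All function names, array keys and the `approvers` list are assumptions, and the group-page and per-access-rule cases are collapsed into two inputs (the effective moderation setting and whether the submitter may approve).

```php
<?php
// Added illustration, not Mahara code: every name below is hypothetical.

// Single decision point, meant to be called by BOTH the create and edit handlers.
// $approveComments: effective moderation setting for the page, whether it
//                   came from the page options or from an access rule.
// $canApprove:      submitter may approve comments on this page
//                   (assumed: the page owner, or a group page's moderators).
function resolve_visibility(bool $approveComments, bool $canApprove, bool $makePublic): array
{
    if (!$makePublic) {
        // Private comments never need approval.
        return ['private' => true, 'requestpublic' => false, 'notify' => false];
    }
    if ($approveComments && !$canApprove) {
        // Keep it private, record the request, flag that a notification is due.
        return ['private' => true, 'requestpublic' => true, 'notify' => true];
    }
    return ['private' => false, 'requestpublic' => false, 'notify' => false];
}

// Behaviour described in the report: the edit path trusts the checkbox.
function edit_comment_unchecked(array $comment, bool $makePublic): array
{
    $comment['private'] = !$makePublic;
    return $comment;
}

// Edit path routed through the same decision as creation.
function edit_comment_checked(array $comment, array $page, int $userId, bool $makePublic): array
{
    $canApprove = in_array($userId, $page['approvers'], true);
    $decision = resolve_visibility($page['approvecomments'], $canApprove, $makePublic);
    return array_merge($comment, $decision);
}

// Constructed data following the replication steps: user 1 owns the page,
// user 2 posted a private comment and now ticks "Make public" while editing.
$page    = ['approvecomments' => true, 'approvers' => [1]];
$comment = ['author' => 2, 'private' => true, 'requestpublic' => false];
$own     = ['author' => 1, 'private' => true, 'requestpublic' => false];

var_dump(edit_comment_unchecked($comment, true));        // unchecked edit path
var_dump(edit_comment_checked($comment, $page, 2, true)); // user 2, moderated page
var_dump(edit_comment_checked($own, $page, 1, true));     // page owner's own comment
```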

Aaron Wells (u-aaronw)
Changed in mahara:
status: In Progress → Fix Committed
Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/2365
Committed: http://gitorious.org/mahara/mahara/commit/2ed992d331c733ab0bc96fdce1931fe6c5f30e1c
Submitter: Aaron Wells (<email address hidden>)
Branch: 1.5_STABLE

commit 2ed992d331c733ab0bc96fdce1931fe6c5f30e1c
Author: Robert Lyon <email address hidden>
Date: Mon Apr 29 09:47:27 2013 +1200

Fix for bypassing moderation when making comment public (Bug #1171310)

To get a private -> public comment moderated the system needs to check:
* if the view has approvecomments set to 1
* if the submitter has checked the make public checkbox
* if the submitter is not the owner of the view
* if the view is a group view
* if the approvecomments are set per view

And update the comment table accordingly and now sends off notify
message if needed.

Removed some unneeded variable declarations

Change-Id: I80dd51af5385fdd5daa2d6ae98bfad3e9dbbf255
Signed-off-by: robertl <email address hidden>

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/2364
Committed: http://gitorious.org/mahara/mahara/commit/1b5babb00de1091568265797128b19aaf1a7c578
Submitter: Aaron Wells (<email address hidden>)
Branch: 1.6_STABLE

commit 1b5babb00de1091568265797128b19aaf1a7c578
Author: Robert Lyon <email address hidden>
Date: Mon Apr 29 09:47:27 2013 +1200

Fix for bypassing moderation when making comment public (Bug #1171310)

To get a private -> public comment moderated the system needs to check:
* if the view has approvecomments set to 1
* if the submitter has checked the make public checkbox
* if the submitter is not the owner of the view
* if the view is a group view
* if the approvecomments are set per view

And update the comment table accordingly and now sends off notify
message if needed.

Removed some unneeded variable declarations

Change-Id: I74d44f5dab6442c2cae11df1dc588bd753471f8e
Signed-off-by: robertl <email address hidden>

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/2363
Committed: http://gitorious.org/mahara/mahara/commit/e1c7c71abfb3ffba032b182f5edf3adbf45f52d6
Submitter: Aaron Wells (<email address hidden>)
Branch: 1.7_STABLE

commit e1c7c71abfb3ffba032b182f5edf3adbf45f52d6
Author: Robert Lyon <email address hidden>
Date: Mon Apr 29 09:47:27 2013 +1200

Fix for bypassing moderation when making comment public (Bug #1171310)

To get a private -> public comment moderated the system needs to check:
* if the view has approvecomments set to 1
* if the submitter has checked the make public checkbox
* if the submitter is not the owner of the view
* if the view is a group view
* if the approvecomments are set per view

And update the comment table accordingly and now sends off notify
message if needed.

Removed some unneeded variable declarations

Change-Id: Ic09fa551a37e8b26dcad3baa3790511e5354e090
Signed-off-by: robertl <email address hidden>

Aaron Wells (u-aaronw)
Changed in mahara:
milestone: 1.8rc1 → 1.8.0
Aaron Wells (u-aaronw)
Changed in mahara:
status: Fix Committed → Fix Released