Group member can't access their own group file

Bug #1267686 reported by Robert Lyon on 2014-01-10
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mahara
High
Robert Lyon
1.10
High
Unassigned
1.8
High
Unassigned
1.9
High
Unassigned
15.04
High
Robert Lyon

Bug Description

I have a group, 'Group1' that has some members

I log in as Member A, upload an image file to a group files and makes sure the role perms are all ticked for the file.

I then log out and log in as Member B and I can un-tick the member and tutor options for that file.
On saving I can't see the file, which is correct.

I then log out and in as Member A again. I can see the file listed in group files list but without the image icon and when I click on the filename I get Access denied message.

It will also stop me from being able to download the file when using a 'Files to download' block

Conversely, the image will display in a image gallery block even for other members, who are not allowed to view image file.

As Member A I can edit the file and re-tick the member role boxes to get proper access back - but is a bit of a pain if I have many files and another member has removed member role permissions.

CVE References

Robert Lyon (robertl-9) on 2014-01-22
Changed in mahara:
status: Confirmed → In Progress
assignee: nobody → Robert Lyon (robertl-9)
Aaron Wells (u-aaronw) on 2014-04-14
Changed in mahara:
milestone: 1.9.0 → 1.10.0
Robert Lyon (robertl-9) wrote :

Have abandoned previous draft patch as I feel this patch is better

https://reviews.mahara.org/#/c/3339/

Aaron Wells (u-aaronw) on 2014-10-20
Changed in mahara:
milestone: 1.10.0 → 1.10.1
Robert Lyon (robertl-9) on 2014-11-25
information type: Private Security → Public Security
Robert Lyon (robertl-9) on 2015-04-17
Changed in mahara:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers