Group member can't access their own group file
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Mahara |
Fix Released
|
High
|
Robert Lyon | ||
1.10 |
Fix Released
|
High
|
Unassigned | ||
1.8 |
Fix Released
|
High
|
Unassigned | ||
1.9 |
Fix Released
|
High
|
Unassigned | ||
15.04 |
Fix Released
|
High
|
Robert Lyon |
Bug Description
I have a group, 'Group1' that has some members
I log in as Member A, upload an image file to a group files and makes sure the role perms are all ticked for the file.
I then log out and log in as Member B and I can un-tick the member and tutor options for that file.
On saving I can't see the file, which is correct.
I then log out and in as Member A again. I can see the file listed in group files list but without the image icon and when I click on the filename I get Access denied message.
It will also stop me from being able to download the file when using a 'Files to download' block
Conversely, the image will display in a image gallery block even for other members, who are not allowed to view image file.
As Member A I can edit the file and re-tick the member role boxes to get proper access back - but is a bit of a pain if I have many files and another member has removed member role permissions.
CVE References
Changed in mahara: | |
status: | Confirmed → In Progress |
assignee: | nobody → Robert Lyon (robertl-9) |
Changed in mahara: | |
milestone: | 1.9.0 → 1.10.0 |
Changed in mahara: | |
milestone: | 1.10.0 → 1.10.1 |
information type: | Private Security → Public Security |
Changed in mahara: | |
status: | Fix Committed → Fix Released |
Have abandoned previous draft patch as I feel this patch is better
https:/ /reviews. mahara. org/#/c/ 3339/