Users can delete submitted page through URL

Bug #1425306 reported by Yuliya Bozhko
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mahara | Fix Released | Medium | Yuliya Bozhko | |
| 1.10 | Fix Released | Medium | Robert Lyon | |
| 1.8 | Fix Released | Medium | Robert Lyon | |
| 1.9 | Fix Released | Medium | Robert Lyon | |

Bug Description

To reproduce:

- Create a page
- Submit it to a group
- Check that there is no 'Delete' button on 'Pages' web-page for this page
- Find out page ID (through page view URL)
- Go to YOURSITE/view/delete.php?id=XXX where XXX is page ID
- See that you can easily delete a page
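
The bug pattern reported above, modelled as an added example (not part of the original report and not Mahara's code): hiding the 'Delete' button is a UI decision, so the delete handler has to re-check the submitted state itself. All class and function names are hypothetical, the owner check in the "before" handler is an assumption, and the code needs PHP 8.

```php
<?php
declare(strict_types=1);
// Hypothetical model of the bug class; none of these names are Mahara's.

final class AccessDenied extends RuntimeException {}

final class Page {
    public function __construct(
        public int $id,
        public int $ownerId,
        public ?int $submittedGroup = null, // null means "not submitted"
    ) {}
    public function isSubmitted(): bool { return $this->submittedGroup !== null; }
}

// UI layer: only decides whether the button is rendered. Not an access control.
function showDeleteButton(Page $p, int $userId): bool {
    return $p->ownerId === $userId && !$p->isSubmitted();
}

// "Before": the handler checks ownership (assumed) but not the submitted state,
// so a direct request with the page ID still deletes the page.
function deletePageUnchecked(array &$store, int $id, int $userId): void {
    $p = $store[$id] ?? throw new AccessDenied('no such page');
    if ($p->ownerId !== $userId) { throw new AccessDenied('not the owner'); }
    unset($store[$id]);
}

// "After": the same rule the UI applies is enforced where the deletion happens.
function deletePage(array &$store, int $id, int $userId): void {
    $p = $store[$id] ?? throw new AccessDenied('no such page');
    if ($p->ownerId !== $userId) { throw new AccessDenied('not the owner'); }
    if ($p->isSubmitted()) { throw new AccessDenied('page is submitted'); }
    unset($store[$id]);
}

// Constructed sample data: page 7, owned by user 1, submitted to group 3.
$before = [7 => new Page(7, ownerId: 1, submittedGroup: 3)];
$after  = $before;

echo 'button shown: ', var_export(showDeleteButton($before[7], 1), true), "\n";
deletePageUnchecked($before, 7, 1);
echo 'unchecked handler, page still exists: ', var_export(isset($before[7]), true), "\n";
try {
    deletePage($after, 7, 1);
} catch (AccessDenied $e) {
    echo 'checked handler refused: ', $e->getMessage(), "\n";
}
echo 'checked handler, page still exists: ', var_export(isset($after[7]), true), "\n";
```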

Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "master" branch: https://reviews.mahara.org/4320

Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/4320
Committed: http://gitorious.org/mahara/mahara/commit/ab152be2eb77f2c07a6cbe48ef650802132d28d2
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit ab152be2eb77f2c07a6cbe48ef650802132d28d2
Author: Yuliya Bozhko <email address hidden>
Date: Wed Feb 25 11:44:54 2015 +1300

Make sure submitted page cannot be deleted via URL (Bug #1425306)

Change-Id: I4536536d254d9dc85c9eb8405bd6ab61c0ae26e9
Signed-off-by: Yuliya Bozhko <email address hidden>

Robert Lyon (robertl-9)
Changed in mahara:
status: Confirmed → Fix Committed
milestone: none → 15.04.0
importance: Undecided → Medium
Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "1.8_STABLE" branch: https://reviews.mahara.org/4321

Mahara Bot (dev-mahara) wrote :

Patch for "1.9_STABLE" branch: https://reviews.mahara.org/4322

Mahara Bot (dev-mahara) wrote :

Patch for "1.10_STABLE" branch: https://reviews.mahara.org/4323

Aaron Wells (u-aaronw)
information type: Public → Public Security
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/4321
Committed: http://gitorious.org/mahara/mahara/commit/7319e7442d431894460db9e9f904a5ed92c00568
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.8_STABLE

commit 7319e7442d431894460db9e9f904a5ed92c00568
Author: Yuliya Bozhko <email address hidden>
Date: Wed Feb 25 11:44:54 2015 +1300

Make sure submitted page cannot be deleted via URL (Bug #1425306)

Change-Id: I4536536d254d9dc85c9eb8405bd6ab61c0ae26e9
Signed-off-by: Yuliya Bozhko <email address hidden>

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/4322
Committed: http://gitorious.org/mahara/mahara/commit/371490ae0714fce3a09bca46b73a5ee3c4415150
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.9_STABLE

commit 371490ae0714fce3a09bca46b73a5ee3c4415150
Author: Yuliya Bozhko <email address hidden>
Date: Wed Feb 25 11:44:54 2015 +1300

Make sure submitted page cannot be deleted via URL (Bug #1425306)

Change-Id: I4536536d254d9dc85c9eb8405bd6ab61c0ae26e9
Signed-off-by: Yuliya Bozhko <email address hidden>

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/4323
Committed: http://gitorious.org/mahara/mahara/commit/555f20f2e9fe8406e62117e56f8eeb3ef5478c92
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.10_STABLE

commit 555f20f2e9fe8406e62117e56f8eeb3ef5478c92
Author: Yuliya Bozhko <email address hidden>
Date: Wed Feb 25 11:44:54 2015 +1300

Make sure submitted page cannot be deleted via URL (Bug #1425306)

Change-Id: I4536536d254d9dc85c9eb8405bd6ab61c0ae26e9
Signed-off-by: Yuliya Bozhko <email address hidden>

Robert Lyon (robertl-9)
Changed in mahara:
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
