Watchlist lets you watch and receive notifications about pages you don't have view access to
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mahara | Fix Released | Medium | Unassigned | |
| 1.10 | Fix Released | Medium | Unassigned | |
| 1.8 | Fix Released | Medium | Unassigned | |
| 1.9 | Fix Released | Medium | Unassigned | |
| 15.04 | Fix Released | Medium | Unassigned | |
| 15.10 | Fix Released | Medium | Unassigned | |
Bug Description
While analyzing watchlist bug 1429505 (pages stay on your watchlist even if you lose access to them), I noticed a couple of things in the code:
1. A user can apparently still receive watchlist notifications about pages on their watchlist that they do not have access to.
2. There are no access control checks in togglewatchlist.
Together, these bugs mean that a user could watch private pages and receive notifications about changes to those pages. While these notifications would not contain the actual page content, they would reveal the title of the page and the names of any blocks or artefacts changed on the page.
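Added example, not Mahara's code: a minimal watchlist model in Python showing the two checks the report finds missing, an access check when a watch is toggled and a re-check when each notification is generated, so a watcher who never had or later lost view access receives nothing. The Page, Watchlist and demo names and the sample users are assumptions made for this example.

```python
# Added example (not Mahara code): a watchlist that checks view access when a
# watch is toggled and again when each notification is generated.
from dataclasses import dataclass, field
@dataclass
class Page:
    id: int
    title: str
    owner: int
    shared_with: set = field(default_factory=set)  # user ids allowed to view

class Watchlist:
    def __init__(self, pages):
        self.pages = {p.id: p for p in pages}
        self.watchers = {}  # page id -> set of watching user ids

    def can_view(self, user_id, page_id):
        page = self.pages[page_id]
        return user_id == page.owner or user_id in page.shared_with

    def toggle(self, user_id, page_id):
        """Add or remove a watch; refused unless the user can view the page."""
        if not self.can_view(user_id, page_id):
            raise PermissionError(f"user {user_id} cannot view page {page_id}")
        watchers = self.watchers.setdefault(page_id, set())
        if user_id in watchers:
            watchers.discard(user_id)
            return False
        watchers.add(user_id)
        return True

    def notify_changed(self, page_id, changed_block):
        """Build notifications for a change, re-checking access at send time."""
        page = self.pages[page_id]
        allowed = {u for u in self.watchers.get(page_id, ()) if self.can_view(u, page_id)}
        self.watchers[page_id] = allowed  # drop watches from users who lost access
        return [(u, f"'{page.title}': {changed_block} changed") for u in sorted(allowed)]
def demo():
    # Constructed scenario: user 20 was granted access, user 30 never was.
    page = Page(1, "Private page", owner=10, shared_with={20})
    wl = Watchlist([page])
    wl.toggle(20, 1)
    try:
        wl.toggle(30, 1)
        refused = False
    except PermissionError:
        refused = True
    first = wl.notify_changed(1, "Text block")
    page.shared_with.discard(20)  # access revoked after the watch was set
    second = wl.notify_changed(1, "Text block")
    return refused, first, second
```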
information type: Private Security → Public Security
Changed in mahara:
status: Fix Committed → Fix Released
tags: added: behat behat-needed
This bug report is based mostly on looking at the code. I still have to actually run some tests to determine whether the code behaves as I think it does...