Even if you disallow anonymous comments at the site level, you can still place anonymous comments on artefacts

Bug #1460368 reported by Wen-Chang Chien(簡文章)
264
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Mahara
Fix Released
Medium
Robert Lyon
1.10
Fix Released
Medium
Unassigned
1.9
Fix Released
Medium
Unassigned
15.04
Fix Released
Medium
Unassigned
15.10
Fix Released
Medium
Robert Lyon

Bug Description

Anonymous comments function is enabled on artefact page of public share page that disallow anonymous comments.

Here's how to replicate the specific bug:

0. Clean install of Mahara
1. Log in as admin
2. Got to Administration -> Configure site -> Ste options -> User Settings
3. Set [Anonymous comments] OFF
4. Go to Portfolio -> Create a new Page -> Store a picture on this page.
5. Edit this new page access -> Enable [Share with public] and [Allow comments].
6. Log out.
7. Open this page as guest role.
8. Click one picture of this page.
9. [Anonymous comments] function is enabled on artefact page.

I found the cause of this bug.

In /artefact/artefact.php, Line 149
==================================================
if ($artefact->get('allowcomments'))
    $addfeedbackform = pieform(ArtefactTypeComment::add_comment_form(false, $artefact->get('approvecomments')));
    $extrastylesheets[] = 'style/jquery.rating.css';
    $javascript[] = 'jquery.rating';
}
==================================================================

I suggest

if ($artefact->get('allowcomments'))

change to:

if ($artefact->get('allowcomments') && ( $USER->is_logged_in() || (!$USER->is_logged_in() && get_config('anonymouscomments')))) {

Tags: feedback

CVE References

Robert Lyon (robertl-9)
Changed in mahara:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Robert Lyon (robertl-9)
milestone: none → 15.10.0
Revision history for this message
Robert Lyon (robertl-9) wrote :
Revision history for this message
Aaron Wells (u-aaronw) wrote :

This bug is also present in Mahara 1.9, 1.10, and 15.04. (And probably earlier.)

Patch for 1.9: https://reviews.mahara.org/4908
Patch for 1.10: https://reviews.mahara.org/4909
Patch for 15.04: https://reviews.mahara.org/#/c/4907

tags: added: feedback
summary: - Anonymous comments function is enabled on artefact page of public share
- page that disallow anonymous comments.
+ Even if you disallow anonymous comments at the site level, you can still
+ place anonymous comments on artefacts
Revision history for this message
Aaron Wells (u-aaronw) wrote :

Hi Wen-Chang Chien,

Thanks for reporting this issue! I've added your name to the list of security contributors to the Mahara project: https://wiki.mahara.org/wiki/Contributors#Mahara_code

Let me know if you'd like to have your Twitter handle or other website on there (or if you want to be removed from the page).

Cheers,
Aaron

information type: Private Security → Public Security
Revision history for this message
Aaron Wells (u-aaronw) wrote :

Downgrading the severity on this one from "High" to "Medium", because the artefact owner still has to make their page public and allow comments.

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.