Even if you disallow anonymous comments at the site level, you can still place anonymous comments on artefacts
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Mahara | Fix Released | Medium | Robert Lyon | |
1.10 | Fix Released | Medium | Unassigned | |
1.9 | Fix Released | Medium | Unassigned | |
15.04 | Fix Released | Medium | Unassigned | |
15.10 | Fix Released | Medium | Robert Lyon | |
Bug Description
The anonymous comments function is enabled on the artefact page of a public share page that disallows anonymous comments.
Here's how to replicate the specific bug:
0. Clean install of Mahara
1. Log in as admin
2. Go to Administration -> Configure site -> Site options -> User Settings
3. Set [Anonymous comments] OFF
4. Go to Portfolio -> Create a new Page -> Store a picture on this page.
5. Edit this new page access -> Enable [Share with public] and [Allow comments].
6. Log out.
7. Open this page as guest role.
8. Click one picture of this page.
9. [Anonymous comments] function is enabled on artefact page.
I found the cause of this bug.
In /artefact/
=======
if ($artefact-
$addfeedbac
$extrastyle
$javascript[] = 'jquery.rating';
}
=======
I suggest
if ($artefact-
change to:
if ($artefact-
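The report describes a guest check that is enforced on the page view but not on the artefact detail view. As an added illustration (not code from the report or from Mahara), the sketch below routes both views through one decision function so that the site-wide setting cannot be skipped on one path; every function name, array key and sample value is hypothetical, including the assumption that logged-in users only need the object-level flag.

```php
<?php
declare(strict_types=1);

// All names here are hypothetical; they are not Mahara's functions or settings.

/**
 * Single decision point for "may this visitor post a comment?".
 * Every renderer (page view, artefact detail view) calls this instead of
 * re-deriving the answer from the object-level flag alone.
 */
function can_add_comment(array $site, array $target, array $visitor): bool
{
    // Object-level switch: the page or artefact must accept comments at all.
    if (empty($target['allow_comments'])) {
        return false;
    }
    // Assumption: authenticated users are governed by the object-level switch only.
    if (!empty($visitor['logged_in'])) {
        return true;
    }
    // Guests additionally need the site-wide anonymous-comments setting.
    // Omitting this test on one code path is the inconsistency reported above.
    return !empty($site['anonymous_comments']);
}

// Constructed sample state matching the reproduction steps.
$site     = ['anonymous_comments' => false]; // step 3
$page     = ['allow_comments' => true];      // step 5
$artefact = ['allow_comments' => true];      // picture stored on that page
$guest    = ['logged_in' => false];          // steps 6-7
$member   = ['logged_in' => true];

$cases = [
    'guest on page'      => [$page, $guest, false],
    'guest on artefact'  => [$artefact, $guest, false],
    'member on artefact' => [$artefact, $member, true],
];

foreach ($cases as $label => [$target, $visitor, $expected]) {
    $actual = can_add_comment($site, $target, $visitor);
    printf("%-20s form shown: %-5s %s\n", $label, var_export($actual, true),
        $actual === $expected ? 'ok' : 'MISMATCH');
}
```

A regression test built on the same three cases catches a view that renders the comment form without consulting the shared function.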
Changed in mahara:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Robert Lyon (robertl-9)
milestone: none → 15.10.0
https://reviews.mahara.org/#/c/4814/