Tagged journal entries block granting access to all entries in the journal

Bug #1521818 reported by Stéphane on 2015-12-02
This bug affects 2 people
Affects: Mahara; Importance: High; Assigned to: Unassigned
Affects: 15.04; Importance: High; Assigned to: Unassigned
Affects: 15.10; Importance: High; Assigned to: Unassigned

Bug Description

A user received a comment for an artefact that is not actually shared publicly.

Looking into the problem, I've been able to replicate the issue. It goes as such:

1. Create a journal with two entries. Give one the tag "tag1" and the other the tag "tag2".
2. Create a view
3. Add a Tagged journal entries block with "tag1"
4. Save and share the view with the public.
5. Click in the tagged journal entries block to view the artefact detail page for the tag1 journal entry.
6. Copy the URL for the tag1 journal entry's page, and save this somewhere
7. Edit the tagged journal entry block and change it to "tag2" instead.
8. Log out
9. While logged out, view the URL for the tag1 journal entry

Expected result: Access denied

Actual result: You can view the tag1 journal entry. Indeed, you can navigate up and view the entire journal.

Journal entries with tag A are still accessible to the public even though they are not being displayed on the view.

It is imperative that a deleted artefact from a view cannot be accessed. It's clearly a breach of privacy.

We're using Mahara 15.04.2 on Linux with MySQL.

Aaron Wells (u-aaronw) on 2015-12-02
summary: - accessing artefact through view without permission
+ Tagged journal entries still accessible even after no longer being
+ displayed in block
information type: Public → Public Security
tags: added: blog privacy security
Aaron Wells (u-aaronw) on 2015-12-02
summary: - Tagged journal entries still accessible even after no longer being
- displayed in block
+ Tagged journal entries block granting access to all entries in the
+ journal
Aaron Wells (u-aaronw) wrote :

Hi Stephane,

Thanks for the bug report!

It appears that what's going on is that the "Tagged journal entries" block puts the artefact ID for the entire journal, into the "view_artefacts" table that we use for checking permissions. So if a journal contains even a single tagged journal entry that gets shown in that block, then they also get access to every other journal entry in that block, even the ones that don't have a matching tag. (Of course they have to know the URL for the journal

This is a bug in core, and I've verified that it's still present up through 16.04dev.

I think this *might* have been a decision that was done on purpose, because if you notice, the tagged journal entries block does have a live link to the journal itself, next to the title of the journal entry. Likewise, the journal artefact detail page also has a live link to the journal itself, with the full list of journal entries in it.

But I think I agree with you that it violates Mahara's normal privacy policy, which is that other people can't see any of your content unless you explicitly share it. I'll have to give some thought about what to do with those links, though. It would be a poor user experience if we display these friendly links, and then when you click on them you see "Access Denied" or the transient login page. Maybe we can add some logic that makes the journal entry title not-linked, unless you have access to the entire journal.

Cheers,
Aaron

Aaron Wells (u-aaronw) wrote :

Haha, I just noticed that the first paragraph of my previous comment was a little garbled there, because originally I'd thought you needed to know the exact URL of the journal and journal entries, and then I went to check on that and found those links I mentioned.

What it should probably say there is "So if a journal contains even a single tagged journal entry that matches that block, a user who can view the page can also view every entry in the journal." And then nothing about needing to know the URL for the journal.

Thinking about this more, I bet the reason it behaves like this is because the tagged journal entries block was originally derived from the "Recent journal entries" block. And for that block, it more or less makes sense that you gain access to the entire journal.

Aaron Wells (u-aaronw) wrote :

I'd marked this as "medium" priority initially, because I thought it was caused by records in view_artefact not getting deleted (which requires kind of a convoluted set of steps to reach).

But now that I see it's actually about providing a wider scope of visibility than necessary, I'm raising the priority to "High". Because there could be a case where, for instance, a user has tagged half their blog entries "public" and the other half "private", and uses this block to display the "public" ones.

Until we get the fix implemented, some possible workarounds are:

1. Organize your journal entries into multiple separate journals and use the "Recent posts" or "Journal" blocks to display them instead of "tagged posts".

2. Use the "unpublish" button to revert sensitive journal entries to "Draft" status so they won't be visible.

3. Display lists of tagged journal entries using multiple "Journal entry" blocks.

Cheers,
Aaron

description: updated
Aaron Wells (u-aaronw) wrote :

Hi Stephane,

I've spun off Bug 1521839 to talk about the same behavior in the recentposts block. If you have any thoughts about whether it should also grant access to the whole blog or not, please let me know over there. I'd be interested to hear what your users think about it.

Cheers,
Aaron

Reviewed: https://reviews.mahara.org/5814
Committed: https://git.mahara.org/mahara/mahara/commit/ada12dba53c2da3596cdf51708ea5d666b60546e
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit ada12dba53c2da3596cdf51708ea5d666b60546e
Author: Aaron Wells <email address hidden>
Date: Wed Dec 2 16:06:52 2015 +1300

"Tagged journal entries" block shouldn't grant access to whole journal

Bug 1521818. Making the "Tagged journal entries" block act more like
a collection of "Journal entry" blocks. So, it doesn't add the parent
blog to view_artefacts, only the specific blog entries that are
displayed in the block.

Also removing the title of the parent blog (and the link to it) from
the list of blog entries, like the "Journal entry" block, which
doesn't display the title of the containing journal.

Note the viewer may still have access to the whole blog, if the blog
is also shared on the same page via a "blog" or "recent journal entries"
block.

Change-Id: I33fc7e58b964c03bc8003f1de81a4bf58b6079b7
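
The grant behaviour discussed in this report, as an added illustration that is not Mahara's code: a simplified SQLite model that replays the reproduction steps with the old and the fixed bookkeeping. The table layout, the function names and the rule that a grant on a parent artefact covers its children are assumptions made for the example.

```python
import sqlite3

def build_db():
    """Constructed model: one journal (id 1) with a tag1 entry (2) and a tag2 entry (3)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE artefact (id INTEGER PRIMARY KEY, type TEXT, parent INTEGER, tag TEXT);
        CREATE TABLE view_artefact (view INTEGER, artefact INTEGER);
        INSERT INTO artefact VALUES (1, 'blog', NULL, NULL);
        INSERT INTO artefact VALUES (2, 'blogpost', 1, 'tag1');
        INSERT INTO artefact VALUES (3, 'blogpost', 1, 'tag2');
    """)
    return db

def save_tagged_block(db, view, tag, grant_parent):
    """Re-save the block: replace the view's grants with those for `tag`."""
    db.execute("DELETE FROM view_artefact WHERE view = ?", (view,))
    if grant_parent:  # reported behaviour: the parent journal's id is recorded
        sql = "SELECT DISTINCT parent FROM artefact WHERE tag = ?"
    else:             # fixed behaviour: only the entries the block displays
        sql = "SELECT id FROM artefact WHERE tag = ?"
    ids = [row[0] for row in db.execute(sql, (tag,)).fetchall()]
    db.executemany("INSERT INTO view_artefact VALUES (?, ?)",
                   [(view, a) for a in ids])

def can_view(db, view, artefact):
    """Visible if the artefact or any ancestor is granted to the view (assumed rule)."""
    while artefact is not None:
        hit = db.execute("SELECT 1 FROM view_artefact WHERE view = ? AND artefact = ?",
                         (view, artefact)).fetchone()
        if hit:
            return True
        artefact = db.execute("SELECT parent FROM artefact WHERE id = ?",
                              (artefact,)).fetchone()[0]
    return False

def visible_after_retag(grant_parent):
    """Show tag1 in the block, switch it to tag2, then test every artefact."""
    db = build_db()
    save_tagged_block(db, 1, "tag1", grant_parent)
    save_tagged_block(db, 1, "tag2", grant_parent)
    return {a: can_view(db, 1, a) for a in (1, 2, 3)}

if __name__ == "__main__":
    print("parent grant :", visible_after_retag(True))
    print("entry grants :", visible_after_retag(False))
```

With the parent grant, the tag1 entry stays readable after the block is switched to tag2 because the journal row never leaves the grant table; with per-entry grants only the tag2 entry remains readable.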

Mahara Bot (dev-mahara) wrote :

Patch for "15.04_STABLE" branch: https://reviews.mahara.org/6120

Reviewed: https://reviews.mahara.org/6116
Committed: https://git.mahara.org/mahara/mahara/commit/58149efe92b90cadc0bb6046008362ec6c683e18
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.10_STABLE

commit 58149efe92b90cadc0bb6046008362ec6c683e18
Author: Aaron Wells <email address hidden>
Date: Wed Dec 2 16:06:52 2015 +1300

"Tagged journal entries" block shouldn't grant access to whole journal

Change-Id: I33fc7e58b964c03bc8003f1de81a4bf58b6079b7
(cherry picked from commit ada12dba53c2da3596cdf51708ea5d666b60546e)

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/6120
Committed: https://git.mahara.org/mahara/mahara/commit/39485b1d7e21b36d6041a37b9ae39ee92f2144cf
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.04_STABLE

commit 39485b1d7e21b36d6041a37b9ae39ee92f2144cf
Author: Aaron Wells <email address hidden>
Date: Wed Dec 2 16:06:52 2015 +1300

"Tagged journal entries" block shouldn't grant access to whole journal

Change-Id: I33fc7e58b964c03bc8003f1de81a4bf58b6079b7
(cherry picked from commit ada12dba53c2da3596cdf51708ea5d666b60546e)

no longer affects: mahara/16.04
Changed in mahara:
status: Fix Committed → Fix Released