Comment 0 for bug 1521818

Revision history for this message
Stéphane (smlavoie) wrote : accessing artefact through view without permission

A user received a comment for an artefact that is not actually shared publicly.

Looking into the problem, I've been able to replicate the issue. It goes as such :

- Create a view
- Add a Tagged journal entries block with tag A
- save and share view with public
- Edit block and change the selected tag to tag B
- save

Journal entries with tag A are still accessible to the public even though they are not being displayed on the view.

It's is imperative that deleted artefact from a view cannot be accessed. It's clearly a breach of privacy.

We're using Mahara 15.04 .2 on Linux with MySQL