"Recent journal entries" block grants access to the entire journal

Bug #1521839 reported by Aaron Wells on 2015-12-02
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Mahara
Undecided
Unassigned
16.04
Undecided
Unassigned

Bug Description

In the follow-up to bug 1521818 ("Tagged journal entries" block grants access to the entire journal) I noticed that the "Recent journal entries" block has the same behavior. That is, if you select a journal to display its recent entries in this block, people who can view the page will be able to view and navigate to all the journal entries in the journal, not just the ones that are displayed.

To replicate:

1. Create a journal with 10 entries
2. Create a page with a "Recent journal entries" block
3. Set the block to display the most recent 5 journal entries

You will notice that you can navigate to a list of all the journal entries in the journal, by clicking on the journal's title in the rendered block. Or by navigating into the artefact detail page for one of the journal entries, and clicking on the journal title there.

Now, this is kind of a gray area, because I'm not sure whether this is the correct behavior or not. On the one hand, you are selecting the journal as a whole, so perhaps it makes sense you'd be able to navigate through all of it. On the other hand, there may be an expectation by users that once a journal entry has "aged" off of the list, that it will no longer be accessible. Although I have a hard time imagining the use-case for that.

What do you guys think?

If we do want to change this behavior, it's a pretty easy fix, almost exactly the same as what we did for Bug 1521818: 1) alter the "get_artefacts" method of PluginBlocktypeTaggedposts; 2) remove the part from "recentposts.tpl" where it displays the link to the parent blog.

Aaron Wells (u-aaronw) on 2015-12-02
tags: added: blog privacy recentposts

I think recent journal entries displays the recent journal entries from a journal to which you have access. Therefore, you should have access to the full journal as you can only see so many items in the list before they fall off.

no longer affects: mahara/15.04
no longer affects: mahara/15.10
Launchpad Janitor (janitor) wrote :

[Expired for Mahara because there has been no activity for 60 days.]

Changed in mahara:
status: Incomplete → Expired
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers