"Recent journal entries" block grants access to the entire journal
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Mahara |
Expired
|
Undecided
|
Unassigned | ||
16.04 |
Invalid
|
Undecided
|
Unassigned |
Bug Description
In the follow-up to bug 1521818 ("Tagged journal entries" block grants access to the entire journal) I noticed that the "Recent journal entries" block has the same behavior. That is, if you select a journal to display its recent entries in this block, people who can view the page will be able to view and navigate to all the journal entries in the journal, not just the ones that are displayed.
To replicate:
1. Create a journal with 10 entries
2. Create a page with a "Recent journal entries" block
3. Set the block to display the most recent 5 journal entries
You will notice that you can navigate to a list of all the journal entries in the journal, by clicking on the journal's title in the rendered block. Or by navigating into the artefact detail page for one of the journal entries, and clicking on the journal title there.
Now, this is kind of a gray area, because I'm not sure whether this is the correct behavior or not. On the one hand, you are selecting the journal as a whole, so perhaps it makes sense you'd be able to navigate through all of it. On the other hand, there may be an expectation by users that once a journal entry has "aged" off of the list, that it will no longer be accessible. Although I have a hard time imagining the use-case for that.
What do you guys think?
If we do want to change this behavior, it's a pretty easy fix, almost exactly the same as what we did for Bug 1521818: 1) alter the "get_artefacts" method of PluginBlocktype
tags: | added: blog privacy recentposts |
I think recent journal entries displays the recent journal entries from a journal to which you have access. Therefore, you should have access to the full journal as you can only see so many items in the list before they fall off.