Non-admin role users can edit group settings

Bug #1609200 reported by Ghada El-Zoghbi on 2016-08-03
This bug affects 1 person

Affects        Status   Importance   Assigned to        Milestone
Mahara                  High         Ghada El-Zoghbi
  15.04                 High         Unassigned
  15.10                 High         Unassigned
  16.04                 High         Unassigned
  16.10                 High         Ghada El-Zoghbi

Bug Description

Only the admin of a group should be able to change the group's settings (via group/edit.php). But any member of a group can view and edit the settings if they go to the URL directly:

* http://my.mahara/group/edit.php?id=3

There is no check to make sure the user has the admin role.

To replicate:

1. Create a group as User 1. Note the group's id
2. Add User 2 to the group as a "member" (not an "admin")
3. Log in as User 2
4. Type in e.g. http://my.mahara/group/edit.php?id=X, where X is the group's ID

Expected result: You get an error message saying "You can't edit this group"

Actual result: You see the group config page, and you can make changes and they will be saved.
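The missing control the report describes is a role check that runs before the settings page is rendered or saved. The following is an added, self-contained PHP example of that check; it is not Mahara's own code and not the reporter's, and it does not use Mahara's API. The membership array, the group_role/require_group_admin functions and the AccessDeniedException class are all constructed for this illustration; the fixture mirrors the reproduction steps (User 1 is admin of group 3, User 2 is a plain member).

```php
<?php
// Added example, not Mahara's code: the authorization check a page such as
// group/edit.php needs before showing or saving group settings. All names
// and data below are constructed for this example.

declare(strict_types=1);

class AccessDeniedException extends RuntimeException {}

/**
 * Look up the caller's role in a group. $memberships is a constructed
 * stand-in for a group-membership table: groupid => [userid => role].
 * Returns the role string, or null if the user is not a member at all.
 */
function group_role(array $memberships, int $groupid, int $userid): ?string
{
    return $memberships[$groupid][$userid] ?? null;
}

/**
 * Enforce the rule from the bug report: only a group admin may reach the
 * settings page. Throwing here, before any form is built or any POST data
 * is processed, means knowing the ?id=X value alone grants nothing.
 */
function require_group_admin(array $memberships, int $groupid, int $userid): void
{
    if (group_role($memberships, $groupid, $userid) !== 'admin') {
        throw new AccessDeniedException("You can't edit this group");
    }
}

// Constructed fixture: User 1 created group 3 and is its admin;
// User 2 was added as an ordinary member; user 99 is not a member.
$memberships = [
    3 => [1 => 'admin', 2 => 'member'],
];

// The group id arrives in the query string exactly as in the report;
// cast it rather than trusting the raw value (defaults to 3 when run on the CLI).
$groupid = (int) ($_GET['id'] ?? 3);

foreach ([1, 2, 99] as $userid) {
    try {
        require_group_admin($memberships, $groupid, $userid);
        echo "user $userid: allowed to edit group $groupid\n";
    } catch (AccessDeniedException $e) {
        echo "user $userid: denied ({$e->getMessage()})\n";
    }
}
```

Run with `php example.php`: user 1 is allowed, users 2 and 99 are denied. The point of the design is placement: the check sits at the top of the page handler and covers both the GET that renders the form and the POST that saves it, so there is no path to the settings that bypasses it.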

Changed in mahara:
assignee: nobody → Ghada El-Zoghbi (ghada-z)
information type: Public → Private Security
Aaron Wells (u-aaronw) wrote :
description: updated

Reviewed: https://reviews.mahara.org/6808
Committed: https://git.mahara.org/mahara/mahara/commit/230e0bcf0d19f7489a85305d33ac88b39dbf19e1
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.04_STABLE

commit 230e0bcf0d19f7489a85305d33ac88b39dbf19e1
Author: Aaron Wells <email address hidden>
Date: Wed Aug 3 14:23:08 2016 +1200

Bug 1609200: Limit group config to group's admins

behatnotneeded: Test to come later

Change-Id: Ibbb574c67d80e3fd6a139752590bdd602e822f88
(cherry picked from commit 47905d70a15798ef7cad3ed1b5c63bf530e1ef3c)

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/6809
Committed: https://git.mahara.org/mahara/mahara/commit/7cd868125963731ecda8d2323984e6aea5430b22
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.10_STABLE

commit 7cd868125963731ecda8d2323984e6aea5430b22
Author: Aaron Wells <email address hidden>
Date: Wed Aug 3 14:23:08 2016 +1200

Bug 1609200: Limit group config to group's admins

behatnotneeded: Test to come later

Change-Id: Ibbb574c67d80e3fd6a139752590bdd602e822f88
(cherry picked from commit 47905d70a15798ef7cad3ed1b5c63bf530e1ef3c)

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/6810
Committed: https://git.mahara.org/mahara/mahara/commit/3e6b80bc736b8c0b74dc3cfe315d1ee7d023ee26
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.04_STABLE

commit 3e6b80bc736b8c0b74dc3cfe315d1ee7d023ee26
Author: Aaron Wells <email address hidden>
Date: Wed Aug 3 14:23:08 2016 +1200

Bug 1609200: Limit group config to group's admins

behatnotneeded: Test to come later

Change-Id: Ibbb574c67d80e3fd6a139752590bdd602e822f88
(cherry picked from commit 47905d70a15798ef7cad3ed1b5c63bf530e1ef3c)

Robert Lyon (robertl-9) on 2016-08-08
information type: Private Security → Public Security
Robert Lyon (robertl-9) on 2016-10-21
Changed in mahara:
milestone: 16.10.0 → none
status: Fix Committed → Fix Released