Activity log for bug #1609200
Date | Who | What changed | Old value | New value | Message |
---|---|---|---|---|---|
2016-08-03 01:53:41 | Ghada El-Zoghbi | bug | | | added bug |
2016-08-03 01:53:48 | Ghada El-Zoghbi | mahara: assignee | | Ghada El-Zoghbi (ghada-z) | |
2016-08-03 02:04:27 | Ghada El-Zoghbi | information type | Public | Private Security | |
2016-08-03 02:28:08 | Aaron Wells | description | Mahara: master DB: postgres OS: Linux Browser: Firefox Unfortunately, with the fix for this bug: https://bugs.launchpad.net/mahara/+bug/1607231 Another bug was introduced. A non-admin role can edit the group if they know the URL and group id. The user can directly input the URL of the edit page and save the data: * http://my.mahara/group/edit.php?id=3 There is no check to make sure the user has admin role. | Only the admin of a group should be able to change the group's settings (via group/edit.php). But any member of a group can view and edit the settings if they go to the URL directly: * http://my.mahara/group/edit.php?id=3 There is no check to make sure the user has admin role. To replicate: 1. Create a group as User 1. Note the group's id 2. Add User 2 to the group as a "member" (not an "admin") 3. Log in as User 2 4. Type in e.g. http://my.mahara/group/edit.php?id=X , where X is the group's ID Expected result: You get an error message saying "You can't edit this group" Actual result: You see the group config page, and you can make changes and they will be saved. | |
2016-08-03 02:28:25 | Aaron Wells | nominated for series | | mahara/16.10 | |
2016-08-03 02:28:25 | Aaron Wells | bug task added | | mahara/16.10 | |
2016-08-03 02:28:25 | Aaron Wells | nominated for series | | mahara/16.04 | |
2016-08-03 02:28:25 | Aaron Wells | bug task added | | mahara/16.04 | |
2016-08-03 02:28:25 | Aaron Wells | nominated for series | | mahara/15.04 | |
2016-08-03 02:28:25 | Aaron Wells | bug task added | | mahara/15.04 | |
2016-08-03 02:28:25 | Aaron Wells | nominated for series | | mahara/15.10 | |
2016-08-03 02:28:25 | Aaron Wells | bug task added | | mahara/15.10 | |
2016-08-03 02:28:36 | Aaron Wells | mahara/16.10: milestone | | 16.10.0 | |
2016-08-03 02:28:41 | Aaron Wells | mahara/16.04: milestone | | 16.04.3 | |
2016-08-03 02:28:45 | Aaron Wells | mahara/15.10: milestone | | 15.10.5 | |
2016-08-03 02:28:48 | Aaron Wells | mahara/15.04: milestone | | 15.04.9 | |
2016-08-03 02:29:35 | Aaron Wells | mahara/16.10: importance | Undecided | High | |
2016-08-03 02:29:38 | Aaron Wells | mahara/16.04: importance | Undecided | High | |
2016-08-03 02:29:41 | Aaron Wells | mahara/15.10: importance | Undecided | High | |
2016-08-03 02:29:44 | Aaron Wells | mahara/15.04: importance | Undecided | High | |
2016-08-03 02:29:48 | Aaron Wells | mahara/16.10: status | New | In Progress | |
2016-08-03 02:29:52 | Aaron Wells | mahara/16.04: status | New | In Progress | |
2016-08-03 02:29:54 | Aaron Wells | mahara/15.10: status | New | In Progress | |
2016-08-03 02:29:57 | Aaron Wells | mahara/15.04: status | New | In Progress | |
2016-08-08 02:34:00 | Robert Lyon | mahara/15.04: status | In Progress | Fix Committed | |
2016-08-08 02:34:03 | Robert Lyon | mahara/15.10: status | In Progress | Fix Committed | |
2016-08-08 02:34:05 | Robert Lyon | mahara/16.04: status | In Progress | Fix Committed | |
2016-08-08 02:34:07 | Robert Lyon | mahara/16.10: status | In Progress | Fix Committed | |
2016-08-08 02:34:42 | Robert Lyon | information type | Private Security | Public Security | |
2016-08-08 05:10:31 | Aaron Wells | mahara/15.10: status | Fix Committed | Fix Released | |
2016-08-08 05:10:33 | Robert Lyon | mahara/15.04: status | Fix Committed | Fix Released | |
2016-08-08 05:10:36 | Aaron Wells | mahara/16.04: status | Fix Committed | Fix Released | |
2016-10-21 02:29:35 | Robert Lyon | mahara/16.10: status | Fix Committed | Fix Released | |
2016-10-21 02:29:37 | Robert Lyon | mahara: milestone | | 16.10.0 | |
2016-10-21 02:29:40 | Robert Lyon | mahara: status | Fix Committed | Fix Released | |
2017-11-06 23:45:07 | Kristina Hoeppner | cve linked | | 2017-1000156 | |