Mahara

Bug #1609200
Activity log

Activity log for bug #1609200

Date	Who	What changed	Old value	New value	Message
2016-08-03 01:53:41	Ghada El-Zoghbi	bug			added bug
2016-08-03 01:53:48	Ghada El-Zoghbi	mahara: assignee		Ghada El-Zoghbi (ghada-z)
2016-08-03 02:04:27	Ghada El-Zoghbi	information type	Public	Private Security
2016-08-03 02:28:08	Aaron Wells	description	Mahara: master DB: postgres OS: Linus Browser: Firefox Unfortunately, with the fix for this bug: https://bugs.launchpad.net/mahara/+bug/1607231 Another bug was introduced. A non-admin role can edit the group if they know the URL and group id. The user can directly input the URL of the edit page and save the data: * http://my.mahara/group/edit.php?id=3 There is no check to make sure the user has admin role.	Only the admin of a group should be able to change the group's settings (via group/edit.php). But any member of a group can view and edit the settings if they go to the URL directly: * http://my.mahara/group/edit.php?id=3 There is no check to make sure the user has admin role. To replicate: 1. Create a group as User 1. Note the group's id 2. Add User 2 to the group as a "member" (not an "admin") 3. Log in as User 2 4. Type in e.g. http://my.mahara/group/edit.php?id=X , where X is the group's ID Expected result: You get an error message saying "You can't edit this group" Actual result: You see the group config page, and you can make changes and they will be saved.
2016-08-03 02:28:25	Aaron Wells	nominated for series		mahara/16.10
2016-08-03 02:28:25	Aaron Wells	bug task added		mahara/16.10
2016-08-03 02:28:25	Aaron Wells	nominated for series		mahara/16.04
2016-08-03 02:28:25	Aaron Wells	bug task added		mahara/16.04
2016-08-03 02:28:25	Aaron Wells	nominated for series		mahara/15.04
2016-08-03 02:28:25	Aaron Wells	bug task added		mahara/15.04
2016-08-03 02:28:25	Aaron Wells	nominated for series		mahara/15.10
2016-08-03 02:28:25	Aaron Wells	bug task added		mahara/15.10
2016-08-03 02:28:36	Aaron Wells	mahara/16.10: milestone		16.10.0
2016-08-03 02:28:41	Aaron Wells	mahara/16.04: milestone		16.04.3
2016-08-03 02:28:45	Aaron Wells	mahara/15.10: milestone		15.10.5
2016-08-03 02:28:48	Aaron Wells	mahara/15.04: milestone		15.04.9
2016-08-03 02:29:35	Aaron Wells	mahara/16.10: importance	Undecided	High
2016-08-03 02:29:38	Aaron Wells	mahara/16.04: importance	Undecided	High
2016-08-03 02:29:41	Aaron Wells	mahara/15.10: importance	Undecided	High
2016-08-03 02:29:44	Aaron Wells	mahara/15.04: importance	Undecided	High
2016-08-03 02:29:48	Aaron Wells	mahara/16.10: status	New	In Progress
2016-08-03 02:29:52	Aaron Wells	mahara/16.04: status	New	In Progress
2016-08-03 02:29:54	Aaron Wells	mahara/15.10: status	New	In Progress
2016-08-03 02:29:57	Aaron Wells	mahara/15.04: status	New	In Progress
2016-08-08 02:34:00	Robert Lyon	mahara/15.04: status	In Progress	Fix Committed
2016-08-08 02:34:03	Robert Lyon	mahara/15.10: status	In Progress	Fix Committed
2016-08-08 02:34:05	Robert Lyon	mahara/16.04: status	In Progress	Fix Committed
2016-08-08 02:34:07	Robert Lyon	mahara/16.10: status	In Progress	Fix Committed
2016-08-08 02:34:42	Robert Lyon	information type	Private Security	Public Security
2016-08-08 05:10:31	Aaron Wells	mahara/15.10: status	Fix Committed	Fix Released
2016-08-08 05:10:33	Robert Lyon	mahara/15.04: status	Fix Committed	Fix Released
2016-08-08 05:10:36	Aaron Wells	mahara/16.04: status	Fix Committed	Fix Released
2016-10-21 02:29:35	Robert Lyon	mahara/16.10: status	Fix Committed	Fix Released
2016-10-21 02:29:37	Robert Lyon	mahara: milestone	16.10.0
2016-10-21 02:29:40	Robert Lyon	mahara: status	Fix Committed	Fix Released
2017-11-06 23:45:07	Kristina Hoeppner	cve linked		2017-1000156