Activity log for bug #1609200

Date Who What changed Old value New value Message
2016-08-03 01:53:41 Ghada El-Zoghbi bug added bug
2016-08-03 01:53:48 Ghada El-Zoghbi mahara: assignee Ghada El-Zoghbi (ghada-z)
2016-08-03 02:04:27 Ghada El-Zoghbi information type Public Private Security
2016-08-03 02:28:08 Aaron Wells description

Mahara: master
DB: postgres
OS: Linux
Browser: Firefox

Unfortunately, with the fix for this bug: https://bugs.launchpad.net/mahara/+bug/1607231
Another bug was introduced.

A non-admin role can edit the group if they know the URL and group id. The user can directly input the URL of the edit page and save the data:
* http://my.mahara/group/edit.php?id=3

There is no check to make sure the user has admin role.

Only the admin of a group should be able to change the group's settings (via group/edit.php). But any member of a group can view and edit the settings if they go to the URL directly:
* http://my.mahara/group/edit.php?id=3

There is no check to make sure the user has admin role.

To replicate:
1. Create a group as User 1. Note the group's id
2. Add User 2 to the group as a "member" (not an "admin")
3. Log in as User 2
4. Type in e.g. http://my.mahara/group/edit.php?id=X , where X is the group's ID

Expected result: You get an error message saying "You can't edit this group"

Actual result: You see the group config page, and you can make changes and they will be saved.

2016-08-03 02:28:25 Aaron Wells nominated for series mahara/16.10
2016-08-03 02:28:25 Aaron Wells bug task added mahara/16.10
2016-08-03 02:28:25 Aaron Wells nominated for series mahara/16.04
2016-08-03 02:28:25 Aaron Wells bug task added mahara/16.04
2016-08-03 02:28:25 Aaron Wells nominated for series mahara/15.04
2016-08-03 02:28:25 Aaron Wells bug task added mahara/15.04
2016-08-03 02:28:25 Aaron Wells nominated for series mahara/15.10
2016-08-03 02:28:25 Aaron Wells bug task added mahara/15.10
2016-08-03 02:28:36 Aaron Wells mahara/16.10: milestone 16.10.0
2016-08-03 02:28:41 Aaron Wells mahara/16.04: milestone 16.04.3
2016-08-03 02:28:45 Aaron Wells mahara/15.10: milestone 15.10.5
2016-08-03 02:28:48 Aaron Wells mahara/15.04: milestone 15.04.9
2016-08-03 02:29:35 Aaron Wells mahara/16.10: importance Undecided High
2016-08-03 02:29:38 Aaron Wells mahara/16.04: importance Undecided High
2016-08-03 02:29:41 Aaron Wells mahara/15.10: importance Undecided High
2016-08-03 02:29:44 Aaron Wells mahara/15.04: importance Undecided High
2016-08-03 02:29:48 Aaron Wells mahara/16.10: status New In Progress
2016-08-03 02:29:52 Aaron Wells mahara/16.04: status New In Progress
2016-08-03 02:29:54 Aaron Wells mahara/15.10: status New In Progress
2016-08-03 02:29:57 Aaron Wells mahara/15.04: status New In Progress
2016-08-08 02:34:00 Robert Lyon mahara/15.04: status In Progress Fix Committed
2016-08-08 02:34:03 Robert Lyon mahara/15.10: status In Progress Fix Committed
2016-08-08 02:34:05 Robert Lyon mahara/16.04: status In Progress Fix Committed
2016-08-08 02:34:07 Robert Lyon mahara/16.10: status In Progress Fix Committed
2016-08-08 02:34:42 Robert Lyon information type Private Security Public Security
2016-08-08 05:10:31 Aaron Wells mahara/15.10: status Fix Committed Fix Released
2016-08-08 05:10:33 Robert Lyon mahara/15.04: status Fix Committed Fix Released
2016-08-08 05:10:36 Aaron Wells mahara/16.04: status Fix Committed Fix Released
2016-10-21 02:29:35 Robert Lyon mahara/16.10: status Fix Committed Fix Released
2016-10-21 02:29:37 Robert Lyon mahara: milestone 16.10.0
2016-10-21 02:29:40 Robert Lyon mahara: status Fix Committed Fix Released
2017-11-06 23:45:07 Kristina Hoeppner cve linked 2017-1000156