Non-group members can still see portfolio submission option in group
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Mahara |
Confirmed
|
Medium
|
Unassigned |
Bug Description
Group settings are set to:
• Open: NO
• Controlled: YES
• Request: NO
• Publicly viewable group: NO
• Hide group: YES
• Hide membership: YES
• Hide members from members: NO
If a user figures out the unique URL that points to a group, they are able to see the group homepage. It displays the general group info (including who the admin is) and if the submission option is turned on, they can also see the “submit a page or collection to this group” option (see screenshot). If they try to submit to the group, it says access denied.
Ideally, if a group is (1) closed, (2) users cannot request membership and (3) “hidden”, when a user who is not a member tries to view the group, the page should say “Access Denied”.
Changed in mahara: | |
status: | New → Incomplete |
Changed in mahara: | |
status: | Incomplete → Confirmed |
importance: | Undecided → Medium |
I could replicate this as well.
I think there are a few things here that we'll keep separate.
1. When you are not a member of the group and submissions are allowed, you shouldn't have the possibility to submit a group only to end up on "Access denied". Only people who are allowed to submit portfolios to a group should see that option.
This is the bug here.
2. When a group is hidden from non-group members, non-group members should not be able to access the group homepage and any other parts of a group even if they reach them via the direct URL and only receive "Access denied".
This is a wishlist item. Currently, the "hide" functionality only hides the group on "Find groups". The wishlist item is at bug #1724409.