watchlist notification email about a page that is not on a watchlist

Bug #1813947 reported by Tucker MacNeill on 2019-01-30

This bug affects 1 person
Affects: Mahara
Importance: Undecided
Assigned to: Unassigned

Bug Description

Possible GDPR ramifications.

Student A received a notification that (Student B) Student A's Portfolio was updated. Student B does not own Student A's page, is not attached to Student A's page, and is not being shared with or to Student A.

Student A's Portfolio is only shared with her tutors, not fellow students. Student B shouldn't have access (and doesn't from what I can see) to Student A's page at all, let alone to set up a watchlist. When I logged in as Student B, there was no evidence that she had ever set up a watchlist at all.

Mahara Version: 18.04.1testing

Robert Lyon (robertl-9) wrote :

Hi Tucker,

Can you check to see who actually owns the page the watchlist was generated for?

Because if Student B titled their page with 'Student A', or copied a page off 'Student A' and didn't change the title, then the title of the page could cause confusion, as both users could have a page with the same title.

Running this SQL command should help:

 SELECT CONCAT(u.firstname, ' ', u.lastname) AS name, v.title, u.username
 FROM view v
 JOIN usr_watchlist_view uwv ON uwv.view = v.id
 JOIN usr u ON u.id = v.owner
 WHERE uwv.usr = ?

where ? needs to be the id of the user doing the watching (e.g. Student A).

The username column should show who actually owns the page(s) being watched.

Cheers
Robert

Changed in mahara:
status: New → Incomplete
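
The ownership check suggested above, extended to also flag title collisions, as an added example that is not part of the original thread or of Mahara's code. It runs against a constructed in-memory SQLite database holding only the tables and columns named in the query; the sample users, pages and titles are made up.

```python
import sqlite3

# Constructed minimal schema: only the tables and columns the query in the
# comment above references. A real Mahara database has more columns and may
# use a table prefix.
SCHEMA = """
CREATE TABLE usr (id INTEGER PRIMARY KEY, username TEXT, firstname TEXT, lastname TEXT);
CREATE TABLE view (id INTEGER PRIMARY KEY, title TEXT, owner INTEGER REFERENCES usr(id));
CREATE TABLE usr_watchlist_view (usr INTEGER REFERENCES usr(id), view INTEGER REFERENCES view(id));
"""

# For each page a user watches: its real owner, plus how many pages owned by
# *other* users carry the same title (case-insensitive, whitespace-trimmed).
AUDIT_SQL = """
SELECT v.id, v.title, o.username AS owner,
       (SELECT COUNT(*) FROM view v2
         WHERE v2.owner <> v.owner
           AND lower(trim(v2.title)) = lower(trim(v.title))) AS same_title_elsewhere
FROM usr_watchlist_view uwv
JOIN view v ON v.id = uwv.view
JOIN usr o ON o.id = v.owner
WHERE uwv.usr = ?
ORDER BY v.id
"""

def build_sample_db():
    """Constructed sample data: two students, one unchanged copied title."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO usr VALUES (?,?,?,?)", [
        (1, "student_a", "Student", "A"),
        (2, "student_b", "Student", "B"),
    ])
    db.executemany("INSERT INTO view VALUES (?,?,?)", [
        (10, "Student A Personal and Professional Development", 1),
        (11, "Student A Personal and Professional Development", 2),  # copy, title unchanged
        (12, "Student B placement notes", 2),
    ])
    db.executemany("INSERT INTO usr_watchlist_view VALUES (?,?)", [(1, 11), (1, 12)])
    return db

def audit_watchlist(db, watcher_id):
    """Return (view id, title, owner username, same-title count) per watched page."""
    return db.execute(AUDIT_SQL, (watcher_id,)).fetchall()

if __name__ == "__main__":
    for row in audit_watchlist(build_sample_db(), 1):
        print(row)
```

A non-zero count in the last column means the notification title alone cannot identify whose page changed; the owner column is the value to trust.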
Tucker MacNeill (tmacneill) wrote :

Lecturer Q made a '[Template] Personal and Professional Development' page, which Student A and Student B both copied from. Lecturer Q retained access to copied templates. Students then shared their copied pages also with Tutor Group comprised of other tutors in the programme, so that they also had access to on-going portfolio development.

So, yes, both titles of the pages were similar, as the students were told to replace '[Template]' with their own names.

I called this a 'watchlist' bug, because neither student, nor the lecturer in question set up watchlists at all.

Neither Student A nor Student B had access to each other's pages in order to even set up a watchlist in the first place. Therefore a 'watchlist notification' is pretty strange.

Robert Lyon (robertl-9) wrote :

There are 2 ways for a watchlist on a page to be set up:

1) Explicitly clicking the 'Add page to watchlist' link under the page's '...' (3 dots) menu

2) By placing a comment on the page - the commenter is automatically added to the watchlist for the page

If the users did neither of these things then I'm not sure how they got onto the watchlist - unless someone altered the data in the database directly.

Cheers
Robert
