watchlist notification email about a page that is not on a watchlist

Bug #1813947 reported by Tucker MacNeill
This bug affects 1 person
Affects: Mahara
Status: Expired
Importance: Undecided
Assigned to: Unassigned

Bug Description

Possible GDPR ramifications.

Student A received a notification that (Student B) Student A's Portfolio was updated. Student B does not own Student A's page. Is not attached to Student A's page, is not being shared with or to Student A.

Student A's Portfolio is only shared with her tutors, not fellow students. Student B shouldn't have access (and doesn't from what I can see) to Student A's page at all, let alone to set up a watchlist. When I logged in as Student B, there was no evidence that she had ever set up a watchlist at all.

Mahara Version: 18.04.1testing

Tags: watchlist
Tucker MacNeill (tmacneill) wrote :
Robert Lyon (robertl-9) wrote :

Hi Tucker,

Can you check to see who actually owns the page the watchlist was generated for?

Because if Student B titled their page with 'Student A' or copied a page off 'Student A' and didn't change the title, then the title of the page could cause confusion, as both users could have a page with the same title.

Running the SQL command should help:

 SELECT CONCAT(u.firstname, ' ', u.lastname) AS name, v.title, u.username
 FROM view v
 JOIN usr_watchlist_view uwv ON uwv.view = v.id
 JOIN usr u ON u.id = v.owner
 WHERE uwv.usr = ?

where ? needs to be the id of the user doing the watching (e.g. Student A).

The username column should show who actually owns the page(s) being watched.

Cheers
Robert

Changed in mahara:
status: New → Incomplete
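
An added example, not part of the original thread and not Mahara's own code: the ownership query above, extended to flag the confusion case it is looking for, where the watcher owns a different page with the same title as a page on their watchlist. It runs against a constructed SQLite stand-in for the `usr`, `view` and `usr_watchlist_view` tables; the sample users and pages and the names `build_sample` and `audit_watchlist` are assumptions.

```python
import sqlite3

# Constructed stand-in for the three tables named in the query above. Only the
# columns that query references are modelled; this is not Mahara's full schema.
# "view" is quoted because VIEW is also an SQL keyword.
SCHEMA = """
CREATE TABLE usr (id INTEGER PRIMARY KEY, username TEXT, firstname TEXT, lastname TEXT);
CREATE TABLE "view" (id INTEGER PRIMARY KEY, title TEXT, owner INTEGER);
CREATE TABLE usr_watchlist_view (usr INTEGER, "view" INTEGER);
"""

# For every page on one user's watchlist: the real owner, plus a flag when the
# watcher owns a different page with the identical title (the confusion case).
AUDIT = """
SELECT v.id, v.title, o.username,
       EXISTS (SELECT 1 FROM "view" mine
                WHERE mine.owner = uwv.usr
                  AND mine.id <> v.id
                  AND mine.title = v.title)
  FROM usr_watchlist_view uwv
  JOIN "view" v ON v.id = uwv."view"
  JOIN usr o ON o.id = v.owner
 WHERE uwv.usr = ?
 ORDER BY v.id
"""

def build_sample():
    """In-memory database with constructed rows (hypothetical users and pages)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO usr VALUES (?, ?, ?, ?)", [
        (1, "student_a", "Student", "A"),
        (2, "student_b", "Student", "B"),
        (3, "lecturer_q", "Lecturer", "Q"),
    ])
    conn.executemany('INSERT INTO "view" VALUES (?, ?, ?)', [
        (10, "[Template] Personal and Professional Development", 3),
        (11, "Student A Personal and Professional Development", 1),
        (12, "Student A Personal and Professional Development", 2),  # copy, title unchanged
    ])
    conn.executemany("INSERT INTO usr_watchlist_view VALUES (?, ?)", [(1, 10), (1, 12)])
    return conn

def audit_watchlist(conn, watcher_id):
    """Return (view id, title, owner username, title_collides) per watched page."""
    rows = conn.execute(AUDIT, (watcher_id,)).fetchall()
    return [(vid, title, owner, bool(flag)) for vid, title, owner, flag in rows]

if __name__ == "__main__":
    for row in audit_watchlist(build_sample(), 1):
        print(row)
```
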
Tucker MacNeill (tmacneill) wrote :

Lecturer Q made a '[Template] Personal and Professional Development' page, which Student A and Student B both copied from. Lecturer Q retained access to copied templates. Students then shared their copied pages also with Tutor Group comprised of other tutors in the programme, so that they also had access to on-going portfolio development.

So, yes, both titles of the pages were similar, as the students were told to replace '[Template]' with their own names.

I called this a 'watchlist' bug, because neither student, nor the lecturer in question set up watchlists at all.

Neither Student A nor Student B had access to each other's pages, in order to even set up a watchlist in the first place. Therefore a 'watchlist notification' is pretty strange.

Robert Lyon (robertl-9) wrote :

There are 2 ways for a watchlist on a page to be set up:

1) Explicitly clicking the 'Add page to watchlist' link under the page's '...' (3 dots) menu

2) By placing a comment on the page - the commenter is automatically added to the watchlist for the page

If the users did neither of these things then I'm not sure how they got onto the watchlist, unless someone altered the data in the database directly.

Cheers
Robert

Launchpad Janitor (janitor) wrote :

[Expired for Mahara because there has been no activity for 60 days.]

Changed in mahara:
status: Incomplete → Expired