Elastic search: Search results are not restricted for artefacts on pages shared with group
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mahara | Fix Released | High | Robert Lyon | |
| 18.10 | Fix Released | High | Unassigned | |
| 19.04 | Fix Released | High | Unassigned | |
| 19.10 | Fix Released | High | Unassigned | |
| 20.04 | Fix Released | High | Robert Lyon | |
Bug Description
A user can create a page with media artefacts on it and share it with a group. The user can specify which users in that group have access, i.e. "Everyone in group", "Member" and "Admin". When a user selects to share the page with "Member" or "Admin", all members of the group can view it via the media category in the Elastic Search page and can see the artefact. The preview image for an Image block for this issue is displaying as a broken link in Firefox and not displaying at all in Chrome.
Have Elastic Search set up and able to search.
1. Create a group that has admin and members.
2. Log in as a user (doesn't have to be group member) and create a page with an Image block.
3. Share the page with the group and choose "Admin" in dropdown
4. Log in as a Member of the group and go to Elastic search with no search words (should return everything you have access to see).
5. Select Media tab and view
Expected results:
No artefacts from pages that are not shared with User are returned as results.
Actual results:
User can see artefacts from the page they do not have permission to access.
Mahara: 19.10dev
OS: Ubuntu 18.04.2
DB: Postgres
Browser: Firefox 68.01, Chrome 75.0.3770.142
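The defect described above is an authorisation post-filter that is missing or too loose: a group member is shown artefacts from a page shared only with the group's admins. The following is an added illustration of the check a search layer should apply before returning hits; it is not Mahara's code, and the data model (view owners, group shares with an optional role, artefact-to-view placement) and the sample ids are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model of the access rules in the report. A page (view) is either
# owned by the searcher or shared with a group, optionally restricted to one
# group role. Assumption (not verified against Mahara): a role-restricted share
# grants access only to users holding exactly that role in the group.

@dataclass(frozen=True)
class GroupShare:
    view_id: int
    group_id: int
    role: Optional[str]  # None means "Everyone in group"

@dataclass(frozen=True)
class Hit:
    artefact_id: int
    view_ids: Tuple[int, ...]  # pages on which the artefact is placed

# Constructed sample data: view 10 is shared with group 5 admins only,
# view 11 with everyone in group 5. Both pages belong to user 1.
SAMPLE_OWNERS: Dict[int, int] = {10: 1, 11: 1}
SAMPLE_SHARES: List[GroupShare] = [GroupShare(10, 5, "admin"),
                                   GroupShare(11, 5, None)]
SAMPLE_MEMBERSHIP: Dict[int, Dict[int, str]] = {2: {5: "member"}, 3: {5: "admin"}}
SAMPLE_HITS: List[Hit] = [Hit(100, (10,)), Hit(101, (11,)), Hit(102, (10, 11))]

def user_can_view(view_id, user_id, roles, shares, owners) -> bool:
    """True if the user owns the page or a group share on it applies to them."""
    if owners.get(view_id) == user_id:
        return True
    for share in shares:
        if share.view_id != view_id:
            continue
        role = roles.get(share.group_id)
        if role is None:            # searcher is not in that group at all
            continue
        if share.role is None or share.role == role:
            return True
    return False

def visible_artefacts(user_id, hits=SAMPLE_HITS, shares=SAMPLE_SHARES,
                      owners=SAMPLE_OWNERS, membership=SAMPLE_MEMBERSHIP):
    """Post-filter raw search hits: keep an artefact only if the searcher can
    view at least one page it appears on (the check the report says is missing)."""
    roles = membership.get(user_id, {})
    return [h.artefact_id for h in hits
            if any(user_can_view(v, user_id, roles, shares, owners)
                   for v in h.view_ids)]
```

With this filter the group member (user 2) no longer sees artefact 100 from the admin-only page, which is the expected result in the report.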
Changed in mahara: milestone: 19.10.0 → 19.10.1; information type: Private Security → Public Security
Changed in mahara: milestone: 20.04.0 → none
Marking as high as it's to do with permissions and thus privacy.