Non institution member can copy another institution's view
Bug #630900 reported by Dirk Meyer
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Fix Released | Wishlist | Unassigned |
Bug Description
A user who does not belong to any institution can copy the views of any institution that has any institution views. Institution views should be restricted to be copied only by members of that institution.
1.3.0 rc1
Linux
MySQL
security vulnerability: yes → no
visibility: private → public
tags: added: institutions
Changed in mahara:
status: Confirmed → Fix Released
I think there are two things we need to do before we can implement this. First, Mahara doesn't have the ability to add view access for an institution yet (only logged-in, groups, users, etc.).
Second, we need more fine-grained copy permissions. Currently a view is either copyable by everyone who can see it, or not copyable at all.
At the request of BCU we recently added comment permissions on every access record, so we could do the same thing with copying.
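A minimal model of the two changes the comment above describes, added here as an illustration and not Mahara's own code. The class names, the `institution` access type and the `allow_copy` flag are assumptions made for the example; the sample view and users are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    institutions: frozenset = frozenset()
    groups: frozenset = frozenset()

@dataclass(frozen=True)
class AccessRecord:
    accesstype: str           # "loggedin", "user", "group", or the proposed "institution"
    target: str = ""          # user name, group or institution the record applies to
    allow_copy: bool = False  # assumed per-record flag, modelled on per-record comment permissions

    def matches(self, user: User) -> bool:
        if self.accesstype == "loggedin":
            return True
        if self.accesstype == "user":
            return user.name == self.target
        if self.accesstype == "group":
            return self.target in user.groups
        if self.accesstype == "institution":
            return self.target in user.institutions
        return False          # unknown access types deny by default

@dataclass
class View:
    title: str
    copyable: bool            # the coarse, view-wide copy flag
    access: list

def can_view(user: User, view: View) -> bool:
    return any(r.matches(user) for r in view.access)

def can_copy_coarse(user: User, view: View) -> bool:
    """All-or-nothing: anyone who can see a copyable view can copy it."""
    return view.copyable and can_view(user, view)

def can_copy_fine(user: User, view: View) -> bool:
    """Per-record: copying needs a matching record that itself grants copy."""
    return any(r.allow_copy and r.matches(user) for r in view.access)

# Constructed sample: an institution view every logged-in user may see,
# but only members of "inst-a" may copy.
view = View("Institution template", copyable=True, access=[
    AccessRecord("loggedin"),
    AccessRecord("institution", "inst-a", allow_copy=True),
])
member = User("alice", institutions=frozenset({"inst-a"}))
outsider = User("bob")  # belongs to no institution
```

With the coarse flag the outsider can copy the view simply because they can see it; with per-record permissions only the institution record grants copy, so the outsider is refused while the member is allowed.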