Non institution member can copy another institutions view
Bug #630900 reported by
Dirk Meyer
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Mahara |
Fix Released
|
Wishlist
|
Unassigned | ||
Bug Description
A user who does not belong to any institution can copy the views of any institution that has any institution views. Institution views should be restricted to be copied only by members of that institution.
1.3.0 rc1
Linux
MySQL
| security vulnerability: | yes → no |
| visibility: | private → public |
Revision history for this message
| Richard Mansfield (richard-mansfield) wrote | #1 |
| Changed in mahara: | |
| status: | New → Confirmed |
| importance: | Undecided → Wishlist |
| tags: | added: institutions |
| Changed in mahara: | |
| status: | Confirmed → Fix Released |
Revision history for this message
| Kristina Hoeppner (kris-hoeppner) wrote | #2 |
To post a comment you must log in.
I think there are two things we need to do before we can implement this. First, Mahara doesn't have the ability to add view access for an institution yet (only logged-in, groups, users, etc.).
Second, we need more fine-grained copy permissions. Currently a view is either copyable by everyone who can see it, or not copyable at all.
At the request of BCU we recently added comment permissions on every access record, so we could do the same thing with copying.