Non-group admin can manage group views and group files
Bug #631189 reported by Dirk Meyer
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Fix Released | Wishlist | Richard Mansfield |
Bug Description
Maybe it's intended, but a group member who is not an admin of that group can add, delete and edit group views and files.
1.3.0rc1
MySQL
Linux
Changed in mahara:
importance: Medium → Wishlist
Changed in mahara:
milestone: none → 1.5.0
status: Confirmed → Fix Committed
assignee: nobody → Richard Mansfield (richard-mansfield)
tags: added: newfeature
I don't think there's an easy way to restrict editing of ordinary group views.
But it would be quite easy to stop the group homepage view from being edited by non-admins, and I think we should do that before the release.
Group files have view/edit permissions set individually for each file and each role in the group, which is intentional. If a group admin uploads a file to a group and doesn't want ordinary members to be able to edit it, s/he must edit the file in the group files area and set the permission explicitly.