Elastic search: Search results are not restricted for artefacts on pages shared with group

Bug #1840201 reported by Lisa Seeto on 2019-08-15
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Mahara | Status tracked in 20.04 | | |
19.04 | | Undecided | Unassigned |
19.10 | | High | Unassigned |
20.04 | | High | Cecilia Vela Gurovic |

Bug Description

A user can create a page with media artefacts on it and share it with a group. The user can specify which users in that group have access, i.e. "Everyone in group", "Member" and "Admin". When a user selects to share the page with "Member" or "Admin", all members of the group can view it via the media category on the Elastic Search page and can see the artefact. The preview image for an Image block for this issue is displaying as a broken link in Firefox and not displaying at all in Chrome.

Have Elastic Search set up and able to search.
1. Create a group that has admin and members.
2. Log in as a user (doesn't have to be group member) and create a page with an Image block.
3. Share the page with the group and choose "Admin" in the dropdown.
4. Log in as a Member of the group and go to Elastic search with no search words (should return everything you have access to see).
5. Select the Media tab and view.
Expected results:
No artefacts from pages that are not shared with User are returned as results.
Actual results:
User can see artefacts from the page they do not have permission to access.

Mahara: 19.10dev
OS: Ubuntu 18.04.2
DB: Postgres
Browser: Firefox 68.01, Chrome 75.0.3770.142
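
The expected result above, written as a role-aware visibility check that could back a regression test. This is an added example, not code from the report or from Mahara: the class and field names are hypothetical, the sample data is constructed, and it assumes a share restricted to "Member" or "Admin" matches that exact group role only.

```python
from dataclasses import dataclass, field
from typing import Optional

# All names here are hypothetical; this is not Mahara's index schema or code.
@dataclass(frozen=True)
class AccessRule:
    group_id: int
    role: Optional[str] = None  # None = "Everyone in group", else "member" / "admin"

@dataclass
class Hit:
    artefact: str
    owner_id: int
    page_access: list  # AccessRule entries of the pages that embed the artefact

@dataclass
class User:
    user_id: int
    group_roles: dict = field(default_factory=dict)  # group_id -> role in that group

def rule_allows(rule, user, check_role=True):
    role = user.group_roles.get(rule.group_id)
    if role is None:
        return False  # not a member of the group at all
    if not check_role:
        return True  # role ignored: reproduces the symptom in the report
    # Assumption: a role-restricted share matches that exact role only.
    return rule.role is None or rule.role == role

def visible_hits(hits, user, check_role=True):
    """Artefact names the user may see: own artefacts, or ones on a page shared with them."""
    return [h.artefact for h in hits
            if h.owner_id == user.user_id
            or any(rule_allows(r, user, check_role) for r in h.page_access)]

# Constructed sample data mirroring the reproduction steps.
HITS = [
    Hit("admin-only.png", owner_id=3, page_access=[AccessRule(7, "admin")]),
    Hit("everyone.png", owner_id=3, page_access=[AccessRule(7)]),
]
ADMIN = User(1, {7: "admin"})
MEMBER = User(2, {7: "member"})
OWNER = User(3)      # page author, not a group member
OUTSIDER = User(4)   # no relation to the group or the page

if __name__ == "__main__":
    print("member, role ignored:", visible_hits(HITS, MEMBER, check_role=False))
    print("member, role checked:", visible_hits(HITS, MEMBER))
```

The `check_role=False` path only reproduces the reported symptom; the report does not state the actual cause in Mahara.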

Lisa Seeto (lisaseeto) wrote :

Marking as high as it's to do with permissions and thus privacy.

Changed in mahara:
importance: Undecided → High
status: New → Confirmed
milestone: none → 19.10.0
tags: added: privacy
Changed in mahara:
milestone: 19.10.0 → 19.10.1

Please check if also a problem in 19.04.
