Members from other institution can be seen when sharing portfolios despite isolated institutions

Bug #1851557 reported by Kristina Hoeppner on 2019-11-06
This bug affects 1 person
Affects: Mahara (status tracked in 20.04)
- 19.04: importance High, unassigned
- 19.10: importance High, unassigned
- 20.04: importance High, assigned to Robert Lyon

Bug Description

When you have isolated institutions turned on and a minimum of two institutions, you can see people from another institution when you share your portfolio page though you should not be allowed to see them. This will also need to be checked for when "See own groups only" is turned on as that restricts the sharing even more.

Similarly, when a person searches for groups, they should only see groups that are associated with their institution or that they are in if "See own groups only" is turned on.

To replicate scenario 1:

1. Allow isolated institutions in the config.php.
2. Set up 2 institutions with 3 people each.
3. Put two group members from the same institution into a group each.
4. Log in as a normal institution member and create a page.
5. Share that page and select "Search for... user".
Expected result: You only see the 2 other people from your own institution.
Actual result: You can share your page with everyone.

To test scenario 2:

1. Allow isolated institutions in the config.php.
2. In Admin menu -> Configure site -> Site options -> group settings.
3. Set up 2 institutions with 3 people each.
4. Put two group members from the same institution into a group each.
5. Log in as a normal institution member and create a page.
6. Share that page and select "Search for... user".
Expected result: You only see the one other person from your institution who's in the same group as the person you are currently logged in as.

To replicate scenario 3:

1. Allow isolated institutions in the config.php.
2. In Admin menu -> Configure site -> Site options -> group settings.
3. Set up 2 institutions with 3 people each.
4. Put two group members from the same institution into a group each.
5. Set up 2 additional groups in each institution as site admin.
6. Log in as a normal institution member and create a page.
7. Share that page and select "Search for... groups".
Expected result: You only see the 1 group in which you are a member.

To replicate scenario 4:

1. Allow isolated institutions in the config.php.
2. Set up 2 institutions with 3 people each.
3. Put two group members from the same institution into a group each.
4. Set up 2 additional groups in each institution as site admin.
5. Log in as a normal institution member and create a page.
6. Share that page and select "Search for... groups".
Expected result: You only see the 3 groups that were created in your own institution.
Actual result: You can see all groups listed.

Scenario 5: When "See own groups only" is turned on along with isolated institutions, regular users should only be able to invite people who are also in at least one of the groups they are in. Institution admins and staff can see everyone in their institution.

To replicate scenario 5:

1. Allow isolated institutions in the config.php.
2. In Admin menu -> Configure site -> Site options -> Group settings -> Turn on "See own groups only".
3. In Admin menu -> Configure site -> Site options -> Group settings -> Allow everyone to create a group.
4. Set up 2 institutions with 4 people each.
5. Put two group members from one institution into the same group, and 1 each into a separate group.
6. Log in as a normal institution member and create an open group.
7. Click the "Members" tab and invite people.
Expected result: You only see the one person who is already in a group with you, but nobody else.
Actual result: You see everyone in your institution (but not people from other institutions, which is correct).
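
The expected results in scenarios 1 to 5 amount to a visibility matrix that every user or group search endpoint has to enforce on the server side. The following is an added example, not Mahara code and not part of the original report: a small Python model of that matrix that can serve as a regression oracle. All names (User, visible_users, visible_groups, the sample data) are hypothetical. It assumes that with both settings off the search is unrestricted, and that the institution admin/staff exemption applies to the user search only.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    institution: str
    groups: frozenset = frozenset()
    staff: bool = False  # institution admin or staff

def visible_users(viewer, users, isolated, own_groups_only):
    """User names the viewer may be offered in a share/invite search."""
    out = []
    for u in users:
        if u.name == viewer.name:
            continue
        if isolated and u.institution != viewer.institution:
            continue  # scenario 1: never cross the institution boundary
        if own_groups_only and not viewer.staff and not (u.groups & viewer.groups):
            continue  # scenarios 2 and 5: regular users need a shared group
        out.append(u.name)
    return sorted(out)

def visible_groups(viewer, groups, isolated, own_groups_only):
    """Group names offered in a group search; groups maps name -> institution."""
    out = []
    for name, institution in groups.items():
        if isolated and institution != viewer.institution:
            continue  # scenario 4: only groups of the viewer's institution
        if own_groups_only and name not in viewer.groups:
            continue  # scenario 3: only groups the viewer is a member of
        out.append(name)
    return sorted(out)

# Constructed sample data: 2 institutions, 3 people each, one shared group per
# institution plus 2 additional groups in each institution.
USERS = [
    User("a1", "instA", frozenset({"gA1"})), User("a2", "instA", frozenset({"gA1"})),
    User("a3", "instA"),
    User("b1", "instB", frozenset({"gB1"})), User("b2", "instB", frozenset({"gB1"})),
    User("b3", "instB"),
]
GROUPS = {"gA1": "instA", "gA2": "instA", "gA3": "instA",
          "gB1": "instB", "gB2": "instB", "gB3": "instB"}

if __name__ == "__main__":
    a1 = USERS[0]
    # The three configurations the commit message asks to test.
    for isolated, own in [(True, False), (True, True), (False, False)]:
        print(isolated, own, visible_users(a1, USERS, isolated, own),
              visible_groups(a1, GROUPS, isolated, own))
```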

Mahara Bot (dev-mahara) wrote :

Patch for "19.10_STABLE" branch: https://reviews.mahara.org/10702

Reviewed: https://reviews.mahara.org/10570
Committed: https://git.mahara.org/mahara/mahara/commit/61a2bfc1380bdfa69fa955973efa93853d3116c9
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit 61a2bfc1380bdfa69fa955973efa93853d3116c9
Author: Robert Lyon <email address hidden>
Date: Thu Nov 7 10:12:55 2019 +1300

Bug 1851557: Restricting access users / groups select2 results

Need to test the following, when:
- isolated institutions are on only
- when isolated institutions and "See own groups only" are on
- when both are off

behatnotneeded

Change-Id: Id36dbe871320fc9b16e5c7f2df4f6d7596e798e8
Signed-off-by: Robert Lyon <email address hidden>

Reviewed: https://reviews.mahara.org/10731
Committed: https://git.mahara.org/mahara/mahara/commit/605af92f30161808f18f288c34567bf689a280ca
Submitter: Robert Lyon (<email address hidden>)
Branch: 19.04_STABLE

commit 605af92f30161808f18f288c34567bf689a280ca
Author: Robert Lyon <email address hidden>
Date: Thu Nov 7 10:12:55 2019 +1300

Bug 1851557: Restricting access users / groups select2 results

Need to test the following, when:
- isolated institutions are on only
- when isolated institutions and "See own groups only" are on
- when both are off

behatnotneeded

Change-Id: Id36dbe871320fc9b16e5c7f2df4f6d7596e798e8
Signed-off-by: Robert Lyon <email address hidden>

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/10702
Committed: https://git.mahara.org/mahara/mahara/commit/61b6b9c876a0e590dbafb1322269b67d99e1e8aa
Submitter: Robert Lyon (<email address hidden>)
Branch: 19.10_STABLE

commit 61b6b9c876a0e590dbafb1322269b67d99e1e8aa
Author: Robert Lyon <email address hidden>
Date: Thu Nov 7 10:12:55 2019 +1300

Bug 1851557: Restricting access users / groups select2 results

Need to test the following, when:
- isolated institutions are on only
- when isolated institutions and "See own groups only" are on
- when both are off

behatnotneeded

Change-Id: Id36dbe871320fc9b16e5c7f2df4f6d7596e798e8
Signed-off-by: Robert Lyon <email address hidden>
