Can create a URL that takes you to a different page depending on whether you're logged in to MNet or not.
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Mahara | Fix Released | Low | Unassigned | | |
Bug Description
As reported on the mahara.org forum: https:/
To replicate:
1. Set up a Moodle instance with the Mahara assignment submission plugin and connect it up to your Mahara instance.
2. Create a view with ID 1000.
3. Create another view with ID 1001.
4. Make both these pages accessible to the public.
5. Set up a Mahara assignment in Moodle.
6. Submit the view with ID 1000 to Moodle as an assignment submission.
7. Note the access URL that gets generated, which will contain an MNet access token, i.e. /view/view.
8. Add the ID of page 1001 to this URL: /view/view.
Expected Result: This URL should either display page 1000 every time, or an "access denied" message.
Actual Result: If you're logged in to Mahara via MNet, you see page 1000. If you're not, you see page 1001.
The cause of this problem is that /view/view.php completely ignores the "mt=" tag if you're not logged in via MNet. In that case, if an ID is also supplied, it falls back to that.
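
A simplified model of the fallback described above, next to one way to close it. This is an added example, not Mahara's code and not the fix that shipped; the function names, the token value and the lookup tables are hypothetical and constructed for illustration.

```php
<?php
// Added illustration, not Mahara source: every name here is hypothetical.
// Constructed sample data: one MNet token issued for view 1000; both views public.
const TOKEN_TO_VIEW = ['constructed-token' => 1000];
const PUBLIC_VIEWS  = [1000, 1001];

// Pattern described in the report: "mt" only counts inside an MNet session;
// otherwise it is silently ignored and "id" decides what is shown.
function resolveViewAsReported(array $query, bool $mnetSession): ?int
{
    $tokenView = TOKEN_TO_VIEW[$query['mt'] ?? ''] ?? null;
    if ($mnetSession && $tokenView !== null) {
        return $tokenView;
    }
    $id = isset($query['id']) ? (int) $query['id'] : null;
    return in_array($id, PUBLIC_VIEWS, true) ? $id : null;
}

// Hardened variant (an assumption about a reasonable fix): a supplied token is
// validated for every visitor, and an "id" that disagrees with it is refused
// rather than used as a fallback.
function resolveViewHardened(array $query, bool $mnetSession): ?int
{
    $id = isset($query['id']) ? (int) $query['id'] : null;
    if (array_key_exists('mt', $query)) {
        $tokenView = TOKEN_TO_VIEW[$query['mt']] ?? null;
        if ($tokenView === null || ($id !== null && $id !== $tokenView)) {
            return null; // unknown token or conflicting id: access denied
        }
        $allowed = $mnetSession || in_array($tokenView, PUBLIC_VIEWS, true);
        return $allowed ? $tokenView : null;
    }
    return in_array($id, PUBLIC_VIEWS, true) ? $id : null;
}

// The URL shape from step 8: a token for view 1000 combined with id=1001.
$query = ['mt' => 'constructed-token', 'id' => '1001'];
foreach ([true, false] as $mnetSession) {
    printf(
        "mnet=%s  reported=%s  hardened=%s\n",
        var_export($mnetSession, true),
        var_export(resolveViewAsReported($query, $mnetSession), true),
        var_export(resolveViewHardened($query, $mnetSession), true)
    );
}
```

The hardened resolver returns the same answer for both visitors, which is the property the expected result asks for: the destination no longer depends on whether an MNet session exists.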
tags: | added: no-behat-needed |
no longer affects: | mahara/1.8 |
no longer affects: | mahara/1.10 |
no longer affects: | mahara/1.9 |
no longer affects: | mahara/15.04 |
no longer affects: | mahara/15.10 |
no longer affects: | mahara/16.04 |
Changed in mahara: | |
milestone: | 15.10.1 → 16.10.0 |
assignee: | Aaron Wells (u-aaronw) → nobody |
Changed in mahara: | |
milestone: | 16.10.0 → 16.10.1 |
Changed in mahara: | |
milestone: | 16.10.1 → 17.04.0 |
Changed in mahara: | |
milestone: | 17.04.0 → 17.10.0 |
Changed in mahara: | |
milestone: | 17.10.0 → 18.04.0 |
status: | Confirmed → In Progress |
Changed in mahara: | |
status: | In Progress → Fix Committed |
milestone: | 18.04.0 → 17.10.0 |
Changed in mahara: | |
status: | Fix Committed → Fix Released |
Marking as public security because it seems like it could be used for deception.