Can create a URL that takes you to a different page depending on whether you're logged in to MNet or not.

Bug #1394082 reported by Aaron Wells
Affects: Mahara
Status: Fix Released
Importance: Low
Assigned to: Unassigned

Bug Description

As reported on the mahara.org forum: https://mahara.org/interaction/forum/topic.php?id=6549

To replicate:

1. Set up a Moodle instance with the Mahara assignment submission plugin and connect it up to your Mahara instance.

2. Create a view with ID 1000.

3. Create another view with ID 1001.

4. Make both these pages accessible to the public.

5. Set up a Mahara assignment in Moodle.

6. Submit the view with ID 1000 to Moodle as an assignment submission.

7. Note the access URL that gets generated, which will contain an MNet access token, i.e. /view/view.php?mt=abcd1234

8. Add the ID of page 1001 to this URL: /view/view.php?id=1001&mt=abcd1234

Expected Result: This URL should either display page 1000 every time, or an "access denied" message.

Actual Result: If you're logged in to Mahara via MNet, you see page 1000. If you're not, you see page 1001.

The cause of this problem is that /view/view.php completely ignores the "mt=" tag if you're not logged in via MNet. In that case, if an ID is also supplied, it falls back to that.
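
The parameter handling described in the report, modelled next to a version that never falls back to "id" when "mt" is present. This is an added example, not Mahara's code or the merged patch; the function names, the token table and the rule that a token is only honoured inside an MNet session are assumptions, and the sample data is constructed from the reproduction steps.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample state, taken from the report's reproduction steps.
MNET_TOKENS = {"abcd1234": 1000}   # token issued when view 1000 was submitted
PUBLIC_VIEWS = {1000, 1001}        # both views are publicly accessible
DENIED = "access denied"

def _params(url):
    """Return the first value of each query parameter in the URL."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

def _public(view_id):
    """A plain id lookup succeeds only for publicly accessible views."""
    return view_id if view_id in PUBLIC_VIEWS else DENIED

def resolve_vulnerable(url, mnet_session):
    """Reported behaviour: 'mt' is only consulted for MNet sessions."""
    p = _params(url)
    if mnet_session and "mt" in p:
        return MNET_TOKENS.get(p["mt"], DENIED)
    if "id" in p and p["id"].isdigit():
        return _public(int(p["id"]))   # silent fallback to the supplied id
    return DENIED

def resolve_hardened(url, mnet_session):
    """When 'mt' is present it alone selects the view; 'id' is never a fallback."""
    p = _params(url)
    if "mt" in p:
        view = MNET_TOKENS.get(p["mt"])
        if view is None:
            return DENIED
        if "id" in p and p["id"] != str(view):
            return DENIED              # conflicting id: refuse for every visitor
        # Assumption: a token is only honoured inside an MNet session.
        return view if mnet_session else DENIED
    if "id" in p and p["id"].isdigit():
        return _public(int(p["id"]))
    return DENIED

def outcomes(resolver, url):
    """(result with MNet session, result without) for one URL."""
    return resolver(url, True), resolver(url, False)

if __name__ == "__main__":
    url = "/view/view.php?id=1001&mt=abcd1234"
    print("vulnerable:", outcomes(resolve_vulnerable, url))
    print("hardened:  ", outcomes(resolve_hardened, url))
```

With the combined URL from step 8, the first resolver returns a different view depending on the session, while the second returns the same refusal for every visitor.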

Aaron Wells (u-aaronw) wrote :

Marking as public security because it seems like it could be used for deception.

Changed in mahara:
milestone: none → 1.10.1
tags: added: mnet
information type: Public → Public Security
tags: added: no-behat-needed
Aaron Wells (u-aaronw)
no longer affects: mahara/1.8
no longer affects: mahara/1.10
no longer affects: mahara/1.9
no longer affects: mahara/15.04
no longer affects: mahara/15.10
no longer affects: mahara/16.04
Changed in mahara:
milestone: 15.10.1 → 16.10.0
assignee: Aaron Wells (u-aaronw) → nobody
Robert Lyon (robertl-9)
Changed in mahara:
milestone: 16.10.0 → 16.10.1
Robert Lyon (robertl-9)
Changed in mahara:
milestone: 16.10.1 → 17.04.0
Changed in mahara:
milestone: 17.04.0 → 17.10.0
Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "master" branch: https://reviews.mahara.org/8027

Robert Lyon (robertl-9)
Changed in mahara:
milestone: 17.10.0 → 18.04.0
status: Confirmed → In Progress
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/8027
Committed: https://git.mahara.org/mahara/mahara/commit/4b53f8fe307ffada7c73a91b0014c3aa7308ba16
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit 4b53f8fe307ffada7c73a91b0014c3aa7308ba16
Author: Robert Lyon <email address hidden>
Date: Tue Sep 19 11:55:31 2017 +1200

Bug 1394082: Stop mnet url fall back to added id value

behatnotneeded

Change-Id: I7ccf01a05b3a229916a4d3b4138faaaab47dd7c0
Signed-off-by: Robert Lyon <email address hidden>

Robert Lyon (robertl-9)
Changed in mahara:
status: In Progress → Fix Committed
milestone: 18.04.0 → 17.10.0
Robert Lyon (robertl-9)
Changed in mahara:
status: Fix Committed → Fix Released