Watchlist lets you watch and receive notifications about pages you don't have view access to

This bug report is based mostly on looking at the code. I still have to actually run some tests to determine whether the code behaves as I think it does...

I've added a patch for this to doublecheck the view id

To test:

1) make a page and share it with your friends

2) log in as a user who is a friend and watch the page

3) look in db for the entry in usr_watchlist_view - make note of the view id

4) log in as a user that is not a friend - go to any view page they can see and manually manipulate things
- if using firebug on the HTML tab view the <head> and scroll down until you see

<script type="application/javascript">
<link href="http://mahara-devel/theme/raw/static/style/tinymceskin.css?v=3651" type="text/css" rel="stylesheet">

Expand the script one and you should see

 var viewid =

Click the 'edit this HTML' button in firebug and change the id to the one in step 3 and click the 'edit this HHTML' button again

5) now click the 'Add page to watchlist' link in mahara

If all done right you will see the page has been added to the usr_watchlist_view table if the patch is not in place.
If the patch is present then you should see an error message on screen

Patch for this bug https://reviews.mahara.org/#/c/4576/

Hi Rob,

Thanks for the test instructions.

Cheers,
Jinelle

Aaron, how can someone remove an item from somebody else's watchlist? Is that a new feature?

Kristina,

Sorry, I misspoke. I meant to say "it means that if you add a page to your watchlist, and the page owner then revokes your view access to that page".

Since I can't edit Launchpad comments, I'll just repost it with the correction, so it'll be clearer:

So, on further investigation, the watchlist activity has code in it which checks that each person has permission to view the item, and removes it from their watchlist if they don't.

This is a little strange, because it means that if you add a page to your watchlist and the page owner then removes your view access to the page, it remains on your watchlist until they make a change to the page's contents. It also doesn't support the new feedback-watchlist notifications... because I didn't add code for that when I was writing it. :)

We should probably just make a cron task to clear away invalid watchlist items.

But this patch is still good, to prevent people from manipulating their watchlist in order to find out page titles and such.