Non-admin role users can edit group settings

Bug #1609200 reported by Ghada El-Zoghbi
Affects | Status       | Importance | Assigned to     | Milestone
Mahara  | Fix Released | High       | Ghada El-Zoghbi |
15.04   | Fix Released | High       | Unassigned      |
15.10   | Fix Released | High       | Unassigned      |
16.04   | Fix Released | High       | Unassigned      |
16.10   | Fix Released | High       | Ghada El-Zoghbi |

Bug Description

Only the admin of a group should be able to change the group's settings (via group/edit.php). But any member of a group can view and edit the settings if they go to the URL directly:

* http://my.mahara/group/edit.php?id=3

There is no check to make sure the user has admin role.

To replicate:

1. Create a group as User 1. Note the group's id
2. Add User 2 to the group as a "member" (not an "admin")
3. Log in as User 2
4. Type in e.g. http://my.mahara/group/edit.php?id=X, where X is the group's ID

Expected result: You get an error message saying "You can't edit this group"

Actual result: You see the group config page, and you can make changes and they will be saved.
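The missing check and its remedy, as an added before/after sketch that is not Mahara's code or the merged fix: group/edit.php trusts the id in the query string, so the hardened handler resolves the caller's role in that specific group and refuses anything but 'admin'. The group_user_access() below is a self-contained stand-in named after the Mahara helper it imitates, and the membership table is constructed sample data.

```php
<?php
// Added illustration of the bug and its fix; not Mahara's code. The membership
// table and helpers are stand-ins for Mahara's per-group role lookup so the
// sketch runs on its own.

// Constructed sample data: group id => [user id => role]. User 2 is an admin of
// group 1 but only a member of group 3, the situation from the bug report.
$memberships = [
    1 => [2 => 'admin'],
    3 => [1 => 'admin', 2 => 'member'],
];

// Stand-in for Mahara's group_user_access(): the caller's role in ONE group,
// or false when the user is not a member of that group at all.
function group_user_access(array $memberships, int $groupid, int $userid) {
    return $memberships[$groupid][$userid] ?? false;
}
class AccessDeniedException extends Exception {}

// BEFORE: the reported behaviour. The id from the URL is trusted and the only
// gate is being logged in, so any member who requests edit.php?id=3 directly
// is handed the settings form (and its changes are saved).
function group_edit_before(array $memberships, int $groupid, int $userid): string {
    if (!isset($memberships[$groupid])) {
        throw new RuntimeException("Group $groupid not found");
    }
    return "config form for group $groupid";
}

// AFTER: resolve the caller's role in the group named by the URL and refuse
// everything that is not 'admin'. The check is per group: being an admin of
// some other group must not unlock this one, and non-members are refused too.
function group_edit_after(array $memberships, int $groupid, int $userid): string {
    if (!isset($memberships[$groupid])) {
        throw new RuntimeException("Group $groupid not found");
    }
    if (group_user_access($memberships, $groupid, $userid) !== 'admin') {
        throw new AccessDeniedException("You can't edit this group");
    }
    return "config form for group $groupid";
}

// User 2 (admin of group 1, member of group 3) requests ?id=3 directly.
echo group_edit_before($memberships, 3, 2), "\n";   // vulnerable: form for a member
try {
    echo group_edit_after($memberships, 3, 2), "\n";
} catch (AccessDeniedException $e) {
    echo $e->getMessage(), "\n";                      // hardened: member is refused
}
echo group_edit_after($memberships, 1, 2), "\n";    // admin of group 1 still allowed
```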


Changed in mahara:
assignee: nobody → Ghada El-Zoghbi (ghada-z)
information type: Public → Private Security
Aaron Wells (u-aaronw) wrote:
description: updated

Mahara Bot (dev-mahara) wrote: A change has been merged

Reviewed: https://reviews.mahara.org/6808
Committed: https://git.mahara.org/mahara/mahara/commit/230e0bcf0d19f7489a85305d33ac88b39dbf19e1
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.04_STABLE

commit 230e0bcf0d19f7489a85305d33ac88b39dbf19e1
Author: Aaron Wells <email address hidden>
Date: Wed Aug 3 14:23:08 2016 +1200

Bug 1609200: Limit group config to group's admins

behatnotneeded: Test to come later

Change-Id: Ibbb574c67d80e3fd6a139752590bdd602e822f88
(cherry picked from commit 47905d70a15798ef7cad3ed1b5c63bf530e1ef3c)

Mahara Bot (dev-mahara) wrote:

Reviewed: https://reviews.mahara.org/6809
Committed: https://git.mahara.org/mahara/mahara/commit/7cd868125963731ecda8d2323984e6aea5430b22
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.10_STABLE

commit 7cd868125963731ecda8d2323984e6aea5430b22
Author: Aaron Wells <email address hidden>
Date: Wed Aug 3 14:23:08 2016 +1200

Bug 1609200: Limit group config to group's admins

behatnotneeded: Test to come later

Change-Id: Ibbb574c67d80e3fd6a139752590bdd602e822f88
(cherry picked from commit 47905d70a15798ef7cad3ed1b5c63bf530e1ef3c)

Mahara Bot (dev-mahara) wrote:

Reviewed: https://reviews.mahara.org/6810
Committed: https://git.mahara.org/mahara/mahara/commit/3e6b80bc736b8c0b74dc3cfe315d1ee7d023ee26
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.04_STABLE

commit 3e6b80bc736b8c0b74dc3cfe315d1ee7d023ee26
Author: Aaron Wells <email address hidden>
Date: Wed Aug 3 14:23:08 2016 +1200

Bug 1609200: Limit group config to group's admins

behatnotneeded: Test to come later

Change-Id: Ibbb574c67d80e3fd6a139752590bdd602e822f88
(cherry picked from commit 47905d70a15798ef7cad3ed1b5c63bf530e1ef3c)

Robert Lyon (robertl-9)
information type: Private Security → Public Security
Robert Lyon (robertl-9)
Changed in mahara:
milestone: 16.10.0 → none
status: Fix Committed → Fix Released