Sakai / SAK-42129

forums: Move Threads lets user move their content to a topic where they shouldn't have write permission

    Details

    • Type: Bug
    • Status: OPEN
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 10.8 [Tentative], 11.4, 11.5 [Tentative], 12.0, 12.1, 12.2, 12.3, 12.4, 12.5, 12.6, 12.7, 19.0, 19.1, 19.2, 20.0 [Tentative]
    • Fix Version/s: None
    • Component/s: Forums Tool
    • Labels:
      None
    • Test Plan:
      To reproduce issue:

      1. In a course site with at least two students, create two groups with one student in each group.
      2. Go to Forums and create New Forum.
      3. Give the forum a title and, at the bottom of the page, Save Settings & Add Topic.
      4. Give the topic a title, then select the radio button Automatically create multiple topics for groups.
      5. Check the boxes to select the groups.
      6. Click Save.
      7. Create another topic for the whole class, restricted by dates, such that it is not currently available.
      8. Log in as a student and verify you can only access the group topic that is assigned to your group (i.e., not the other group's topic and not the date-restricted topic.)
      9. Go to the topic you can access and Start a New Conversation.
      10. Create a second conversation.
      11. To the left of the first conversation, select the check box, then Move Thread(s).
      12. Issue: In the Move Thread(s) dialog, note that you can select ANY topic in the Forums, INCLUDING those where you have neither read nor write permissions!
        If Issue Fixed: There should either be some indication that there are no threads available to move it to, or you shouldn't even be able to get to the screen where you can move threads, because there's nowhere you have permission to move it.
      13. Choose the other group's topic and move your thread to it.
      14. For your remaining thread in the current topic, move it to the topic that is date-restricted.
      15. Go back to Forums and confirm you can't access your posts.
      16. Now log in as instructor and verify that each thread has been moved to the selected topic.
      17. Choose Forum Settings for the date-restricted forum and change the dates so that it's available to students.
      18. Log back in as the student who just moved the thread to the topic to which they should now have access and verify you can see it.
      19. Try moving it to the group topic you don't have permission to post in.
      20. Issue: You can successfully move the thread.
        If Issue Fixed: You should only be able to move it to your own group's topic.

      Description

      (I could've sworn I posted this jira back in 2016, but can't find it.)

      Issue: In Forums, Move Threads does NOT hide topics for which the user has no write permissions.

      This means that if you have permission to start a New Conversation and Edit Messages: Own in a topic (default Contributor permissions), you can do the following:

      1. Create a conversation in a topic where you are allowed to do it (correct behavior based on New Conversation permission).
      2. Choose to Move Threads and move your conversation to a different topic (correct behavior).
      3. INCORRECT behavior: Select a Topic where you do NOT have the permission New Conversation as the target location for your conversation and move your conversation to this unauthorized location.

      To remedy the issue, the Forums tool needs to perform the following checks before displaying Forums/Topics to which the user can move their content:

      1. User must be a member of at least one role or group that has the permission New Conversation in each Topic to be displayed.
      2. If EITHER the target Topic OR the Forum containing the Topic is restricted by DATE, the current date is NOT within the allowed time frame for general user access, AND the user attempting to move the thread is NOT an Owner in the Topic, the Topic should NOT display.

      Screencast video showing issue with group topics
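The two checks listed in the description, as an added example (not Sakai code and not part of the original report). `Topic`, `Window`, `can_receive` and the role and group names are hypothetical, and the sample data is constructed to mirror the test plan. It goes one step beyond the description by re-running the same check when the move is submitted, since filtering the dialog alone does not stop a request that names a hidden topic.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

@dataclass(frozen=True)
class Window:
    """Date restriction; None on either side means unbounded."""
    opens: Optional[datetime] = None
    closes: Optional[datetime] = None

    def is_open(self, now: datetime) -> bool:
        return ((self.opens is None or now >= self.opens)
                and (self.closes is None or now <= self.closes))

@dataclass
class Topic:  # hypothetical model, not a Sakai class
    title: str
    new_conversation: set            # roles/groups granted New Conversation
    owners: set                      # roles/groups that are Owner in the topic
    topic_window: Window = Window()  # restriction on the topic itself
    forum_window: Window = Window()  # restriction on the containing forum
    threads: list = field(default_factory=list)

def can_receive(topic: Topic, principals: set, now: datetime) -> bool:
    """Both checks from the description; principals = user's roles and groups."""
    if not (principals & topic.new_conversation):          # check 1
        return False
    available = topic.topic_window.is_open(now) and topic.forum_window.is_open(now)
    return available or bool(principals & topic.owners)    # check 2

def movable_targets(topics, source, principals, now):
    """Topics the Move Thread(s) dialog may list."""
    return [t for t in topics if t is not source and can_receive(t, principals, now)]

def move_thread(thread, source, target, principals, now):
    """Re-run the check when the move is submitted, not only when listing."""
    if thread not in source.threads or not can_receive(target, principals, now):
        raise PermissionError(f"move to {target.title!r} denied")
    source.threads.remove(thread)
    target.threads.append(thread)

# Constructed sample data mirroring the test plan
NOW = datetime(2024, 1, 10)
STAFF = {"Instructor"}
GROUP_A = Topic("Group A", {"Group A"} | STAFF, STAFF, threads=["t1", "t2"])
GROUP_B = Topic("Group B", {"Group B"} | STAFF, STAFF)
CLASS = Topic("Class", {"Student"} | STAFF, STAFF, Window(opens=datetime(2024, 2, 1)))
TOPICS = [GROUP_A, GROUP_B, CLASS]
STUDENT_A = {"Student", "Group A"}
```

With this data the Group A student is offered no targets while the class topic is closed, and only the class topic once its window opens.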

                People

                • Assignee:
                  Unassigned
                  Reporter:
                  rainribbon Tiffany Stull