Bug #1463
Shared Document Folder in session course accessible to students
80%
Description
Every student in a session-training can upload documents to the shared document folder by using the Folder combo box and changing the Home folder into the __username folder.
This is unexpected and might be dangerous. In a training (no session) this is not allowed.
Associated revisions
History
Updated by Juan Carlos Raña Trabado over 9 years ago
- Assignee set to Juan Carlos Raña Trabado
Can you confirm that the file is uploaded to a directory other than your own?
It would be very helpful if you gave more detailed information about the steps to upload the file, because I could not reproduce the bug. I'd appreciate a clip.
Updated by Jan Derriks over 9 years ago
- File bugshareddoc.swf bugshareddoc.swf added
Jan Derriks wrote:
Every student in a session-training can upload documents to the shared document folder by using the Folder combo box and changing the Home folder into the __username folder.
This is unexpected and might be dangerous. In a training (no session) this is not allowed.
Updated by Juan Carlos Raña Trabado over 9 years ago
This does not solve the problem but is a necessary first step.
Updated by Juan Carlos Raña Trabado over 9 years ago
The problem arises when the same student is in a course and in a session, or in more than one session.
In order to solve it, a question. Jan, which situation is more favorable?
- A user has a folder for each session, with different documents in each session of the course.
- A user has in each session the same folder, with the documents of all sessions in that course.
Updated by Yannick Warnier over 9 years ago
- Status changed from New to Needs more info
- Assignee changed from Juan Carlos Raña Trabado to Jan Derriks
- Target version set to 1.8.7.1
Jan, we would really need your opinion on this (urgently if you want it into 1.8.7.1)
Updated by Juan Carlos Raña Trabado over 9 years ago
The problem does not occur, Jan. In fact, in the video you mention, you have not sent any document to the folder of another user; (if you are a student) you have uploaded to your own but not to the other's. The folders of other users you can only see (as is correct).
Updated by Juan Carlos Raña Trabado over 9 years ago
Checking your report on the alleged security problem, I believe that there is, but I have seen others:
1. A student should not be able to download a complete directory of another student, since there may be hidden files in it that they will not want downloaded. The same goes for downloading the whole shared folder directory, for the same reason. They should only be able to do so with their own.
2. When you create a resource in the documents tool from one session, a star-shaped symbol indicating this should appear next to it.
3. You cannot create two files or two folders with the same name in two different sessions. This is a general problem of the Documents tool. I've fixed it only in the files of the shared folder. Now it is possible to create two documents or two folders with the same name in two different sessions. This circumstance meant that the folder, when created for a user in one meeting, was not established in another (although it was on the drive), because the item_propierties table has a single composite index that prevents it.
4. When navigating through folders of the shared directory, the breadcrumb showed the correct text, but clicking on it did not lead there but rather to the previous directory.
5. When in a session, the information on the shared folder must be improved, so that users do not confuse it with another. For example, when using the shared folder of the base course and of another session.
I have resolved all these issues, so I make new tasks.
Updated by Yannick Warnier over 9 years ago
Task will be closed if no feedback before Thursday night.
Update install guide to add Directory block - refs #1463