Bug #2121

Any one can delete thematic items (registered users)

Added by Julio Montoya about 9 years ago. Updated over 7 years ago.

Status: Feature implemented
Priority: Normal
Category: -
Target version:
Start date: 07/10/2010
Due date:
% Done: 90%
Estimated time:
Spent time:
Complexity: Normal
SCRUM pts - complexity: ?

Description

This works in sessions and courses

Associated revisions

Revision 7fddb15f (diff)
Added by Julio Montoya about 9 years ago

Fixing unwanted delete items see #2121

History

#1

Updated by Julio Montoya about 9 years ago

This should also work to edit the content. I did not test it yet, but I guess so.

#2

Updated by Julio Montoya about 9 years ago

Wow, this also works with the attendance tool

#3

Updated by Julio Montoya about 9 years ago

  • Status changed from New to Needs testing
  • Assignee changed from Julio Montoya to Curt Ricardo Rodriguez Salazar
  • % Done changed from 0 to 90

This is a partial fix because I'm working on another task, bt#1651

I have some other changes to do, but this should fix most of the security problems

http://code.google.com/p/chamilo/source/detail?r=2abc0bad119de514b748353b5555fff21ceee7fb&repo=classic

#4

Updated by Julio Montoya about 9 years ago

  • Subject changed from Any user can delete thematic items of any course to Any user can delete thematic items

#5

Updated by Julio Montoya about 9 years ago

  • Subject changed from Any user can delete thematic items to Any one can delete thematic items (registered users)

#6

Updated by Bryan Fuertes Malca over 8 years ago

  • Assignee changed from Curt Ricardo Rodriguez Salazar to Bryan Fuertes Malca

#7

Updated by Bryan Fuertes Malca over 8 years ago

  • Assignee deleted (Bryan Fuertes Malca)

#8

Updated by Yannick Warnier over 7 years ago

  • Target version set to 1.9 Beta

#9

Updated by Yannick Warnier over 7 years ago

  • Target version changed from 1.9 Beta to 1.9 RC1

#10

Updated by Yannick Warnier over 7 years ago

  • Status changed from Needs testing to Needs more info
  • Assignee set to Eric Petitdemange

Hi Coursenligne,

Can we ask you to review this one? Basically, you should just check that a student cannot delete attendances or thematic advance items... If he can't, you can close :-)

#11

Updated by Eric Petitdemange over 7 years ago

Just to be sure, can you tell me how I can perform the test?
As "apprenant", login z, pwd z, I don't see where I can delete things, but I may not be registered as per your needs.

#12

Updated by Yannick Warnier over 7 years ago

That's OK, you're testing it the right way. We just need you to look around and see if, as a student, you find any way to delete stuff. To go into the security aspect of it, you should also check as teacher what the link is when you delete something, then log out, log in as a student and try to put that delete link again and see if it works (it should tell you that you are not authorized).

Do this in the attendance tool and in the thematic advance, and we should be fully covered.

#13

Updated by Eric Petitdemange over 7 years ago

Testing by typing in the full address /main/admin/course_list... I get an error message telling me I don't have access to this page.

#14

Updated by Eric Petitdemange over 7 years ago

  • Status changed from Needs more info to Feature implemented

Closed as KO.
I detected an issue I open a case ;)

#15

Updated by Yannick Warnier over 7 years ago

Coursenligne 45 wrote:

Closed as KO.

You mean "Closed as OK", right? (watch the details! :-))

#16

Updated by Eric Petitdemange over 7 years ago

Yes :)
This one is really closed!
The platform is doing what I would expect...
