Forums | Mahara Community

Support /
Security and Confidentiality Issues


Account deleted
Posts: 8

25 November 2014, 14:59

Hi all,

Our IT have asked me to contact you as they are concerned if a person enters 

https://my.navitas-professional.edu.au/mahara/user/view.php?id

for our Mahara site and a figure after the equals sign, they can access users' names and any profile pictures on the site. This isn't possible within Moodle itself, but it is within Mahara. Is there anything we can do to stop this from happening?

Many thanks,

Heidi Humphrey

25 November 2014, 20:32

Hello Heidi,

According to the Mahara user manual, chapter 9.2.1.11 (http://manual.mahara.org/en/1.10/administration/config_site.html#site-options), you can uncheck the option "Allow public profile" and then you must log in to access users' profiles.

But if you have allowed users to produce public pages (the option below the former, "Allow public pages"), profiles are automatically made public (which makes sense, in fact).

Your solution would be to uncheck "Allow public pages" and "Allow public profile".

Not sure if this helps you with your problem?

Best wishes

-dajan

Account deleted
Posts: 8

26 November 2014, 11:18

Thanks Dajan,

That is very useful information. I am not sure if we want to switch off students being allowed to have public profiles so will raise this question with others.

Many thanks,

Heidi


Aaron Wells
Posts: 896

10 December 2014, 17:11

Hi Heidi,

I'm a bit late to this conversation, but I thought it might be worth mentioning a few things.

An additional wrinkle to what Dajan said is that it should be a fairly minor code change if you wanted to make new user profiles private by default. (In the longer run it might be nice if Mahara had more "default permissions" configuration available.)

Another thing to note is that if you're using an older version of Mahara (before Mahara 1.8), there was a bug we resolved around a year ago, where profile information was visible to logged-out users even if the profile was marked "private". See https://bugs.launchpad.net/mahara/+bug/1158625

And on a broader note, quite a few types of Mahara URLs can be "enumerated" as you've described, in order to find visible user profiles and pages. You might be able to guard against this by using the "clean URLs" setting and blocking outside access to the "id=" URLs. See https://wiki.mahara.org/index.php/System_Administrator%27s_Guide/Clean_URL_Configuration

Cheers,

Aaron
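The enumeration Aaron describes (walking `user/view.php?id=1`, `id=2`, ... to find visible profiles) leaves a recognisable trace in the web server's access log: one client requesting consecutive ids in quick succession. The script below is an added example, not code from this thread or from the Mahara project, that detects that pattern. It assumes Apache combined log format and the default `user/view.php?id=N` profile URL shown in the thread; the log lines themselves are constructed sample data, and the `min_run` threshold is an arbitrary choice.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
# 203.0.113.7 walks profile ids 1..7 in order; the other two clients browse normally.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Nov/2014:14:01:02 +1100] "GET /mahara/user/view.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [25/Nov/2014:14:01:02 +1100] "GET /mahara/view/view.php?id=40 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Nov/2014:14:01:03 +1100] "GET /mahara/user/view.php?id=2 HTTP/1.1" 200 5098 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Nov/2014:14:01:03 +1100] "GET /mahara/user/view.php?id=3 HTTP/1.1" 403 412 "-" "Mozilla/5.0"
192.0.2.9 - - [25/Nov/2014:14:01:04 +1100] "GET /mahara/user/view.php?id=58 HTTP/1.1" 200 5301 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Nov/2014:14:01:04 +1100] "GET /mahara/user/view.php?id=4 HTTP/1.1" 200 5003 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Nov/2014:14:01:05 +1100] "GET /mahara/user/view.php?id=5 HTTP/1.1" 200 5011 "-" "Mozilla/5.0"
192.0.2.9 - - [25/Nov/2014:14:01:06 +1100] "GET /mahara/user/view.php?id=12 HTTP/1.1" 200 5240 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Nov/2014:14:01:06 +1100] "GET /mahara/user/view.php?id=6 HTTP/1.1" 200 5107 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Nov/2014:14:01:07 +1100] "GET /mahara/user/view.php?id=7 HTTP/1.1" 404 380 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [timestamp] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_profile_requests(log_text):
    """Map each client IP to the ordered list of user/view.php ids it requested.

    Requests for other URLs (page views, assets) are ignored and malformed
    lines are skipped, so the function can be pointed at a full access log.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/user/view.php"):
            continue
        ids = parse_qs(parts.query).get("id", [])
        if ids and ids[0].isdigit():
            hits[m.group("ip")].append(int(ids[0]))
    return dict(hits)


def longest_sequential_run(ids):
    """Length of the longest stretch in which each id is the previous id plus one."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def flag_enumerators(log_text, min_run=5):
    """Return {ip: run_length} for clients that walked at least min_run consecutive ids.

    Status codes are deliberately not used as a filter: a 403 or 404 in the
    middle of the walk still shows that the id space is being probed, and the
    mix of codes is itself useful evidence when reviewing the hit.
    """
    runs = {ip: longest_sequential_run(ids) for ip, ids in parse_profile_requests(log_text).items()}
    return {ip: run for ip, run in runs.items() if run >= min_run}


if __name__ == "__main__":
    for ip, run in flag_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {run} consecutive profile ids requested")
```

Run against the sample, only `203.0.113.7` is flagged (seven consecutive ids); the client that requested ids 58 and 12 is ordinary browsing. On a real log, the same walk will also show up against `view/view.php?id=` and the other id-based URLs Aaron mentions, so the path check is the first thing to widen once the "clean URLs" setting is in place and the old `id=` form is blocked from outside.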

Account deleted
Posts: 8

18 December 2014, 13:27

Hi Aaron, thank you for this helpful reply. I'll pass it on to our IT guys.

Many thanks,

Heidi
