Forums | Mahara Community
Security and Confidentiality Issues
25 November 2014, 14:59
Our IT have asked me to contact you as they are concerned that if a person enters for our Mahara site and a figure after the equals, they can access users' names and any profile pictures on the site. This isn't possible within Moodle itself, but it is within Mahara. Is there anything we can do to stop this from happening?
25 November 2014, 20:32
According to the Mahara user manual (http://manual.mahara.org/en/1.10/administration/config_site.html#site-options), you can uncheck the option "Allow public profile", and then you must log in to access users' profiles.
But if you have allowed users to produce public pages (the option below the former, "Allow public pages"), profiles are automatically made public (which makes sense, in fact).
Your solution would be to uncheck both "Allow public pages" and "Allow public profile".
Not sure if this helps you with your problem?
26 November 2014, 11:18
That is very useful information. I am not sure if we want to switch off students being allowed to have public profiles, so I will raise this question with others.
10 December 2014, 17:11
I'm a bit late to this conversation, but I thought it might be worth mentioning a few things.
An additional wrinkle to what Dajan said is that it should be a fairly minor code change if you wanted to make new user profiles private by default. (In the longer run it might be nice if Mahara had more "default permissions" configuration available.)
Another thing to note is that if you're using an older version of Mahara (before Mahara 1.8), there was a bug we resolved around a year ago, where profile information was visible to logged-out users even if the profile was marked "private". See https://bugs.launchpad.net/mahara/+bug/1158625
And on a broader note, quite a few types of Mahara URLs can be "enumerated" as you've described, in order to find visible user profiles and pages. You might be able to guard against this by using the "clean URLs" setting and blocking outside access to the "id=" URLs. See https://wiki.mahara.org/index.php/System_Administrator%27s_Guide/Clean_URL_Configuration
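As an added illustration of the enumeration Aaron describes (this is example code, not from the thread or from Mahara), here is a small check a site administrator could run over web server access logs to spot one client walking through consecutive `id=` values; the path `/user/view.php` and the log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format). The path
# /user/view.php is an assumption for illustration, not taken from the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2014:17:01:02 +0000] "GET /user/view.php?id=1 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Dec/2014:17:01:03 +0000] "GET /user/view.php?id=2 HTTP/1.1" 200 4980
203.0.113.7 - - [10/Dec/2014:17:01:03 +0000] "GET /user/view.php?id=3 HTTP/1.1" 403 512
203.0.113.7 - - [10/Dec/2014:17:01:04 +0000] "GET /user/view.php?id=4 HTTP/1.1" 200 5001
203.0.113.7 - - [10/Dec/2014:17:01:05 +0000] "GET /user/view.php?id=5 HTTP/1.1" 200 4877
203.0.113.7 - - [10/Dec/2014:17:01:05 +0000] "GET /user/view.php?id=6 HTTP/1.1" 200 5102
198.51.100.4 - - [10/Dec/2014:17:02:10 +0000] "GET /user/view.php?id=42 HTTP/1.1" 200 5130
198.51.100.4 - - [10/Dec/2014:17:02:41 +0000] "GET /view/view.php?id=9 HTTP/1.1" 200 6800
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')
ID_RE = re.compile(r'[?&]id=(\d+)')

def parse_requests(log_text):
    """Yield (ip, path without query, numeric id) for each request carrying id=."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        idm = ID_RE.search(m.group('path'))
        if idm:
            yield m.group('ip'), m.group('path').split('?')[0], int(idm.group(1))

def find_enumerators(log_text, min_ids=5, min_run=4):
    """Return {ip: sorted distinct ids} for clients that requested at least
    min_ids distinct id values including a run of min_run consecutive ones."""
    seen = defaultdict(set)
    for ip, _path, uid in parse_requests(log_text):
        seen[ip].add(uid)
    flagged = {}
    for ip, ids in seen.items():
        if len(ids) < min_ids:
            continue
        ordered = sorted(ids)
        run = longest = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1   # extend or reset the run
            longest = max(longest, run)
        if longest >= min_run:
            flagged[ip] = ordered
    return flagged
```

Failed requests (403) still count, since an enumeration attempt looks the same in the log whether or not the profile was private.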
18 December 2014, 13:27
Hi Aaron, thank you for this helpful reply. I'll pass it on to our IT guys.