Uploaded image for project: 'Plugins'
  1. Plugins
  2. CONTRIB-3120

User B (non admin) can book over User A's booking

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: 2.0
    • Fix Version/s: None
    • Component/s: Block: Mrbs
    • Labels:
      None
    • Affected Branches:
      MOODLE_20_STABLE

      Description

      In short, to steal someone's booking, you just have to click on any blank spot, then change the date, time and room to the booking you want to steal, click save changes and MRBS Moodle 2.0 allows you to do it.

      DETAILS ON HOW TO DUPLICATE BUG
      I create two users in Moodle 2.0 both as MRBS schedulers. With User A, I book a room - Say Monday Period 1. Then I log in with User B and I see User A's booking. When I click on the booking, I cannot remove the booking - so far so good. But if I click to book on another OPEN slot, the booking form comes up and in that form, if I change the date to Monday Period 1 (same room), then click on save changes at the bottom, I will actually overwwrite User A's booking! Now when I log back in with User A, I see my booking is now gone and changed to User B. So User B stole my booking!

      I tried this "sneaky trick" on the MRBS demo site and when I clicked "save changes" there, it said I couldn't create that booking because that spot was already booked by User A.

        Attachments

          Activity

            People

            Assignee:
            davosmith Davo Smith
            Reporter:
            cardosoc Chris Cardoso
            Participants:
            Component watchers:
            Davo Smith
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: