Compare commits
5 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 4e87f7fc28 | |||
| ae4efce8ac | |||
| 395f9fe90d | |||
| 4aca3f960f | |||
| 80b40e2e5c |
+24
-8
@@ -582,8 +582,9 @@ abstract class repository {
|
||||
public static function check_capability($contextid, $instance) {
|
||||
global $USER;
|
||||
|
||||
$context = get_context_instance_by_id($contextid);
|
||||
$can = has_capability('repository/'.$instance->type.':view', $context);
|
||||
// The context we are on.
|
||||
$currentcontext = get_context_instance_by_id($contextid);
|
||||
$can = has_capability('repository/'.$instance->type.':view', $currentcontext);
|
||||
|
||||
// Context in which the repository has been created.
|
||||
$repocontext = get_context_instance_by_id($instance->contextid);
|
||||
@@ -593,14 +594,29 @@ abstract class repository {
|
||||
$can = false;
|
||||
}
|
||||
|
||||
// Ensure that the user can view the repository in the context of the repository.
|
||||
// Ne need to perform the check when already disallowed.
|
||||
// We are going to ensure that the current context was legit, and reliable to check
|
||||
// the capability against. (No need to do that if we already cannot).
|
||||
if ($can) {
|
||||
if ($repocontext->contextlevel == CONTEXT_USER && $repocontext->instanceid != $USER->id) {
|
||||
// Prevent URL hijack to access someone else's repository.
|
||||
$can = false;
|
||||
if ($repocontext->contextlevel == CONTEXT_USER) {
|
||||
// The repository is a user instance, ensure we're the right user to access it!
|
||||
if ($repocontext->instanceid != $USER->id) {
|
||||
$can = false;
|
||||
}
|
||||
} else if ($repocontext->contextlevel == CONTEXT_COURSE) {
|
||||
// The repository is a course one. Let's check that we are on the right course.
|
||||
if (in_array($currentcontext->contextlevel, array(CONTEXT_COURSE, CONTEXT_MODULE, CONTEXT_BLOCK))) {
|
||||
$coursecontext = $currentcontext->get_course_context();
|
||||
if ($coursecontext->instanceid != $repocontext->instanceid) {
|
||||
$can = false;
|
||||
}
|
||||
} else {
|
||||
// We are on a parent context, therefore it's legit to check the permissions
|
||||
// in the current context.
|
||||
}
|
||||
} else {
|
||||
$can = has_capability('repository/'.$instance->type.':view', $repocontext);
|
||||
// Nothing to check here, system instances can have different permissions on different
|
||||
// levels. We do not want to prevent URL hack here, because it does not make sense to
|
||||
// prevent a user to access a repository in a context if it's accessible in another one.
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
+2
-2
@@ -30,10 +30,10 @@
|
||||
defined('MOODLE_INTERNAL') || die();
|
||||
|
||||
|
||||
$version = 2011120508.00; // 20111205 = branching date YYYYMMDD - do not modify!
|
||||
$version = 2011120509.00; // 20111205 = branching date YYYYMMDD - do not modify!
|
||||
// RR = release increments - 00 in DEV branches
|
||||
// .XX = incremental changes
|
||||
|
||||
$release = '2.2.8 (Build: 20130311)'; // Human-friendly version name
|
||||
$release = '2.2.9 (Build: 20130318)'; // Human-friendly version name
|
||||
|
||||
$maturity = MATURITY_STABLE; // this version's maturity level
|
||||
|
||||
Reference in New Issue
Block a user