Compare commits

...

5 Commits

Author SHA1 Message Date
Eloy Lafuente (stronk7) 4e87f7fc28 Moodle release 2.2.9 2013-03-15 11:59:09 +01:00
Eloy Lafuente (stronk7) ae4efce8ac weekly release 2.2.8+ 2013-03-15 09:49:06 +01:00
Damyon Wiese 395f9fe90d Merge branch 'MDL-38474-22' of git://github.com/FMCorz/moodle into MOODLE_22_STABLE 2013-03-15 11:11:31 +08:00
Frederic Massart 4aca3f960f MDL-38474 repository: Correct context when checking permissions to access a repository 2013-03-15 10:07:27 +08:00
Eloy Lafuente (stronk7) 80b40e2e5c weekly release 2.2.8+ 2013-03-14 15:46:07 +01:00
2 changed files with 26 additions and 10 deletions
+24 -8
View File
@@ -582,8 +582,9 @@ abstract class repository {
public static function check_capability($contextid, $instance) {
global $USER;
$context = get_context_instance_by_id($contextid);
$can = has_capability('repository/'.$instance->type.':view', $context);
// The context we are on.
$currentcontext = get_context_instance_by_id($contextid);
$can = has_capability('repository/'.$instance->type.':view', $currentcontext);
// Context in which the repository has been created.
$repocontext = get_context_instance_by_id($instance->contextid);
@@ -593,14 +594,29 @@ abstract class repository {
$can = false;
}
// Ensure that the user can view the repository in the context of the repository.
// Ne need to perform the check when already disallowed.
// We are going to ensure that the current context was legit, and reliable to check
// the capability against. (No need to do that if we already cannot).
if ($can) {
if ($repocontext->contextlevel == CONTEXT_USER && $repocontext->instanceid != $USER->id) {
// Prevent URL hijack to access someone else's repository.
$can = false;
if ($repocontext->contextlevel == CONTEXT_USER) {
// The repository is a user instance, ensure we're the right user to access it!
if ($repocontext->instanceid != $USER->id) {
$can = false;
}
} else if ($repocontext->contextlevel == CONTEXT_COURSE) {
// The repository is a course one. Let's check that we are on the right course.
if (in_array($currentcontext->contextlevel, array(CONTEXT_COURSE, CONTEXT_MODULE, CONTEXT_BLOCK))) {
$coursecontext = $currentcontext->get_course_context();
if ($coursecontext->instanceid != $repocontext->instanceid) {
$can = false;
}
} else {
// We are on a parent context, therefore it's legit to check the permissions
// in the current context.
}
} else {
$can = has_capability('repository/'.$instance->type.':view', $repocontext);
// Nothing to check here, system instances can have different permissions on different
// levels. We do not want to prevent URL hack here, because it does not make sense to
// prevent a user to access a repository in a context if it's accessible in another one.
}
}
+2 -2
View File
@@ -30,10 +30,10 @@
defined('MOODLE_INTERNAL') || die();
$version = 2011120508.00; // 20111205 = branching date YYYYMMDD - do not modify!
$version = 2011120509.00; // 20111205 = branching date YYYYMMDD - do not modify!
// RR = release increments - 00 in DEV branches
// .XX = incremental changes
$release = '2.2.8 (Build: 20130311)'; // Human-friendly version name
$release = '2.2.9 (Build: 20130318)'; // Human-friendly version name
$maturity = MATURITY_STABLE; // this version's maturity level