MDL-20663 Fixed horrible security hole in ajax callbacks file

diff --git a/grade/report/grader/ajax_callbacks.php b/grade/report/grader/ajax_callbacks.php
index 0ed63df038d042b166a5afa3635d373ad473204c..078b22ea52b4554398b615d94910e2b3496ce326 100644 (file)
--- a/grade/report/grader/ajax_callbacks.php
+++ b/grade/report/grader/ajax_callbacks.php
@@ -29,8 +29,17 @@ $type = optional_param('type', false, PARAM_ALPHA);
 $action = optional_param('action', false, PARAM_ALPHA);
 $newvalue = optional_param('newvalue', false, PARAM_MULTILANG);
 
+/// basic access checks
+if (!$course = $DB->get_record('course', array('id' => $courseid))) {
+    print_error('nocourseid');
+}
+$context = get_context_instance(CONTEXT_COURSE, $course->id);
+require_login($course);
+
 switch ($action) {
     case 'update':
+        require_capability('moodle/grade:edit', $context);
+
         if (!empty($userid) && !empty($itemid) && $newvalue !== false && !empty($type)) {
             // Save the grade or feedback
             if (!$grade_item = grade_item::fetch(array('id'=>$itemid, 'courseid'=>$courseid))) { // we must verify course id here!