Add some more checking of input and permissions
authormoodler <moodler>
Sun, 24 Sep 2006 13:30:43 +0000 (13:30 +0000)
committermoodler <moodler>
Sun, 24 Sep 2006 13:30:43 +0000 (13:30 +0000)
admin/roles/override.php
admin/roles/tabs.php

index 35434063fe2bd782663a8cc105f7d6c938385a82..298213bd87ed0e546e07b33225da0b08bd7e3f95 100755 (executable)
@@ -8,25 +8,29 @@
     $courseid  = optional_param('courseid', 0, PARAM_INT); // needed for user tabs
     $cancel    = optional_param('cancel', 0, PARAM_BOOL);
 
-    if ($courseid) {
-        $course = get_record('course', 'id', $courseid);
-    } else {
-        $course = $SITE;
+    if (!$context = get_record('context', 'id', $contextid)) {
+        error('Bad context ID');
+    }
+
+    if (!$sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID)) {
+        error('No site ID');
     }
 
-    $context = get_record('context', 'id', $contextid);
-    $sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
-    if ($contextid == $sitecontext->id) {
+    if ($context->id == $sitecontext->id) {
         error ('Can not override base role capabilities');
     }
 
-    if ($context->contextlevel == CONTEXT_COURSE) {
-        require_login($context->instanceid);
+    require_capability('moodle/role:override', $context);   // Just to make sure
+
+    if ($courseid) {
+        if (!$course = get_record('course', 'id', $courseid)) {
+            error('Bad course ID');
+        }
     } else {
-        require_login();
+        $course = $SITE;
     }
 
-    $baseurl = 'override.php?contextid='.$contextid;
+    $baseurl = 'override.php?contextid='.$context->id;
     if (!empty($userid)) {
         $baseurl .= '&amp;userid='.$userid;
     }
@@ -80,7 +84,7 @@
 
             if (isset($localoverrides[$capname])) {    // Something exists, so update it
                 if ($value == CAP_INHERIT) {       // inherit = delete
-                    delete_records('role_capabilities', 'roleid', $roleid, 'contextid', $contextid,
+                    delete_records('role_capabilities', 'roleid', $roleid, 'contextid', $context->id,
                                                         'capability', $capname);
                 } else {
                     $localoverride = new object();
                 if ($value != CAP_INHERIT) {    // Ignore inherits
                     $localoverride = new object();
                     $localoverride->capability = $capname;
-                    $localoverride->contextid = $contextid;
+                    $localoverride->contextid = $context->id;
                     $localoverride->roleid = $roleid;
                     $localoverride->permission = $value;
                     $localoverride->timemodified = time();
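Review bot: The added `require_capability('moodle/role:override', $context);` on line 36 becomes the only access gate in this script, because the `require_login()` calls on removed lines 35 and 43 are not replaced; unless require_capability() in this tree forces a login itself (not visible here), an unauthenticated visitor now reaches an error page instead of a login redirect, and the course-aware checks the old `require_login($context->instanceid)` performed for CONTEXT_COURSE are gone. Keeping `require_login();` immediately before that line restores the previous behaviour cheaply, and the course form can be reinstated once `$course` is resolved a few lines below. The `// Just to make sure` trailer now undersells the line it annotates; `// The only access check in this script - keep it before anything is printed` would describe its role. The parameter parsing above line 12 (where `$contextid` is read) and the rest of this script lie outside the hunks; the second hunk only carries the `$contextid` to `$context->id` substitution through and raises nothing on its own.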
index c2720dd890edb1e25726df9117afc4216746e3af..adb8f425db176ad1c28ef82edbddd92cca2856f2 100755 (executable)
@@ -40,15 +40,20 @@ if ($currenttab != 'update') {
 
         case CONTEXT_MODULE:
             // get module type?
-            $cm = get_record('course_modules','id',$context->instanceid);
-            $module = get_record('modules','id',$cm->module); //$module->name;
-            $course = get_record('course','id',$cm->course);
-
-            if (! $form = get_record($module->name, "id", $cm->instance)) {
+            if (!$cm = get_record('course_modules','id',$context->instanceid)) {
+                error('Bad course module ID');
+            }
+            if (!$module = get_record('modules','id',$cm->module)) {  //$module->name;
+                error('Bad module ID');
+            }
+            if (!$course = get_record('course','id',$cm->course)) {
+                error('Bad course ID');
+            }
+            if (!$instance = get_record($module->name, 'id', $cm->instance)) {
                 error("The required instance of this module doesn't exist");
             }
 
-            $strnav = "<a href=\"$CFG->wwwroot/mod/$module->name/view.php?id=$cm->id\">$form->name</a> ->";
+            $strnav = "<a href=\"$CFG->wwwroot/mod/$module->name/view.php?id=$cm->id\">$instance->name</a> ->";
             $fullmodulename = get_string("modulename", $module->name);
             $streditinga = get_string("editinga", "moodle", $fullmodulename);
             $strmodulenameplural = get_string("modulenameplural", $module->name);
@@ -59,6 +64,7 @@ if ($currenttab != 'update') {
                 $focuscursor = "form.name";
             }
 
+            $COURSE = $course;
             print_header_simple($streditinga, '',
                     "<a href=\"$CFG->wwwroot/mod/$module->name/index.php?id=$course->id\">$strmodulenameplural</a> ->
                     $strnav <a href=\"$CFG->wwwroot/course/mod.php?update=$cm->id&sesskey=".sesskey()."\">$streditinga</a> -> $straction", $focuscursor, "", false);
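Review bot: On line 93 the instance name is interpolated straight into the anchor text of `$strnav`; `$instance->name` is read from a module table whose rows are user-editable, so it should pass through the output-escaping helper this tree uses for such names (`format_string($instance->name)`, or `htmlspecialchars()` at minimum) before being embedded in HTML. The commit only renames `$form` to `$instance` on that line, so the gap predates it, but the new line is where a reader will now look. The same `$strnav` is embedded again on line 103, which also writes a bare `&sesskey=` inside an href where `&amp;` is expected. The `switch` enclosing this `case CONTEXT_MODULE:` branch opens before the first hunk and closes after the second.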