]> git.mjollnir.org Git - moodle.git/commitdiff
projects / moodle.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: d352141)
MDL-16159 implemented missing access control and security code in course tags
authorskodak <skodak>
Thu, 21 Aug 2008 20:29:42 +0000 (20:29 +0000)
committerskodak <skodak>
Thu, 21 Aug 2008 20:29:42 +0000 (20:29 +0000)
blocks/tags/block_tags.php patch | blob | history
tag/coursetags_add.php patch | blob | history
tag/coursetags_edit.php patch | blob | history
tag/coursetags_more.php patch | blob | history
tag/search.php patch | blob | history

diff --git a/blocks/tags/block_tags.php b/blocks/tags/block_tags.php
index 4aff6fc9fea860b221b3ce8e10bb4a614f751ac9..71b972446141c4672deb2e7366690e520cfab2e1 100644 (file)
--- a/blocks/tags/block_tags.php
+++ b/blocks/tags/block_tags.php
@@ -75,8 +75,8 @@ class block_tags extends block_base {
             require_once($CFG->dirroot.'/tag/coursetagslib.php');
 
             // Permissions and page awareness
-            $sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
-            $isguest = has_capability('moodle/legacy:guest', $sitecontext, $USER->id, false);
+            $systemcontext = get_context_instance(CONTEXT_SYSTEM);
+            $isguest = has_capability('moodle/legacy:guest', $systemcontext, $USER->id, false);
             $loggedin = isloggedin() && !$isguest;
             $coursepage = $canedit = false;
             $coursepage = (isset($COURSE->id) && $COURSE->id != SITEID);
@@ -84,7 +84,7 @@ class block_tags extends block_base {
             $sitepage = (isset($COURSE->id) && $COURSE->id == SITEID && !$mymoodlepage);
             $coursecontext = get_context_instance(CONTEXT_COURSE, $COURSE->id);
             if ($coursepage) {
-                $canedit =  has_capability('moodle/tag:create', $sitecontext);
+                $canedit =  has_capability('moodle/tag:create', $systemcontext);
             }
 
             // Check rss feed - temporarily removed until Dublin Core tags added
@@ -237,6 +237,7 @@ class block_tags extends block_base {
                             <div style="display: none;">
                                 <input type="hidden" name="entryid" value="$COURSE->id" />
                                 <input type="hidden" name="userid" value="$USER->id" />
+                                <input type="hidden" name="sesskey" value="$USER->sesskey" />
                             </div>
                             <div><label for="coursetag_new_tag">$tagthisunit</label></div>
                             <div class="coursetag_form_wrapper">
diff --git a/tag/coursetags_add.php b/tag/coursetags_add.php
index 6154c9a21cd8dc5e63f3e921db07d6dbbcfdec99..268f6e74685703938becbf5bd13db6f234190f2a 100644 (file)
--- a/tag/coursetags_add.php
+++ b/tag/coursetags_add.php
@@ -6,12 +6,21 @@
 
 require_once('../config.php');
 
+require_login();
+
+$systemcontext = get_context_instance(CONTEXT_SYSTEM);
+require_capability('moodle/tag:create', $systemcontext);
+
+if (empty($CFG->usetags)) {
+    print_error('tagsaredisabled', 'tag');
+}
+
 $keyword = optional_param('coursetag_new_tag', '', PARAM_TEXT);
 $courseid = optional_param('entryid', 0, PARAM_INT);
 $userid = optional_param('userid', 0, PARAM_INT);
 
 $keyword = trim(strip_tags($keyword)); //better cleanup of user input is done later
-if ($keyword) {
+if ($keyword and confirm_sesskey()) {
 
     require_once($CFG->dirroot.'/tag/coursetagslib.php');
 
diff --git a/tag/coursetags_edit.php b/tag/coursetags_edit.php
index 68375cbeb86ca2314a731d801c558503cae09f7a..36c8efbff75ea0b1525e758b62089ba44fecd8dc 100644 (file)
--- a/tag/coursetags_edit.php
+++ b/tag/coursetags_edit.php
@@ -14,6 +14,12 @@ $courseid = optional_param('courseid', 0, PARAM_INT);
 $keyword = optional_param('coursetag_new_tag', '', PARAM_TEXT);
 $deltag = optional_param('del_tag', 0, PARAM_INT);
 
+require_login();
+
+if (empty($CFG->usetags)) {
+    print_error('tagsaredisabled', 'tag');
+}
+
 if ($courseid != SITEID) {
     if (! ($course = $DB->get_record('course', array('id' => $courseid), '*')) ) {
         print_error('invalidcourse');
diff --git a/tag/coursetags_more.php b/tag/coursetags_more.php
index 22cab395eab2b22250820b65e4f6bb3011e5bce8..0c34b131a9a2b84e2a118d2c2ca5a5ed80eb0fa1 100644 (file)
--- a/tag/coursetags_more.php
+++ b/tag/coursetags_more.php
@@ -13,6 +13,10 @@ $sort = optional_param('sort', 'alpha', PARAM_TEXT); //alpha, date or popularity
 $show = optional_param('show', 'all', PARAM_TEXT); //all, my, official, community or course
 $courseid = optional_param('courseid', 0, PARAM_INT);
 
+if (empty($CFG->usetags)) {
+    print_error('tagsaredisabled', 'tag');
+}
+
 // Some things require logging in
 if ($CFG->forcelogin or $show == 'my') {
     require_login();
diff --git a/tag/search.php b/tag/search.php
index 92afd87afe52ea32f653c9f36bc798e4d4e6ab24..2b563c8cf5cd2d8af2640d72049b378dd9a1e576 100644 (file)
--- a/tag/search.php
+++ b/tag/search.php
@@ -3,12 +3,10 @@
 require_once('../config.php');
 require_once('lib.php');
 require_once('locallib.php');
-require_once($CFG->dirroot.'/lib/weblib.php');
 
-global $CFG;
 require_login();
 
-ifempty($CFG->usetags)) {
+if (empty($CFG->usetags)) {
     print_error('tagsaredisabled', 'tag');
 }
 
Unnamed repository; edit this file to name it for gitweb.