From: Nicolas Connault
Date: Thu, 29 Oct 2009 08:37:37 +0000 (+0000)
Subject: MDL-20663 Fixed horrible security hole in ajax callbacks file
X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=0c68d9162119959319341278d9c5c5b11c7d25b9;p=moodle.git
MDL-20663 Fixed horrible security hole in ajax callbacks file
---
diff --git a/grade/report/grader/ajax_callbacks.php b/grade/report/grader/ajax_callbacks.php
index 0ed63df038..078b22ea52 100644
--- a/grade/report/grader/ajax_callbacks.php
+++ b/grade/report/grader/ajax_callbacks.php
@@ -29,8 +29,17 @@ $type = optional_param('type', false, PARAM_ALPHA);
 $action = optional_param('action', false, PARAM_ALPHA);
 $newvalue = optional_param('newvalue', false, PARAM_MULTILANG);
+/// basic access checks
+if (!$course = $DB->get_record('course', array('id' => $courseid))) {
+ print_error('nocourseid');
+}
+$context = get_context_instance(CONTEXT_COURSE, $course->id);
+require_login($course);
+
 switch ($action) {
 case 'update':
+ require_capability('moodle/grade:edit', $context);
+
 if (!empty($userid) && !empty($itemid) && $newvalue !== false && !empty($type)) {
 // Save the grade or feedback
 if (!$grade_item = grade_item::fetch(array('id'=>$itemid, 'courseid'=>$courseid))) { // we must verify course id here!
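Review bot: Nothing visible in the `update` case ties the request to the caller's session: the added checks establish who is logged in and that they hold `moodle/grade:edit`, but a grade write built from `optional_param` values could still be triggered cross-site from an authorised teacher's browser. Unless a sesskey check already exists in the part of the file outside this hunk, add `require_sesskey();` directly after the `require_capability('moodle/grade:edit', $context);` line. The capability check also sits inside `case 'update':` only, so any other `case` of this switch (not shown here) is guarded by `require_login($course)` alone and should get its own capability check if it reads or writes grade data. The switch body and the `update` branch both continue beyond the end of the hunk.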