From: dongsheng Date: Thu, 4 Sep 2008 06:28:47 +0000 (+0000) Subject: "MDL-13766, check context id" X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=2057487cf89dca8a3797afd8efdbd423511840f9;p=moodle.git "MDL-13766, check context id"
---
diff --git a/lang/en_utf8/repository.php b/lang/en_utf8/repository.php
index c124dc8d74..aeaeeab0b0 100644
--- a/lang/en_utf8/repository.php
+++ b/lang/en_utf8/repository.php
@@ -39,6 +39,7 @@ $string['loading'] = 'Loading...';
 $string['manage'] = 'Manage repositories';
 $string['manageurl'] = 'Manage';
 $string['manageuserrepository'] = 'Manage individual repository';
+$string['nopermissiontoaccess'] = 'No permission to access this repository';
 $string['noenter'] = 'Nothing entered';
 $string['operation'] = 'Operation';
 $string['openpicker'] = 'Choose a file...';
diff --git a/repository/lib.php b/repository/lib.php
index eb70d30d2b..04a6c99f35 100644
--- a/repository/lib.php
+++ b/repository/lib.php
@@ -870,6 +870,33 @@ abstract class repository {
 class repository_exception extends moodle_exception {
 }
+/**
+ * Check context
+ * @param int $ctx_id
+ * @return boolean
+ */
+function repository_check_context($ctx_id){
+ global $USER;
+ $context = get_context_instance_by_id($ctx_id);
+ $level = $context->contextlevel;
+ if ($level == CONTEXT_COURSE) {
+ if (!has_capability('moodle/course:view', $context)) {
+ return false;
+ } else {
+ return true;
+ }
+ } elseif ($level == CONTEXT_USER) {
+ $c = get_context_instance(CONTEXT_USER, $USER->id);
+ if ($c->id == $ctx_id) {
+ return true;
+ } else {
+ return false;
+ }
+ } elseif ($level == CONTEXT_SYSTEM) {
+ // it is always ok in system level
+ }
+ return false;
+}
 /**
 * Return repository instances
diff --git a/repository/ws.php b/repository/ws.php
index 301aaaa776..200d11a51c 100644
--- a/repository/ws.php
+++ b/repository/ws.php
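Review bot: In `repository_check_context()` the `CONTEXT_SYSTEM` branch is empty, so it falls through to the final `return false;` and denies system-level requests even though its comment says `it is always ok in system level`; the code and the comment disagree on an access decision. If the deny is intended, replace the comment with something like `// system context: denied, no capability check defined here`. If allow is intended, note that the context id appears to be supplied by the caller, so an unconditional `return true;` would let any request that names the system context skip the course and user checks, and a capability check on `$context` would be the safer form. Separately, the result of `get_context_instance_by_id($ctx_id)` is dereferenced without being checked; if it can return false for an unknown id, reject that case up front with `if (!$context) { return false; }` before `$level = $context->contextlevel;`.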
@@ -35,6 +35,12 @@ if(!$repository = $DB->get_record_sql($sql)) {
 $type = $repository->type;
 }
+if (!repository_check_context($ctx_id)) {
+ $err = new stdclass;
+ $err->e = get_string('nopermissiontoaccess', 'repository');
+ die(json_encode($err));
+}
+
 if(file_exists($CFG->dirroot.'/repository/'. $type.'/repository.class.php')) {