From: mjollnir_
Date: Mon, 1 Jun 2009 17:06:28 +0000 (+0000)
Subject: portfolio: MDL-19358 and MDL-19354 added sesskey() protection when first initating...
X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=766d61cbb8b24af8ef4aae64e055f4fd7f37e883;p=moodle.git
portfolio: MDL-19358 and MDL-19354 added sesskey() protection when first initating a portfolio export; verify callback class is part of the portfolio_caller_base hierarchy; re-check permissions in the caller when waking up the portfolio exporter object (between requests)
---
diff --git a/lib/portfolio/exporter.php b/lib/portfolio/exporter.php
index 3938a8e25e..007e55950c 100644
--- a/lib/portfolio/exporter.php
+++ b/lib/portfolio/exporter.php
@@ -676,6 +676,10 @@ class portfolio_exporter {
 if (!$readonly && !confirm_sesskey($this->get('sesskey'))) {
 throw new portfolio_exception('confirmsesskeybad');
 }
+ if (!$this->caller->check_permissions()) {
+ throw new portfolio_caller_exception('nopermissions', 'portfolio', $this->caller->get_return_url());
+ }
+ error_log("checking permissions after waking");
 }
 /**
 * copies a file from somewhere else in moodle
diff --git a/lib/portfoliolib.php b/lib/portfoliolib.php
index d37b94c7ce..c0a4041784 100644
--- a/lib/portfoliolib.php
+++ b/lib/portfoliolib.php
@@ -224,6 +224,8 @@ class portfolio_add_button {
 $linkoutput .= 'ca_' . $key . '=' . $value . '&';
 $formoutput .= "\n" . '';
 }
+ $formoutput .= "\n" . '';
+ $linkoutput .= 'sesskey=' . sesskey() . '&';
 $formoutput .= "\n" . '';
 $formoutput .= "\n" . '';
 $formoutput .= "\n" . '';
diff --git a/portfolio/add.php b/portfolio/add.php
index 1feb0768ff..1b1942e306 100644
--- a/portfolio/add.php
+++ b/portfolio/add.php
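Review bot: The `error_log("checking permissions after waking");` added as the last new line of the exporter.php hunk is debug output that fires unconditionally on every wakeup, and because it sits after the new guard it only ever logs when `check_permissions()` has already passed, so the message is misleading as well as noisy; drop it, or if a trace is wanted gate it on the site's debugging setting and reword it, e.g. `error_log('portfolio: caller permissions re-verified on wakeup');`. The enclosing method starts before this hunk, so it is not visible whether `$this->caller` is guaranteed to be set here; if wakeup can run with a null caller, `$this->caller->check_permissions()` will fatal on a null object instead of raising the portfolio exception.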
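Review bot: The new `$linkoutput .= 'sesskey=' . sesskey() . '&';` in the portfoliolib.php hunk places the session key in a GET URL, so for the link-style button it will land in browser history, Referer headers and web-server or proxy access logs, while the form-style button carries it as a POST field; that exposure is worth recording next to the line, e.g. `// sesskey is required by portfolio/add.php on first entry; the link form exposes it in the URL, prefer the form output where a POST is possible`. The hidden-input markup on the two `$formoutput` lines is not visible in this rendering, so the field name and attribute quoting cannot be confirmed from here. The enclosing method begins before and continues after this hunk.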
@@ -139,10 +139,16 @@ if (!empty($dataid)) {
 $callbackargs[substr($key, 3)] = $value;
 }
 }
+ if (!confirm_sesskey()) {
+ throw new portfolio_caller_exception('confirmsesskeybad', 'error');
+ }
 // righto, now we have the callback args set up
 // load up the caller file and class and tell it to set up all the data
 // it needs
 require_once($CFG->dirroot . $callbackfile);
+ if (!class_exists($callbackclass) || !is_subclass_of($callbackclass, 'portfolio_caller_base')) {
+ throw new portfolio_caller_exception('callbackclassinvalid', 'portfolio');
+ }
 $caller = new $callbackclass($callbackargs);
 $caller->set('user', $USER);
 $caller->load_data();
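Review bot: The new `is_subclass_of` check runs only after `require_once($CFG->dirroot . $callbackfile)` has already executed whatever file `$callbackfile` names, so it constrains which class is instantiated but not which file is included; `$callbackfile` is assigned outside this hunk, and unless it is already restricted there to a known set of portfolio caller files, a check on the path itself (resolving it and confirming it stays inside `$CFG->dirroot`, or matching it against an allow-list of caller files) belongs before the include, not only the class check after it. The `confirm_sesskey()` guard is correctly placed ahead of the include. A short comment on the class check would help the next reader, e.g. `// the callback class must be a portfolio caller; anything else is rejected before it is constructed`.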