From: mjollnir_ Date: Wed, 20 Aug 2008 15:58:29 +0000 (+0000) Subject: MDL-14591 - better security when reawakening an interupted export X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=beb4ac1a5d3cff50d6fb37721b538d167feb8eff;p=moodle.git MDL-14591 - better security when reawakening an interupted export --- diff --git a/lang/en_utf8/portfolio.php b/lang/en_utf8/portfolio.php index d43ccaf9e9..d4131c11ca 100644 --- a/lang/en_utf8/portfolio.php +++ b/lang/en_utf8/portfolio.php @@ -56,6 +56,7 @@ $string['nopermissions'] = 'Sorry but you do not have the required permissions t $string['nonprimative'] = 'A non primative value was passed as a callback argument to portfolio_add_button. Refusing to continue. The key was $a->key and the value was $a->value'; $string['notexportable'] = 'Sorry, but the type of content you are trying to export is not exportable'; $string['notimplemented'] = 'Sorry, but you are trying to export content in some format that is not yet implemented ($a)'; +$string['notyours'] = 'You are trying to resume a portfolio export that doesn\'t belong to you!'; $string['nouploaddirectory'] = 'Could not create a temporary directory to package your data into'; $string['portfolio'] = 'Portfolio'; $string['portfolios'] = 'Portfolios'; diff --git a/lib/portfoliolib.php b/lib/portfoliolib.php index e6e1213438..3a12903ed4 100644 --- a/lib/portfoliolib.php +++ b/lib/portfoliolib.php @@ -1795,6 +1795,8 @@ final class portfolio_exporter { */ private $id; + private $sesskey; + /** * construct a new exporter for use * @@ -1826,7 +1828,7 @@ final class portfolio_exporter { return $this->{$field}; } $a = (object)array('property' => $field, 'class' => get_class($this)); - throw new portfolio_export_exception($this, 'invalidproperty', 'portfolio', $a); + throw new portfolio_export_exception($this, 'invalidproperty', 'portfolio', '', $a); } /** @@ -2306,6 +2308,15 @@ final class portfolio_exporter { ); } + public function verify_rewaken() { + global $USER; + if ($this->get('user')->id != $USER->id) { + throw new portfolio_exception('notyours', 'portfolio'); + } + if (!confirm_sesskey($this->get('sesskey'))) { + throw new portfolio_exception('confirmsesskeybad'); + } + } } /** diff --git a/portfolio/add.php b/portfolio/add.php index 76867fb78e..fa25e78a17 100644 --- a/portfolio/add.php +++ b/portfolio/add.php @@ -10,13 +10,14 @@ require_once($CFG->libdir . '/formslib.php'); $exporter = null; $dataid = 0; -if (!$dataid = optional_param('id') ) { +if (!$dataid = optional_param('id', '', PARAM_INT) ) { if (isset($SESSION->portfolioexport)) { $dataid = $SESSION->portfolioexport; } } if ($dataid) { $exporter = portfolio_exporter::rewaken_object($dataid); + $exporter->verify_rewaken(); if ($cancel = optional_param('cancel', 0, PARAM_RAW)) { $exporter->cancel_request(); } @@ -32,6 +33,7 @@ if ($dataid) { } $instance->set('user', $USER); $exporter->set('instance', $instance); + $exporter->set('sesskey', sesskey()); $exporter->save(); } }