From b144aaa4dcf880c5e9a67c65272a2104276aed29 Mon Sep 17 00:00:00 2001
From: moodler
Date: Sun, 24 Sep 2006 13:30:43 +0000
Subject: [PATCH] Add some more checking of input and permissions

---
 admin/roles/override.php | 30 +++++++++++++++++-------------
 admin/roles/tabs.php     | 18 ++++++++++++------
 2 files changed, 29 insertions(+), 19 deletions(-)

diff --git a/admin/roles/override.php b/admin/roles/override.php
index 35434063fe..298213bd87 100755
--- a/admin/roles/override.php
+++ b/admin/roles/override.php
@@ -8,25 +8,29 @@
     $courseid = optional_param('courseid', 0, PARAM_INT); // needed for user tabs
     $cancel = optional_param('cancel', 0, PARAM_BOOL);
 
-    if ($courseid) {
-        $course = get_record('course', 'id', $courseid);
-    } else {
-        $course = $SITE;
+    if (!$context = get_record('context', 'id', $contextid)) {
+        error('Bad context ID');
+    }
+
+    if (!$sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID)) {
+        error('No site ID');
     }
 
-    $context = get_record('context', 'id', $contextid);
-    $sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
-    if ($contextid == $sitecontext->id) {
+    if ($context->id == $sitecontext->id) {
         error ('Can not override base role capabilities');
     }
 
-    if ($context->contextlevel == CONTEXT_COURSE) {
-        require_login($context->instanceid);
+    require_capability('moodle/role:override', $context);   // Just to make sure
+
+    if ($courseid) {
+        if (!$course = get_record('course', 'id', $courseid)) {
+            error('Bad course ID');
+        }
     } else {
-        require_login();
+        $course = $SITE;
     }
 
-    $baseurl = 'override.php?contextid='.$contextid;
+    $baseurl = 'override.php?contextid='.$context->id;
     if (!empty($userid)) {
         $baseurl .= '&userid='.$userid;
     }
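Review bot: No `require_login()` call remains once this hunk replaces the removed login branch with `require_capability('moodle/role:override', $context)`, so unless a login is forced earlier in the file (outside this hunk) an unauthenticated or guest visitor now hits the capability error page instead of being sent to log in, and the course-access checks that `require_login($context->instanceid)` used to apply for course contexts are dropped as well. Restoring the removed require_login branch (course id when `$context->contextlevel == CONTEXT_COURSE`, plain `require_login()` otherwise) immediately before the `require_capability` line keeps both behaviours. Separately, `$course` is now validated to exist but is never checked against `$context`, so a `courseid` that does not belong to the context is accepted silently; if it is genuinely only used for the user tabs, as the `// needed for user tabs` comment on `$courseid` suggests, a comment on the `if ($courseid)` block saying so would make that intentional. This is top-level script code, so the surrounding block continues past the hunk.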
@@ -80,7 +84,7 @@
 
             if (isset($localoverrides[$capname])) {     // Something exists, so update it
                 if ($value == CAP_INHERIT) {     // inherit = delete
-                    delete_records('role_capabilities', 'roleid', $roleid, 'contextid', $contextid,
+                    delete_records('role_capabilities', 'roleid', $roleid, 'contextid', $context->id,
                                    'capability', $capname);
                 } else {
                     $localoverride = new object();
@@ -97,7 +101,7 @@
                 if ($value != CAP_INHERIT) {    // Ignore inherits
                     $localoverride = new object();
                     $localoverride->capability = $capname;
-                    $localoverride->contextid = $contextid;
+                    $localoverride->contextid = $context->id;
                     $localoverride->roleid = $roleid;
                     $localoverride->permission = $value;
                     $localoverride->timemodified = time();
diff --git a/admin/roles/tabs.php b/admin/roles/tabs.php
index c2720dd890..adb8f425db 100755
--- a/admin/roles/tabs.php
+++ b/admin/roles/tabs.php
@@ -40,15 +40,20 @@ if ($currenttab != 'update') {
 
         case CONTEXT_MODULE:
             // get module type?
-            $cm = get_record('course_modules','id',$context->instanceid);
-            $module = get_record('modules','id',$cm->module); //$module->name;
-            $course = get_record('course','id',$cm->course);
-
-            if (! $form = get_record($module->name, "id", $cm->instance)) {
+            if (!$cm = get_record('course_modules','id',$context->instanceid)) {
+                error('Bad course module ID');
+            }
+            if (!$module = get_record('modules','id',$cm->module)) { //$module->name;
+                error('Bad module ID');
+            }
+            if (!$course = get_record('course','id',$cm->course)) {
+                error('Bad course ID');
+            }
+            if (!$instance = get_record($module->name, 'id', $cm->instance)) {
                 error("The required instance of this module doesn't exist");
             }
 
-            $strnav = "wwwroot/mod/$module->name/view.php?id=$cm->id\">$form->name ->";
+            $strnav = "wwwroot/mod/$module->name/view.php?id=$cm->id\">$instance->name ->";
             $fullmodulename = get_string("modulename", $module->name);
             $streditinga = get_string("editinga", "moodle", $fullmodulename);
             $strmodulenameplural = get_string("modulenameplural", $module->name);
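Review bot: `$instance->name` is interpolated straight into the markup on the rewritten `$strnav = ...` line (the surrounding anchor tag appears stripped on this page) without `format_string()` or any other escaping, so a module instance whose name contains markup is passed verbatim into the navigation string that the later `print_header_simple(...)` call presumably prints; since the line is being rewritten anyway, `$instance->name` could become `format_string($instance->name)` here. The `//$module->name;` fragment carried onto the new `if (!$module = get_record(...)) {` line is a dead comment and could be dropped. The `case CONTEXT_MODULE:` branch belongs to a `switch` that starts outside the hunk.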
@@ -59,6 +64,7 @@ if ($currenttab != 'update') {
                 $focuscursor = "form.name";
             }
 
+            $COURSE = $course;
             print_header_simple($streditinga, '', "wwwroot/mod/$module->name/index.php?id=$course->id\">$strmodulenameplural -> $strnav wwwroot/course/mod.php?update=$cm->id&sesskey=".sesskey()."\">$streditinga -> $straction", $focuscursor, "", false);
-- 
2.39.5
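Review bot: The added `$COURSE = $course;` reassigns a site-wide global with no comment saying why, right before the `print_header_simple(...)` call, which presumably reads the global to build the course navigation and theme; a one-line comment such as `// print_header_simple() and the theme read the global $COURSE; point it at this module's course` would record that dependency for the next reader. The assignment carries no `global` declaration, so it only reaches the global because tabs.php is evaluated at file scope; if this file were ever included from inside a function the line would silently create a local instead. The enclosing `if ($currenttab != 'update')` block starts outside the hunk.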