Commit accc0863 authored by Astor Bizard's avatar Astor Bizard

Merge branch 'test' into 'master'

Security checks for overrides modifications, fix webservice token

See merge request !15
parents d41be0f4 dccff423
......@@ -37,29 +37,24 @@ require_once($CFG->libdir . '/formslib.php');
*/
function vpl_get_overrideactions($id, $overrideid, $editing) {
global $OUTPUT, $PAGE;
$templatedata = new stdClass();
$templatedata->iseditingcurrent = false;
$templatedata->noedit = false;
if ($editing == $overrideid) {
vpl_include_jsfile('override.js');
$save = '<span class="btn-link override-action-button" onclick="VPL.submitOverrideForms();">' .
$OUTPUT->pix_icon( 'save', get_string('save'), 'mod_vpl' ) .
'</span>';
$cancel = '<span class="btn-link override-action-button" onclick="VPL.cancelOverrideForms();">' .
$OUTPUT->pix_icon( 'cancel', get_string('cancel'), 'mod_vpl' ) .
'</span>';
return $save . $cancel;
$templatedata->iseditingcurrent = true;
} else if ($editing === null) {
$edit = '<a href="?id=' . $id . '&edit=' . $overrideid . '">' .
$OUTPUT->pix_icon( 'editthis', get_string('edit'), 'mod_vpl' ) .
'</a>';
$deletebuttonid = 'delete_override_' . $overrideid;
$delete = '<a id="' . $deletebuttonid . '" href="?id=' . $id . '&delete=' . $overrideid . '">' .
$OUTPUT->pix_icon( 'delete', get_string('delete'), 'mod_vpl' ) .
'</a>';
$PAGE->requires->event_handler('#' . $deletebuttonid, 'click', 'M.util.show_confirm_dialog',
array('message' => get_string('confirmoverridedeletion', VPL)));
return $edit . $delete;
} else {
return '';
$templatedata->id = $id;
$templatedata->sesskey = sesskey();
$templatedata->deletebuttonid = $deletebuttonid;
$templatedata->overrideid = $overrideid;
$templatedata->noedit = true;
}
return $OUTPUT->render_from_template('mod_vpl/overrideactions', $templatedata);
}
class vpl_override_users_form extends moodleform {
......@@ -156,6 +151,7 @@ $update = optional_param('update', null, PARAM_INT);
$vpl = new mod_vpl( $id );
$vpl->require_capability( VPL_MANAGE_CAPABILITY );
$vpl->prepare_page( 'forms/overrides.php', array( 'id' => $id ) );
$thisurl = new moodle_url('/mod/vpl/forms/overrides.php', array( 'id' => $id ));
$vplid = $vpl->get_instance()->id;
......@@ -217,6 +213,9 @@ if ($edit !== null || $update !== null) {
}
if ($delete !== null) {
if (data_submitted() === false || !confirm_sesskey()) {
redirect($thisurl, get_string('invaliddataorsesskey', VPL), null, \core\output\notification::NOTIFY_ERROR);
}
$overrideid = $delete;
if (isset($overrides[$overrideid])) {
$override = $overrides[$overrideid];
......@@ -228,10 +227,13 @@ if ($delete !== null) {
\mod_vpl\event\override_deleted::log($vpl, $overrideid);
}
// Properly reload the page.
redirect(new moodle_url('/mod/vpl/forms/overrides.php', array( 'id' => $id )));
redirect($thisurl);
}
if ($update !== null) {
if (data_submitted() === false || !confirm_sesskey()) {
redirect($thisurl, get_string('invaliddataorsesskey', VPL), null, \core\output\notification::NOTIFY_ERROR);
}
// Update or create an override.
$override = $optionsform->get_data();
unset($override->id); // The id field of the form is not the override id - do not use it.
......@@ -324,7 +326,7 @@ if ($update !== null) {
// Do not redirect if validation fails.
if ($optionsform->is_validated() || $optionsform->is_cancelled()) {
// Properly reload the page.
redirect(new moodle_url('/mod/vpl/forms/overrides.php', array( 'id' => $id )));
redirect($thisurl);
}
}
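Review bot: In the first hunk of `vpl_get_overrideactions` the rendered view does not make clear which branch receives `$templatedata->deletebuttonid = $deletebuttonid;`: `$deletebuttonid` is assigned in the `$editing === null` branch, but the block of `$templatedata` assignments is printed after `} else {`, and if it really lives in the trailing `else` the variable is undefined there and the template would render an empty `id` for the delete button; if it sits in the `$editing === null` branch this is a non-issue, so please confirm. With the `$PAGE->requires->event_handler(...)` call removed, `$PAGE` looks unused in the function and `global $OUTPUT;` would suffice if nothing else in the body reads it. The added `data_submitted() === false || !confirm_sesskey()` guards on the `delete` and `update` paths are the right shape; the `data_submitted()` test usefully forces the request to be a POST, since `confirm_sesskey()` alone would accept a sesskey passed in the query string. A one-line comment above the first guard, `// State-changing actions must be POSTed with a valid sesskey (CSRF protection).`, would tell the next reader why both checks are there.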
......
......@@ -162,6 +162,7 @@ $string ['indicator:socialbreadth_help'] = 'This indicator is based on the socia
$string ['individualwork'] = 'Individual work';
$string ['instanceselection'] = 'VPL selection';
$string ['interfacetheme'] = 'Interface theme:';
$string ['invaliddataorsesskey'] = 'This action has been prevented for security reasons. Either data has not been submitted properly, or you session key could not be confirmed.';
$string ['isexample'] = 'This activity acts as example';
$string ['jail_servers'] = 'Execution servers list';
$string ['jail_servers_config'] = 'Execution servers config';
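Review bot: The new `invaliddataorsesskey` string has a typo, `you session key` should read `your session key`. This text is what users see on the delete/update redirect, so it is worth fixing before release.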
......
......@@ -936,7 +936,8 @@ function vpl_get_webservice_token($vpl) {
}
$tokenrecord = $DB->get_record( 'external_tokens', array (
'userid' => $USER->id,
'externalserviceid' => $service->id
'externalserviceid' => $service->id,
'tokentype' => EXTERNAL_TOKEN_PERMANENT
) );
if (! empty( $tokenrecord ) and $tokenrecord->validuntil > 0 and $tokenrecord->validuntil < $now) {
unset( $tokenrecord ); // Will be deleted before creating a new one.
......@@ -946,7 +947,8 @@ function vpl_get_webservice_token($vpl) {
$webservice->generate_user_ws_tokens($USER->id);
$tokenrecord = $DB->get_record( 'external_tokens', array (
'userid' => $USER->id,
'externalserviceid' => $service->id
'externalserviceid' => $service->id,
'tokentype' => EXTERNAL_TOKEN_PERMANENT
) );
if (empty( $tokenrecord )) {
return '';
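Review bot: The new `'tokentype' => EXTERNAL_TOKEN_PERMANENT` key in both `get_record()` lookups deserves a comment explaining why it is needed: a user who also holds a non-permanent token (for example an embedded one) for the same service could match more than one row, and `get_record()` then emits a debugging notice and returns an arbitrary match. Something like `// Only permanent tokens are reusable across requests; filter on tokentype so other token kinds for the same service do not match.` above the first lookup would capture that. The same three-key condition is repeated after `generate_user_ws_tokens()`; extracting the lookup into a small helper would keep the two conditions from drifting apart. `vpl_get_webservice_token` starts and ends outside the hunks shown.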
......
{{!
This file is part of Moodle - http://moodle.org/
Moodle is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
Moodle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with Moodle. If not, see <http://www.gnu.org/licenses/>.
}}
{{!
@template mod_vpl/overrideactions
Classes required for JS:
* none
Data attributes required for JS:
* none
Context variables required for this template:
* iseditingcurrent Whether current override row is the one being edited.
* noedit Whether no override row is currently being edited.
* id VPL ID.
* sesskey Current session key.
* overrideid Current override row.
* deletebuttonid HTML ID attribute for the delete button.
Example context (json):
{
"iseditingcurrent": false,
"noedit": true,
"id": 2,
"sesskey": "000000",
"overrideid": 1,
"deletebuttonid": "delete_override_1"
}
}}
{{# iseditingcurrent}}
<span class="btn-link override-action-button" onclick="VPL.submitOverrideForms();">{{# pix}} save, mod_vpl, {{# str}} save {{/ str}} {{/ pix}}</span>{{!
}}<span class="btn-link override-action-button" onclick="VPL.cancelOverrideForms();">{{# pix}} cancel, mod_vpl, {{# str}} cancel {{/ str}} {{/ pix}}</span>
{{/ iseditingcurrent}}
{{# noedit}}
<a href="?id={{id}}&edit={{overrideid}}">{{# pix}} editthis, mod_vpl, {{# str}} edit {{/ str}} {{/ pix}}</a>{{!
}}<form method="post" style="display:none;">
<input name="id" type="hidden" value="{{id}}">
<input name="sesskey" type="hidden" value="{{sesskey}}">
<input name="delete" type="hidden" value="{{overrideid}}">
<input id="{{deletebuttonid}}" type="submit">
</form>{{!
}}<span class="btn-link override-action-button" onclick="document.getElementById('{{deletebuttonid}}').click();">{{# pix}} delete, mod_vpl, {{# str}} delete {{/ str}} {{/ pix}}</span>
{{/ noedit}}
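Review bot: The delete action in the `noedit` block no longer asks for confirmation: the removed PHP attached `M.util.show_confirm_dialog` with the `confirmoverridedeletion` string to the delete button, while the new span submits the hidden form directly via `document.getElementById('{{deletebuttonid}}').click();`, so a single misclick deletes an override unless override.js (not part of this commit) re-attaches the dialog. The ampersand in `href="?id={{id}}&edit={{overrideid}}"` should be written `&amp;` inside the attribute. The hidden form has no `action`, so it posts back to the current URL; a short template comment such as `{{! Deletion is a POST carrying sesskey; the visible span only triggers the hidden submit button. }}` would make the intent clear, and the file should end with a newline.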
\ No newline at end of file
......@@ -29,7 +29,7 @@
defined('MOODLE_INTERNAL') || die();
$plugin->version = 2021061600;
$plugin->version = 2021101100;
$plugin->requires = 2014051200; // Moodle 2.7!
$plugin->maturity = MATURITY_STABLE;
$plugin->release = '3.4';
......