Commit b9f8c422 authored by Astor Bizard's avatar Astor Bizard 🐕

Security fix: now checks sesskey and post data for activities pool modification.

parent 2fbdc209
......@@ -69,6 +69,7 @@ $string['groupmode_help'] = 'This activity is set to use groups. Members of a sa
If a grouping is set, then only the groups of this grouping will be considered.<br>
If a user doesn\'t belong to any group, or belongs to more than one group, they will be assigned individually.';
$string['groupmodedetails'] = 'Group mode ({$a}).';
$string['invalidsesskeyorpermission'] = 'This action has been prevented for security reasons. Either you do not have the required permission, or you session key could not be confirmed.';
$string['modulenotfound'] = 'Module not found';
$string['noactivityerror'] = 'No activity has been configured.';
$string['noactivitytoadd'] = 'No activity available to add.';
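Review bot: The new `invalidsesskeyorpermission` string has a typo in its last clause: `you session key could not be confirmed` should read `your session key could not be confirmed`. This is the English source string that every translation is derived from, so it is worth correcting before the release that ships it.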
......
......@@ -222,6 +222,7 @@ function randomactivity_reset_userdata($data) {
* @return array Array of grades, indexed by user id.
*/
function randomactivity_get_user_grades($modinstanceid, $userid = 0) {
require_once(__DIR__ . '/locallib.php');
global $DB;
$modinstance = $DB->get_record( 'randomactivity', array( 'id' => $modinstanceid ) );
$course = $modinstance->course;
......
......@@ -25,6 +25,7 @@
Context variables required for this template:
* id Course module ID.
* sesskey Current session key.
* group Currently selected group (0 for all groups).
* activities Space-separated list of course module IDs of current activities pool.
* seed Current seed.
......@@ -34,6 +35,7 @@
Example context (json):
{
"id": "2",
"sesskey": "0000000",
"group": "0",
"activities": "6 8 19",
"seed": "0",
......@@ -41,8 +43,9 @@
"editmode": true
}
}}
<form id="form-randomactivity-activities" class="form-inline">
<form id="form-randomactivity-activities" class="form-inline" method="post">
<input name="id" type="hidden" value="{{id}}">
<input name="sesskey" type="hidden" value="{{sesskey}}">
<input name="group" type="hidden" value="{{group}}">
<input name="activities" type="hidden" value="{{activities}}">
<div id="form-seed">
......
......@@ -23,8 +23,8 @@
defined('MOODLE_INTERNAL') || die();
$plugin->version = 2021052100;
$plugin->version = 2021072200;
$plugin->requires = 2018112800;
$plugin->maturity = MATURITY_STABLE;
$plugin->release = '1.4.1';
$plugin->release = '1.4.2';
$plugin->component = 'mod_randomactivity';
\ No newline at end of file
......@@ -72,17 +72,21 @@ if ( !has_capability('mod/randomactivity:manage', $context)
die();
}
if (($newseed = optional_param('seed', false, PARAM_RAW)) !== false && has_capability('mod/randomactivity:manage', $context)) {
if ($submitteddata = data_submitted()) {
// Form has been submitted.
$newactivities = optional_param('activities', '', PARAM_RAW);
$module->seed = $newseed;
$module->activities = trim($newactivities);
try {
randomactivity_update_instance($module);
$message = get_string('changesapplied', RANDOMACTIVITY);
$messagetype = \core\output\notification::NOTIFY_INFO;
} catch (dml_exception $e) {
$message = get_string('dbupdatefailed', 'error');
if (confirm_sesskey() && has_capability('mod/randomactivity:manage', $context)) {
$module->seed = $submitteddata->seed;
$module->activities = trim($submitteddata->activities);
try {
randomactivity_update_instance($module);
$message = get_string('changesapplied', RANDOMACTIVITY);
$messagetype = \core\output\notification::NOTIFY_INFO;
} catch (dml_exception $e) {
$message = get_string('dbupdatefailed', 'error');
$messagetype = \core\output\notification::NOTIFY_ERROR;
}
} else {
$message = get_string('invalidsesskeyorpermission', RANDOMACTIVITY);
$messagetype = \core\output\notification::NOTIFY_ERROR;
}
redirect(new moodle_url('/mod/randomactivity/view.php', array( 'id' => $id )), $message, null, $messagetype);
......@@ -178,6 +182,7 @@ echo html_writer::table( $table );
// Seed field and global hidden form definition.
$templatedata = new stdClass();
$templatedata->id = $id;
$templatedata->sesskey = sesskey();
$templatedata->group = $group;
$templatedata->activities = $module->activities;
$templatedata->seed = $module->seed;
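Review bot: The two assignments `$module->seed = $submitteddata->seed;` and `$module->activities = trim($submitteddata->activities);` read fields straight off the raw POST object returned by `data_submitted()`, which bypasses the parameter cleaning the removed `optional_param()` calls provided and emits an undefined-property warning (and stores null) when either field is missing from the request. Keep the new sesskey and capability gate, but fetch the values through Moodle's parameter API inside it, e.g. `$module->seed = required_param('seed', PARAM_RAW);` and `$module->activities = trim(optional_param('activities', '', PARAM_RAW));`, tightening the PARAM type if the seed is numeric as the template's example context suggests. That way a malformed or incomplete submission is rejected with a clear error instead of being written into the instance record. The closing brace of the `if ($submitteddata = data_submitted())` block lies outside the hunk.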
......