Moodle

RSS not generating if forum/course is hidden

Details

  • Type: Bug
  • Status: Closed
  • Priority: Minor
  • Resolution: Fixed
  • Affects Version/s: 1.9.3
  • Fix Version/s: 1.9.4
  • Component/s: Forum, RSS
  • Labels:
    None
  • Environment:
    Any.
  • Database:
    Any
  • Difficulty:
    Easy
  • Affected Branches:
    MOODLE_19_STABLE
  • Fixed Branches:
    MOODLE_19_STABLE

Description

When a forum or course is hidden, RSS feeds from the forum are not being generated.

This is caused by a wrong capability check in rss/file.php:
//Check for "security" if the course is hidden or the activity is hidden
if (!$isblog and (!$course->visible || !$cm->visible) && (!has_capability('moodle/course:viewhiddenactivities', $context))) {

The user ID should be passed to has_capability because the current user ($USER) is overwritten at the beginning of the rss/file.php file.

Patch attached.

Activity

Petr Škoda (skodak) added a comment -

Hello,
unfortunately we cannot use $USER because feed readers may not send cookies and the session will not work, and it would not be secure anyway. This should be fixed in 2.0.

Tomasz Muras added a comment -

Hi,

That's exactly the problem. Currently $USER is used, as has_capability is called without the 3rd argument. The fix for 1.9 is very simple in this case. Instead of:
has_capability('moodle/course:viewhiddenactivities', $context)

we can use:
has_capability('moodle/course:viewhiddenactivities', $context, $userid)

$userid already contains the correct user ID and we won't use $USER.

Petr Škoda (skodak) added a comment -

My +1 to remove the has_capability() from there, because we cannot find out the userid properly, and later reimplement it in 2.0.

Petr Škoda (skodak) added a comment -

I have changed the code in 1.9.x so that access to feeds from hidden courses or activities is not allowed - this is a security issue, we cannot rely on the user-submitted userid parameter here, sorry.
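
The three access decisions discussed in this thread, modelled side by side as an added example (not Moodle code and not part of the original comments). user_can_view_hidden() is a hypothetical stand-in for has_capability(); the user ids, the capability table, the guest session user and the kept blog exemption are constructed assumptions.

```php
<?php
// Constructed data: holders of moodle/course:viewhiddenactivities on a toy site.
const HIDDEN_VIEWERS = [2 => true];  // id 2 = teacher; id 1 = guest; id 5 = student
const SESSION_USER   = 1;            // assumption: the overwritten $USER is a guest

// Hypothetical stand-in for has_capability(): with no user id it falls back
// to the session user, as the call quoted in the description does.
function user_can_view_hidden(?int $userid = null): bool {
    return HIDDEN_VIEWERS[$userid ?? SESSION_USER] ?? false;
}

// $visible means "course and activity are both visible". $reqUserid is the
// user id that arrived with the request; nothing here authenticates it.

// 1.9.3 check: no user id passed, so the session user is evaluated.
function allow_193(bool $isblog, bool $visible, int $reqUserid): bool {
    return !(!$isblog && !$visible && !user_can_view_hidden());
}

// Proposed patch: evaluate the capability for the id taken from the request.
function allow_patch(bool $isblog, bool $visible, int $reqUserid): bool {
    return !(!$isblog && !$visible && !user_can_view_hidden($reqUserid));
}

// 1.9.x change described in the thread: feeds of hidden courses or
// activities are refused regardless of the id (blog exemption assumed kept).
function allow_19x(bool $isblog, bool $visible, int $reqUserid): bool {
    return $isblog || $visible;
}

// Each row: [label, visible, user id claimed in the request]
$cases = [
    ['visible forum, student id', true,  5],
    ['hidden forum, student id',  false, 5],
    ['hidden forum, teacher id',  false, 2],
];
foreach ($cases as [$label, $visible, $uid]) {
    printf("%-27s 1.9.3=%-5s patch=%-5s 1.9.x=%s\n", $label,
        var_export(allow_193(false, $visible, $uid), true),
        var_export(allow_patch(false, $visible, $uid), true),
        var_export(allow_19x(false, $visible, $uid), true));
}
```

In the patched variant the decision for a hidden forum depends only on the id value supplied with the request, which is the reason given above for refusing hidden feeds outright in 1.9.x.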

Tomasz Muras added a comment -

Petr, that sounds good!
I guess that the issue can be closed now.

Andrew Davis added a comment -

Sounds fair. Closing.
