|
I added $this->caller->check_permissions to the verify_rewaken method in the portfolio_exporter object. This ensures the caller permissions are checked every page request again on the active export object.
If you're happy with that fix let's close this bug now. I do not understand, I did not say to use only require_login() - both has_capability() and require_login($course, false, $cm) must be used before allowing any export from activities
They are both checked before starting export.
Your exploit was about the situation changing midway through the export and the permissions not being verified between 2 and 3 in your example above, which is what i've fixed in my last commit. I'm not sure about the $cm parameter to require_login but that's a separate issue to check, which I will do now. added $cm and a todo about changing this whenever portfolio export gets implemented somewhere other than a cm (blog, for instance)
|
||||||||||||||||||||||||||||||||||||||||||||||||||||
Sub-task
Open
Blocker
 |
|
All content on this web site is made available under the GNU General Public License, unless otherwise stated.
Maybe it's not being called properly when the exporter object is rewoken across requests. I'll check that.
I don't agree with your best fix though. Just doing require_login is not enough, we have to check the export capabilities on the context being exported as well.