Moodle / MDL-19353 portfolio code review META / MDL-19358

portfolio export does not verify activity access control


    Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 2.0
    • Fix Version/s: 2.0
    • Component/s: Portfolio
    • Labels:
      None
    • Affected Branches:
      MOODLE_20_STABLE
    • Fixed Branches:
      MOODLE_20_STABLE

      Description

      Portfolio export needs to verify access control; the easiest way is to use require_login() with the correct $cm parameter. Replicating the logic from require_login() would probably be a major maintenance problem...

      Sample exploit:
      1/ go to the forum in one browser and copy the "Save..." link
      2/ make the module hidden in another browser, where you are logged in as admin
      3/ paste the URL in the first browser - the export will complete anyway
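      The check the description asks for, written out as an added example (this is not Moodle's own code and not the patch that closed this issue). It assumes a forum export entry point reached with a cmid parameter, a config.php path, and the capability name mod/forum:exportpost; the contrast it shows is the hidden-module case from the steps above, which require_login() with $cm rejects for anyone lacking moodle/course:viewhiddenactivities.

```php
<?php
// Added example, not Moodle core code. Assumptions: this file is a Moodle
// page script, the export link carries ?cmid=N, and the capability name below
// exists for the forum module.
require_once(__DIR__ . '/config.php');   // path to Moodle config is assumed

$cmid = required_param('cmid', PARAM_INT);

// Resolve the course module and its course from the id in the export link.
$cm     = get_coursemodule_from_id('forum', $cmid, 0, false, MUST_EXIST);
$course = $DB->get_record('course', array('id' => $cm->course), '*', MUST_EXIST);

// The weak form: a capability check alone does not look at module visibility,
// so a link copied while the forum was visible keeps working after it is hidden.
//   require_capability('mod/forum:exportpost', $context);   // insufficient by itself

// The form the issue recommends: require_login() with $cm enforces login,
// enrolment, course visibility and course-module visibility in one place, so
// there is no second copy of that logic to keep in sync. A hidden module ends
// the request here unless the user holds moodle/course:viewhiddenactivities.
require_login($course, false, $cm);

// Moodle 2.0 context API; later versions use context_module::instance($cm->id).
$context = get_context_instance(CONTEXT_MODULE, $cm->id);

// Capability check still belongs after the access check, not instead of it.
require_capability('mod/forum:exportpost', $context);

// Only now hand the request to the portfolio export code.
```

      The order matters: require_login() answers "may this user reach this activity at all", and the capability check answers "may they export from it"; the report shows what happens when only the second question is asked.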


            People

            • Assignee: Penny Leach (mjollnir)
            • Reporter: Petr Skoda (skodak)
            • Participants:
            • Component watchers: Amaia Anabitarte, Bas Brands, Carlos Escobedo, Sara Arjona (@sarjona), Víctor Déniz Falcón
            • Votes: 0
            • Watchers: 1

              Dates

              • Created:
              • Updated:
              • Resolved:
              • Fix Release Date: 24/Nov/10