  1. Moodle
  2. MDL-29895

Remove call to require_login() when admin_externalpage_setup() is used

    Details

    • Testing Instructions:
      For each of the 46 files affected by this patch (list below):

      A) Open the corresponding URL as a logged-in, non-admin user.
      B) Confirm you get a "permission denied" error.
      C) In another browser or incognito session, open the corresponding URL logged in as admin.
      D) Confirm that you can visit the page (the "permission denied" error is gone).

      List of URLs to check:

      1. admin/filters.php
      2. admin/message.php
      3. admin/mnet/access_control.php
      4. admin/mnet/delete.php
      5. admin/mnet/index.php
      6. admin/mnet/peers.php
      7. admin/mnet/profilefields.php
      8. admin/mnet/services.php
      9. admin/mnet/testclient.php
      10. admin/mnet/trustedhosts.php
      11. admin/portfolio.php
      12. admin/qtypes.php
      13. admin/repository.php
      14. admin/repositoryinstance.php
      15. admin/roles/define.php
      16. admin/roles/manage.php
      17. admin/tool/dbtransfer/dbexport.php
      18. admin/tool/dbtransfer/index.php
      19. admin/tool/health/index.php
      20. admin/tool/httpsreplace/index.php
      21. admin/tool/httpsreplace/tool.php
      22. admin/tool/innodb/index.php
      23. admin/tool/log/store/database/test_settings.php
      24. admin/tool/monitor/managerules.php
      25. admin/tool/spamcleaner/index.php
      26. admin/tool/unsuproles/index.php
      27. admin/tool/uploaduser/index.php
      28. admin/tool/uploaduser/picture.php
      29. admin/tool/xmldb/index.php
      30. admin/user/user_bulk_confirm.php
      31. admin/user/user_bulk_delete.php
      32. admin/user/user_bulk_download.php
      33. admin/user/user_bulk_forcepasswordchange.php
      34. admin/user/user_bulk_message.php
      35. admin/webservice/tokens.php
      36. auth/test_settings.php
      37. comment/index.php
      38. course/pending.php
      39. enrol/test_settings.php
      40. grade/edit/letter/index.php
      41. message/defaultoutputs.php
      42. my/indexsys.php
      43. report/loglive/index.php
      44. report/performance/index.php
      45. report/security/index.php
      46. user/profilesys.php
    • Affected Branches:
      MOODLE_23_STABLE, MOODLE_24_STABLE, MOODLE_35_STABLE
    • Fixed Branches:
      MOODLE_36_STABLE
    • Pull from Repository:
    • Pull Master Branch:

      Description

      When admin_externalpage_setup() is called, there is no need to call require_login(). For example it could be removed from the following code:

      require_login();
       
      admin_externalpage_setup('letters');
      

      Please confirm that my reasoning is correct and I will prepare a patch for all affected areas.
      Possible list (for review) of all the files where both functions are used:
      grade/edit/letter/index.php
      grade/edit/scale/edit.php
      grade/edit/outcome/edit.php
      grade/edit/outcome/edit.php
      admin/user/user_bulk_message.php
      admin/user/user_bulk_forcepasswordchange.php
      admin/user/user_bulk_delete.php
      admin/user/user_bulk_download.php
      admin/user/user_bulk_enrol.php
      admin/user/user_bulk_confirm.php
      admin/qbehaviours.php
      admin/report/security/index.php
      admin/filters.php
      admin/roles/define.php
      admin/roles/manage.php
      admin/qtypes.php
      admin/mnet/services.php
      admin/mnet/delete.php
      admin/mnet/testclient.php
      admin/mnet/access_control.php
      admin/mnet/trustedhosts.php
      admin/mnet/index.php
      admin/mnet/peers.php
      admin/mnet/profilefields.php
      admin/purgecaches.php
      admin/tool/xmldb/index.php
      admin/tool/spamcleaner/index.php
      admin/tool/capability/index.php
      admin/tool/uploaduser/index.php
      admin/tool/uploaduser/picture.php
      admin/tool/qeupgradehelper/convertquiz.php
      admin/tool/qeupgradehelper/resetquiz.php
      admin/tool/qeupgradehelper/listupgraded.php
      admin/tool/qeupgradehelper/index.php
      admin/tool/qeupgradehelper/extracttestcase.php
      admin/tool/qeupgradehelper/listtodo.php
      admin/tool/qeupgradehelper/cronsetup.php
      admin/tool/qeupgradehelper/listpreupgrade.php
      admin/tool/innodb/index.php
      admin/tool/dbtransfer/index.php
      admin/tool/dbtransfer/dbexport.php
      admin/tool/unsuproles/index.php
      admin/tool/health/index.php
      cohort/index.php
      comment/index.php
      course/pending.php
      course/index.php
      course/index.php
      course/category.php
      course/category.php
      lib/adminlib.php
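
An added example, not part of the original issue or of Moodle's code: a Python scan that rebuilds the kind of "both functions are used" list from the description, with line numbers, so each file can be reviewed before its explicit `require_login()` is removed. The sample tree is constructed (`admin/example_commented.php` is a hypothetical file), and the comment stripping is a heuristic.

```python
import re
import tempfile
from pathlib import Path

BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
LINE_COMMENT = re.compile(r"(//|#).*")   # heuristic: also cuts at // or # inside strings
LOGIN = re.compile(r"\brequire_login\s*\(")
# Skip the definition itself ("function admin_externalpage_setup(") in lib/adminlib.php.
SETUP = re.compile(r"(?<!function )\badmin_externalpage_setup\s*\(")

def call_lines(source, pattern):
    """Return 1-based line numbers where pattern matches outside comments."""
    # Blank out block comments but keep their newlines so line numbers stay right.
    source = BLOCK_COMMENT.sub(lambda m: "\n" * m.group().count("\n"), source)
    return [n for n, line in enumerate(source.splitlines(), 1)
            if pattern.search(LINE_COMMENT.sub("", line))]

def find_double_checks(root):
    """Map relative path -> (require_login lines, admin_externalpage_setup lines)
    for each .php file under root that calls both functions."""
    hits = {}
    for path in sorted(Path(root).rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        login, setup = call_lines(text, LOGIN), call_lines(text, SETUP)
        if login and setup:
            hits[path.relative_to(root).as_posix()] = (login, setup)
    return hits

def build_sample_tree(root):
    """Write a small constructed tree (stubs, not real Moodle source)."""
    files = {
        "grade/edit/letter/index.php": "<?php\nrequire_once('../../../config.php');\n"
                                       "require_login();\n\nadmin_externalpage_setup('letters');\n",
        "admin/example_commented.php": "<?php\n// require_login();\n"
                                       "admin_externalpage_setup('example');\n",
        "lib/adminlib.php": "<?php\nfunction admin_externalpage_setup($section) {\n"
                            "    require_login();\n}\n",
    }
    for rel, body in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, (login, setup) in find_double_checks(tmp).items():
            print(f"{rel}: require_login at {login}, admin_externalpage_setup at {setup}")
```

A hit only marks a file for manual review; the testing steps above still decide whether a non-admin user is refused after the change.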

              Dates

              • Created:
                Updated:
                Resolved:
                Fix Release Date:
                3/Dec/18

                Time Tracking

                Estimated: 0m
                Remaining: 0m
                Logged: 4h