Moodle: MDL-30388

Site Admin > Blocks > Manage Blocks (Click on Block to get list of) > Show all/Next -- Fails and doesn't do pagination

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.1.2
    • Fix Version/s: 2.1.5, 2.2.2
    • Component/s: Administration
    • Labels:
    • Database:
      Any
    • Testing Instructions:
      1. Log in as admin
      2. On Site Admin panel go to Plugins > Blocks > Manage Blocks
      3. Click on link in "Instances" column > on blocks (with more than 30 instances)
      4. On top there are links called Show all or Next.
      5. Click on "Next" and you should see next page of results
      6. Click on "Show all" and you should see all the records. In addition you should see Page view link to view pages.
    • Workaround:
      Need to manually edit the URL to add the sesskey. Example:

      https://<URL>/course/search.php?search=&perpage=30&page=1

      should be:
      https://<URL>/course/search.php?search=&perpage=30&page=1&blocklist=7&sesskey=qLwJ2tcQYm

    • Affected Branches:
      MOODLE_21_STABLE
    • Fixed Branches:
      MOODLE_21_STABLE, MOODLE_22_STABLE
    • Pull Master Branch:
      wip-mdl-30388
    • Rank:
      33008

      Description

      When looking at the instances of blocks in either M1.9 or M2.x via the "Manage Blocks" screen you cannot get past the first page of results.

      There is a potential security issue according to one of our developer's reports. The page that displays the list of instances of blocks doesn't seem to check if the user is logged in before doing a huge query for the block instances. Report is as follows:

      I'm able to view that page without logging in. It seems like a security flaw since I'm not authorized and I can view the content, or refresh the page over and over putting a heavy load on the server while it tries to fetch 6,500 block records. I think I'm able to do this because the sesskey is in the URL.

      https://<URL>/course/search.php?search=&perpage=99999&blocklist=7&sesskey=qLwJ2tcQYm

      is the correct URL for showing all.

      Steps to reproduce
      M1.9:

      1. On Site Admin panel go to Modules > Manage Blocks
      2. Click on link in "Instances" column > on blocks with any instances (about 40+) there are links called Show all or Next.
      3. Click on either the "Show all" or "Next"
      4. Blank page with a search box

      M2.x:

      1. On Site Admin panel go to Plugins > Blocks > Manage Blocks
      2. Click on link in "Instances" column > on blocks with any instances (about 40+) there are links called Show all or Next.
      3. Click on either the "Show all" or "Next"
      4. Blank page with a search box
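
An added example (not part of the tracker issue or of Moodle's code): a log triage script that flags the request pattern the report describes, namely block-instance listings on `course/search.php` with an oversized `perpage`, a `sesskey` exposed in the URL, and repeated oversized requests from one client. The combined log format, the sample lines, the `EXAMPLEKEY` value and both thresholds are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2012:10:00:01 +0000] "GET /course/search.php?search=&perpage=99999&blocklist=7&sesskey=EXAMPLEKEY HTTP/1.1" 200 912345 "-" "curl/7.21"
203.0.113.5 - - [10/Feb/2012:10:00:02 +0000] "GET /course/search.php?search=&perpage=99999&blocklist=7&sesskey=EXAMPLEKEY HTTP/1.1" 200 912345 "-" "curl/7.21"
203.0.113.5 - - [10/Feb/2012:10:00:03 +0000] "GET /course/search.php?search=&perpage=99999&blocklist=7&sesskey=EXAMPLEKEY HTTP/1.1" 200 912345 "-" "curl/7.21"
198.51.100.9 - - [10/Feb/2012:10:01:00 +0000] "GET /course/search.php?search=&perpage=30&page=1&blocklist=7&sesskey=EXAMPLEKEY HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Feb/2012:10:02:00 +0000] "GET /course/search.php?search=math&perpage=10 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
not a log line
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) ')
MAX_PERPAGE = 100  # assumed ceiling for a sane page size
MAX_REPEATS = 2    # assumed per-client limit for oversized listings in one log window


def triage(log_text):
    """Return (line_number, client, reason) tuples; line 0 marks a per-client summary."""
    findings, oversized = [], Counter()
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, target, _status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/course/search.php"):
            continue
        qs = parse_qs(url.query, keep_blank_values=True)
        if "blocklist" not in qs:
            continue  # ordinary course search, not the block-instance listing
        if "sesskey" in qs:
            findings.append((lineno, client, "sesskey-in-url"))
        try:
            perpage = int(qs.get("perpage", ["0"])[0])
        except ValueError:
            perpage = MAX_PERPAGE + 1  # blank or non-numeric page size is flagged too
        if perpage > MAX_PERPAGE:
            findings.append((lineno, client, "oversized-perpage"))
            oversized[client] += 1
    for client, count in sorted(oversized.items()):
        if count > MAX_REPEATS:
            findings.append((0, client, "repeated-oversized-listing"))
    return findings
```

Access logs alone do not show whether a request was authenticated, so findings are leads to correlate with session data rather than proof of unauthenticated access.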

          Activity

          Rex Lorenzo created issue -
          Michael de Raadt made changes -
          Field Original Value New Value
          Security Could be a security issue [ 10030 ] Minor security issue [ 10001 ]
          Fix Version/s STABLE backlog [ 10463 ]
          Priority Minor [ 4 ] Major [ 3 ]
          Labels triaged
          Rajesh Taneja made changes -
          Fix Version/s STABLE Sprint 17 [ 11550 ]
          Fix Version/s STABLE backlog [ 10463 ]
          Rajesh Taneja made changes -
          Status Open [ 1 ] Development in progress [ 3 ]
          Rajesh Taneja made changes -
          Summary [original] Site Admin > Blocks > Manage Blocks (Click on Block to get list of) > Show all/Next -- Fails [new] Site Admin > Blocks > Manage Blocks (Click on Block to get list of) > Show all/Next -- Fails and doesn't do pagination
          Security Minor security issue [ 10001 ]
          Rajesh Taneja made changes -
          Pull Master Diff URL https://github.com/rajeshtaneja/moodle/compare/master...wip-mdl-30388
          Pull Master Branch wip-mdl-30388
          Testing Instructions [original] As site admin.

          M1.9:
          # On Site Admin panel go to Modules > Manage Blocks
          # Click on link in "Instances" column > on blocks with any instances (about 40+) there are links called Show all or Next.
          # Click on either the "Show all" or "Next"
          # Expected result is to see either all the instances or the next page of results
          # Actual result is a blank page with a search box

          M2.x:
          # On Site Admin panel go to Plugins > Blocks > Manage Blocks
          # Click on link in "Instances" column > on blocks with any instances (about 40+) there are links called Show all or Next.
          # Click on either the "Show all" or "Next"
          # Expected result is to see either all the instances or the next page of results
          # Actual result is a blank page with a search box

          Testing Instructions [new]
          # Log in as admin
          # On Site Admin panel go to Plugins > Blocks > Manage Blocks
          # Click on link in "Instances" column > on blocks (with more than 30 instances)
          # On top there are links called Show all or Next.
          # Click on "Next" and you should see next page of results
          # Click on "Show all" and you should see all the records. In addition you should see *Page view* link to view pages.

          Pull 2.2 Diff URL https://github.com/rajeshtaneja/moodle/compare/MOODLE_22_STABLE...wip-mdl-30388-m22
          Pull 2.1 Branch wip-mdl-30388-m21
          Pull 2.2 Branch wip-mdl-30388-m22
          Pull 2.1 Diff URL https://github.com/rajeshtaneja/moodle/compare/MOODLE_21_STABLE...wip-mdl-30388-m21
          Pull from Repository git://github.com/rajeshtaneja/moodle.git
          Rajesh Taneja made changes -
          Status Development in progress [ 3 ] Waiting for peer review [ 10012 ]
          Rajesh Taneja made changes -
          Original Estimate 0 minutes [ 0 ]
          Remaining Estimate 0 minutes [ 0 ]
          Status Waiting for peer review [ 10012 ] Peer review in progress [ 10013 ]
          Peer reviewer abgreeve
          Adrian Greeve made changes -
          Status Peer review in progress [ 10013 ] Development in progress [ 3 ]
          Rajesh Taneja made changes -
          Status Development in progress [ 3 ] Waiting for integration review [ 10010 ]
          Eloy Lafuente (stronk7) made changes -
          Currently in integration Yes [ 10041 ]
          Sam Hemelryk made changes -
          Status Waiting for integration review [ 10010 ] Integration review in progress [ 10004 ]
          Integrator samhemelryk
          Sam Hemelryk made changes -
          Status Integration review in progress [ 10004 ] Reopened [ 4 ]
          Rajesh Taneja made changes -
          Status Reopened [ 4 ] Development in progress [ 3 ]
          Rajesh Taneja made changes -
          Status Development in progress [ 3 ] Waiting for integration review [ 10010 ]
          Sam Hemelryk made changes -
          Status Waiting for integration review [ 10010 ] Integration review in progress [ 10004 ]
          Sam Hemelryk made changes -
          Status Integration review in progress [ 10004 ] Reopened [ 4 ]
          Rajesh Taneja made changes -
          Status Reopened [ 4 ] Waiting for integration review [ 10010 ]
          Sam Hemelryk made changes -
          Status Waiting for integration review [ 10010 ] Integration review in progress [ 10004 ]
          Sam Hemelryk made changes -
          Status Integration review in progress [ 10004 ] Waiting for testing [ 10005 ]
          Fix Version/s 2.1.5 [ 11553 ]
          Fix Version/s 2.2.2 [ 11552 ]
          Rossiani Wijaya made changes -
          Status Waiting for testing [ 10005 ] Testing in progress [ 10011 ]
          Tester rwijaya
          Rossiani Wijaya made changes -
          Link This issue testing discovered MDL-31640 [ MDL-31640 ]
          Rossiani Wijaya made changes -
          Status Testing in progress [ 10011 ] Tested [ 10006 ]
          Eloy Lafuente (stronk7) made changes -
          Status Tested [ 10006 ] Closed [ 6 ]
          Resolution Fixed [ 1 ]
          Currently in integration Yes [ 10041 ]
          Eloy Lafuente (stronk7) made changes -
          Integration date 17/Feb/12
          Dan Poltawski made changes -
          Link This issue is duplicated by MDL-18180 [ MDL-18180 ]
          Eloy Lafuente (stronk7) made changes -
          Fix Version/s STABLE Sprint 17 [ 11550 ]

            People

            • Votes: 0
            • Watchers: 2
