Moodle tracker: MDL-30469

Filepicker: Images used in forum posts can not be used later in 'Recent files'

    Details

    • Testing Instructions:

      1. Create a forum post and embed an image using the filepicker's 'Upload file'.
      2. Create another post, or use any editor on the site that supports HTML format and inserting images.
      3. In the filepicker select 'Recent files' and insert the image from step 1. The image must be successfully inserted in the editor field.
    • Affected Branches:
      MOODLE_20_STABLE, MOODLE_21_STABLE
    • Fixed Branches:
      MOODLE_20_STABLE, MOODLE_21_STABLE
    • Pull from Repository:
      git@github.com:marinaglancy/moodle.git

      Description

      Backporting MDL-30214 to previous Moodle versions.

      The forum module lacks the function forum_get_file_size(), which leads to error messages when trying to re-use images attached to forum posts via the filepicker's 'Recent files'.

              Activity

              skodak Petr Skoda added a comment -

              Hello, the patch is missing access control checks. Please make sure that the file info is returned only when user may access the actual forum post - see function forum_pluginfile(). The general vulnerability is that users may "steal" files from forums/threads they are not allowed to read.

              Please note the file_info design/implementation is not finished yet. I hope this will be given priority in the future and that either I or somebody else will do more on this.

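              The following is an illustrative forum_get_file_info() callback of the kind Petr asks for in the comment above and that the description's 'Recent files' failure needs: it is an added example written for this page, not the patch under review and not Moodle's own implementation. It assumes the Moodle 2.x file browser API (file_info_stored, get_file_storage(), is_enrolled(), is_viewing()), the forum helpers forum_get_file_areas() and forum_user_can_see_post(), and that the file browser has already resolved $cm and $context for a visible module. The point is that anything this callback returns is treated as accessible by the file browser, so every check forum_pluginfile() applies before serving a file must be applied again here; otherwise 'Recent files' becomes a way to read files from posts the user may not see.

```php
<?php
// Added example (not mod_forum's own code): a file_info callback that mirrors
// the access checks forum_pluginfile() performs before sending a file.
// Moodle 2.x core and forum APIs are assumed and referenced by their real names.

defined('MOODLE_INTERNAL') || die();

/**
 * Return file_info for a file in a forum post, or null when the current user
 * must not see it. The file browser, and through it the 'Recent files'
 * repository, calls this for every candidate file, so it has to be at least
 * as strict as forum_pluginfile().
 */
function forum_get_file_info($browser, $areas, $course, $cm, $context, $filearea, $itemid, $filepath, $filename) {
    global $CFG, $DB;

    // Forum post files only live in module contexts.
    if ($context->contextlevel != CONTEXT_MODULE) {
        return null;
    }

    // Reject any area the forum does not declare in forum_get_file_areas()
    // ('post' and 'attachment').
    if (!isset($areas[$filearea])) {
        return null;
    }

    // Same requirement as the require_course_login() call in forum_pluginfile(),
    // but returning null instead of redirecting: the browser expects a value.
    if (!is_enrolled($context) && !is_viewing($context)) {
        return null;
    }

    // Post files are keyed by post id; without one there is nothing to browse.
    if (empty($itemid)) {
        return null;
    }

    // Resolve the post, its discussion and the forum; an unknown post is simply absent.
    if (!$post = $DB->get_record('forum_posts', array('id' => $itemid))) {
        return null;
    }
    if (!$discussion = $DB->get_record('forum_discussions', array('id' => $post->discussion))) {
        return null;
    }
    if (!$forum = $DB->get_record('forum', array('id' => $cm->instance))) {
        return null;
    }
    // Defensive: the post must belong to this forum, so a post id taken from
    // another forum cannot be evaluated against this context's permissions.
    if ($discussion->forum != $forum->id) {
        return null;
    }

    // Separate groups: only group members, or users who may access all groups.
    if ($discussion->groupid > 0 && groups_get_activity_groupmode($cm, $course) == SEPARATEGROUPS) {
        if (!groups_is_member($discussion->groupid) && !has_capability('moodle/site:accessallgroups', $context)) {
            return null;
        }
    }

    // Post-level visibility (timed discussions, Q&A forums, and so on), exactly
    // the check forum_pluginfile() makes before send_stored_file().
    if (!forum_user_can_see_post($forum, $discussion, $post, null, $cm)) {
        return null;
    }

    // Only now look the file up; a null here just means "no such file".
    $fs = get_file_storage();
    $filepath = is_null($filepath) ? '/' : $filepath;
    $filename = is_null($filename) ? '.' : $filename;
    if (!$storedfile = $fs->get_file($context->id, 'mod_forum', $filearea, $itemid, $filepath, $filename)) {
        return null;
    }

    // Read access only: post files are edited through the forum UI, not the browser.
    $urlbase = $CFG->wwwroot . '/pluginfile.php';
    return new file_info_stored($browser, $context, $storedfile, $urlbase, $areas[$filearea], true, true, false, false);
}
```

              The ordering matters: the database lookups and visibility checks run before the file is even fetched, and every failure path returns null rather than throwing, because the file browser iterates over many files and treats an exception as a fatal error instead of "not visible". The discussion-to-forum check is an extra guard this example adds; the remaining checks are the ones forum_pluginfile() already enforces, which is why Petr's comment points there.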
              salvetore Michael de Raadt added a comment -

              Thanks for working on this, Marina and Petr.

              nebgor Aparup Banerjee added a comment -

              Hi Marina,
              you need to update the patches here with the permission checks (like those implemented for MDL-30214).

              marina Marina Glancy added a comment -

              Included the permission checks and re-committed.

              samhemelryk Sam Hemelryk added a comment -

              Thanks Marina, this has been integrated now.

              samhemelryk Sam Hemelryk added a comment -

              Tested during integration.

              stronk7 Eloy Lafuente (stronk7) added a comment -

              Sent upstream! Just in time for Moodle 2.2rc1 (if related), yay!

              Closing and big thanks!


                People

                • Votes: 0
                  Watchers: 1

                  Dates

                  • Fix Release Date: 9/Jan/12