Moodle
MDL-30469

Filepicker: Images used in forum posts can not be used later in 'Recent files'

    Details

    • Testing Instructions:

      1. Create a forum post and embed an image using the filepicker's 'Upload file'
      2. Create another post, or use any editor on the site that supports HTML format and inserting images
      3. In the filepicker select 'Recent files' and insert the image from step 1. The image must be successfully inserted in the editor field

    • Affected Branches:
      MOODLE_20_STABLE, MOODLE_21_STABLE
    • Fixed Branches:
      MOODLE_20_STABLE, MOODLE_21_STABLE
    • Pull from Repository:
      git@github.com:marinaglancy/moodle.git
    • Rank:
      33139

      Description

      Backporting MDL-30214 to previous Moodle versions.

      Forum lacks the function forum_get_file_size(), which leads to error messages when trying to re-use images attached to forum posts via the filepicker's 'Recent files'.

          Activity

          Petr Škoda added a comment -

          Hello, the patch is missing access control checks. Please make sure that the file info is returned only when the user may access the actual forum post - see function forum_pluginfile(). The general vulnerability is that users may "steal" files from forums/threads they are not allowed to read.

          Please note the file_info design/implementation is not finished yet; I hope this will be given priority in the future and either I or somebody else will work more on this.

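          The check Petr asks for, as an added illustration that is neither Marina's patch nor Moodle's own code: a file-browser lookup that resolves post, discussion and forum and returns file info only once the caller is confirmed able to see the post, the same chain forum_pluginfile() walks. The function name, its parameter shape and the file_info_stored constructor call are assumptions.

```php
<?php
// Added illustration, not Moodle's own code: file-browser lookup for a forum
// post file that returns file info only after the post-visibility check that
// forum_pluginfile() also performs. Function name and parameters are assumed.
defined('MOODLE_INTERNAL') || die();

function forum_recentfiles_file_info_checked(file_browser $browser, $cm, $context,
        $filearea, $itemid, $filepath, $filename) {
    global $CFG, $DB, $USER;

    // Only the two areas that hold post images and attachments are browseable.
    if (!in_array($filearea, array('post', 'attachment'), true)) {
        return null;
    }

    // Resolve post -> discussion -> forum; a missing record means no file info.
    // $itemid is the id of the forum post that owns the file.
    if (!$post = $DB->get_record('forum_posts', array('id' => $itemid))) {
        return null;
    }
    if (!$discussion = $DB->get_record('forum_discussions', array('id' => $post->discussion))) {
        return null;
    }
    if ($discussion->forum != $cm->instance) {
        return null; // post does not belong to the forum this context refers to
    }
    if (!$forum = $DB->get_record('forum', array('id' => $cm->instance))) {
        return null;
    }

    // The access-control check the review asks for: the file belongs to the
    // post, so the caller must be allowed to see the post itself. Without it,
    // 'Recent files' would hand out images from threads the user cannot read.
    if (!forum_user_can_see_post($forum, $discussion, $post, $USER, $cm)) {
        return null;
    }

    $fs = get_file_storage();
    $file = $fs->get_file($context->id, 'mod_forum', $filearea, $itemid, $filepath, $filename);
    if (!$file) {
        return null;
    }

    // Read-only entry: the browser may list and copy the file, never modify the post.
    $urlbase = $CFG->wwwroot . '/pluginfile.php';
    return new file_info_stored($browser, $context, $file, $urlbase, $filearea, true, true, false, false);
}
```

          Returning null for a missing record and for a denied read keeps the two cases indistinguishable to the caller, so the browser cannot be used to probe which post ids exist.
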
          Michael de Raadt added a comment -

          Thanks for working on this, Marina and Petr.

          Aparup Banerjee added a comment -

          Hi Marina,
          you need to update the patches here with the permission checks (as implemented for MDL-30214)

          Marina Glancy added a comment -

          Included permission checks and re-committed

          Sam Hemelryk added a comment -

          Thanks Marina, this has been integrated now

          Sam Hemelryk added a comment -

          Tested during integration

          Eloy Lafuente (stronk7) added a comment -

          Sent upstream! Just in time for Moodle 2.2rc1 (if related), yay!

          Closing and big thanks!
