Moodle Tracker: MDL-30469

Filepicker: Images used in forum posts cannot be used later in 'Recent files'

Details

  • Testing Instructions:
    1. Create a forum post and embed an image using the filepicker's 'Upload file'
    2. Create another post, or use any editor on the site that supports HTML format and inserting images
    3. In the filepicker select 'Recent files' and insert the image from step 1. The image must be successfully inserted in the editor field
  • Affected Branches: MOODLE_20_STABLE, MOODLE_21_STABLE
  • Fixed Branches: MOODLE_20_STABLE, MOODLE_21_STABLE
  • Pull from Repository: git@github.com:marinaglancy/moodle.git

Description

Backporting MDL-30214 to previous Moodle versions.

Forum lacks the function forum_get_file_size(), which leads to error messages when trying to re-use images attached to forum posts via the filepicker's 'Recent files'.

Activity

Petr Skoda added a comment -

Hello, the patch is missing access control checks. Please make sure that the file info is returned only when the user may access the actual forum post - see function forum_pluginfile(). The general vulnerability is that users may "steal" files from forums/threads they are not allowed to read.

Please note the file_info design/implementation is not finished yet; I hope this will be given priority in the future and either I or somebody else will work more on this.
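As an added example that is not part of this issue or Marina's patch, this is the shape of the post-level access check Petr asks for, written against the Moodle 2.x file API: file info for a forum attachment is returned only after the same post -> discussion -> forum visibility chain that forum_pluginfile() walks. The function name forum_get_file_info_checked and its parameter list are assumed to follow the file-browser callback convention; file_info_stored, get_file_storage(), has_capability() and forum_user_can_see_post() are existing Moodle APIs.

```php
<?php
// Added illustration, not the patch attached to this issue: a file-browser callback
// for forum post attachments that refuses to return file info unless the user may
// see the post, mirroring the checks forum_pluginfile() performs before serving a file.
// Assumes the Moodle 2.x APIs file_info_stored, get_file_storage(), has_capability()
// and forum_user_can_see_post(); the function name itself is hypothetical.
function forum_get_file_info_checked($browser, $areas, $course, $cm, $context,
                                     $filearea, $itemid, $filepath, $filename) {
    global $CFG, $DB;

    if ($context->contextlevel != CONTEXT_MODULE || !isset($areas[$filearea])) {
        return null;
    }
    // Without a post id there is no post to authorise against, so do not expose
    // the whole file area for browsing.
    if (is_null($itemid)) {
        return null;
    }
    // Activity-level capability first.
    if (!has_capability('mod/forum:viewdiscussion', $context)) {
        return null;
    }
    // Walk post -> discussion -> forum, exactly what the file-serving path does,
    // and apply the post-level visibility rules (groups, timed posts, Q&A forums).
    if (!$post = $DB->get_record('forum_posts', array('id' => $itemid))) {
        return null;
    }
    if (!$discussion = $DB->get_record('forum_discussions', array('id' => $post->discussion))) {
        return null;
    }
    if (!$forum = $DB->get_record('forum', array('id' => $cm->instance))) {
        return null;
    }
    if (!forum_user_can_see_post($forum, $discussion, $post, null, $cm)) {
        return null;
    }

    $fs = get_file_storage();
    $filepath = is_null($filepath) ? '/' : $filepath;
    $filename = is_null($filename) ? '.' : $filename;
    $storedfile = $fs->get_file($context->id, 'mod_forum', $filearea, $itemid, $filepath, $filename);
    if (!$storedfile) {
        return null;
    }
    // Only reached after the access check passed: this file info object is what the
    // filepicker's 'Recent files' listing is built from.
    $urlbase = $CFG->wwwroot . '/pluginfile.php';
    return new file_info_stored($browser, $context, $storedfile, $urlbase, $itemid,
                                true, true, false, false);
}
```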
Michael de Raadt added a comment -

Thanks for working on this, Marina and Petr.
Aparup Banerjee added a comment -

Hi Marina,
you need to update the patches here with the permission checks (like those implemented for MDL-30214).
Marina Glancy added a comment -

Included permission checks and re-committed.
Sam Hemelryk added a comment -

Thanks Marina, this has been integrated now.
Sam Hemelryk added a comment -

Tested during integration.
Eloy Lafuente (stronk7) added a comment -

Sent upstream! Just in time for Moodle 2.2rc1 (if related), yay!

Closing and big thanks!
