Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-32774

Assignment upgrade tool lacks sesskey protection

    XMLWordPrintable

Details

    • Bug
    • Status: Closed
    • Minor
    • Resolution: Fixed
    • 2.3
    • 2.3
    • Assignment
    • MOODLE_23_STABLE
    • MOODLE_23_STABLE
    • MDL-32774-CLEAN
    • Hide

      Attempt to access a URL of the form: /admin/tool/assignmentupgrade/upgradesingle.php?id=XXX&confirm=1 where XXX is the course module id of an instance of the old assignment.

      Success: An error is shown: "A required parameter (sesskey) was missing"
      Error: The assignment upgrades.

      Show
      Attempt to access a URL of the form: /admin/tool/assignmentupgrade/upgradesingle.php?id=XXX&confirm=1 where XXX is the course module id of an instance of the old assignment. Success: An error is shown: "A required parameter (sesskey) was missing" Error: The assignment upgrades.

    Description

      All URLs in the admin/tool/assignmentupgrade plugin should require the sesskey in the URL.

      The files that require protection are:

      upgradesingle.php
      upgradesingleconfirm.php
      batchupgrade.php
      and listnotupgraded.php (when one of the optional parameters "upgradeall" or "selectedassignments" is set)

      Attachments

        Issue Links

          Testing discovered

          Sub-task - Issues are sometimes broken into multiple sub-tasks. MDL-31270 New assignment module to replace all existing subtypes

          • Minor - Minor loss of function where workaround is possible
          • Closed

          Activity

            People

              damyon Damyon Wiese
              damyon Damyon Wiese
              Dan Poltawski Dan Poltawski
              Adrian Greeve Adrian Greeve
              Adrian Greeve, Ilya Tregubov, Kevin Percy, Mathew May, Mihail Geshoski, Shamim Rezaie
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:
                25/Jun/12