Moodle / MDL-32774

Assignment upgrade tool lacks sesskey protection

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.3
    • Fix Version/s: 2.3
    • Component/s: Assignment
    • Labels:
    • Testing Instructions:
      Attempt to access a URL of the form: /admin/tool/assignmentupgrade/upgradesingle.php?id=XXX&confirm=1 where XXX is the course module id of an instance of the old assignment.

      Success: An error is shown: "A required parameter (sesskey) was missing"
      Error: The assignment upgrades.

    • Affected Branches:
      MOODLE_23_STABLE
    • Fixed Branches:
      MOODLE_23_STABLE
    • Pull Master Branch:
      MDL-32774-CLEAN
    • Rank:
      39771

      Description

      All URLs in the admin/tool/assignmentupgrade plugin should require the sesskey in the URL.

      The files that require protection are:

      upgradesingle.php
      upgradesingleconfirm.php
      batchupgrade.php
      and listnotupgraded.php (when one of the optional parameters "upgradeall" or "selectedassignments" is set)
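
The rule in the description, modelled as a stand-alone PHP script (an added example, not code from Moodle or from the patch). The function names, request arrays, session layout and the "invalid sesskey" message are assumptions; the file names, parameter names and the missing-parameter message come from this issue.

```php
<?php
// Added illustration: a stand-alone model of the rule in this issue, not Moodle code.
// Function names, the session layout and the sample requests are hypothetical.

// Pages that always change state, and the page that does so only for some parameters.
const ALWAYS_PROTECTED = ['upgradesingle.php', 'upgradesingleconfirm.php', 'batchupgrade.php'];
const CONDITIONAL = ['listnotupgraded.php' => ['upgradeall', 'selectedassignments']];

// True when this request would change state and so must carry the session key.
function needs_sesskey(string $script, array $params): bool {
    if (in_array($script, ALWAYS_PROTECTED, true)) {
        return true;
    }
    foreach (CONDITIONAL[$script] ?? [] as $name) {
        if (array_key_exists($name, $params)) {
            return true;
        }
    }
    return false;
}

// Returns the outcome the page would produce for one request.
function handle(string $script, array $params, array $session): string {
    if (!needs_sesskey($script, $params)) {
        return 'page displayed';
    }
    if (!isset($params['sesskey']) || !is_string($params['sesskey'])) {
        return 'error: A required parameter (sesskey) was missing';
    }
    // Constant-time comparison against the key bound to this session.
    if (!hash_equals($session['sesskey'], $params['sesskey'])) {
        return 'error: invalid sesskey'; // assumed wording
    }
    return 'action performed';
}

// Constructed sample requests: no key, wrong key, correct key, plain listing, bulk action.
$session = ['sesskey' => bin2hex(random_bytes(8))];
$requests = [
    ['upgradesingle.php', ['id' => '42', 'confirm' => '1']],
    ['upgradesingle.php', ['id' => '42', 'confirm' => '1', 'sesskey' => 'guessed']],
    ['upgradesingle.php', ['id' => '42', 'confirm' => '1', 'sesskey' => $session['sesskey']]],
    ['listnotupgraded.php', []],
    ['listnotupgraded.php', ['upgradeall' => '1']],
];
foreach ($requests as [$script, $params]) {
    printf("%-20s %-45s => %s\n", $script, http_build_query($params), handle($script, $params, $session));
}
```

Only the third request performs the upgrade; the plain listnotupgraded.php listing stays reachable without a key because it changes nothing.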

          Activity

          Damyon Wiese added a comment - edited

          Reported by Dan Poltawski (see comments in linked ticket)

          Dan Poltawski added a comment -

          Submitting for integration review.

          Damyon Wiese added a comment -

          Hi Dan, as per a couple of other tickets - I have cherry-picked this onto my master branch and updated the git diff URL.

          Damyon Wiese added a comment -

          Updated to sit on separate branch based on moodle master branch.

          Dan Poltawski added a comment -

          Integrated, thanks

          Adrian Greeve added a comment -

          Checked pre and post patch. Attempting to access the URL of the form for upgrading an old assignment type does now show an error message saying that a required parameter (sesskey) is missing.
          Thanks.

          Eloy Lafuente (stronk7) added a comment -

          This is now part of Moodle and a few million people around the globe will be using it soon. Isn't that awesome?

          Many, many thanks and don't forget http://youtu.be/4N7dPaP5Z8U

          Closing, ciao

