Moodle / MDL-32774

Assignment upgrade tool lacks sesskey protection

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.3
    • Fix Version/s: 2.3
    • Component/s: Assignment
    • Labels:
    • Testing Instructions:
      Attempt to access a URL of the form: /admin/tool/assignmentupgrade/upgradesingle.php?id=XXX&confirm=1 where XXX is the course module id of an instance of the old assignment.

      Success: An error is shown: "A required parameter (sesskey) was missing"
      Error: The assignment upgrades.

    • Affected Branches:
      MOODLE_23_STABLE
    • Fixed Branches:
      MOODLE_23_STABLE
    • Pull Master Branch:
      MDL-32774-CLEAN

      Description

      All URLs in the admin/tool/assignmentupgrade plugin should require the sesskey in the URL.

      The files that require protection are:

      upgradesingle.php
      upgradesingleconfirm.php
      batchupgrade.php
      and listnotupgraded.php (when one of the optional parameters "upgradeall" or "selectedassignments" is set)
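
The check the description asks for, as an added example: a stand-alone PHP model, not Moodle's code and not the patch from this issue. The function names, the sample requests and the wording of the invalid-token message are assumptions made for illustration; only the missing-parameter message comes from the testing instructions.

```php
<?php
// Added example: stand-alone model of a sesskey check; all names are hypothetical.
function model_sesskey(array &$session): string {
    if (empty($session['sesskey'])) {
        $session['sesskey'] = bin2hex(random_bytes(16)); // one random token per session
    }
    return $session['sesskey'];
}

function model_require_sesskey(array $params, array &$session): void {
    if (!isset($params['sesskey'])) {
        throw new RuntimeException('A required parameter (sesskey) was missing');
    }
    // Constant-time comparison against the token bound to this session.
    if (!is_string($params['sesskey'])
            || !hash_equals(model_sesskey($session), $params['sesskey'])) {
        throw new RuntimeException('sesskey does not match this session');
    }
}

function handle_upgradesingle(array $params, array &$session, array &$upgraded): string {
    model_require_sesskey($params, $session); // runs before any state change
    $upgraded[] = (int) ($params['id'] ?? 0);
    return 'upgraded';
}

function handle_listnotupgraded(array $params, array &$session): string {
    // The plain listing is read-only; the two optional parameters start an upgrade.
    if (isset($params['upgradeall']) || isset($params['selectedassignments'])) {
        model_require_sesskey($params, $session);
        return 'batch upgrade accepted';
    }
    return 'listing shown';
}

// Constructed sample requests against one session.
$session = []; $upgraded = [];
$token = model_sesskey($session);
$cases = [
    'no sesskey'    => ['id' => '42', 'confirm' => '1'],
    'wrong sesskey' => ['id' => '42', 'confirm' => '1', 'sesskey' => str_repeat('0', 32)],
    'valid sesskey' => ['id' => '42', 'confirm' => '1', 'sesskey' => $token],
];
foreach ($cases as $label => $params) {
    try { $out = handle_upgradesingle($params, $session, $upgraded); }
    catch (RuntimeException $e) { $out = 'rejected: ' . $e->getMessage(); }
    echo "$label: $out\n";
}
echo handle_listnotupgraded([], $session), '; upgraded ids: ', implode(',', $upgraded), "\n";
```

Only the request carrying the session's own token reaches the upgrade step, and the listing without optional parameters stays reachable without a token.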

            Activity

            damyon Damyon Wiese added a comment - - edited

            Reported by Dan Poltawski (see comments in linked ticket)

            poltawski Dan Poltawski added a comment -

            Submitting for integration review.

            damyon Damyon Wiese added a comment -

            Hi Dan, as per a couple of other tickets - I have cherry-picked this onto my master branch and updated the git diff URL.

            damyon Damyon Wiese added a comment -

            Updated to sit on separate branch based on moodle master branch.

            poltawski Dan Poltawski added a comment -

            Integrated, thanks

            abgreeve Adrian Greeve added a comment -

            Checked pre and post patch. Attempting to access the URL of the form for upgrading an old assignment type does now show an error message saying that a required parameter (sesskey) is missing.
            Thanks.

            stronk7 Eloy Lafuente (stronk7) added a comment -

            This is now part of Moodle and a few million people around the globe will be using it soon. Isn't that awesome?

            Many, many thanks and don't forget http://youtu.be/4N7dPaP5Z8U

            Closing, ciao


                Dates

                • Created:
                  Updated:
                  Resolved:
                  Fix Release Date: 25/Jun/12