  1. Moodle
  2. MDL-37243

Comments API doesn't store or validate component

Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Duplicate
    • 2.2.6, 2.3.3, 2.4.1
    • None
    • Comments
    • MOODLE_22_STABLE, MOODLE_23_STABLE, MOODLE_24_STABLE
    • 40

    Description

      The comments DB table doesn't have a component in it, only a comment area:

      moodle=# select * from m24_comments;
       id | contextid |  commentarea   | itemid | content | format | userid | timecreated 
      ----+-----------+----------------+--------+---------+--------+--------+-------------
        2 |        15 | page_comments  |      0 | test    |      0 |      2 |  1355903721
        3 |        15 | page_comments  |      0 | Blah!   |      0 |      2 |  1355966525
        4 |        34 | database_entry |      2 | test    |      0 |      2 |  1355967009
      (3 rows)
      

      As far as I can see, there is no way to get from that commentarea back to a component, and therefore there is no way to validate the permissions. See for example:

          private function check_permissions() {
              $this->postcap = has_capability('moodle/comment:post', $this->context);
              $this->viewcap = has_capability('moodle/comment:view', $this->context);
              if (!empty($this->plugintype)) {
                  $permissions = plugin_callback($this->plugintype, $this->pluginname, 'comment', 'permissions', array($this->comment_param), array('post'=>false, 'view'=>false));
                  $this->postcap = $this->postcap && $permissions['post'];
                  $this->viewcap = $this->viewcap && $permissions['view'];
              }
          }
      

      It looks to me that this plugintype only comes from the HTML and is not validated at all. So, for example, you could switch the validation for a mod_assign comment to block_comment validation. You could probably also manipulate the HTML to view other people's comments.
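
The check this report asks for, as an added example that is not part of the original issue or Moodle's code: the component is stored with each comment, and the permission callback is chosen from the stored row, not from the request. The `component` column, its values, the callback table and all function names are assumptions made for illustration.

```php
<?php
// Added illustration. All names are hypothetical; this is not Moodle's API.

// Constructed rows: two rows from the table above plus an assumed 'component' column.
$comments = [
    2 => ['contextid' => 15, 'component' => 'block_comments', 'commentarea' => 'page_comments',  'itemid' => 0],
    4 => ['contextid' => 34, 'component' => 'mod_data',       'commentarea' => 'database_entry', 'itemid' => 2],
];

// Stand-ins for each plugin's permission callback (constructed behaviour).
$callbacks = [
    'block_comments' => function (array $p): array { return ['post' => true,  'view' => true]; },
    'mod_data'       => function (array $p): array { return ['post' => false, 'view' => true]; },
];

const DENY = ['post' => false, 'view' => false];

// Before: the callback is selected by a component name taken from the request.
function permissions_trusting_request(array $request, array $callbacks): array {
    $callback = $callbacks[$request['component']] ?? null;
    return $callback ? $callback($request) : DENY;
}

// After: the component is read from the stored row, and every identifying
// field in the request must match that row before any callback runs.
function permissions_from_record(array $request, array $comments, array $callbacks): array {
    $row = $comments[$request['commentid'] ?? -1] ?? null;
    if ($row === null) {
        return DENY;
    }
    foreach (['contextid', 'component', 'commentarea', 'itemid'] as $field) {
        if (!isset($request[$field]) || (string) $request[$field] !== (string) $row[$field]) {
            return DENY;
        }
    }
    $callback = $callbacks[$row['component']] ?? null;
    return $callback ? $callback($row) : DENY;
}

// Constructed request: comment 4 belongs to mod_data, but the form names another component.
$mismatched = ['commentid' => 4, 'contextid' => '34', 'component' => 'block_comments',
               'commentarea' => 'database_entry', 'itemid' => '2'];
$consistent = ['component' => 'mod_data'] + $mismatched;

echo json_encode(permissions_trusting_request($mismatched, $callbacks)), "\n";      // answered by the wrong plugin's callback
echo json_encode(permissions_from_record($mismatched, $comments, $callbacks)), "\n"; // request disagrees with the stored row
echo json_encode(permissions_from_record($consistent, $comments, $callbacks)), "\n"; // answered by the owning plugin's callback
```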

            People

              Unassigned Unassigned
              poltawski Dan Poltawski
              Amaia Anabitarte, Bas Brands, Carlos Escobedo, Laurent David, Raquel Ortega, Sabina Abellan, Sara Arjona (@sarjona)