  1. Moodle
  2. MDL-37243

Comments API doesn't store or validate component

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 2.2.6, 2.3.3, 2.4.1
    • Fix Version/s: None
    • Component/s: Comments
    • Labels:
    • Affected Branches:
      MOODLE_22_STABLE, MOODLE_23_STABLE, MOODLE_24_STABLE
    • Story Points:
      40

      Description

      The comments DB table doesn't have a component in it, only a comment area:

      moodle=# select * from m24_comments;
       id | contextid |  commentarea   | itemid | content | format | userid | timecreated 
      ----+-----------+----------------+--------+---------+--------+--------+-------------
        2 |        15 | page_comments  |      0 | test    |      0 |      2 |  1355903721
        3 |        15 | page_comments  |      0 | Blah!   |      0 |      2 |  1355966525
        4 |        34 | database_entry |      2 | test    |      0 |      2 |  1355967009
      (3 rows)
      

      As far as I can see, there is no way to get from that commentarea back to a component, therefore there is no way to validate the permissions. See for example:

      private function check_permissions() {
          $this->postcap = has_capability('moodle/comment:post', $this->context);
          $this->viewcap = has_capability('moodle/comment:view', $this->context);
          if (!empty($this->plugintype)) {
              $permissions = plugin_callback($this->plugintype, $this->pluginname, 'comment', 'permissions', array($this->comment_param), array('post'=>false, 'view'=>false));
              $this->postcap = $this->postcap && $permissions['post'];
              $this->viewcap = $this->viewcap && $permissions['view'];
          }
      }
      

      It looks to me that this plugintype only comes from the HTML and is not validated at all. So for example you could switch the validation for a mod_assign comment to block_comment validation. You could probably also manipulate the HTML to view other people's comments.
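
The check the description finds missing, as an added sketch that is not Moodle code and not part of the original report: the owning component is resolved from server-side data for (contextid, commentarea), and a request naming a different component is refused. The owner map, permission values and function names are hypothetical and constructed for illustration.

```php
<?php
// Added illustration, not Moodle code. All names and values are hypothetical.

// Constructed server-side record of which component owns each comment area,
// keyed by context id. The comments table in the report has no such column.
const AREA_OWNERS = [
    15 => ['page_comments'  => 'block_comments'],
    34 => ['database_entry' => 'mod_data'],
];

// Constructed per-component answers, standing in for the plugin's
// comment 'permissions' callback that check_permissions() invokes.
const COMPONENT_PERMISSIONS = [
    'block_comments' => ['post' => true,  'view' => true],
    'mod_data'       => ['post' => false, 'view' => true],
];

function component_permissions(string $component): array {
    // Unknown component: deny, like the callback default in the report.
    return COMPONENT_PERMISSIONS[$component] ?? ['post' => false, 'view' => false];
}

// Pattern described in the report: the component named in the request
// decides which permission callback is consulted.
function permissions_unvalidated(array $request): array {
    return component_permissions($request['component']);
}

// Hardened pattern: the owner comes from server-side data and the
// client-supplied component must match it, otherwise the request fails.
function permissions_validated(array $request): array {
    $owner = AREA_OWNERS[$request['contextid']][$request['commentarea']] ?? null;
    if ($owner === null || $owner !== $request['component']) {
        throw new InvalidArgumentException('component does not match comment area');
    }
    return component_permissions($owner);
}

// Constructed request: a database_entry area submitted under another component's name.
$request = ['contextid' => 34, 'commentarea' => 'database_entry', 'component' => 'block_comments'];

// Unvalidated path answers with the permissions of the component named by the client.
var_dump(permissions_unvalidated($request));

try {
    permissions_validated($request);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```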
