Moodle / MDL-47474

Incorrect permission check in calendar export


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.8
    • Fix Version/s: 2.7.3
    • Component/s: Calendar
    • Labels:
    • Testing Instructions:
      • Create a course, and one user enrolled as teacher. Log in as this user.
      • Create an assignment in the course with default due date (i.e. one week in the future).
      • Add a conditional availability rule for the assignment - access allowed only from a date 1 month in the future.
      • Go to the course calendar.
      • VERIFY: Assignment due date is shown in the calendar.
      • Click "Export calendar". Select "Recent and next 60 days". Click "Get calendar URL".
      • Copy the resulting URL to the clipboard.
      • Open the URL in a web browser **while not logged in to Moodle** (close and re-open browser, or open a "private window" e.g. in Firefox.)
      • VERIFY: Calendar export file contains one event (the due date of the assignment).
    • Affected Branches:
      MOODLE_28_STABLE
    • Fixed Branches:
      MOODLE_27_STABLE
    • Pull Master Branch:

      Description

      If a calendar export is called while not logged in to Moodle (authentication via auth token), then the code in calendar/export_execute.php near line 178 checks the permissions of the guest user rather than those of the intended user passed in the URL.

      (Will add test case that makes the issue clear. Will also add a patch in a moment.)
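
The mismatch the description reports, as an added illustration that is not Moodle's code or the patch for this issue: a token-authenticated export runs with no logged-in session, so a visibility check against the session user is made as guest instead of as the user named in the URL. Every name here (`user_can_see`, `token_for`, `export_events`, the HMAC token scheme, the sample ids) is hypothetical and the data is constructed.

```php
<?php
// Added illustration; not Moodle code. All names and data are hypothetical.

const GUEST_ID = 0;                              // user id of the anonymous session

// Constructed sample data: user 7 is a teacher who may see restricted activities.
$canviewrestricted = [7 => true];
$events = [
    ['name' => 'Assignment due', 'restricted' => true],
    ['name' => 'Site event',     'restricted' => false],
];

// Stand-in for a permission/availability check that takes an explicit user id.
function user_can_see(array $event, int $userid, array $canviewrestricted): bool {
    return !$event['restricted'] || !empty($canviewrestricted[$userid]);
}

// Stand-in token: binds the request to $userid without creating a session.
function token_for(int $userid, string $secret): string {
    return hash_hmac('sha256', (string)$userid, $secret);
}

function export_events(array $events, int $userid, string $token, string $secret,
                       array $canviewrestricted, bool $buggy): array {
    if (!hash_equals(token_for($userid, $secret), $token)) {
        return [];                               // invalid token: export nothing
    }
    $sessionuser = GUEST_ID;                     // nobody is logged in on this request
    // Buggy: filter as the session user. Fixed: filter as the token's user.
    $subject = $buggy ? $sessionuser : $userid;
    $out = [];
    foreach ($events as $event) {
        if (user_can_see($event, $subject, $canviewrestricted)) {
            $out[] = $event['name'];
        }
    }
    return $out;
}

$secret = 'constructed-secret';
$token  = token_for(7, $secret);
// The buggy call filters as guest and omits the restricted assignment event;
// the fixed call filters as user 7 and includes it.
print_r(export_events($events, 7, $token, $secret, $canviewrestricted, true));
print_r(export_events($events, 7, $token, $secret, $canviewrestricted, false));
```

The same mismatch can cut the other way in any token-authenticated endpoint: if the session principal holds more rights than the token's user, filtering by the session discloses data instead of hiding it.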

              People

              Assignee:
              bostelm Henning Bostelmann
              Reporter:
              bostelm Henning Bostelmann
              Peer reviewer:
              Dan Poltawski
              Integrator:
              Sam Hemelryk
              Tester:
              Mark Nelson
              Participants:
              Component watchers:
              Andrew Nicols, Dongsheng Cai, Huong Nguyen, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze

                Dates

                Created:
                Updated:
                Resolved:
                Fix Release Date:
                10/Nov/14