MDL-49902: mod_forum_view_forum external function misses capabilities check


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 2.9
    • Fix Version/s: 2.9
    • Component/s: Forum, Web Services
    • Labels:
    • Testing Instructions:
      1. As admin or teacher, create a forum activity inside a course
      2. Open the forum and go to the permissions settings via the Administration block
      3. Remove Student from the list of allowed roles for capability View discussions (mod/forum:viewdiscussion)
      4. As admin, enable "Mobile services": Plugins ► Web Services ► Mobile
      5. Create a Token for a user:
        • Click on Site administration ► Plugins ► Web services ► Manage tokens
      6. Enrol the user you created the token for as student in the course with the forum
      7. Next, do a curl REST call as that user, simulating a web service client.
        • You need to replace the wstoken, the forumid (the forum instance id) and the URL of your Moodle instance

          curl 'http://localhost/m/stable_master/webservice/rest/server.php?moodlewsrestformat=json' --data 'forumid=4&wsfunction=mod_forum_view_forum&wstoken=a70d553bbaf6d9b260a9e5c701b3c46e'

          Note: you can use jsonlint.com to validate and format the returned JSON string, or append "| python -m json.tool" to the command to format its output automatically.

      8. Confirm that
        • The json returned contains an exception: errorcode = noviewdiscussionspermission
    • Affected Branches:
      MOODLE_29_STABLE
    • Fixed Branches:
      MOODLE_29_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-49902-master

      Description

      When I was implementing new external functions (for 3.0) I noticed that I had missed adding capability checks to that new function (and also to mod_forum_view_forum_discussion).

      mod/forum/view.php and mod/forum/discuss.php check the mod/forum:viewdiscussion capability before doing the logging and triggering completion.

      I'm not marking this as a security bug since 2.9 is not yet released.
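The check this issue is about, shown as an added example of what a hardened external function looks like (an editor's illustration, not Moodle's own patch for MDL-49902). It assumes the Moodle 2.9 core helpers external_api, context_module, require_capability() and get_coursemodule_from_instance(), plus a forum_view() helper in mod/forum/lib.php that does the logging and completion work; the class name mod_forum_external_example is hypothetical.

```php
<?php
// Added example, not Moodle's own code: an external function that enforces
// mod/forum:viewdiscussion before it logs the view and triggers completion,
// mirroring what mod/forum/view.php does for the web UI.
defined('MOODLE_INTERNAL') || die();

require_once($CFG->libdir . '/externallib.php');
require_once($CFG->dirroot . '/mod/forum/lib.php');

class mod_forum_external_example extends external_api { // hypothetical class name

    public static function view_forum_parameters() {
        return new external_function_parameters(
            array('forumid' => new external_value(PARAM_INT, 'forum instance id'))
        );
    }

    public static function view_forum($forumid) {
        global $DB;

        // Type-check and clean the incoming parameters first.
        $params = self::validate_parameters(self::view_forum_parameters(),
            array('forumid' => $forumid));

        $forum  = $DB->get_record('forum', array('id' => $params['forumid']), '*', MUST_EXIST);
        $course = $DB->get_record('course', array('id' => $forum->course), '*', MUST_EXIST);
        $cm     = get_coursemodule_from_instance('forum', $forum->id, $course->id, false, MUST_EXIST);
        $context = context_module::instance($cm->id);

        // validate_context() enforces login and course/module access, but it
        // does NOT check forum-specific capabilities; that was the gap here.
        self::validate_context($context);

        // The missing check. Without it, any enrolled user could generate
        // "forum viewed" events and completion state for a forum whose
        // discussions they are not allowed to see. The last two arguments
        // make the thrown exception carry errorcode noviewdiscussionspermission
        // from the forum language file, which is what the test looks for.
        require_capability('mod/forum:viewdiscussion', $context, null, true,
            'noviewdiscussionspermission', 'forum');

        // Only now do the side effects: log event and mark completion viewed
        // (forum_view() assumed to live in mod/forum/lib.php).
        forum_view($forum, $course, $cm, $context);

        return array('status' => true, 'warnings' => array());
    }

    public static function view_forum_returns() {
        return new external_single_structure(
            array(
                'status'   => new external_value(PARAM_BOOL, 'true on success'),
                'warnings' => new external_warnings()
            )
        );
    }
}
```

The ordering matters: parameter validation, then context validation, then the capability check, and only then any state-changing call. A web service function is a separate entry point from view.php, so every capability the page-based code enforces has to be repeated in the external function; validate_context() alone is not enough.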


                Dates

                • Fix Release Date: 11/May/15