[MDL-49902] mod_forum_view_forum external function misses capabilities check - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Blocker
Resolution: Fixed
Affects Version/s: 2.9
Fix Version/s: 2.9
Component/s: Forum, Web Services
Labels:
- ci
- triaged

Affected Branches:
MOODLE_29_STABLE
Fixed Branches:
MOODLE_29_STABLE
Pull from Repository:
git://github.com/jleyva/moodle.git
Pull Master Branch:
~~MDL-49902~~-master
Pull Master Diff URL:
https://github.com/jleyva/moodle/compare/b6a76cd...MDL-49902-master
Testing Instructions:
Hide

As admin or teacher, create a forum activity inside a course

Open the forum and go to the permissions settings via the Administration block

Remove Student from the list of allowed roles for capability View discussions (mod/forum:viewdiscussion)

As admin, enable "Mobile services": Plugins ► Web Services ► Mobile

Create a Token for a user:

Click on Site administration ► Plugins ► Web services ► Manage tokens

Enrol the user you created the token for as student in the course with the forum

Next, you can do a CURL REST call simulating a WS client with the user .

You need to replace the wstoken, forumid (the forum instance value) and the URL of your moodle instance

curl 'http://localhost/m/stable_master/webservice/rest/server.php?moodlewsrestformat=json' --data 'forumid=4&wsfunction=mod_forum_view_forum&wstoken=a70d553bbaf6d9b260a9e5c701b3c46e'

Note, you can use jsonlint.com to validate and format the json returned string or append "| python -m json.tool" to automatically format the command output

Confirm that

The json returned contains an exception: errorcode = noviewdiscussionspermission
Show
As admin or teacher, create a forum activity inside a course Open the forum and go to the permissions settings via the Administration block Remove Student from the list of allowed roles for capability View discussions (mod/forum:viewdiscussion) As admin, enable "Mobile services": Plugins ► Web Services ► Mobile Create a Token for a user: Click on Site administration ► Plugins ► Web services ► Manage tokens Enrol the user you created the token for as student in the course with the forum Next, you can do a CURL REST call simulating a WS client with the user . You need to replace the wstoken, forumid (the forum instance value) and the URL of your moodle instance curl 'http://localhost/m/stable_master/webservice/rest/server.php?moodlewsrestformat=json' --data 'forumid=4&wsfunction=mod_forum_view_forum&wstoken=a70d553bbaf6d9b260a9e5c701b3c46e' Note, you can use jsonlint.com to validate and format the json returned string or append "| python -m json.tool" to automatically format the command output Confirm that The json returned contains an exception: errorcode = noviewdiscussionspermission

Description

When I was implementing new external functions (for 3.0) I noticed that I missed to add capability checks to that new function (and also for mod_forum_view_forum_discussion).

mod/forum/view.php and mod/forum/discuss.php checks the mod/forum:viewdiscussion capability prior to do logging and completion triggering.

I'm not marking this as a security bug since 2.9 is not yet released.

Attachments

Issue Links

is a regression caused by

MDL-49502 mod_forum_view_forum

Closed

MDL-49503 New Web Service mod_forum_view_forum_discussion

Closed

Activity

People

Assignee:: Juan Leyva

Reporter:: Juan Leyva

Integrator:: Andrew Lyons

Tester:: Jetha Chan

Participants:: Andrew Lyons, CiBoT, Dan Poltawski, David Monllaó, Jetha Chan, Juan Leyva

Component watchers:: Adrian Greeve, Ilya Tregubov, Kevin Percy, Mathew May, Mihail Geshoski, Shamim Rezaie, Juan Leyva, David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 17/Apr/15 11:17 AM

Updated:: 22/Apr/15 3:48 AM

Resolved:: 22/Apr/15 3:48 AM

Fix Release Date:: 11/May/15