Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-49902

mod_forum_view_forum external function misses capabilities check

    XMLWordPrintable

Details

    • Bug
    • Status: Closed
    • Blocker
    • Resolution: Fixed
    • 2.9
    • 2.9
    • Forum, Web Services
    • MOODLE_29_STABLE
    • MOODLE_29_STABLE
    • MDL-49902-master
    • Hide
      1. As admin or teacher, create a forum activity inside a course
      2. Open the forum and go to the permissions settings via the Administration block
      3. Remove Student from the list of allowed roles for capability View discussions (mod/forum:viewdiscussion)
      4. As admin, enable "Mobile services": Plugins ► Web Services ► Mobile
      5. Create a Token for a user:
        • Click on Site administration ► Plugins ► Web services ► Manage tokens
      6. Enrol the user you created the token for as student in the course with the forum
      7. Next, you can do a CURL REST call simulating a WS client with the user .
        • You need to replace the wstoken, forumid (the forum instance value) and the URL of your moodle instance

          curl 'http://localhost/m/stable_master/webservice/rest/server.php?moodlewsrestformat=json' --data 'forumid=4&wsfunction=mod_forum_view_forum&wstoken=a70d553bbaf6d9b260a9e5c701b3c46e'

          Note, you can use jsonlint.com to validate and format the json returned string or append "| python -m json.tool" to automatically format the command output

      8. Confirm that
        • The json returned contains an exception: errorcode = noviewdiscussionspermission
      Show
      As admin or teacher, create a forum activity inside a course Open the forum and go to the permissions settings via the Administration block Remove Student from the list of allowed roles for capability View discussions (mod/forum:viewdiscussion) As admin, enable "Mobile services": Plugins ► Web Services ► Mobile Create a Token for a user: Click on Site administration ► Plugins ► Web services ► Manage tokens Enrol the user you created the token for as student in the course with the forum Next, you can do a CURL REST call simulating a WS client with the user . You need to replace the wstoken, forumid (the forum instance value) and the URL of your moodle instance curl 'http://localhost/m/stable_master/webservice/rest/server.php?moodlewsrestformat=json' --data 'forumid=4&wsfunction=mod_forum_view_forum&wstoken=a70d553bbaf6d9b260a9e5c701b3c46e' Note, you can use jsonlint.com to validate and format the json returned string or append "| python -m json.tool" to automatically format the command output Confirm that The json returned contains an exception: errorcode = noviewdiscussionspermission

    Description

      When I was implementing new external functions (for 3.0) I noticed that I missed to add capability checks to that new function (and also for mod_forum_view_forum_discussion).

      mod/forum/view.php and mod/forum/discuss.php checks the mod/forum:viewdiscussion capability prior to do logging and completion triggering.

      I'm not marking this as a security bug since 2.9 is not yet released.

      Attachments

        Issue Links

          Activity

            People

              jleyva Juan Leyva
              jleyva Juan Leyva
              Andrew Lyons Andrew Lyons
              Jetha Chan Jetha Chan
              Andrew Lyons, Huong Nguyen, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze, Stevani Andolo, Juan Leyva, Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Ilya Tregubov, Laurent David, Raquel Ortega, Sara Arjona (@sarjona)
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:
                11/May/15