Moodle / MDL-49902

mod_forum_view_forum external function misses capabilities check


    • MOODLE_29_STABLE
    • MDL-49902-master
    Testing instructions
      1. As admin or teacher, create a forum activity inside a course
      2. Open the forum and go to the permissions settings via the Administration block
      3. Remove Student from the list of allowed roles for capability View discussions (mod/forum:viewdiscussion)
      4. As admin, enable "Mobile services": Plugins ► Web Services ► Mobile
      5. Create a Token for a user:
        • Click on Site administration ► Plugins ► Web services ► Manage tokens
      6. Enrol the user you created the token for as student in the course with the forum
      7. Next, you can do a CURL REST call simulating a WS client with the user.
        • You need to replace the wstoken, forumid (the forum instance value) and the URL of your moodle instance

          curl 'http://localhost/m/stable_master/webservice/rest/server.php?moodlewsrestformat=json' --data 'forumid=4&wsfunction=mod_forum_view_forum&wstoken=a70d553bbaf6d9b260a9e5c701b3c46e'

          Note: you can use jsonlint.com to validate and format the returned JSON string, or append "| python -m json.tool" to format the command output automatically.

      8. Confirm that
        • The json returned contains an exception: errorcode = noviewdiscussionspermission

      When I was implementing new external functions (for 3.0) I noticed that I had missed adding capability checks to that new function (and also to mod_forum_view_forum_discussion).

      mod/forum/view.php and mod/forum/discuss.php check the mod/forum:viewdiscussion capability before doing logging and completion triggering.

      I'm not marking this as a security bug since 2.9 is not yet released.
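The check the description refers to, as an added illustration that is not the issue's patch nor Moodle's own code: a cut-down external function in the shape of mod/forum/externallib.php, first in the unchecked form the issue describes and then with the same mod/forum:viewdiscussion check that mod/forum/view.php performs before logging and completion. The class and method names (mod_forum_external_example, view_forum_unchecked, view_forum_checked, resolve) and the use of a forum_view() helper from mod/forum/lib.php are assumptions made for the example.

```php
<?php
// Added illustration, not code from MDL-49902 or from Moodle itself.
// Assumed names: mod_forum_external_example, view_forum_unchecked,
// view_forum_checked, resolve(), and the forum_view() helper.
defined('MOODLE_INTERNAL') || die();

require_once($CFG->libdir . '/externallib.php');
require_once($CFG->dirroot . '/mod/forum/lib.php');

class mod_forum_external_example extends external_api {

    public static function view_forum_parameters() {
        return new external_function_parameters(array(
            'forumid' => new external_value(PARAM_INT, 'forum instance id'),
        ));
    }

    public static function view_forum_returns() {
        return new external_single_structure(array(
            'status'   => new external_value(PARAM_BOOL, 'status: true if success'),
            'warnings' => new external_warnings(),
        ));
    }

    // Shared lookup: resolves the forum, its course module and context, then runs
    // validate_context(), which only confirms the caller may reach the module
    // (login, enrolment, visibility). It does NOT enforce mod/forum:viewdiscussion,
    // which is why a separate capability check is still needed.
    private static function resolve($forumid) {
        global $DB;
        $params = self::validate_parameters(self::view_forum_parameters(),
            array('forumid' => $forumid));
        $forum = $DB->get_record('forum', array('id' => $params['forumid']), '*', MUST_EXIST);
        list($course, $cm) = get_course_and_cm_from_instance($forum, 'forum');
        $context = context_module::instance($cm->id);
        self::validate_context($context);
        return array($forum, $course, $cm, $context);
    }

    // Unchecked shape (the bug): a student whose role no longer holds
    // mod/forum:viewdiscussion still gets the "viewed" event logged and completion
    // recorded, because nothing here mirrors the check in mod/forum/view.php.
    public static function view_forum_unchecked($forumid) {
        list($forum, $course, $cm, $context) = self::resolve($forumid);
        forum_view($forum, $course, $cm, $context);
        return array('status' => true, 'warnings' => array());
    }

    // Checked shape: fail before any side effect, using the same string key the
    // testing instructions expect as errorcode. require_capability() throws a
    // required_capability_exception, which the web service layer serialises as
    // {"exception": "...", "errorcode": "noviewdiscussionspermission", ...}.
    public static function view_forum_checked($forumid) {
        list($forum, $course, $cm, $context) = self::resolve($forumid);
        require_capability('mod/forum:viewdiscussion', $context, null, true,
            'noviewdiscussionspermission', 'forum');
        forum_view($forum, $course, $cm, $context);
        return array('status' => true, 'warnings' => array());
    }
}
```

Run against the checked variant, the curl call from the testing instructions (with the Student role stripped of View discussions) returns the exception JSON with errorcode noviewdiscussionspermission and no log entry or completion update is made; against the unchecked variant the same call returns status true and records both. The capability check belongs before forum_view() rather than after, because the point is to stop the side effects, not just the response.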

            jleyva Juan Leyva
            Andrew Lyons Andrew Lyons
            Jetha Chan Jetha Chan
