Moodle / MDL-68428

Consider how to handle cases where an unauthorised user hits the import endpoint without a course param

    Details

    • Type: Task
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.9
    • Fix Version/s: None
    • Component/s: Other
    • Labels:

      Description

      If a student somehow knows what data to post to the endpoint, they might try to do so. If they omit the course param, they will be presented with the import confirmation because we have not yet been able to place them in a course and check capabilities, namely 'moodle/course:manageactivities'. This can only occur when someone is doing something they shouldn't be, and it's not that Moodle will allow the import either. It's more about how early we're able to detect that the person isn't able to import and throw an appropriate error. When the course is provided, we already check the relevant capability on the confirmation page (index.php) and throw an error. It's only when course is omitted that there's an issue.

      We'd like to be able to do this at the confirmation page, which is a system context page. At this stage in the process, we've no way to check 'moodle/course:manageactivities' (which of course a student does not have), because we don't yet have a course to check.

      This issue is about discussing and possibly implementing a solution which will allow us to throw an error as soon as we can if a user is known (somehow) to not be a valid user of the import feature.
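
One way the early check described above could look, as an added example that is not code from the Moodle tracker or code base: when the course param is omitted, ask whether the user holds 'moodle/course:manageactivities' in any course before showing the confirmation. The config.php path is a placeholder, and using get_user_capability_course() for this is an assumption about a possible approach, not the agreed solution.

```php
<?php
// Added illustration, not Moodle's own code. The config.php path below is a
// placeholder: adjust it to where the confirmation script actually lives.
require_once(__DIR__ . '/../../../config.php');

$capability = 'moodle/course:manageactivities';
$courseid = optional_param('course', 0, PARAM_INT);

// Require an authenticated session; do not log the visitor in as guest automatically.
require_login(null, false);

if ($courseid) {
    // Course supplied: check the capability in that course's context
    // (the case the description says is already handled).
    require_capability($capability, context_course::instance($courseid));
} else {
    // Course omitted: there is no course context to check yet, so ask whether
    // the user holds the capability in at least one course anywhere on the site.
    // get_user_capability_course() returns false when there is none. It walks
    // the user's courses, so it can be slow on large sites.
    $courses = get_user_capability_course($capability);
    if (empty($courses)) {
        throw new required_capability_exception(
            context_system::instance(), $capability, 'nopermissions', '');
    }
}

// From here on, only users who could import into at least one course
// are shown the import confirmation.
```

This only moves the rejection earlier; the capability check against the course finally chosen for the import still has to run.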

              People

              Assignee:
              Unassigned
              Reporter:
              jaked Jake Dallimore
              Participants:
              Component watchers:
              Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias
              Votes:
              0
              Watchers:
              1

                Dates

                Created:
                Updated: