Improvement
Resolution: Unresolved
Minor
None
3.9
MOODLE_39_STABLE
Modifying how the editor uses AJAX was not easy without hampering future editor updates, so an AJAX script (h5p/ajax.php) was chosen instead of invoking web service functions.
Currently, the AJAX script only checks if a user has a valid token that comes from the editor, but we can't check if the user making the request has, for example, permissions to upload files (link to source code).
The H5P component itself does not define editing capabilities and it's intended to always be used within another component, such as the content bank. Therefore, the H5P component should implement a mechanism to allow those components to be responsible for managing the editing permissions.
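One way the delegation described above could look, as an added example that is not Moodle's code: the AJAX entry point keeps its token check but then asks the owning component whether this user may perform the requested action, and refuses when no component answers. The interface, class, function and action names are hypothetical, and token validation is reduced to a boolean input.

```php
<?php
declare(strict_types=1);

// Hypothetical contract: the component that embeds the H5P editor (for
// example the content bank) decides what the requesting user may do.
interface editor_permission_handler {
    public function can_perform(int $userid, string $action, int $contextid): bool;
}

// Constructed stand-in for an owning component's handler.
final class sample_contentbank_handler implements editor_permission_handler {
    /** @var array<int, string[]> user id => actions granted (constructed data) */
    private $grants;

    public function __construct(array $grants) {
        $this->grants = $grants;
    }

    public function can_perform(int $userid, string $action, int $contextid): bool {
        return in_array($action, $this->grants[$userid] ?? [], true);
    }
}

// Hypothetical authorisation step for the AJAX script.
// $handlers maps a component name to its permission handler.
function authorise_editor_request(array $handlers, string $component, bool $tokenvalid,
        int $userid, string $action, int $contextid): bool {
    if (!$tokenvalid) {
        return false; // Token check: the only control the issue says exists.
    }
    $handler = $handlers[$component] ?? null;
    if (!$handler instanceof editor_permission_handler) {
        return false; // Fail closed: no owning component vouches for the request.
    }
    return $handler->can_perform($userid, $action, $contextid);
}

// Constructed sample: user 2 may upload files, user 3 may not.
$handlers = ['contentbank' => new sample_contentbank_handler([
    2 => ['upload_file', 'list_libraries'],
    3 => ['list_libraries'],
])];

var_dump(authorise_editor_request($handlers, 'contentbank', true, 2, 'upload_file', 10));
var_dump(authorise_editor_request($handlers, 'contentbank', true, 3, 'upload_file', 10));
var_dump(authorise_editor_request($handlers, 'unknown', true, 2, 'upload_file', 10));
```

The second and third calls show the cases a token-only check lets through: a valid token held by a user without the upload permission, and a request that no component claims.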