[MDL-69047] Content bank status message should be hard coded - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 3.9
Fix Version/s: 3.9.1
Component/s: Content bank
Labels:

Affected Branches:
MOODLE_39_STABLE
Fixed Branches:
MOODLE_39_STABLE
Pull from Repository:
git://github.com/aanabit/moodle.git
Pull 3.9 Branch:
~~MDL-69047~~-39
Pull 3.9 Diff URL:
https://github.com/aanabit/moodle/compare/MDL-69047-39~1...MDL-69047-39
Pull Main Branch:
~~MDL-69047~~-master
Pull Main Diff URL:
https://github.com/aanabit/moodle/compare/MDL-69047-master~1...MDL-69047-master
Testing Instructions:
Hide

As an admin go to Content bank (in the drawer for Boost theme or in the Navigation block> Site pages for Classic theme)

Upload the attached chart.h5p file

Open the cog menu and select Rename option.

Add a new name and click on 'Rename'.

Confirm there is a 'The content has been renamed.' message.

Confirm there is a 'statusmsg=contentrenamed' parameter in the URL.

Open the cog menu and select Delete option.

Click on 'Delete'.

Confirm there is a 'The content has been deleted.' message.

Confirm there is a 'statusmsg=contentdeleted' parameter in the URL.
Show
As an admin go to Content bank (in the drawer for Boost theme or in the Navigation block> Site pages for Classic theme) Upload the attached chart.h5p file Open the cog menu and select Rename option. Add a new name and click on 'Rename'. Confirm there is a 'The content has been renamed.' message. Confirm there is a 'statusmsg=contentrenamed' parameter in the URL. Open the cog menu and select Delete option. Click on 'Delete'. Confirm there is a 'The content has been deleted.' message. Confirm there is a 'statusmsg=contentdeleted' parameter in the URL.

Sprint:
Moppies Kanban

Description

https://qa.moodledemo.net/contentbank/index.php?contextid=25%27%22%3Cb%3E&statusmsg=Custom%20Text

The statusmsg is safe from any javascript attack but a student could send this link to a teacher to trick him (link to phishing for exemple) with an official looking statement. Message text should be hardcoded.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

chart.h5p
110 kB
16/Jun/20 11:25 PM
Screenshot_1.png
52 kB
24/Jun/20 1:56 PM

Issue Links

Testing discovered

MDL-69089 Content bank allows empty names

Closed

Activity

People

Assignee:: Amaia Anabitarte

Reporter:: DegrangeM

Peer reviewer:: Carlos Escobedo

Integrator:: Jake Dallimore

Tester:: Janelle Barcega

Participants:: Amaia Anabitarte, Carlos Escobedo, CiBoT, DegrangeM, Jake Dallimore, Janelle Barcega

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 15/Jun/20 1:45 AM

Updated:: 08/Jul/20 1:17 PM

Resolved:: 26/Jun/20 1:28 AM

Fix Release Date:: 13/Jul/20

Time Tracking

Estimated:

Remaining:

Logged:

3h 51m