  1. Moodle
  2. MDL-78093

Retrieving grade feedback fails for user with unusual idnumber values


    • Bug
    • Resolution: Fixed
    • Minor
    • 4.2.1
    • 4.2
    • Gradebook
    • MOODLE_402_STABLE
    • MOODLE_402_STABLE
      1. Log in as admin
      2. Create a new user
        • ID number: Hello <there>
      3. Navigate to Users > Permissions > User policies in site administration
      4. Select ID number from Show user identity and save changes
      5. Create a course
      6. Enrol test user as student
      7. Add an Assignment activity to the course
      8. In assignment, press Grade button
      9. Enter some text under Feedback comments and save changes
      10. Return to course
      11. Navigate to course gradebook (Grader report)
      12. In your test user table row, press Cell actions for the assignment activity
      13. Press View feedback
      14. Confirm modal opens and shows the feedback that was previously entered
      15. Close the modal
      16. Make the following change (to simulate a genuine error):

        $ git diff
        diff --git a/grade/classes/external/get_feedback.php b/grade/classes/external/get_feedback.php
        index fd94c21f54f..51b7b67ce47 100644
        --- a/grade/classes/external/get_feedback.php
        +++ b/grade/classes/external/get_feedback.php
        @@ -71,6 +71,8 @@ class get_feedback extends external_api {
                     ]
                 );
         
        +        throw new \coding_exception('oh no');
        +
                 $context = \context_course::instance($courseid);
                 parent::validate_context($context);
         
        

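      Review bot: The added `throw new \coding_exception('oh no');` is unconditional and sits ahead of `\context_course::instance($courseid)` and `parent::validate_context($context)`, so every call to this function fails before context validation runs. That serves steps 17 and 18, but the instructions never say to revert it; add a final step to undo the change (for example `git checkout grade/classes/external/get_feedback.php`) so later testing runs against unmodified code.
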
      17. Press View feedback in the cell actions again
      18. Confirm exception information is shown

      For a user with gradebook feedback, who also has HTML entities within their ID number (a PARAM_RAW field, reference) - clicking on the "View feedback" link doesn't do anything.

      There are two problems:

      1. There is no indication of failure (other than nothing happened);
      2. The external field type definition is too strict (PARAM_TEXT)

      When I view my browser console, I see the following exception:

      [
      	{
      		"error": true,
      		"exception": {
      			"message": "Invalid response value detected",
      			"errorcode": "invalidresponse",
      			"backtrace": "* line 457 of /lib/external/classes/external_api.php: invalid_response_exception thrown\n* line ? of unknownfile: call to core_external\\external_api::clean_returnvalue()\n* line 257 of /lib/external/classes/external_api.php: call to call_user_func()\n* line 83 of /lib/ajax/service.php: call to core_external\\external_api::call_external_function()\n",
      			"link": "http://moodle.internal/master/grade/report/grader/index.php?id=2",
      			"moreinfourl": "https://docs.moodle.org/403/en/error/debug/invalidresponse",
      			"debuginfo": "additionalfield => Invalid response value detected (Invalid external api response: the value is \"XSS<script>alert('id, number');</script>\" of PHP type \"string\", the server was expecting \"text\" type): Invalid external api response: the value is \"XSS<script>alert('id, number');</script>\" of PHP type \"string\", the server was expecting \"text\" type\nError code: invalidresponse"
      		}
      	}
      ]
      

      All from MDL-77030
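
The mismatch behind the "invalidresponse" error above, as an added example that is not Moodle's code: a simplified model in which a return value is cleaned for its declared type and rejected when cleaning alters it. The `model_*` functions and `MODEL_PARAM_*` constants are hypothetical, and `strip_tags()` is an assumed stand-in for PARAM_TEXT cleaning.

```php
<?php
// Simplified model (assumption): a return value is cleaned for its declared
// type and rejected if cleaning changed it. strip_tags() stands in for
// PARAM_TEXT cleaning; the real cleaning in Moodle does more than this.

const MODEL_PARAM_RAW = 'raw';   // hypothetical constants, for this model only
const MODEL_PARAM_TEXT = 'text';

function model_clean(string $value, string $type): string {
    return $type === MODEL_PARAM_TEXT ? strip_tags($value) : $value;
}

function model_validate_return(string $value, string $type): string {
    if (model_clean($value, $type) !== $value) {
        // Cleaning altered the value, so it does not fit the declared type.
        throw new UnexpectedValueException("Invalid response value for \"$type\" type");
    }
    return $value;
}

// Constructed sample input: a plain ID number plus the two quoted in this issue.
$idnumbers = [
    'S1234567',
    'Hello <there>',
    "XSS<script>alert('id, number');</script>",
];

foreach ($idnumbers as $idnumber) {
    foreach ([MODEL_PARAM_TEXT, MODEL_PARAM_RAW] as $type) {
        try {
            model_validate_return($idnumber, $type);
            $result = 'accepted';
        } catch (UnexpectedValueException $e) {
            $result = 'rejected';
        }
        // The value is untrusted whichever type accepts it: escape it for display.
        printf("%-4s %-8s %s\n", $type, $result, htmlspecialchars($idnumber, ENT_QUOTES));
    }
}
```

Only the plain ID number passes the stricter type; both values containing markup are rejected there and accepted as raw, which is why anything that renders a raw value has to escape it.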

            Paul Holden (pholden)
            Ilya Tregubov
            Jun Pataleta
            Ron Carl Alfon Yu