- Bug
- Resolution: Unresolved
- Minor
- None
- 4.1.11, 4.2.8
- MOODLE_401_STABLE, MOODLE_402_STABLE

require_login($course) is called, but the instanceid passed isn't checked to see if it's actually part of the course being passed.
here:
https://github.com/moodle/moodle/blob/master/mod/lti/return.php#L44
I'm pretty sure $lti->course should actually be $course->id.
jaked - am I missing something there?
I don't think there's a security issue there in the current code, but it's a security check that is missing... I've added "could be a sec issue", but I suspect we can remove that flag after someone else (Jake?) verifies that.
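
The following is an added example, not Moodle code and not part of the original report: a small Python model of why the course filter in the instance lookup matters. The tables, the user and the function names (`require_login`, `get_cm_from_instance`, `resolve_unbound`, `resolve_bound`) are constructed stand-ins. It assumes the lookup filters course modules by both instance id and course id.

```python
"""Model of the lookup discussed above (constructed data, not Moodle code)."""

# Constructed sample tables: two courses, one LTI activity in each.
LTI = {10: {"id": 10, "course": 1}, 20: {"id": 20, "course": 2}}
COURSE_MODULES = [
    {"id": 100, "module": "lti", "instance": 10, "course": 1},
    {"id": 200, "module": "lti", "instance": 20, "course": 2},
]
ENROLMENTS = {"student_a": {1}}  # student_a is enrolled in course 1 only


class AccessDenied(Exception):
    pass


def require_login(user, courseid):
    """Stand-in for the course access check: the user must be enrolled."""
    if courseid not in ENROLMENTS.get(user, set()):
        raise AccessDenied(f"{user} cannot access course {courseid}")


def get_cm_from_instance(instanceid, courseid):
    """Find the course module for an LTI instance, filtered by course."""
    for cm in COURSE_MODULES:
        if (cm["module"], cm["instance"], cm["course"]) == ("lti", instanceid, courseid):
            return cm
    raise LookupError(f"lti instance {instanceid} is not in course {courseid}")


def resolve_unbound(user, courseid, instanceid):
    """Course filter comes from the instance record itself, so it always matches."""
    require_login(user, courseid)
    lti = LTI[instanceid]
    return get_cm_from_instance(lti["id"], lti["course"])


def resolve_bound(user, courseid, instanceid):
    """Course filter is the course that require_login just authorised."""
    require_login(user, courseid)
    lti = LTI[instanceid]
    return get_cm_from_instance(lti["id"], courseid)
```

In the unbound form the course check and the instance lookup are independent, so an instance from another course resolves without error; in the bound form the same request fails at the lookup.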