Moodle tracker: MDL-83020

Incorrect context checking in external get_badge method

    • MOODLE_405_STABLE

      Setup

      1. Log in as admin
      2. Create a user
      3. Navigate to Users > Permissions > Define roles in site administration
      4. Edit the Authenticated user role
      5. Remove the moodle/badges:viewbadges permission
      6. Enable web services, REST protocol, Moodle mobile web service
      7. Create a token for the test user to use the Moodle mobile web service

      Create badge

      1. Navigate to Badges > Add a new badge in site administration
      2. Fill in form
      3. Add criteria and enable access
      4. Make a note of its ID, from the URL:

        /badges/criteria.php?id=<BADGEID1>
        

      Get badge as user

      1. Execute the following:

        $ curl --silent "<WWWROOT>/webservice/rest/server.php?moodlewsrestformat=json" --data "wstoken=<TOKEN>&wsfunction=core_badges_get_badge&id=<BADGEID1>" | python -m json.tool
        

      2. Confirm you get returned "badge" structure

      See MDL-82105 - this external class, specifically the context in which the capability is being checked:

      https://github.com/moodle/moodle/blob/13c12756b4d7e85f2d2e34038216179fd287c9c2/badges/classes/external/get_badge.php#L79-L82

      This isn't correct: the capability can be allowed or prevented within course contexts, so we cannot assume that the system context is the right one to check against.

      Brand new for 4.5, so setting "Must fix" on this.
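      To make the "Get badge as user" step above repeatable, here is an added Python check. It is not part of this tracker issue and not Moodle's code: it builds the same request the curl command issues and classifies the JSON reply as either the expected "badge" structure or a Moodle web service exception (the REST server reports errors as a JSON object carrying "exception", "errorcode" and "message"). The host, token and badge id are placeholders, and the two sample replies at the bottom are constructed for the demonstration rather than captured from a site.

```python
"""
Classify core_badges_get_badge replies from the Moodle REST web service.

Added example for MDL-83020; not Moodle's own code. It mirrors the curl request
from the test steps and tells a returned "badge" structure apart from a web
service exception. Sample replies below are constructed, not captured.
"""
import json
import urllib.request
from urllib.parse import urlencode


def build_request(wwwroot: str, token: str, badge_id: int) -> tuple:
    """Return (url, urlencoded POST body) matching the curl command in the test steps."""
    url = f"{wwwroot.rstrip('/')}/webservice/rest/server.php?moodlewsrestformat=json"
    body = urlencode({
        "wstoken": token,
        "wsfunction": "core_badges_get_badge",
        "id": badge_id,
    })
    return url, body


def fetch(url: str, body: str, timeout: int = 10) -> str:
    """POST the body to the web service endpoint and return the raw reply text."""
    req = urllib.request.Request(url, data=body.encode("utf-8"), method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def classify_response(raw: str) -> dict:
    """
    Classify a raw JSON reply.

    Returns a dict with:
      kind      -> "badge", "exception" or "unexpected"
      badge_id  -> id from the returned badge structure, if any
      errorcode -> Moodle error code, if the reply was an exception
    """
    empty = {"kind": "unexpected", "badge_id": None, "errorcode": None}
    try:
        data = json.loads(raw)
    except json.JSONDecodeError:
        return dict(empty)
    if not isinstance(data, dict):
        return dict(empty)

    # Moodle's REST server serialises any thrown exception in this shape.
    if "exception" in data:
        return {"kind": "exception", "badge_id": None,
                "errorcode": data.get("errorcode")}

    badge = data.get("badge")
    if isinstance(badge, dict) and "id" in badge:
        return {"kind": "badge", "badge_id": int(badge["id"]), "errorcode": None}
    return dict(empty)


def check_expected(raw: str, expect_badge: bool, badge_id: int) -> bool:
    """True if the reply matches what the scenario expects: the badge, or a denial."""
    result = classify_response(raw)
    if expect_badge:
        return result["kind"] == "badge" and result["badge_id"] == badge_id
    return result["kind"] == "exception"


# Constructed sample replies (not captured from a real site).
SAMPLE_BADGE_REPLY = json.dumps({
    "badge": {"id": 7, "name": "Example badge", "status": 1},
    "warnings": [],
})
SAMPLE_DENIED_REPLY = json.dumps({
    "exception": "required_capability_exception",
    "errorcode": "nopermissions",
    "message": "Sorry, but you do not currently have permissions to do that.",
})


if __name__ == "__main__":
    # Placeholders stand in for <WWWROOT>, <TOKEN> and <BADGEID1> from the test steps.
    url, body = build_request("https://moodle.example", "<TOKEN>", 7)
    print(url)
    print(body)
    for label, raw in (("badge", SAMPLE_BADGE_REPLY), ("denied", SAMPLE_DENIED_REPLY)):
        print(label, classify_response(raw))
    # Against a live site: check_expected(fetch(url, body), expect_badge=True, badge_id=7)
```

      Run the two scenarios in the test steps with the same badge id: once with a token for the test user (after the capability change) and once, as a control, with a token for a user who definitely holds moodle/badges:viewbadges. `check_expected` then says whether each reply matched what that step expects, which is easier to put in a regression script than eyeballing `json.tool` output.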

            Paul Holden (pholden)
            Albert Gasset
            Sara Arjona (@sarjona)
            Kim Jared Lucas