MDL-28126 webservices : should not able to create token if user is de…

…leted,unconfirmed,suspended or guest.
moodle · Dec 14, 2011 · 72306a6 · 72306a6
1 parent acb3bf8
commit 72306a6
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 2 deletions.
diff --git a/admin/webservice/forms.php b/admin/webservice/forms.php
@@ -179,7 +179,7 @@ function definition() {
 class web_service_token_form extends moodleform {
 
     function definition() {
-        global $USER, $DB;
+        global $USER, $DB, $CFG;
 
         $mform = $this->_form;
         $data = $this->_customdata;
@@ -188,10 +188,12 @@ function definition() {
 
         if (empty($data->nouserselection)) {
             //user searchable selector - get all users (admin and guest included)
+            //user must be confirmed, not deleted, not suspended, not guest
             $sql = "SELECT u.id, u.firstname, u.lastname
             FROM {user} u
+            WHERE u.deleted = 0 AND u.confirmed = 1 AND u.suspended = 0 AND u.id != ?
             ORDER BY u.lastname";
-            $users = $DB->get_records_sql($sql, array());
+            $users = $DB->get_records_sql($sql, array($CFG->siteguest));
             $options = array();
             foreach ($users as $userid => $user) {
                 $options[$userid] = $user->firstname . " " . $user->lastname;

diff --git a/admin/webservice/tokens.php b/admin/webservice/tokens.php
@@ -71,6 +71,12 @@
                 }
             }
 
+            //check if the user is deleted. unconfirmed, suspended or guest
+            $user = $DB->get_record('user', array('id' => $data->user));
+            if ($user->id == $CFG->siteguest or $user->deleted or !$user->confirmed or $user->suspended) {
+                throw new moodle_exception('forbiddenwsuser', 'webservice');
+            }
+
             //process the creation
             if (empty($errormsg)) {
                 //TODO improvement: either move this function from externallib.php to webservice/lib.php

diff --git a/lang/en/webservice.php b/lang/en/webservice.php
@@ -92,6 +92,7 @@
 $string['externalserviceusers'] = 'External service users';
 $string['failedtolog'] = 'Failed to log';
 $string['filenameexist'] = 'File name already exists: {$a}';
+$string['forbiddenwsuser'] = 'Can not create token for a unconfirmed, deleted, suspended or guest user.';
 $string['function'] = 'Function';
 $string['functions'] = 'Functions';
 $string['generalstructure'] = 'General structure';