From 94b9dad79d06ea5bd81febee0c8faf2308f9272b Mon Sep 17 00:00:00 2001
From: Jerome Mouneyrac
Date: Mon, 14 Nov 2011 12:09:40 +0800
Subject: [PATCH] MDL-28126 webservices : should not able to create token if user is deleted,unconfirmed,suspended or guest.
---
 admin/webservice/forms.php | 6 ++++--
 admin/webservice/tokens.php | 6 ++++++
 lang/en/webservice.php | 1 +
 3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/admin/webservice/forms.php b/admin/webservice/forms.php
index 75202284f36d3..f1908eb6c290e 100644
--- a/admin/webservice/forms.php
+++ b/admin/webservice/forms.php
@@ -179,7 +179,7 @@ function definition() {
 class web_service_token_form extends moodleform {
 function definition() {
- global $USER, $DB;
+ global $USER, $DB, $CFG;
 $mform = $this->_form;
 $data = $this->_customdata;
@@ -188,10 +188,12 @@ function definition() {
 if (empty($data->nouserselection)) {
 //user searchable selector - get all users (admin and guest included)
+ //user must be confirmed, not deleted, not suspended, not guest
 $sql = "SELECT u.id, u.firstname, u.lastname
 FROM {user} u
+ WHERE u.deleted = 0 AND u.confirmed = 1 AND u.suspended = 0 AND u.id != ?
 ORDER BY u.lastname";
- $users = $DB->get_records_sql($sql, array());
+ $users = $DB->get_records_sql($sql, array($CFG->siteguest));
 $options = array();
 foreach ($users as $userid => $user) {
 $options[$userid] = $user->firstname . " " . $user->lastname;
diff --git a/admin/webservice/tokens.php b/admin/webservice/tokens.php
index ec06e23185fb4..cf229ab5446c7 100644
--- a/admin/webservice/tokens.php
+++ b/admin/webservice/tokens.php
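Review bot: The comment left in place above the new one, `//user searchable selector - get all users (admin and guest included)`, now contradicts the WHERE clause added to the query, which excludes the guest account along with deleted, unconfirmed and suspended users; the two comments should be merged into a single accurate one, e.g. `//user selector: confirmed, non-deleted, non-suspended users only; the site guest is excluded by id`. Note that this filter only narrows the options the form offers, and nothing in this query validates the id a client actually submits, so the rejection in tokens.php has to stay the authoritative control rather than this list. Moodle's cross-database SQL guidance, as far as I recall, prefers `<>` to `!=` in DML queries, so `AND u.id <> ?` would be the conventional spelling. The definition() method continues past the end of the hunk.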
@@ -71,6 +71,12 @@
 }
 }
+ //check if the user is deleted. unconfirmed, suspended or guest
+ $user = $DB->get_record('user', array('id' => $data->user));
+ if ($user->id == $CFG->siteguest or $user->deleted or !$user->confirmed or $user->suspended) {
+ throw new moodle_exception('forbiddenwsuser', 'webservice');
+ }
+
 //process the creation
 if (empty($errormsg)) {
 //TODO improvement: either move this function from externallib.php to webservice/lib.php
diff --git a/lang/en/webservice.php b/lang/en/webservice.php
index 74f84c8f76411..aac539124f7ae 100644
--- a/lang/en/webservice.php
+++ b/lang/en/webservice.php
@@ -92,6 +92,7 @@
 $string['externalserviceusers'] = 'External service users';
 $string['failedtolog'] = 'Failed to log';
 $string['filenameexist'] = 'File name already exists: {$a}';
+$string['forbiddenwsuser'] = 'Can not create token for a unconfirmed, deleted, suspended or guest user.';
 $string['function'] = 'Function';
 $string['functions'] = 'Functions';
 $string['generalstructure'] = 'General structure';
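Review bot: `$DB->get_record('user', array('id' => $data->user))` returns false when no row matches, in which case every property read in the new `if` evaluates to null, the guard does not fire, and creation proceeds with a non-existent or stale user id; pass the strictness flag so the lookup itself rejects it: `$user = $DB->get_record('user', array('id' => $data->user), '*', MUST_EXIST);`. This server-side check is the one that actually matters, since the form in forms.php only narrows the dropdown and a crafted POST can carry any id, so it is right that the rejection lives here; I am assuming `$CFG` is already in scope in this admin script as it normally is once config.php is loaded. The new comment has a typo, `deleted. unconfirmed` should read `deleted, unconfirmed`. The block this hunk sits in begins and ends outside the hunk.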