Skip to content
Browse files

Merge branch 'MDL-38474-23' of git://github.com/FMCorz/moodle into MO…

…ODLE_23_STABLE
  • Loading branch information...
2 parents 0f52118 + ccc803d commit 1f84f2e54af746e75dea4f81c5065479c8c2ea39 @damyon damyon committed Mar 15, 2013
Showing with 25 additions and 7 deletions.
  1. +25 −7 repository/lib.php
View
32 repository/lib.php
@@ -641,8 +641,11 @@ public static function get_types($visible=null) {
public final function check_capability() {
global $USER;
+ // The context we are on.
+ $currentcontext = $this->context;
+
// Ensure that the user can view the repository in the current context.
- $can = has_capability('repository/'.$this->type.':view', $this->context);
+ $can = has_capability('repository/'.$this->type.':view', $this->currentcontext);
// Context in which the repository has been created.
$repocontext = context::instance_by_id($this->instance->contextid);
@@ -652,14 +655,29 @@ public static function get_types($visible=null) {
$can = false;
}
- // Ensure that the user can view the repository in the context of the repository.
- // Ne need to perform the check when already disallowed.
+ // We are going to ensure that the current context was legit, and reliable to check
+ // the capability against. (No need to do that if we already cannot).
if ($can) {
- if ($repocontext->contextlevel == CONTEXT_USER && $repocontext->instanceid != $USER->id) {
- // Prevent URL hijack to access someone else's repository.
- $can = false;
+ if ($repocontext->contextlevel == CONTEXT_USER) {
+ // The repository is a user instance, ensure we're the right user to access it!
+ if ($repocontext->instanceid != $USER->id) {
+ $can = false;
+ }
+ } else if ($repocontext->contextlevel == CONTEXT_COURSE) {
+ // The repository is a course one. Let's check that we are on the right course.
+ if (in_array($currentcontext->contextlevel, array(CONTEXT_COURSE, CONTEXT_MODULE, CONTEXT_BLOCK))) {
+ $coursecontext = $currentcontext->get_course_context();
+ if ($coursecontext->instanceid != $repocontext->instanceid) {
+ $can = false;
+ }
+ } else {
+ // We are on a parent context, therefore it's legit to check the permissions
+ // in the current context.
+ }
} else {
- $can = has_capability('repository/'.$this->type.':view', $repocontext);
+ // Nothing to check here, system instances can have different permissions on different
+ // levels. We do not want to prevent URL hack here, because it does not make sense to
+ // prevent a user to access a repository in a context if it's accessible in another one.
}
}

0 comments on commit 1f84f2e

Please sign in to comment.
Something went wrong with that request. Please try again.