
MDL-32199 - forum - Ensure that forum RSS feeds don't leak posts and …

…discussions.

Alteration to the code to hide the body of the post / discussion

rebase conflict resolution
1 parent 5bb8e80 commit 35124c3c4fd4692a54359fe32d3c29e2590dbb83 @abgreeve abgreeve committed May 14, 2012
Showing with 46 additions and 15 deletions.
  1. +46 −15 mod/forum/rsslib.php
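--- a/mod/forum/rsslib.php
+++ b/mod/forum/rsslib.php
@@ -33,7 +33,7 @@
 * @return string the full path to the cached RSS feed directory. Null if there is a problem.
 */
 function forum_rss_get_feed($context, $args) {
- global $CFG, $DB;
+ global $CFG, $DB, $USER;
 $status = true;
@@ -45,7 +45,7 @@ function forum_rss_get_feed($context, $args) {
 $forumid = clean_param($args[3], PARAM_INT);
 $cm = get_coursemodule_from_instance('forum', $forumid, 0, false, MUST_EXIST);
- $modcontext = get_context_instance(CONTEXT_MODULE, $cm->id);
+ $modcontext = context_module::instance($cm->id);
 //context id from db should match the submitted one
 if ($context->id != $modcontext->id || !has_capability('mod/forum:viewdiscussion', $modcontext)) {
@@ -60,8 +60,15 @@ function forum_rss_get_feed($context, $args) {
 //the sql that will retreive the data for the feed and be hashed to get the cache filename
 $sql = forum_rss_get_sql($forum, $cm);
- //hash the sql to get the cache file name
- $filename = rss_get_file_name($forum, $sql);
+ // Hash the sql to get the cache file name.
+ // If the forum is Q and A then we need to cache the files per user. This can
+ // have a large impact on performance, so we want to only do it on this type of forum.
+ if ($forum->type == 'qanda') {
+ $filename = rss_get_file_name($forum, $sql . $USER->id);
+ } else {
+ $filename = rss_get_file_name($forum, $sql);
+ }
+
 $cachedfilepath = rss_get_file_full_name('mod_forum', $filename);
 //Is the cache out of date?
@@ -138,7 +145,7 @@ function forum_rss_feed_discussions_sql($forum, $cm, $newsince=0) {
 $now = round(time(), -2);
 $params = array($cm->instance);
- $modcontext = get_context_instance(CONTEXT_MODULE, $cm->id);
+ $modcontext = context_module::instance($cm->id);
 if (!empty($CFG->forum_enabletimedposts)) { /// Users must fulfill timed posts
 if (!has_capability('mod/forum:viewhiddentimedposts', $modcontext)) {
@@ -184,7 +191,7 @@ function forum_rss_feed_discussions_sql($forum, $cm, $newsince=0) {
 }
 function forum_rss_feed_posts_sql($forum, $cm, $newsince=0) {
- $modcontext = get_context_instance(CONTEXT_MODULE, $cm->id);
+ $modcontext = context_module::instance($cm->id);
 //get group enforcement SQL
 $groupmode = groups_get_activity_groupmode($cm);
@@ -262,7 +269,7 @@ function forum_rss_get_group_sql($cm, $groupmode, $currentgroup, $modcontext=nul
 * @return bool|string false if the contents is empty, otherwise the contents of the feed is returned
 */
 function forum_rss_feed_contents($forum, $sql, $context) {
- global $CFG, $DB;
+ global $CFG, $DB, $USER;
 $status = true;
@@ -276,18 +283,43 @@ function forum_rss_feed_contents($forum, $sql, $context) {
 $isdiscussion = false;
 }
+ if (!$cm = get_coursemodule_from_instance('forum', $forum->id, $forum->course)) {
+ print_error('invalidcoursemodule');
+ }
+ $context = context_module::instance($cm->id);
+
 $formatoptions = new stdClass();
 $items = array();
 foreach ($recs as $rec) {
 $item = new stdClass();
 $user = new stdClass();
- if ($isdiscussion && !empty($rec->discussionname)) {
- $item->title = format_string($rec->discussionname);
- } else if (!empty($rec->postsubject)) {
- $item->title = format_string($rec->postsubject);
+
+ if ($isdiscussion && !forum_user_can_see_discussion($forum, $rec->discussionid, $context)) {
+ // This is a discussion which the user has no permission to view
+ $item->title = get_string('forumsubjecthidden', 'forum');
+ $message = get_string('forumbodyhidden', 'forum');
+ $item->author = get_string('forumauthorhidden', 'forum');
+ } else if (!$isdiscussion && !forum_user_can_see_post($forum, $rec->discussionid, $rec->postid, $USER, $cm)) {
+ // This is a post which the user has no permission to view
+ $item->title = get_string('forumsubjecthidden', 'forum');
+ $message = get_string('forumbodyhidden', 'forum');
+ $item->author = get_string('forumauthorhidden', 'forum');
 } else {
- //we should have an item title by now but if we dont somehow then substitute something somewhat meaningful
- $item->title = format_string($forum->name.' '.userdate($rec->postcreated,get_string('strftimedatetimeshort', 'langconfig')));
+ // The user must have permission to view
+ if ($isdiscussion && !empty($rec->discussionname)) {
+ $item->title = format_string($rec->discussionname);
+ } else if (!empty($rec->postsubject)) {
+ $item->title = format_string($rec->postsubject);
+ } else {
+ //we should have an item title by now but if we dont somehow then substitute something somewhat meaningful
+ $item->title = format_string($forum->name.' '.userdate($rec->postcreated,get_string('strftimedatetimeshort', 'langconfig')));
+ }
+ $user->firstname = $rec->userfirstname;
+ $user->lastname = $rec->userlastname;
+ $item->author = fullname($user);
+ $message = file_rewrite_pluginfile_urls($rec->postmessage, 'pluginfile.php', $context->id,
+ 'mod_forum', 'post', $rec->postid);
+ $formatoptions->trusted = $rec->posttrust;
 }
 $user->firstname = $rec->userfirstname;
 $user->lastname = $rec->userlastname;
@@ -300,8 +332,6 @@ function forum_rss_feed_contents($forum, $sql, $context) {
 }
 $formatoptions->trusted = $rec->posttrust;
- $message = file_rewrite_pluginfile_urls($rec->postmessage, 'pluginfile.php', $context->id,
- 'mod_forum', 'post', $rec->postid);
 $item->description = format_text($message, $rec->postformat, $formatoptions, $forum->course);
 //TODO: implement post attachment handling
@@ -313,6 +343,7 @@ function forum_rss_feed_contents($forum, $sql, $context) {
 $item->attachments = array();
 }
 }*/
+ $item->pubdate = $rec->postcreated;
 $items[] = $item;
 }
 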
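Review bot: The hidden-item branches of the new if/else in forum_rss_feed_contents set `$item->author` to the `forumauthorhidden` string, but the unchanged lines directly after the block still run `$user->firstname = $rec->userfirstname;` and `$user->lastname = $rec->userlastname;`, and the following hunk still applies `$formatoptions->trusted = $rec->posttrust;` unconditionally, so the assignments the commit adds at the end of the else branch are duplicated rather than moved. If the six lines not shown between the two hunks still contain the original `$item->author = fullname($user);`, the real author name is written back onto hidden posts and discussions and that part of the fix is undone; the three duplicated lines after the block (and that author assignment, if present) should be deleted, since the else branch now owns them. Separately, `$context = context_module::instance($cm->id);` silently replaces the `$context` parameter, leaving it dead; either remove it from the docblock or check it against the recomputed context the way forum_rss_get_feed compares `$context->id` with `$modcontext->id`. For non-qanda forums the cache file name is still derived from the SQL alone, so the per-`$USER` visibility decisions made here are baked into a file served to other users; that is presumably acceptable because group and timed-post restrictions are already part of the hashed SQL, but it is worth confirming with a comment next to the `qanda` branch. The body of forum_rss_feed_contents continues outside the hunk.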