Skip to content
Browse files

Merge branch 'MDL-38474-22' of git://github.com/FMCorz/moodle into MO…

…ODLE_22_STABLE
  • Loading branch information...
2 parents 80b40e2 + 4aca3f9 commit 395f9fe90d21772097f6b8b09e0d7533b6c298d9 @damyon damyon committed Mar 15, 2013
Showing with 24 additions and 8 deletions.
  1. +24 −8 repository/lib.php
View
32 repository/lib.php
@@ -582,8 +582,9 @@ public static function get_types($visible=null) {
public static function check_capability($contextid, $instance) {
global $USER;
- $context = get_context_instance_by_id($contextid);
- $can = has_capability('repository/'.$instance->type.':view', $context);
+ // The context we are on.
+ $currentcontext = get_context_instance_by_id($contextid);
+ $can = has_capability('repository/'.$instance->type.':view', $currentcontext);
// Context in which the repository has been created.
$repocontext = get_context_instance_by_id($instance->contextid);
@@ -593,14 +594,29 @@ public static function check_capability($contextid, $instance) {
$can = false;
}
- // Ensure that the user can view the repository in the context of the repository.
- // Ne need to perform the check when already disallowed.
+ // We are going to ensure that the current context was legit, and reliable to check
+ // the capability against. (No need to do that if we already cannot).
if ($can) {
- if ($repocontext->contextlevel == CONTEXT_USER && $repocontext->instanceid != $USER->id) {
- // Prevent URL hijack to access someone else's repository.
- $can = false;
+ if ($repocontext->contextlevel == CONTEXT_USER) {
+ // The repository is a user instance, ensure we're the right user to access it!
+ if ($repocontext->instanceid != $USER->id) {
+ $can = false;
+ }
+ } else if ($repocontext->contextlevel == CONTEXT_COURSE) {
+ // The repository is a course one. Let's check that we are on the right course.
+ if (in_array($currentcontext->contextlevel, array(CONTEXT_COURSE, CONTEXT_MODULE, CONTEXT_BLOCK))) {
+ $coursecontext = $currentcontext->get_course_context();
+ if ($coursecontext->instanceid != $repocontext->instanceid) {
+ $can = false;
+ }
+ } else {
+ // We are on a parent context, therefore it's legit to check the permissions
+ // in the current context.
+ }
} else {
- $can = has_capability('repository/'.$instance->type.':view', $repocontext);
+ // Nothing to check here, system instances can have different permissions on different
+ // levels. We do not want to prevent URL hack here, because it does not make sense to
+ // prevent a user to access a repository in a context if it's accessible in another one.
}
}

0 comments on commit 395f9fe

Please sign in to comment.
Something went wrong with that request. Please try again.