rss MDL-24870 fixed the capability checks to access module rss feeds

commit 3ad3f24808ed68c535bb5b3dd858d8f956dd6f86 1 parent d95a02f
@andyjdavis andyjdavis authored
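--- a/mod/data/rsslib.php
+++ b/mod/data/rsslib.php
@@ -12,13 +12,18 @@ function data_rss_get_feed($context, $args) {
 return null;
 }
- if (!is_enrolled($context, null, 'mod/data:managetemplates') && !isguestuser()) {
- return null;
+ $dataid = clean_param($args[3], PARAM_INT);
+ $cm = get_coursemodule_from_instance('data', $dataid, 0, false, MUST_EXIST);
+ if ($cm) {
+ $modcontext = get_context_instance(CONTEXT_MODULE, $cm->id);
+
+ //context id from db should match the submitted one
+ if ($context->id != $modcontext->id || !has_capability('mod/data:viewentry', $modcontext)) {
+ return null;
+ }
 }
- $dataid = clean_param($args[3], PARAM_INT);
 $data = $DB->get_record('data', array('id' => $dataid), '*', MUST_EXIST);
-
 if (!rss_enabled_for_mod('data', $data, false, true)) {
 return null;
 }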
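Review bot: The new context and capability test only runs inside `if ($cm)`, so a falsy `$cm` would skip it entirely and fall through to the `$DB->get_record` call and the feed. With `MUST_EXIST` the lookup throws instead of returning false, so the wrapper is dead code today, but the shape fails open if that flag is ever relaxed. Either drop the wrapper or fail closed ahead of the check with `if (!$cm) { return null; }`; the forum and glossary sections use the same pattern. The body of data_rss_get_feed starts and ends outside the hunk.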
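--- a/mod/forum/rsslib.php
+++ b/mod/forum/rsslib.php
@@ -44,25 +44,17 @@ function forum_rss_get_feed($context, $args) {
 }
 $forumid = clean_param($args[3], PARAM_INT);
-
- $uservalidated = false;
-
 $cm = get_coursemodule_from_instance('forum', $forumid, 0, false, MUST_EXIST);
 if ($cm) {
 $modcontext = get_context_instance(CONTEXT_MODULE, $cm->id);
 //context id from db should match the submitted one
- if ($context->id==$modcontext->id && has_capability('mod/forum:viewdiscussion', $modcontext)) {
- $uservalidated = true;
+ if ($context->id != $modcontext->id || !has_capability('mod/forum:viewdiscussion', $modcontext)) {
+ return null;
 }
 }
- if (!$uservalidated) {
- return null;
- }
-
 $forum = $DB->get_record('forum', array('id' => $forumid), '*', MUST_EXIST);
-
 if (!rss_enabled_for_mod('forum', $forum)) {
 return null;
 }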
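Review bot: The comment `//context id from db should match the submitted one` states the rule but not why it matters, and this line is the only thing tying the caller-supplied context to the instance id taken from `$args[3]`. Suggest expanding it to something like `//the request names both a context and an instance id; refuse unless the instance really belongs to that context, so access to one module cannot be reused to read another module's feed`. The rewritten condition also compares the ids with a loose `!=`; if both sides are known to be numeric, `(int)$context->id !== (int)$modcontext->id` makes the intent explicit. forum_rss_get_feed begins and continues outside the hunk.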
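--- a/mod/glossary/rsslib.php
+++ b/mod/glossary/rsslib.php
@@ -6,22 +6,26 @@
 function glossary_rss_get_feed($context, $args) {
 global $CFG, $DB;
+ $status = true;
+
 if (empty($CFG->glossary_enablerssfeeds)) {
 debugging("DISABLED (module configuration)");
 return null;
 }
- $status = true;
+ $glossaryid = clean_param($args[3], PARAM_INT);
+ $cm = get_coursemodule_from_instance('glossary', $glossaryid, 0, false, MUST_EXIST);
+ if ($cm) {
+ $modcontext = get_context_instance(CONTEXT_MODULE, $cm->id);
- //check capabilities
- //glossary module doesn't require any capabilities to view glossary entries (aside from being logged in)
- if (!is_enrolled($context) && !isguestuser()) {
- return null;
+ //context id from db should match the submitted one
+ //no specific capability required to view glossary entries so just check user is enrolled
+ if ($context->id != $modcontext->id || !is_enrolled($context)) {
+ return null;
+ }
 }
- $glossaryid = clean_param($args[3], PARAM_INT);
 $glossary = $DB->get_record('glossary', array('id' => $glossaryid), '*', MUST_EXIST);
-
 if (!rss_enabled_for_mod('glossary', $glossary)) {
 return null;
 }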
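Review bot: The new condition `!is_enrolled($context)` drops the `&& !isguestuser()` clause that the removed check had, so guest users are now refused the glossary feed, and presumably so is anyone who can view the glossary without an enrolment. If that tightening is intended, the comment should say so, for example `//guests and non-enrolled viewers are deliberately denied the feed`. If it is not intended, the guest case needs an explicit branch. `$status = true;` has also moved above the config check with no use visible in this hunk, and the function body continues past the last line shown.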