MDL-28350 prevent bogus role assignment via externallib
Showing
with
12 additions
and
0 deletions.
-
+12
−0
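--- a/enrol/externallib.php
+++ b/enrol/externallib.php
@@ -175,6 +175,12 @@ public static function role_assign($assignments) {
 self::validate_context($context);
 require_capability('moodle/role:assign', $context);
 
+// throw an exception if user is not able to assign the role in this context
+$roles = get_assignable_roles($context, ROLENAME_SHORT);
+if (!key_exists($assignment['roleid'], $roles)) {
+throw new invalid_parameter_exception('Can not assign roleid='.$assignment['roleid'].' in contextid='.$assignment['contextid']);
+}
+
 role_assign($assignment['roleid'], $assignment['userid'], $assignment['contextid']);
 }
 
@@ -231,6 +237,12 @@ public static function role_unassign($unassignments) {
 self::validate_context($context);
 require_capability('moodle/role:assign', $context);
 
+// throw an exception if user is not able to unassign the role in this context
+$roles = get_assignable_roles($context, ROLENAME_SHORT);
+if (!key_exists($unassignment['roleid'], $roles)) {
+throw new invalid_parameter_exception('Can not unassign roleid='.$unassignment['roleid'].' in contextid='.$unassignment['contextid']);
+}
+
 role_unassign($unassignment['roleid'], $unassignment['userid'], $unassignment['contextid']);
 }
 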
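Review bot: The new allow-list check looks the role up in `$context`, but the write that follows still takes `$assignment['contextid']`, so the check only protects the assignment if `$context` was resolved from that same id above the hunk (not visible here; the body of role_assign starts outside the hunk). Passing the validated object's id, `role_assign($assignment['roleid'], $assignment['userid'], $context->id);`, would tie the checked context and the written context together, and the same applies to the `role_unassign` hunk. A refused role is reported as `invalid_parameter_exception`, so an authorization denial reads like malformed input in logs; a comment at the throw such as `// authorization failure: role is not in the caller's assignable set for this context` would make the intent clear to whoever triages these. `key_exists()` is an alias, and `array_key_exists()` is the canonical spelling.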
0 comments on commit
4b9cb37