
MDL-28350 prevent bogus role assignment via externallib

skodak committed Jul 15, 2011
1 parent c015236 commit 4b9cb37191469eca95c230e19790cb976dfca05c
Showing with 12 additions and 0 deletions.
  1. +12 −0 enrol/externallib.php
@@ -175,6 +175,12 @@ public static function role_assign($assignments) {
self::validate_context($context);
require_capability('moodle/role:assign', $context);
+ // throw an exception if user is not able to assign the role in this context
+ $roles = get_assignable_roles($context, ROLENAME_SHORT);
+ if (!key_exists($assignment['roleid'], $roles)) {
+ throw new invalid_parameter_exception('Can not assign roleid='.$assignment['roleid'].' in contextid='.$assignment['contextid']);
+ }
+
role_assign($assignment['roleid'], $assignment['userid'], $assignment['contextid']);
}
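Review bot: The new denial in role_assign is thrown as `invalid_parameter_exception`, so a caller who holds moodle/role:assign but requests a role outside their assignable set is reported exactly like malformed input. That makes a rejected privilege-escalation attempt hard to tell apart from a client bug in logs and in the web-service response; a permission-type exception would separate the two. If the exception type stays, a comment such as `// authorisation check: moodle/role:assign alone does not limit which roles may be granted` would at least record why the check is here. `get_assignable_roles()` also appears to run once per element (the loop header is outside the hunk), so the result could be kept in a small array keyed by `$assignment['contextid']`, and `key_exists` is an alias that reads more clearly as `array_key_exists`. The same points apply to the role_unassign hunk below.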
@@ -231,6 +237,12 @@ public static function role_unassign($unassignments) {
self::validate_context($context);
require_capability('moodle/role:assign', $context);
+ // throw an exception if user is not able to unassign the role in this context
+ $roles = get_assignable_roles($context, ROLENAME_SHORT);
+ if (!key_exists($unassignment['roleid'], $roles)) {
+ throw new invalid_parameter_exception('Can not unassign roleid='.$unassignment['roleid'].' in contextid='.$unassignment['contextid']);
+ }
+
role_unassign($unassignment['roleid'], $unassignment['userid'], $unassignment['contextid']);
}
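Review bot: The unassign guard reuses `get_assignable_roles()`, so whether the caller may remove a role is decided by the set of roles they may grant, while the added comment speaks of being "able to unassign". If that equivalence is intended, the comment should say so, for example `// a user may only unassign roles they are allowed to assign in this context`, so a later reader does not take it for a copy-paste slip. The rest of role_unassign, including how `$context` is derived from `$unassignment['contextid']`, lies outside the hunk.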
