
MDL-37106 calendar: Proper capability checks should be done before processing an ical request
1 parent 6c806e8 commit 56f4d0ed805d9bd5a90c6632fef7a8cd5d0489b2 @ankitagarwal ankitagarwal committed with danpoltawski Jan 2, 2013
Showing with 47 additions and 1 deletion.
  1. +42 −0 calendar/lib.php
  2. +5 −1 calendar/managesubscriptions.php
@@ -2978,6 +2978,48 @@ function calendar_update_subscription_events($subscriptionid) {
}
/**
+ * Checks to see if the user can edit a given subscription feed.
+ *
+ * @param mixed $subscriptionorid Subscription object or id
+ * @return bool true if current user can edit the subscription else false
+ */
+function calendar_can_edit_subscription($subscriptionorid) {
+ global $DB;
+
+ if (is_array($subscriptionorid)) {
+ $subscription = (object)$subscriptionorid;
+ } else if (is_object($subscriptionorid)) {
+ $subscription = $subscriptionorid;
+ } else {
+ $subscription = $DB->get_record('event_subscriptions', array('id' => $subscriptionorid), '*', MUST_EXIST);
+ }
+ $allowed = new stdClass;
+ $courseid = $subscription->courseid;
+ $groupid = $subscription->groupid;
+ calendar_get_allowed_types($allowed, $courseid);
+ switch ($subscription->eventtype) {
+ case 'user':
+ return $allowed->user;
+ case 'course':
+ if (isset($allowed->courses[$courseid])) {
+ return $allowed->courses[$courseid];
+ } else {
+ return false;
+ }
+ case 'site':
+ return $allowed->site;
+ case 'group':
+ if (isset($allowed->groups[$groupid])) {
+ return $allowed->groups[$groupid];
+ } else {
+ return false;
+ }
+ default:
+ return false;
+ }
+}
+
+/**
* Update calendar subscriptions.
*
* @return bool
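Review bot: The `user` branch returns `$allowed->user` without tying the subscription to the current user, so if `calendar_get_allowed_types()` sets that flag for any user who may keep personal calendar entries, the check passes for a user-level subscription owned by someone else. I would compare the owner before the switch for that case, e.g. `if ($subscription->eventtype === 'user') { return $allowed->user && (int)$subscription->userid === (int)$USER->id; }` with `global $DB, $USER;`, assuming the subscription record carries the owner's id alongside the `courseid` and `groupid` columns read here. The docblock says `@param mixed` while the body accepts an int, an array or an object, so `@param int|array|stdClass $subscriptionorid` would state the three accepted forms. The `course` and `group` branches could also drop the `else { return false; }` in favour of `return isset($allowed->courses[$courseid]) ? $allowed->courses[$courseid] : false;`.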
@@ -82,7 +82,11 @@
} else if (!empty($subscriptionid)) {
// The user is wanting to perform an action upon an existing subscription.
require_sesskey(); // Must have sesskey for all actions.
- $importresults = calendar_process_subscription_row($subscriptionid, $pollinterval, $action);
+ if (calendar_can_edit_subscription($subscriptionid)) {
+ $importresults = calendar_process_subscription_row($subscriptionid, $pollinterval, $action);
+ } else {
+ print_error('nopermissions', 'error', $PAGE->url, get_string('managesubscriptions', 'calendar'));
+ }
}
$sql = 'SELECT *
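Review bot: The new permission check lives only in this page controller, so `calendar_process_subscription_row()` itself still runs with no check when reached from any other caller; if the library function is meant to be the single enforcement point, the `calendar_can_edit_subscription()` call would be better placed inside it, with this block simply calling through. As written, an unknown or tampered `$subscriptionid` reaches the `MUST_EXIST` lookup inside `calendar_can_edit_subscription()` and raises a DB exception rather than the `nopermissions` error shown here, which is acceptable but worth a comment such as `// Unknown ids fail in the MUST_EXIST lookup; only existing records reach the permission branch.` The `if`/`else if` chain this branch belongs to starts before the hunk.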
