
MDL-28432 use enrol/cohort and enrol/manual capabilities correctly in…

… cohort enrol UI and fix input validation in ajax
commit 6b0b96c581a6dc06de89fba2325713f057e60be1 1 parent ac30618
Petr Skoda skodak authored
Showing with 15 additions and 1 deletion.
  1. +14 −1 enrol/ajax.php
  2. +1 −0  enrol/cohort/addinstance.php
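--- a/enrol/ajax.php
+++ b/enrol/ajax.php
@@ -102,16 +102,29 @@
 break;
 case 'enrolcohort':
 require_capability('moodle/course:enrolconfig', $context);
+ require_capability('enrol/cohort:config', $context);
 $roleid = required_param('roleid', PARAM_INT);
+ if (!array_key_exists($roleid, $manager->get_assignable_roles())) {
+ throw new enrol_ajax_exception('invalidrole');
+ }
 $cohortid = required_param('cohortid', PARAM_INT);
+ if (!array_key_exists($cohortid, $manager->get_cohorts())) {
+ throw new enrol_ajax_exception('errorenrolcohort');
+ }
 if (!$manager->enrol_cohort($cohortid, $roleid)) {
 throw new enrol_ajax_exception('errorenrolcohort');
 }
 break;
 case 'enrolcohortusers':
- require_capability('moodle/course:enrolconfig', $context);
+ require_capability('enrol/manual:enrol', $context);
 $roleid = required_param('roleid', PARAM_INT);
+ if (!array_key_exists($roleid, $manager->get_assignable_roles())) {
+ throw new enrol_ajax_exception('invalidrole');
+ }
 $cohortid = required_param('cohortid', PARAM_INT);
+ if (!array_key_exists($cohortid, $manager->get_cohorts())) {
+ throw new enrol_ajax_exception('errorenrolcohortusers');
+ }
 $result = $manager->enrol_cohort_users($cohortid, $roleid);
 if ($result === false) {
 throw new enrol_ajax_exception('errorenrolcohortusers');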
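Review bot: The roleid/cohortid validation added to the `enrolcohort` case is repeated verbatim in the `enrolcohortusers` case below it (same two `required_param` reads, same two `array_key_exists` checks against `$manager`), differing only in the error string thrown for a bad cohort; pulling the checks into one small helper would keep the two paths from drifting the next time one of them is tightened. The checks themselves are a sound server-side guard: with them, holding the capability is no longer enough to push an arbitrary role or cohort id through to `enrol_cohort()`/`enrol_cohort_users()`, on the assumption, not verifiable from this hunk, that `get_assignable_roles()` and `get_cohorts()` are already scoped to what the current user may use in `$context`. In the `enrolcohort` case an unknown cohort id raises the same `errorenrolcohort` string as a failed enrolment, so the client cannot distinguish a malformed request from a server-side failure; a dedicated message string for the validation branch would make the ajax response more useful to the caller and to anyone reading the logs. The helper name below is a constructed placeholder; the enclosing switch and the `enrolcohortusers` case continue outside the hunk.
```php
// Reject role/cohort ids the current manager may not use, before any enrolment runs.
function enrol_ajax_check_cohort_request($manager, $roleid, $cohortid, $cohorterror) {
    if (!array_key_exists($roleid, $manager->get_assignable_roles())) {
        throw new enrol_ajax_exception('invalidrole');
    }
    if (!array_key_exists($cohortid, $manager->get_cohorts())) {
        throw new enrol_ajax_exception($cohorterror);
    }
}
// … unchanged: both cases then call it with their own error string before enrol_cohort() / enrol_cohort_users() …
```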
1  enrol/cohort/addinstance.php
@@ -35,6 +35,7 @@
require_login($course);
require_capability('moodle/course:enrolconfig', $context);
+require_capability('enrol/cohort:config', $context);
$PAGE->set_url('/enrol/cohort/addinstance.php', array('id'=>$course->id));
$PAGE->set_pagelayout('admin');