MDL-15403: Patch sent by Peter Bulmer, said to have been written by D…

…onal McMullan. Prevents a remotely-triggered mass-unenrolments of users in a (mnet-enabled) course. (backport from 1.9)
moodle · Jul 9, 2008 · 73ef9f1 · 73ef9f1
1 parent 70e5759
commit 73ef9f1
Showing 1 changed file with 10 additions and 5 deletions.
diff --git a/enrol/mnet/enrol.php b/enrol/mnet/enrol.php
@@ -305,6 +305,9 @@ function enrol_user($user, $courseid) {
         $userrecord = get_record('user','username',addslashes($user['username']), 'mnethostid',$MNET_REMOTE_CLIENT->id);
 
         if ($userrecord == false) {
+            // We should at least be checking that we allow the remote
+            // site to create users
+            // TODO: more rigour here thanks!
             $userrecord = new stdClass();
             $userrecord->username   = addslashes($user['username']);
             $userrecord->email      = addslashes($user['email']);
@@ -342,20 +345,23 @@ function enrol_user($user, $courseid) {
     * @param int    $courseid   The id of the local course
     * @return bool              Whether the user can login from the remote host
     */
-    function unenrol_user($user, $courseid) {
+    function unenrol_user($username, $courseid) {
         global $MNET_REMOTE_CLIENT;
 
-        $userrecord = get_record('user','username',$user['username'], 'mnethostid',$MNET_REMOTE_CLIENT->id);
+        $userrecord = get_record('user', 'username', addslashes($username), 'mnethostid', $MNET_REMOTE_CLIENT->id);
 
         if ($userrecord == false) {
+            return false;
             // TODO: Error out
         }
 
         if (! $course = get_record('course', 'id', $courseid) ) {
+            return false;
             // TODO: Error out
         }
 
         if (! $context = get_context_instance(CONTEXT_COURSE, $course->id)) {
+            return false;
             // TODO: Error out (Invalid context)
         }
 
@@ -566,8 +572,7 @@ function req_unenrol_user($userid, $courseid) {
         require_once $CFG->dirroot . '/mnet/xmlrpc/client.php';
 
         // in case the remote host doesn't have it
-        $user = get_record('user', 'id', $userid, '','','','', 'username, email');
-        $user = $user->username;
+        $username = get_field('user', 'username', 'id', $userid);
 
         $course = get_record('mnet_enrol_course', 'id', $courseid);
 
@@ -578,7 +583,7 @@ function req_unenrol_user($userid, $courseid) {
         // set up the RPC request
         $mnetrequest = new mnet_xmlrpc_client();
         $mnetrequest->set_method('enrol/mnet/enrol.php/unenrol_user');
-        $mnetrequest->add_param($user);
+        $mnetrequest->add_param($username);
         $mnetrequest->add_param($course->remoteid);
 
         // TODO - prevent removal of enrolments that are not of