
MDL-38474 repository: Correct context when checking permissions to ac…

…cess a repository
1 parent 1bfc006 commit ccc803db330696312f4a6d7bce1bbb109d73e972 @FMCorz FMCorz committed Mar 14, 2013
Showing with 25 additions and 7 deletions.
  1. +25 −7 repository/lib.php
@@ -641,8 +641,11 @@ public static function get_types($visible=null) {
public final function check_capability() {
global $USER;
+ // The context we are on.
+ $currentcontext = $this->context;
+
// Ensure that the user can view the repository in the current context.
- $can = has_capability('repository/'.$this->type.':view', $this->context);
+ $can = has_capability('repository/'.$this->type.':view', $this->currentcontext);
// Context in which the repository has been created.
$repocontext = context::instance_by_id($this->instance->contextid);
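Review bot: The rewritten capability check reads `$this->currentcontext`, but the value assigned two lines above it is the local `$currentcontext`. Unless the class declares a `currentcontext` property outside this hunk, `has_capability()` no longer receives the repository's context, so the view check cannot be relied on. The call should use the local: `$can = has_capability('repository/'.$this->type.':view', $currentcontext);`. The second hunk already treats `$currentcontext` as a local, so this line is the one out of step. check_capability() continues past the end of this hunk.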
@@ -652,14 +655,29 @@ public static function get_types($visible=null) {
$can = false;
}
- // Ensure that the user can view the repository in the context of the repository.
- // Ne need to perform the check when already disallowed.
+ // We are going to ensure that the current context was legit, and reliable to check
+ // the capability against. (No need to do that if we already cannot).
if ($can) {
- if ($repocontext->contextlevel == CONTEXT_USER && $repocontext->instanceid != $USER->id) {
- // Prevent URL hijack to access someone else's repository.
- $can = false;
+ if ($repocontext->contextlevel == CONTEXT_USER) {
+ // The repository is a user instance, ensure we're the right user to access it!
+ if ($repocontext->instanceid != $USER->id) {
+ $can = false;
+ }
+ } else if ($repocontext->contextlevel == CONTEXT_COURSE) {
+ // The repository is a course one. Let's check that we are on the right course.
+ if (in_array($currentcontext->contextlevel, array(CONTEXT_COURSE, CONTEXT_MODULE, CONTEXT_BLOCK))) {
+ $coursecontext = $currentcontext->get_course_context();
+ if ($coursecontext->instanceid != $repocontext->instanceid) {
+ $can = false;
+ }
+ } else {
+ // We are on a parent context, therefore it's legit to check the permissions
+ // in the current context.
+ }
} else {
- $can = has_capability('repository/'.$this->type.':view', $repocontext);
+ // Nothing to check here, system instances can have different permissions on different
+ // levels. We do not want to prevent URL hack here, because it does not make sense to
+ // prevent a user to access a repository in a context if it's accessible in another one.
}
}
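Review bot: In the CONTEXT_COURSE branch, the empty `else` treats every current context that is not course, module or block level as a parent of the repository's course, but nothing verifies that it is one. As far as this hunk shows, a user context or an unrelated category context would pass on the strength of the capability check in that context alone. Consider replacing the empty branch with an ancestry test such as `} else if (!in_array($currentcontext->id, $repocontext->get_parent_context_ids())) { $can = false; }`. `get_course_context()` is also called in its default strict mode for block contexts, which may not sit under a course, so it is worth confirming how that case is handled. The function body starts in the previous hunk and continues past this one.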
