MDL-48017 core_calendar: add context validation to get_calendar_events

moodle · Jan 5, 2015 · cdb4e29 · cdb4e29
1 parent c4250ef
commit cdb4e29
Showing 1 changed file with 11 additions and 5 deletions.
diff --git a/calendar/externallib.php b/calendar/externallib.php
@@ -173,13 +173,19 @@ public static function get_calendar_events($events = array(), $options = array()
 
         // Let us findout courses that we can return events from.
         if (!$hassystemcap) {
-            $courses = enrol_get_my_courses();
-            $courses = array_keys($courses);
             foreach ($params['events']['courseids'] as $id) {
-                if (in_array($id, $courses)) {
+               try {
+                    $context = context_course::instance($id);
+                    self::validate_context($context);
                     $funcparam['courses'][] = $id;
-                } else {
-                    $warnings[] = array('item' => $id, 'warningcode' => 'nopermissions', 'message' => 'you do not have permissions to access this course');
+                } catch (Exception $e) {
+                    $warnings[] = array(
+                        'item' => 'course',
+                        'itemid' => $id,
+                        'warningcode' => 'nopermissions',
+                        'message' => 'No access rights in course context '.$e->getMessage().$e->getTraceAsString()
+                    );
+                    continue;
                 }
             }
         } else {