MDL-53772 libraries: More context fixes

1. Improve upgrade note 2. Don't abuse $PAGE to get the current course/cm 3. Use validate_context, never $PAGE->set_context() 4. Reset current coursemodule in validate_context(). 5. Respect moodlepageclass when calling an external function.
moodle · Apr 14, 2016 · e02e7f5 · e02e7f5
1 parent e689d68
commit e02e7f5
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 6 deletions.
diff --git a/course/classes/output/course_module_name.php b/course/classes/output/course_module_name.php
@@ -86,15 +86,15 @@ public function export_for_template(\renderer_base $output) {
      * @return static
      */
     public static function update($itemid, $newvalue) {
-        global $PAGE;
         $context = context_module::instance($itemid);
         // Check access.
         \external_api::validate_context($context);
         require_capability('moodle/course:manageactivities', $context);
         // Update value.
-        set_coursemodule_name($PAGE->cm->id, $newvalue);
+        set_coursemodule_name($itemid, $newvalue);
+        $coursemodulerecord = get_coursemodule_from_id('', $itemid, 0, false, MUST_EXIST);
         // Return instance.
-        $cm = get_fast_modinfo($PAGE->course)->get_cm($PAGE->cm->id);
+        $cm = get_fast_modinfo($coursemodulerecord->course)->get_cm($itemid);
         return new static($cm, true);
     }
 }
diff --git a/lib/external/externallib.php b/lib/external/externallib.php
@@ -461,7 +461,7 @@ public static function fetch_notifications($contextid) {
             ]);
 
         $context = \context::instance_by_id($contextid);
-        $PAGE->set_context($context);
+        self::validate_context($context);
 
         return \core\notification::fetch_as_array($PAGE->get_renderer('core'));
     }

diff --git a/lib/externallib.php b/lib/externallib.php
@@ -202,8 +202,16 @@ public static function call_external_function($function, $args, $ajaxonly=false)
         $response = array();
 
         try {
-
-            $PAGE = new moodle_page();
+            // Taken straight from from setup.php.
+            if (!empty($CFG->moodlepageclass)) {
+                if (!empty($CFG->moodlepageclassfile)) {
+                    require_once($CFG->moodlepageclassfile);
+                }
+                $classname = $CFG->moodlepageclass;
+            } else {
+                $classname = 'moodle_page';
+            }
+            $PAGE = new $classname();
             $COURSE = clone($SITE);
 
             if ($ajaxonly && !$externalfunctioninfo->allowed_from_ajax) {

diff --git a/lib/pagelib.php b/lib/pagelib.php
@@ -1568,6 +1568,8 @@ public function reset_theme_and_output() {
         $this->_theme = null;
         $this->_wherethemewasinitialised = null;
         $this->_course = null;
+        $this->_cm = null;
+        $this->_module = null;
         $this->_context = null;
     }
 

diff --git a/lib/upgrade.txt b/lib/upgrade.txt
@@ -7,6 +7,7 @@ information provided here is intended especially for developers.
   only to courses the user is enrolled in, and are visible to them.
 * External functions that are not calling external_api::validate_context are buggy and will now generate
   exceptions. Previously they were only generating warnings in the webserver error log.
+  See https://docs.moodle.org/dev/External_functions_API#Security
 * The moodle/blog:associatecourse and moodle/blog:associatemodule capabilities has been removed.
 * The following functions has been finally deprecated and can not be used any more:
     - profile_display_badges()