  1. Moodle
  2. MDL-19353 portfolio code review META
  3. MDL-19358

portfolio export does not verify activity access control


    • Type: Sub-task
    • Resolution: Fixed
    • Priority: Blocker
    • 2.0
    • 2.0
    • Portfolio
    • None
    • MOODLE_20_STABLE
    • MOODLE_20_STABLE

      Portfolio export needs to verify access control; the easiest way is to use require_login() with the correct $cm parameter - replicating the logic from require_login() would probably be a major maintenance problem...

      Sample exploit:
      1/ go to a forum in one browser and copy the "Save..." link
      2/ make the module hidden in another browser where you are logged in as admin
      3/ paste the URL in the first browser - export will complete anyway

            mjollnir Penny Leach (Inactive)
            skodak Petr Skoda
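The flaw and the fix the report asks for, as an added example that is not Moodle's code or the reporter's: a self-contained PHP model in which `require_activity_access()` stands in for `require_login()` called with `$cm`. All class and function names, the `viewhidden` capability string and the sample data are hypothetical.

```php
<?php
// Constructed model, not Moodle code: every name below is hypothetical.
// A course module (activity) with the visibility flag a teacher can toggle.
final class CourseModule {
    public function __construct(public int $id, public bool $visible = true) {}
}

final class AccessDenied extends RuntimeException {}

// Stand-in for the check the issue wants delegated to require_login() with $cm:
// the user must be logged in and the activity must be visible to them right now.
function require_activity_access(?array $user, CourseModule $cm): void {
    if ($user === null) {
        throw new AccessDenied('not logged in');
    }
    if (!$cm->visible && !in_array('viewhidden', $user['caps'], true)) {
        throw new AccessDenied("activity {$cm->id} is hidden");
    }
}

// Before: the export trusts the parameters carried by the copied "Save..." link.
function export_unchecked(?array $user, CourseModule $cm, string $content): string {
    return "exported: $content";
}

// After: access is re-evaluated at export time, not at link-creation time.
function export_checked(?array $user, CourseModule $cm, string $content): string {
    require_activity_access($user, $cm);
    return export_unchecked($user, $cm, $content);
}

// Walk through the three steps of the report with constructed data.
function replay(): array {
    $student = ['name' => 'student', 'caps' => []];
    $forum = new CourseModule(42);               // 1/ link copied while visible
    $forum->visible = false;                     // 2/ admin hides the module
    $results = ['unchecked' => export_unchecked($student, $forum, 'post #1')];
    try {                                        // 3/ link pasted afterwards
        $results['checked'] = export_checked($student, $forum, 'post #1');
    } catch (AccessDenied $e) {
        $results['checked'] = 'denied: ' . $e->getMessage();
    }
    return $results;
}

print_r(replay());
```

The model keeps the access decision in one function on purpose, mirroring the report's point that the export path should call the shared check rather than carry its own copy of the logic.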