Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-30388

Site Admin > Blocks > Manage Blocks (Click on Block to get list of) > Show all/Next -- Fails and doesn't do pagination

XMLWordPrintable

    • Any
    • MOODLE_21_STABLE
    • MOODLE_21_STABLE, MOODLE_22_STABLE
    • wip-mdl-30388
    • Hide

      Need to manually edit the URL to add the sesskey. Example:

      https://<URL>/course/search.php?search=&perpage=30&page=1

      should be:
      https://<URL>/course/search.php?search=&perpage=30&page=1&blocklist=7&sesskey=qLwJ2tcQYm

      Show
      Need to manually edit the URL to add the sesskey. Example: https://<URL>/course/search.php?search=&perpage=30&page=1 should be: https://<URL>/course/search.php?search=&perpage=30&page=1&blocklist=7&sesskey=qLwJ2tcQYm
    • Hide
      1. Log in as admin
      2. On Site Admin panel go to Plugins > Blocks > Manage Blocks
      3. Click on link in "Instances" column > on blocks (with more then 30 instances)
      4. On top there are links called Show all or Next.
      5. Click on "Next" and you should see next page of results
      6. Click on "Show all" and you should see all the records. In addition you should see Page view link to view pages.
      Show
      Log in as admin On Site Admin panel go to Plugins > Blocks > Manage Blocks Click on link in "Instances" column > on blocks (with more then 30 instances) On top there are links called Show all or Next. Click on "Next" and you should see next page of results Click on "Show all" and you should see all the records. In addition you should see Page view link to view pages.

      When looking at the instances of blocks in either M1.9 or M2.x via the "Manage Blocks" screen you cannot get past the first page of results.

      There is a potential security issue according to one our developer's reports. The page that displays the list of instances of blocks doesn't seem to check if the user is logged in before doing a huge query for the block instances. Report is as follows:


      I'm able to view that page without logging in. It seems like a security flaw since i'm not authorized and I can view the content, or refresh the page over and over putting a heavy load on the server while it tries to fetch 6,500 block records. I think I'm able to do this because the sesskey is in the URL.

      https://<URL>/course/search.php?search=&perpage=99999&blocklist=7&sesskey=qLwJ2tcQYm

      is the correct URL for showing all.

      Steps to reproduce
      M1.9:

      1. On Site Admin panel go to Modules > Manage Blocks
      2. Click on link in "Instances" column > on blocks with any instances (about 40+) there are links called Show all or Next.
      3. Click on either the "Show all" or "Next"
      4. Blank page with a search box

      M2.x:

      1. On Site Admin panel go to Plugins > Blocks > Manage Blocks
      2. Click on link in "Instances" column > on blocks with any instances (about 40+) there are links called Show all or Next.
      3. Click on either the "Show all" or "Next"
      4. Blank page with a search box

            rajeshtaneja Rajesh Taneja
            rex Rex Lorenzo
            Adrian Greeve Adrian Greeve
            Sam Hemelryk Sam Hemelryk
            Rossiani Wijaya Rossiani Wijaya
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved:

                Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.