Moodle / MDL-47474

Incorrect permission check in calendar export


    • Bug
    • Resolution: Fixed
    • Minor
    • 2.7.3
    • 2.8
    • Calendar
    • MOODLE_28_STABLE
    • MOODLE_27_STABLE
    • Test case:
      • Create a course, and one user enrolled as teacher. Log in as this user.
      • Create an assignment in the course with default due date (i.e. one week in the future).
      • Add a conditional availability rule for the assignment - access allowed only from a date 1 month in the future.
      • Go to the course calendar.
      • VERIFY: Assignment due date is shown in the calendar.
      • Click "Export calendar". Select "Recent and next 60 days". Click "Get calendar URL".
      • Copy the resulting URL to the clipboard.
      • Open the URL in a web browser **while not logged in to Moodle** (close and re-open browser, or open a "private window" e.g. in Firefox.)
      • VERIFY: Calendar export file contains one event (the due date of the assignment).

      If a calendar export is called while not logged in to Moodle (authentication via auth token), then the code in calendar/export_execute.php near line 178 checks the permissions of the guest user rather than those of the intended user passed in the URL.

      (Will add test case that makes the issue clear. Will also add a patch in a moment.)
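
A minimal model of the flaw described above, added here as an illustration and not taken from Moodle's code or from the patch for this issue. The function names, roles, tokens and the rule that teachers may see date-restricted activities are assumptions; the model puts a token-authenticated export that checks visibility for the session user (guest) next to one that checks the user the token was issued to.

```php
<?php
// Added illustration; every name here is hypothetical, none is Moodle's API.
// Constructed sample data: users, plus export tokens bound to a user id.
const USERS = [
    1 => ['name' => 'guest', 'role' => 'guest'],
    2 => ['name' => 'teacher', 'role' => 'teacher'],
    3 => ['name' => 'student', 'role' => 'student'],
];
const TOKENS = ['tok-teacher' => 2, 'tok-student' => 3];
const DAY = 86400;

// One assignment due in a week, open to students only from a month ahead.
function sample_events(int $now): array {
    return [['name' => 'Assignment due', 'due' => $now + 7 * DAY,
             'availablefrom' => $now + 30 * DAY]];
}

// Assumed rule: teachers see date-restricted activities, others must wait.
function can_see(array $event, array $user, int $now): bool {
    return $user['role'] === 'teacher' || $now >= $event['availablefrom'];
}

// Flawed: the token is validated, but visibility is checked for the session
// user, which is the guest account when the URL is opened without a login.
function export_flawed(string $token, array $sessionuser, int $now): array {
    if (!array_key_exists($token, TOKENS)) {
        return [];
    }
    return array_values(array_filter(sample_events($now),
        fn($e) => can_see($e, $sessionuser, $now)));
}

// Corrected: the user the token was issued to is the one that is checked;
// the session user plays no part in the decision.
function export_fixed(string $token, array $sessionuser, int $now): array {
    if (!array_key_exists($token, TOKENS)) {
        return [];
    }
    $tokenuser = USERS[TOKENS[$token]];
    return array_values(array_filter(sample_events($now),
        fn($e) => can_see($e, $tokenuser, $now)));
}

$now = time();
$guest = USERS[1];  // nobody is logged in
printf("flawed, teacher token: %d\n", count(export_flawed('tok-teacher', $guest, $now)));
printf("fixed, teacher token: %d\n", count(export_fixed('tok-teacher', $guest, $now)));
printf("fixed, student token: %d\n", count(export_fixed('tok-student', $guest, $now)));
```

In this model the teacher's token yields no events in the flawed flow and one event in the corrected flow, while the student's token still yields none.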

            Henning Bostelmann (bostelm)
            Dan Poltawski
            Sam Hemelryk
            Mark Nelson
            Votes: 0
            Watchers: 4
