From 05e4c75ca51bfa7caaed1dc542e84a45c06993b3 Mon Sep 17 00:00:00 2001
From: David Matamoros
Date: Thu, 18 Feb 2021 17:16:36 +0100
Subject: [PATCH] MDL-70910 contentbank: fix for using contentid not validated
---
 contentbank/classes/external/rename_content.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/contentbank/classes/external/rename_content.php b/contentbank/classes/external/rename_content.php
index 1374aaec50b..2540a8a54fc 100644
--- a/contentbank/classes/external/rename_content.php
+++ b/contentbank/classes/external/rename_content.php
@@ -81,13 +81,13 @@ class rename_content extends external_api {
 // If name is empty don't try to rename and return a more detailed message.
 if (empty(trim($params['name']))) {
 $warnings[] = [
- 'item' => $contentid,
+ 'item' => $params['contentid'],
 'warningcode' => 'emptynamenotallowed',
 'message' => get_string('emptynamenotallowed', 'core_contentbank')
 ];
 } else {
 try {
- $record = $DB->get_record('contentbank_content', ['id' => $contentid], '*', MUST_EXIST);
+ $record = $DB->get_record('contentbank_content', ['id' => $params['contentid']], '*', MUST_EXIST);
 $cb = new contentbank();
 $content = $cb->get_content_from_id($record->id);
 $contenttype = $content->get_content_type_instance();
@@ -100,7 +100,7 @@ class rename_content extends external_api {
 $result = true;
 } else {
 $warnings[] = [
- 'item' => $contentid,
+ 'item' => $params['contentid'],
 'warningcode' => 'contentnotrenamed',
 'message' => get_string('contentnotrenamed', 'core_contentbank')
 ];
@@ -108,7 +108,7 @@ class rename_content extends external_api {
 } else {
 // The user has no permission to manage this content.
 $warnings[] = [
- 'item' => $contentid,
+ 'item' => $params['contentid'],
 'warningcode' => 'nopermissiontomanage',
 'message' => get_string('nopermissiontomanage', 'core_contentbank')
 ];
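Review bot: In the context line `if (empty(trim($params['name'])))` of the hunk at -81, `empty()` also treats the string `"0"` as empty, so a rename to `0` is refused with the `emptynamenotallowed` warning; `if (trim($params['name']) === '')` rejects only a blank name. Separately, the replacements here and in the hunks at -100, -108 and -116 fix each use by hand while the raw `$contentid` argument stays in scope for the rest of the function. The assignment of `$params` lies outside these hunks, but if it is the result of `validate_parameters()`, a comment at that point such as `// Use only $params[...] below; the raw arguments are not cleaned.` would make the next slip easier to spot in review. A unit test that passes a non-integer `contentid` and asserts the warning's `item` is the cleaned value would pin the fix.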
@@ -116,7 +116,7 @@ class rename_content extends external_api {
 } catch (\moodle_exception $e) {
 // The content or the context don't exist.
 $warnings[] = [
- 'item' => $contentid,
+ 'item' => $params['contentid'],
 'warningcode' => 'exception',
 'message' => $e->getMessage()
 ];
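Review bot: The `catch (\moodle_exception $e)` block still hands `$e->getMessage()` back to the web-service caller as the warning text, and the commit leaves that unchanged. The comment names only a missing content or context, but the catch covers every `moodle_exception` raised inside the `try` (whose body starts outside this hunk), so the client receives whatever text the failing call produced; presumably that can carry more internal detail on sites with debugging enabled, which is worth confirming. Consider returning a fixed localised message for the expected not-found case and logging the original exception server-side. At minimum the comment should read something like `// Any moodle_exception raised inside the try block ends up here, not only a missing content or context.`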