MDL-68632 quizaccess_seb: Limit privacy queries to the quiz module

Without this, joins are performed against the course_modules table purely on
the instance id - other modules can share this ID, resulting in incorrect
contexts being pulled in.
Adam Olley 2020-05-07 13:58:23 +09:30 committed by Adam Olley
parent aa6830ef99
commit 9db6c361fd
2 changed files with 13 additions and 1 deletions


@ -93,12 +93,14 @@ class provider implements
$sql = "SELECT c.id
FROM {quizaccess_seb_quizsettings} qs
JOIN {course_modules} cm ON cm.instance = qs.quizid
JOIN {modules} m ON cm.module = m.id AND m.name = :modulename
JOIN {context} c ON c.instanceid = cm.id AND c.contextlevel = :context
WHERE qs.usermodified = :userid
GROUP BY c.id";
$params = [
'context' => CONTEXT_MODULE,
'modulename' => 'quiz',
'userid' => $userid
];
@ -108,6 +110,7 @@ class provider implements
FROM {quizaccess_seb_template} tem
JOIN {quizaccess_seb_quizsettings} qs ON qs.templateid = tem.id
JOIN {course_modules} cm ON cm.instance = qs.quizid
JOIN {modules} m ON cm.module = m.id AND m.name = :modulename
JOIN {context} c ON c.instanceid = cm.id AND c.contextlevel = :context
WHERE qs.usermodified = :userid
GROUP BY c.id";
@ -139,6 +142,7 @@ class provider implements
}
list($insql, $params) = $DB->get_in_or_equal($cmids, SQL_PARAMS_NAMED);
$params['modulename'] = 'quiz';
// SEB quiz settings.
$sql = "SELECT qs.id as id,
@ -148,6 +152,7 @@ class provider implements
qs.timemodified as timemodified
FROM {quizaccess_seb_quizsettings} qs
JOIN {course_modules} cm ON cm.instance = qs.quizid
JOIN {modules} m ON cm.module = m.id AND m.name = :modulename
WHERE cm.id {$insql}";
$quizsettingslist = $DB->get_records_sql($sql, $params);
@ -180,6 +185,7 @@ class provider implements
FROM {quizaccess_seb_template} tem
JOIN {quizaccess_seb_quizsettings} qs ON qs.templateid = tem.id
JOIN {course_modules} cm ON cm.instance = qs.quizid
JOIN {modules} m ON cm.module = m.id AND m.name = :modulename
WHERE cm.id {$insql}";
$templatesettingslist = $DB->get_records_sql($sql, $params);
@ -262,8 +268,9 @@ class provider implements
$sql = "SELECT qs.usermodified AS userid
FROM {quizaccess_seb_quizsettings} qs
JOIN {course_modules} cm ON cm.instance = qs.quizid
JOIN {modules} m ON cm.module = m.id AND m.name = ?
WHERE cm.id = ?";
$params = [$context->instanceid];
$params = ['quiz', $context->instanceid];
$userlist->add_from_sql('userid', $sql, $params);
}
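Review bot: The last hunk (the userlist query ending in `WHERE cm.id = ?`) binds two positional placeholders while every other query in this section binds `:modulename` by name, so it is only correct while the array order in `$params = ['quiz', $context->instanceid];` matches the SQL. Named parameters would remove that coupling: `AND m.name = :modulename` / `WHERE cm.id = :cmid` with `$params = ['modulename' => 'quiz', 'cmid' => $context->instanceid];`. Separately, the provider's deletion methods are not in this diff; if any of them resolves a quiz id from `course_modules.instance` for a module context, it needs the same module-name restriction, since a mismatch there would remove another quiz's settings rather than just export the wrong context. The enclosing methods start and end outside the hunks.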


@ -99,6 +99,11 @@ class quizaccess_seb_provider_testcase extends advanced_testcase {
$context = context_module::instance($this->quiz->cmid);
// Add another course_module of a differenty type - doing this lets us
// test that the data exporter is correctly limiting its selection to
// the quiz and not anything with the same instance id.
$this->getDataGenerator()->create_module('label', array('course' => $this->course->id));
$contextlist = provider::get_contexts_for_userid($this->user->id);
$approvedcontextlist = new approved_contextlist(
$this->user,
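Review bot: The added setup only exercises the fix if the label's instance id happens to equal the quiz's instance id, and nothing in the hunk asserts that, so the test can pass without ever hitting the module-name join. Keeping the generator's return value, `$label = $this->getDataGenerator()->create_module('label', ['course' => $this->course->id]);`, and adding `$this->assertEquals($this->quiz->id, $label->id);` would pin the precondition, assuming `$this->quiz` holds the generator's instance record, which the hunk does not show. The new comment also has a typo, `differenty`. The test method starts and ends outside the hunk.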