MDL-81247 calendar: Extra validation for webservices

calendar/externallib.php

@@ -898,7 +898,17 @@ class core_calendar_external extends external_api {
         $courseid = (!empty($data[$coursekey])) ? $data[$coursekey] : null;
         $editoroptions = \core_calendar\local\event\forms\create::build_editor_options($context);
         $formoptions = ['editoroptions' => $editoroptions, 'courseid' => $courseid];
-        $formoptions['eventtypes'] = calendar_get_allowed_event_types($courseid);
+        $allowedeeventtypes = calendar_get_allowed_event_types($courseid);
+
+        // Event type validation.
+        if (in_array(true, $allowedeeventtypes, true) === false) {
+            throw new \moodle_exception('nopermissiontoupdatecalendar');
+        }
+        if (empty($eventtype) || !isset($allowedeeventtypes[$eventtype]) || $allowedeeventtypes[$eventtype] == false) {
+            return ['validationerror' => true];
+        }
+
+        $formoptions['eventtypes'] = $allowedeeventtypes;
         if ($courseid) {
             require_once($CFG->libdir . '/grouplib.php');
             $groupcoursedata = groups_get_course_data($courseid);