MDL-14591 - better security when reawakening an interupted export

This commit is contained in:
mjollnir_ 2008-08-20 15:58:29 +00:00
parent 349242a31d
commit beb4ac1a5d
3 changed files with 16 additions and 2 deletions


@ -56,6 +56,7 @@ $string['nopermissions'] = 'Sorry but you do not have the required permissions t
$string['nonprimative'] = 'A non primative value was passed as a callback argument to portfolio_add_button. Refusing to continue. The key was $a->key and the value was $a->value'; $string['nonprimative'] = 'A non primative value was passed as a callback argument to portfolio_add_button. Refusing to continue. The key was $a->key and the value was $a->value';
$string['notexportable'] = 'Sorry, but the type of content you are trying to export is not exportable'; $string['notexportable'] = 'Sorry, but the type of content you are trying to export is not exportable';
$string['notimplemented'] = 'Sorry, but you are trying to export content in some format that is not yet implemented ($a)'; $string['notimplemented'] = 'Sorry, but you are trying to export content in some format that is not yet implemented ($a)';
$string['notyours'] = 'You are trying to resume a portfolio export that doesn\'t belong to you!';
$string['nouploaddirectory'] = 'Could not create a temporary directory to package your data into'; $string['nouploaddirectory'] = 'Could not create a temporary directory to package your data into';
$string['portfolio'] = 'Portfolio'; $string['portfolio'] = 'Portfolio';
$string['portfolios'] = 'Portfolios'; $string['portfolios'] = 'Portfolios';


@ -1795,6 +1795,8 @@ final class portfolio_exporter {
*/ */
private $id; private $id;
private $sesskey;
/** /**
* construct a new exporter for use * construct a new exporter for use
* *
@ -1826,7 +1828,7 @@ final class portfolio_exporter {
return $this->{$field}; return $this->{$field};
} }
$a = (object)array('property' => $field, 'class' => get_class($this)); $a = (object)array('property' => $field, 'class' => get_class($this));
throw new portfolio_export_exception($this, 'invalidproperty', 'portfolio', $a); throw new portfolio_export_exception($this, 'invalidproperty', 'portfolio', '', $a);
} }
/** /**
@ -2306,6 +2308,15 @@ final class portfolio_exporter {
); );
} }
public function verify_rewaken() {
global $USER;
if ($this->get('user')->id != $USER->id) {
throw new portfolio_exception('notyours', 'portfolio');
}
if (!confirm_sesskey($this->get('sesskey'))) {
throw new portfolio_exception('confirmsesskeybad');
}
}
} }
/** /**
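Review bot: verify_rewaken() has no docblock while every neighbouring member of this class carries one (the `/**` blocks around `$id` and the method that follows), and the new `private $sesskey;` is likewise undocumented; I would add `/** Checks that a rewoken export belongs to the current user and was started in the current session; throws portfolio_exception('notyours') or ('confirmsesskeybad'). */` above the method and `/** sesskey of the session that created this export, checked in verify_rewaken() */` above the property. The session check hands `$this->get('sesskey')` straight to confirm_sesskey(); if that value is empty — an export persisted before this field existed, or a serialised object in which it was never set — confirm_sesskey() in this codebase appears to fall back to the `sesskey` request parameter, which would turn the "same session that started the export" check into a weaker "any valid sesskey for the current session" check, so I would fail closed first: `if (empty($this->get('sesskey'))) { throw new portfolio_exception('confirmsesskeybad'); }`. The owner check uses loose `!=` on the two ids; `(int)$this->get('user')->id !== (int)$USER->id` makes the intent explicit. The class body continues outside the hunk.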


@ -10,13 +10,14 @@ require_once($CFG->libdir . '/formslib.php');
$exporter = null; $exporter = null;
$dataid = 0; $dataid = 0;
if (!$dataid = optional_param('id') ) { if (!$dataid = optional_param('id', '', PARAM_INT) ) {
if (isset($SESSION->portfolioexport)) { if (isset($SESSION->portfolioexport)) {
$dataid = $SESSION->portfolioexport; $dataid = $SESSION->portfolioexport;
} }
} }
if ($dataid) { if ($dataid) {
$exporter = portfolio_exporter::rewaken_object($dataid); $exporter = portfolio_exporter::rewaken_object($dataid);
$exporter->verify_rewaken();
if ($cancel = optional_param('cancel', 0, PARAM_RAW)) { if ($cancel = optional_param('cancel', 0, PARAM_RAW)) {
$exporter->cancel_request(); $exporter->cancel_request();
} }
@ -32,6 +33,7 @@ if ($dataid) {
} }
$instance->set('user', $USER); $instance->set('user', $USER);
$exporter->set('instance', $instance); $exporter->set('instance', $instance);
$exporter->set('sesskey', sesskey());
$exporter->save(); $exporter->save();
} }
} }
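Review bot: The rewritten `optional_param('id', '', PARAM_INT)` on the `if (!$dataid = ...)` line passes an empty-string default for an integer parameter while `$dataid` was initialised to `0` two lines earlier; `optional_param('id', 0, PARAM_INT)` keeps the type consistent, and lifting the assignment out of the condition (`$dataid = optional_param('id', 0, PARAM_INT);` followed by `if (!$dataid) {`) avoids the assignment-in-condition that the `$cancel = optional_param(...)` line below also relies on. Calling `$exporter->verify_rewaken()` directly after `rewaken_object()` and before the cancel branch is the right placement, since even a cancel request then has to come from the owner's session. The sesskey is only stored in the new-export branch (`$exporter->set('sesskey', sesskey())` before `save()`), so exports persisted before this change carry no sesskey and the empty-value behaviour of verify_rewaken() decides whether they are rejected or accepted; a one-line comment at that call would help the next reader: `// bind the export to the creating session; verify_rewaken() checks this against the current session`. The enclosing `if ($dataid)` block ends outside the first hunk.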