
MDL-14591 - better security when reawakening an interrupted export

This commit is contained in:
mjollnir_ 2008-08-20 15:58:29 +00:00
parent 349242a31d
commit beb4ac1a5d
3 changed files with 16 additions and 2 deletions
lang/en_utf8
lib
portfolio

@ -56,6 +56,7 @@ $string['nopermissions'] = 'Sorry but you do not have the required permissions t
$string['nonprimative'] = 'A non primative value was passed as a callback argument to portfolio_add_button. Refusing to continue. The key was $a->key and the value was $a->value';
$string['notexportable'] = 'Sorry, but the type of content you are trying to export is not exportable';
$string['notimplemented'] = 'Sorry, but you are trying to export content in some format that is not yet implemented ($a)';
$string['notyours'] = 'You are trying to resume a portfolio export that doesn\'t belong to you!';
$string['nouploaddirectory'] = 'Could not create a temporary directory to package your data into';
$string['portfolio'] = 'Portfolio';
$string['portfolios'] = 'Portfolios';

@ -1795,6 +1795,8 @@ final class portfolio_exporter {
*/
private $id;
private $sesskey;
/**
* construct a new exporter for use
*
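Review bot: The new `private $sesskey;` directly under `$id` has no docblock, although the property above it closes one and the file otherwise documents members. Suggest `/** @var string sesskey of the session that started this export; compared by verify_rewaken() */` above the declaration so a reader knows why a session token lives on the exporter. The class body continues outside the hunk.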
@ -1826,7 +1828,7 @@ final class portfolio_exporter {
return $this->{$field};
}
$a = (object)array('property' => $field, 'class' => get_class($this));
throw new portfolio_export_exception($this, 'invalidproperty', 'portfolio', $a);
throw new portfolio_export_exception($this, 'invalidproperty', 'portfolio', '', $a);
}
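Review bot: The `''` inserted before `$a` in the corrected `portfolio_export_exception` call is an unexplained positional argument; nothing in the hunk says which constructor parameter it fills, so a later edit may drop it and reintroduce the misordered arguments. A short trailing comment naming that slot (the constructor signature is not visible here) would make the fix self-documenting. `get()` starts outside the hunk.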
/**
@ -2306,6 +2308,15 @@ final class portfolio_exporter {
);
}
public function verify_rewaken() {
global $USER;
if ($this->get('user')->id != $USER->id) {
throw new portfolio_exception('notyours', 'portfolio');
}
if (!confirm_sesskey($this->get('sesskey'))) {
throw new portfolio_exception('confirmsesskeybad');
}
}
}
/**
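Review bot: `verify_rewaken()` compares owner ids with loose `!=`; if `$this->get('user')->id` arrives as a string from a record (not visible here) that still works, but `(int) $this->get('user')->id !== (int) $USER->id` states the intent and avoids PHP's loose-comparison rules. The method is public with no docblock while neighbouring members carry one; `/** Checks that a resumed export belongs to the current user and session; throws portfolio_exception otherwise. */` would match the file's style. It also throws `portfolio_exception` whereas `get()` in this class throws `portfolio_export_exception($this, ...)`; if the export-specific exception performs cleanup of the export state, the ownership-failure path bypasses it, which is worth confirming.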

@ -10,13 +10,14 @@ require_once($CFG->libdir . '/formslib.php');
$exporter = null;
$dataid = 0;
if (!$dataid = optional_param('id') ) {
if (!$dataid = optional_param('id', '', PARAM_INT) ) {
if (isset($SESSION->portfolioexport)) {
$dataid = $SESSION->portfolioexport;
}
}
if ($dataid) {
$exporter = portfolio_exporter::rewaken_object($dataid);
$exporter->verify_rewaken();
if ($cancel = optional_param('cancel', 0, PARAM_RAW)) {
$exporter->cancel_request();
}
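Review bot: The tightened `optional_param('id', '', PARAM_INT)` uses `''` as its default while the line above initialises `$dataid = 0;`; if the default is returned as-is when the parameter is absent, `$dataid` becomes a string there, and `optional_param('id', 0, PARAM_INT)` keeps it an int on every path. The `cancel` flag read just after `verify_rewaken()` still uses PARAM_RAW; PARAM_BOOL would match the tightening done on the id. When `verify_rewaken()` throws, `$SESSION->portfolioexport` still holds the rejected id, so the next request presumably fails the same way; clearing it before rethrowing would avoid a stuck session.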
@ -32,6 +33,7 @@ if ($dataid) {
}
$instance->set('user', $USER);
$exporter->set('instance', $instance);
$exporter->set('sesskey', sesskey());
$exporter->save();
}
}
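Review bot: `$exporter->set('sesskey', sesskey())` followed by `save()` copies the session's sesskey into the exporter; if `save()` persists the object beyond the session (not visible here), that token then lives outside the session store, and a dedicated per-export random value checked the same way in `verify_rewaken()` would bind the export without duplicating it. Either way the persistence scope deserves a comment, e.g. `// bind this export to the starting session; checked on resume by verify_rewaken()`. The enclosing `if ($dataid)` block starts in the previous hunk.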