MDL-83180 reportbuilder: correct access check for viewing schedules.
paulholden authored and junpataleta committed Oct 2, 2024
1 parent 13fdeab commit 1a04009
Showing 2 changed files with 8 additions and 1 deletion.
Expand Up @@ -91,7 +91,10 @@ protected function initialise(): void {
* @return bool
*/
protected function can_view(): bool {
return permission::can_view_reports_list();
$reportid = $this->get_parameter('reportid', 0, PARAM_INT);
$report = report::get_record(['id' => $reportid], MUST_EXIST);

return permission::can_edit_report($report);
}

/**
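Review bot: In can_view(), the lookup `report::get_record(['id' => $reportid], MUST_EXIST)` throws when reportid is missing (the default of 0 is not expected to match a record) or the report no longer exists, so a method documented as `@return bool` raises instead of returning false. That fails closed, which is acceptable, but it is worth confirming that callers handle the exception on AJAX requests, or using a non-strict lookup and returning false when no record is found. The summary lists only this file and system_report.php as changed, so no test accompanies the switch from permission::can_view_reports_list() to permission::can_edit_report($report); a case for a user who can view the reports list but cannot edit the given report would pin the fix.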
4 changes: 4 additions & 0 deletions reportbuilder/classes/system_report.php
Expand Up @@ -90,6 +90,8 @@ public static function get_name(): string {
* This is necessary to implement independently of the page that would typically embed the report because
* subsequent pages are requested via AJAX requests, and access should be validated each time
*
* Report parameters should also be considered when implementing this method
*
* @return bool
*/
abstract protected function can_view(): bool;
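Review bot: The added docblock line "Report parameters should also be considered when implementing this method" does not say what to do with the parameters and is missing its closing full stop. Suggest stating that when a parameter identifies a record, can_view() should check access against that record and not only a general capability, since the paragraph above it already notes that each AJAX request must be validated independently.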
Expand Down Expand Up @@ -261,6 +263,8 @@ final public function get_parameters(): array {
/**
* Return specific report parameter
*
* Capability/permission checks relating to parameters retrieved here should also be considered in your {@see can_view} method
*
* @param string $param
* @param mixed $default
* @param string $type
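Review bot: The line added to the get_parameter docblock is advisory only ("should also be considered"), so nothing in this hunk stops an implementation from reading an id here while its can_view() checks an unrelated capability. Suggest firmer wording such as "must be enforced in {@see can_view}", a closing full stop, and wrapping the line to the width of the surrounding comment; other can_view() implementations that call get_parameter deserve the same audit.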