rss MDL-24870 fixed the capability checks to access module rss feeds

moodlechick · Feb 4, 2011 · 3ad3f24 · 3ad3f24
1 parent d95a02f
commit 3ad3f24
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 21 deletions.
diff --git a/mod/data/rsslib.php b/mod/data/rsslib.php
@@ -12,13 +12,18 @@ function data_rss_get_feed($context, $args) {
             return null;
         }
 
-        if (!is_enrolled($context, null, 'mod/data:managetemplates') && !isguestuser()) {
-            return null;
+        $dataid = clean_param($args[3], PARAM_INT);
+        $cm = get_coursemodule_from_instance('data', $dataid, 0, false, MUST_EXIST);
+        if ($cm) {
+            $modcontext = get_context_instance(CONTEXT_MODULE, $cm->id);
+
+            //context id from db should match the submitted one
+            if ($context->id != $modcontext->id || !has_capability('mod/data:viewentry', $modcontext)) {
+                return null;
+            }
         }
 
-        $dataid = clean_param($args[3], PARAM_INT);
         $data = $DB->get_record('data', array('id' => $dataid), '*', MUST_EXIST);
-
         if (!rss_enabled_for_mod('data', $data, false, true)) {
             return null;
         }

diff --git a/mod/forum/rsslib.php b/mod/forum/rsslib.php
@@ -44,25 +44,17 @@ function forum_rss_get_feed($context, $args) {
     }
 
     $forumid  = clean_param($args[3], PARAM_INT);
-
-    $uservalidated = false;
-
     $cm = get_coursemodule_from_instance('forum', $forumid, 0, false, MUST_EXIST);
     if ($cm) {
         $modcontext = get_context_instance(CONTEXT_MODULE, $cm->id);
 
         //context id from db should match the submitted one
-        if ($context->id==$modcontext->id && has_capability('mod/forum:viewdiscussion', $modcontext)) {
-            $uservalidated = true;
+        if ($context->id != $modcontext->id || !has_capability('mod/forum:viewdiscussion', $modcontext)) {
+            return null;
         }
     }
 
-    if (!$uservalidated) {
-        return null;
-    }
-
     $forum = $DB->get_record('forum', array('id' => $forumid), '*', MUST_EXIST);
-
     if (!rss_enabled_for_mod('forum', $forum)) {
         return null;
     }

diff --git a/mod/glossary/rsslib.php b/mod/glossary/rsslib.php
@@ -6,22 +6,26 @@
     function glossary_rss_get_feed($context, $args) {
         global $CFG, $DB;
 
+        $status = true;
+
         if (empty($CFG->glossary_enablerssfeeds)) {
             debugging("DISABLED (module configuration)");
             return null;
         }
 
-        $status = true;
+        $glossaryid  = clean_param($args[3], PARAM_INT);
+        $cm = get_coursemodule_from_instance('glossary', $glossaryid, 0, false, MUST_EXIST);
+        if ($cm) {
+            $modcontext = get_context_instance(CONTEXT_MODULE, $cm->id);
 
-        //check capabilities
-        //glossary module doesn't require any capabilities to view glossary entries (aside from being logged in)
-        if (!is_enrolled($context) && !isguestuser()) {
-            return null;
+            //context id from db should match the submitted one
+            //no specific capability required to view glossary entries so just check user is enrolled
+            if ($context->id != $modcontext->id || !is_enrolled($context)) {
+                return null;
+            }
         }
 
-        $glossaryid  = clean_param($args[3], PARAM_INT);
         $glossary = $DB->get_record('glossary', array('id' => $glossaryid), '*', MUST_EXIST);
-
         if (!rss_enabled_for_mod('glossary', $glossary)) {
             return null;
         }