MDL-28350 prevent bogus role assignment via externallib

moodlechick · Jul 15, 2011 · d20f655 · d20f655
1 parent ecb8829
commit d20f655
Showing 1 changed file with 13 additions and 1 deletion.
diff --git a/enrol/externallib.php b/enrol/externallib.php
@@ -121,7 +121,7 @@ public static function get_enrolled_users($courseid, $withcapability = null, $gr
             $profilimgurlsmall = moodle_url::make_pluginfile_url($enrolleduser->usercontextid, 'user', 'icon', NULL, '/', 'f2');
             $resultuser = array(
                 'courseid' => $enrolleduser->courseid,
-                'userid' => $enrolleduser->userid, 
+                'userid' => $enrolleduser->userid,
                 'fullname' => fullname($enrolleduser),
                 'profileimgurl' => $profilimgurl->out(false),
                 'profileimgurlsmall' => $profilimgurlsmall->out(false)
@@ -271,6 +271,12 @@ public static function role_assign($assignments) {
             self::validate_context($context);
             require_capability('moodle/role:assign', $context);
 
+            // throw an exception if user is not able to assign the role in this context
+            $roles = get_assignable_roles($context, ROLENAME_SHORT);
+            if (!key_exists($assignment['roleid'], $roles)) {
+                throw new invalid_parameter_exception('Can not assign roleid='.$assignment['roleid'].' in contextid='.$assignment['contextid']);
+            }
+
             role_assign($assignment['roleid'], $assignment['userid'], $assignment['contextid']);
         }
 
@@ -327,6 +333,12 @@ public static function role_unassign($unassignments) {
             self::validate_context($context);
             require_capability('moodle/role:assign', $context);
 
+            // throw an exception if user is not able to unassign the role in this context
+            $roles = get_assignable_roles($context, ROLENAME_SHORT);
+            if (!key_exists($unassignment['roleid'], $roles)) {
+                throw new invalid_parameter_exception('Can not unassign roleid='.$unassignment['roleid'].' in contextid='.$unassignment['contextid']);
+            }
+
             role_unassign($unassignment['roleid'], $unassignment['userid'], $unassignment['contextid']);
         }