check.php potentially allows students to access other students files.
danmarsden opened this issue · 1 comments
Your security checking looks slightly better than last time, but you are still passing the file id as a param and do not check to see if the current user should be able to view this specific file - you are only checking to see if the file is part of an assignment the user can view.
You could first check if the user has 'mod/assign:grade' and if so - the current behaviour is ok - because that user can view "all" assignments, but if they don't have 'mod/assign:grade' then you need to check to see if the logged in user should be able to access the fileid being passed - you can't always rely on the submitter id either, because of group assignments etc.
You also need to implement similar checks in your report.php file.
This stuff is slightly easier for plugins that submit all files to the external service based on the internal events - the server sends all files and retrieves information about scores/links and then moodle takes care of most of the permission checking - because if they can see the file - it runs the get_links command with the appropriate commands and you just make get_links show the relevant information inline.
check.php and report.php had been removed from plugin. Now plugin uses get_links only, without custom pages.