Commit 1fb737b9 authored by Son Nguyen's avatar Son Nguyen

Check if the block instance belongs to the view Bug#1233500

When editing a page, check the ownership of blocks before
1. updating their configuration data
2. deleting/moving them

Change-Id: I0eab3d99ffe908db3b7c2e852dfdaabeafce1497
Signed-off-by: default avatarSon Nguyen <son.nguyen@catalyst.net.nz>
parent f5cebdef
......@@ -200,6 +200,7 @@ $string['canteditdontown'] = 'You cannot edit this page because you do not own i
$string['canteditsubmitted'] = 'You cannot edit this page because it has been submitted for assessment to "%s". You will have to wait until a tutor releases the page.';
$string['Submitted'] = 'Submitted';
$string['submittedforassessment'] = 'Submitted for assessment';
$string['blocknotinview'] = 'The block with ID "%d" is not in the page.';
$string['viewcreatedsuccessfully'] = 'Page created successfully';
$string['viewaccesseditedsuccessfully'] = 'Page access saved successfully';
......
......@@ -1680,6 +1680,10 @@ class View {
}
require_once(get_config('docroot') . 'blocktype/lib.php');
$bi = new BlockInstance($values['id']); // get it so we can reshuffle stuff
// Check if the block_instance belongs to this view
if ($bi->get('view') != $this->get('id')) {
throw new AccessDeniedException(get_string('blocknotinview', 'view', $bi->get('id')));
}
db_begin();
$bi->delete();
$this->shuffle_column($bi->get('column'), null, $bi->get('order'));
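Review bot: The new guard compares the two ids loosely, so a null `view` on the block instance (a record that failed to load, if the constructor does not throw) compares equal to `0` and the check cannot tell a missing view from a matching one; normalising both sides, `if ((int) $bi->get('view') !== (int) $this->get('id')) {`, keeps the int/string tolerance the database values need while making the intent explicit. The same four lines are repeated in the hunks at 1704 and 1843 and again in view/blocks.php; one private helper on View, say `assert_block_in_view(BlockInstance $bi)`, that throws the AccessDeniedException would keep the check in a single place so a future call site cannot forget it. The guard itself is correctly placed before `db_begin()` and the mutation, and it relies on the caller having already established that the current user may edit `$this` view, which this hunk cannot show. The enclosing method starts outside the hunk.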
......@@ -1704,6 +1708,10 @@ class View {
}
require_once(get_config('docroot') . 'blocktype/lib.php');
$bi = new BlockInstance($values['id']);
// Check if the block_instance belongs to this view
if ($bi->get('view') != $this->get('id')) {
throw new AccessDeniedException(get_string('blocknotinview', 'view', $bi->get('id')));
}
db_begin();
// moving within the same column
if ($bi->get('column') == $values['column']) {
......@@ -1843,6 +1851,10 @@ class View {
public function configureblockinstance($values) {
require_once(get_config('docroot') . 'blocktype/lib.php');
$bi = new BlockInstance($values['id']);
// Check if the block_instance belongs to this view
if ($bi->get('view') != $this->get('id')) {
throw new AccessDeniedException(get_string('blocknotinview', 'view', $bi->get('id')));
}
return $bi->render_editing(true);
}
......
......@@ -84,6 +84,10 @@ if ($blockid = param_integer('blockconfig', 0)) {
if (!isset($_POST['cancel_action_configureblockinstance_id_' . $blockid]) || !param_integer('removeoncancel', 0) || param_integer('pieform_jssubmission', 0)) {
require_once(get_config('docroot') . 'blocktype/lib.php');
$bi = new BlockInstance($blockid);
// Check if the block_instance belongs to this view
if ($bi->get('view') != $view->get('id')) {
throw new AccessDeniedException(get_string('blocknotinview', 'view', $bi->get('id')));
}
$bi->build_configure_form();
}
}
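Review bot: The ownership check is only reached when the condition on the first line of the hunk holds, so a cancel submission with `removeoncancel` set and no JS submission skips both the BlockInstance load and the check for `$blockid`. Whether that path later removes the block through View::removeblockinstance, which this commit does guard, cannot be seen here, but hoisting `$bi = new BlockInstance($blockid);` and the four check lines above the inner `if` would make every path through this branch verify that the block belongs to `$view` before anything acts on it. The outer `if ($blockid = param_integer('blockconfig', 0))` starts outside the hunk, as the hunk header shows.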
......