Commit c61e50c4 authored by Richard Mansfield's avatar Richard Mansfield

Check view permission when paginating blog blocks (bug #771653)



Change-Id: Ib9822c15d7e2c015bdf01e31ef79e1d9f8b35507
Signed-off-by: default avatarRichard Mansfield <richard.mansfield@catalyst.net.nz>
parent 87940642
...@@ -37,6 +37,9 @@ $offset = param_integer('offset', 0); ...@@ -37,6 +37,9 @@ $offset = param_integer('offset', 0);
if ($blockid = param_integer('block', null)) { if ($blockid = param_integer('block', null)) {
$bi = new BlockInstance($blockid); $bi = new BlockInstance($blockid);
if (!can_view_view($bi->get('view'))) {
json_reply(true, get_string('accessdenied', 'error'));
}
$configdata = $bi->get('configdata'); $configdata = $bi->get('configdata');
$limit = isset($configdata['count']) ? $configdata['count'] : 5; $limit = isset($configdata['count']) ? $configdata['count'] : 5;
$configdata['countcomments'] = true; $configdata['countcomments'] = true;
...@@ -56,6 +59,9 @@ else { ...@@ -56,6 +59,9 @@ else {
$limit = param_integer('limit', ArtefactTypeBlog::pagination); $limit = param_integer('limit', ArtefactTypeBlog::pagination);
$blogid = param_integer('artefact'); $blogid = param_integer('artefact');
$viewid = param_integer('view'); $viewid = param_integer('view');
if (!can_view_view($viewid)) {
json_reply(true, get_string('accessdenied', 'error'));
}
$options = array('viewid' => $viewid); $options = array('viewid' => $viewid);
$posts = ArtefactTypeBlogpost::get_posts($blogid, $limit, $offset, $options); $posts = ArtefactTypeBlogpost::get_posts($blogid, $limit, $offset, $options);
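Review bot: In the second hunk the added check binds access only to `$viewid`, but `$blogid` is read independently from the request and passed straight to `ArtefactTypeBlogpost::get_posts($blogid, ...)`, so a user who can view any one view could paginate the posts of a blog that is not placed in that view, unless `get_posts` itself enforces membership through `$options['viewid']` (not visible here). I would add, right after the `can_view_view` guard, a check that the blog artefact is actually present in `$viewid` using whatever artefact-in-view helper this codebase provides, replying `json_reply(true, get_string('accessdenied', 'error'))` on failure, and I would note the assumption with `// $blogid is client-supplied; confirm it belongs to $viewid before fetching`. The same question applies to the first hunk, where `$bi->get('view')` comes from the block row but `$blockid` is arbitrary; a non-existent block id presumably throws in `BlockInstance`, but that is worth confirming. Both guards also rely on `json_reply()` terminating the request — if it only prints, the fetch below still runs. The enclosing `else` branch ends outside the hunk.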
......