Commit d265d0b2 authored by Nigel McNie's avatar Nigel McNie
Browse files

Use the actual group ID on on the interaction delete page, rather than the...

Use the actual group ID on on the interaction delete page, rather than the interaction ID. Fixes #2241.

This was potentially a small security hole too - before, it would allow users who had permissions to delete a forum with an ID the same as an interaction they were allowed control over. But it's a terribly blind attack at the best of times.
parent d49f1ab0
......@@ -37,7 +37,7 @@ $id = param_integer('id');
$instance = interaction_instance_from_id($id);
if (!$group = get_record('group', 'id', $id, 'deleted', 0)) {
if (!$group = get_record('group', 'id', $instance->get('group'), 'deleted', 0)) {
throw new GroupNotFoundException(get_string('groupnotfound', 'group', $id));
}
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment