PlagiarismCheck / moodle-plagiarism_pchkorg

Plagiarismcheck.org is a sophisticated similarity search engine. We advocate for bringing technology into academics to help instructors save time and motivate students to write better papers.
https://plagiarismcheck.org
GNU General Public License v3.0

check.php potentially allows students to access other students files. #21

Closed danmarsden closed 5 years ago

danmarsden commented 5 years ago

Your security checking looks slightly better than last time, but you are still passing the file id as a param and do not check to see if the current user should be able to view this specific file - you are only checking to see if the file is part of an assignment the user can view.

You could first check if the user has 'mod/assign:grade' and if so - the current behaviour is ok - because that user can view "all" assignments, but if they don't have 'mod/assign:grade' then you need to check to see if the logged in user should be able to access the fileid being passed - you can't always rely on the submitter id either, because of group assignments etc.

You also need to implement similar checks in your report.php file.

This stuff is slightly easier for plugins that submit all files to the external service based on the internal events - the server sends all files and retrieves information about scores/links and then moodle takes care of most of the permission checking - because if they can see the file - it runs the get_links command with the appropriate commands and you just make get_links show the relevant information inline.
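One way to implement the per-file check described in this comment, as an added example that is not the plugin's own code: a grader with 'mod/assign:grade' may see any file in the activity; anyone else must be the submitter or, for group submissions, a member of the owning group. It assumes the file is an assignment submission file (component 'assignsubmission_file', itemid = the assign_submission id) and that cmid and fileid arrive as request parameters; the function name pchkorg_can_view_submission_file is hypothetical.

```php
<?php
// Added example (not plugin code): resolve the requested file to its
// submission and decide whether the logged-in user may see it, instead of
// only checking that the user can view the assignment.
require_once(__DIR__ . '/../../config.php');

$cmid   = required_param('cmid', PARAM_INT);
$fileid = required_param('fileid', PARAM_INT);

list($course, $cm) = get_course_and_cm_from_cmid($cmid, 'assign');
require_login($course, false, $cm);
$context = context_module::instance($cm->id);

// The file must live in this activity's context and be a submission file;
// a file id from another activity is rejected before any lookup.
$file = get_file_storage()->get_file_by_id($fileid);
if (!$file || (int)$file->get_contextid() !== (int)$context->id
        || $file->get_component() !== 'assignsubmission_file') {
    throw new moodle_exception('nopermissions', 'error', '', 'view this file');
}

// itemid is the submission id; also require that the submission belongs to
// this assignment instance, so the file cannot be mapped to a foreign submission.
$submission = $DB->get_record('assign_submission',
    ['id' => $file->get_itemid(), 'assignment' => $cm->instance], '*', MUST_EXIST);

if (!pchkorg_can_view_submission_file($submission, $context)) {
    throw new moodle_exception('nopermissions', 'error', '', 'view this file');
}
send_stored_file($file, 0, 0, true);

/**
 * Graders may view everything in the activity; otherwise the viewer must be
 * the submitter, or a member of the group that owns a group submission.
 * (Hypothetical helper name.)
 */
function pchkorg_can_view_submission_file(stdClass $submission, context_module $context): bool {
    global $USER;
    if (has_capability('mod/assign:grade', $context)) {
        return true;
    }
    if (!empty($submission->userid) && (int)$submission->userid === (int)$USER->id) {
        return true;
    }
    // Group assignments: the submission carries a groupid instead of a userid.
    if (!empty($submission->groupid) && groups_is_member($submission->groupid, $USER->id)) {
        return true;
    }
    return false;
}
```

The same helper would be called from report.php before rendering any per-file report, as the comment asks.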

JaneAdelmann commented 5 years ago

check.php and report.php have been removed from the plugin. The plugin now uses get_links only, without custom pages.