Closed mudrd8mz closed 8 years ago
I have added the require_login function call and the define('AJAX_SCRIPT') lines to import.php. I also added the current user id to any imported images in the files table. I assume that this means no other user can modify or delete them.
I assume that this means no other user can modify or delete them.
Why do you think so? https://github.com/moodle/moodle/blob/master/lib/filestorage/stored_file.php#L331 It is the caller that is responsible for access control, not this low-level API.
Currently, if I read correctly, every logged-in user can still remove any file from any other user's draft area. If that is abused by an automated script that does it in a loop across the whole site, it can easily prevent users from uploading new files (as they will be deleted before they are saved into the final file area).
I have added an additional constraint that only files from the current user's context are retrieved, which I hope resolves this issue.
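The constraint discussed above, shown as an added PHP illustration rather than the plugin's actual import.php: the draft-area context is derived from the logged-in user instead of being taken from the request, so the low-level storage API is only ever asked to delete files the caller owns. The request parameter names (`itemid`, `filename`) and the JSON response are assumptions; the Moodle API calls (`require_login`, `require_sesskey`, `context_user::instance`, `get_file_storage`, `stored_file::get_userid`, `stored_file::delete`) are core Moodle functions.

```php
<?php
// Added example, not the plugin's own import.php. Demonstrates restricting
// draft-file deletion to the current user's own draft area so that the
// storage layer (which does no access control itself) is never handed
// another user's file.

define('AJAX_SCRIPT', true);
require_once(__DIR__ . '/../../config.php');

require_login();      // no anonymous access to the endpoint
require_sesskey();    // CSRF token check for a state-changing AJAX request

// Assumed request parameters identifying the draft file to remove.
$itemid   = required_param('itemid', PARAM_INT);
$filename = required_param('filename', PARAM_FILE);

$fs = get_file_storage();

// Insufficient variant (what the thread describes): taking the context id
// from the request lets any logged-in user target any other user's draft area.
//   $contextid = required_param('contextid', PARAM_INT);

// Constrained variant: draft files always live in the owner's user context,
// component 'user', file area 'draft'. Derive that context from $USER, so the
// lookup can only ever resolve to the caller's own files.
$usercontext = context_user::instance($USER->id);

$file = $fs->get_file($usercontext->id, 'user', 'draft', $itemid, '/', $filename);
if (!$file) {
    throw new moodle_exception('filenotfound', 'error');
}

// Defence in depth: the user id stored with the file at upload time must
// match the caller as well, in case a file ever lands in the wrong context.
if ((int)$file->get_userid() !== (int)$USER->id) {
    throw new moodle_exception('nopermissions', 'error', '', 'delete this file');
}

$file->delete();

echo json_encode(['status' => 'ok', 'deleted' => $filename]);
```

Because the context id never comes from the client, a looping script as described in the thread can only delete its own author's draft files; other users' pending uploads are unaffected.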
I have released a new version (v0.0.9), but as the plugin status is currently "Waiting for approval", I cannot request re-approval.
I have released a new version (v0.9.1) to automate the installation process and support the import of equations.
As far as I can see, there are multiple issues with the import.php file