Closed daniil-berg closed 2 years ago
I'm sorry to disappoint you, but also having admin rights (or teacher rights), I can simply wipe all courses. May I suggest you have a look at the Risks section in: https://docs.moodle.org/311/en/Risks
For us, whoever is able to grade a question/quiz is a trusted person, so this check is sufficient for us. Should you want an extra check, please share your idea; as far as I know, all checks land you in the Risks outlined in the link above.
In `getannotation.php` and `saveannotation.php` there aren't any permission checks preventing someone from accessing arbitrary annotation data and saving unlimited amounts of data to the DB respectively, as long as he has the `mod/quiz:grade` permission. In the first case this is a potential data leak, in the second case this opens the door for flooding the database because there are no checks made with `$attemptid` and `$attemptcount`. (Someone could just create new database entries just by changing those parameters.)
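The two checks the report asks for, written as an added illustration that is not the plugin's code and not from either participant. It uses Moodle 3.11 core APIs that exist as shown (`required_param`, `require_login`, `require_capability`, `quiz_attempt::create` from `mod/quiz/locallib.php`, and `$DB`); the table name `quiz_annotations`, its columns, the `annotation` request parameter, the 64 KiB size cap and the assumption that `$attemptcount` indexes a question slot within the attempt are all placeholders for whatever the plugin actually uses. The point is that `$attemptid` is resolved to a real attempt before any capability check, the capability is checked in that attempt's own context, `$attemptcount` must belong to that attempt, and a save overwrites rather than appends, so the set of reachable rows is bounded.

```php
<?php
// Added example, not the plugin's code. Table/column names, the 'annotation'
// parameter and the size cap are assumptions; the Moodle calls are real.
require_once(__DIR__ . '/../../config.php');
require_once($CFG->dirroot . '/mod/quiz/locallib.php');

const ANNOTATION_MAX_BYTES = 65536; // assumed cap on one annotation payload

$attemptid    = required_param('attemptid', PARAM_INT);
$attemptcount = required_param('attemptcount', PARAM_INT); // assumed: question slot in the attempt
$annotation   = optional_param('annotation', null, PARAM_RAW);

// 1. Resolve the attempt first. quiz_attempt::create() fails for an id that does
//    not exist, so an arbitrary $attemptid cannot address rows for a non-attempt.
$attemptobj = quiz_attempt::create($attemptid);

// 2. Check the capability in the attempt's own quiz context, not in "some" quiz
//    the caller can grade: a grader in course A gets nothing from attempts in course B.
require_login($attemptobj->get_course(), false, $attemptobj->get_cm());
require_capability('mod/quiz:grade', $attemptobj->get_context());

// 3. Only accept a slot that is part of this attempt, so the (attemptid, attemptcount)
//    pair cannot be varied freely to read or create unrelated rows.
if (!in_array($attemptcount, $attemptobj->get_slots(), true)) {
    throw new invalid_parameter_exception('attemptcount is not a slot of this attempt');
}

$key = ['attemptid' => $attemptid, 'attemptcount' => $attemptcount];

if ($annotation === null) {
    // getannotation.php path: read only the row for the validated pair.
    $record = $DB->get_record('quiz_annotations', $key);
    echo json_encode(['annotation' => $record ? $record->annotation : '']);
    exit;
}

// saveannotation.php path: bound the payload size and upsert, so repeated
// saves overwrite one row instead of adding a new one each time.
if (strlen($annotation) > ANNOTATION_MAX_BYTES) {
    throw new invalid_parameter_exception('annotation exceeds size limit');
}

$record = (object) ($key + ['annotation' => $annotation, 'timemodified' => time()]);
$existing = $DB->get_record('quiz_annotations', $key, 'id');
if ($existing) {
    $record->id = $existing->id;
    $DB->update_record('quiz_annotations', $record);
} else {
    $record->timecreated = $record->timemodified;
    $DB->insert_record('quiz_annotations', $record);
}
echo json_encode(['status' => 'ok']);
```

Whether the maintainer's trust model makes this worth doing is the thread's open question; the example only shows that the check is cheap, since `quiz_attempt::create()` already loads the course module and context that `require_capability()` needs, and that a unique index on `(attemptid, attemptcount)` in the plugin's install XML would enforce the upsert invariant at the database level as well.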