H5P does not respect multisite's maximum upload file size

[greatislander]

Description of Issue

The H5P plugin allows users to bypass the maximum upload file size of a WordPress Multisite network as defined in Network Settings → Upload Settings → Max upload file size (default: 1500kb).

Steps to Reproduce

1. Create a new WordPress Multisite network.
2. Verify that the max upload file size is set to 1500kb.
3. Navigate to H5P Content → Add New → Upload.
4. Attempt to upload an H5P file that is larger than 1500kb.

Expected Behaviour

The file upload fails with a descriptive message informing the user that the file is larger than the network's maximum upload file size.

Actual Behaviour

The file uploads, bypassing the network's settings.

[SteelWagstaff]

Seconded!

[fnoks]

Thank you for reporting this. I have created an issue here: https://h5ptechnology.atlassian.net/browse/HFP-2084

[SteelWagstaff]

Looks like a similar issue exists for Moodle as well: https://github.com/h5p/h5p-moodle-plugin/issues/200.

[greatislander]

Specifically, this issue is in https://github.com/h5p/h5p-editor-php-library/blob/master/h5peditor-file.class.php. The upload file size verification in the WordPress plugin admin class handles updating H5P activities via the activity management interface. However since uploading .h5p files and other file types (e.g. videos for the interactive video activity type) uses the more generic H5peditorFile PHP class to handle the AJAX operation, the WordPress (and Moodle) file size restrictions are not applied.

In order to resolve the issue, the H5peditorFile validation routine would need to be modifiable by specific implementations (WordPress, Moodle as per https://github.com/h5p/h5p-moodle-plugin/issues/200) so as to allow additional validation steps.