Security issue

[OlenaTatarintseva]

Hello,

First of all I want to say thank you for you work with the plugin.

I reviewed it and found the lack of require_login() and require_course_login() call in files:

• blocks/analytics_graphs/turnitin.php
• blocks/analytics_graphs/timeaccesseschart.php (accessed by not logged users)
• blocks/analytics_graphs/quiz.php
• blocks/analytics_graphs/hotpot.php
• blocks/analytics_graphs/assign.php It should be added according to: https://docs.moodle.org/dev/Security#Authenticate_the_user I tested it for url: blocks/analytics_graphs/timeaccesseschart.php?id=9&days=7 and found it can be displayed without logging. When I clicked on the chart bar it showed the student name and last name - this is security issue.

I noticed also the lack MOODLE_INTERNAL checking:

• blocks/analytics_graphs/classes/provider.php It should be checked according to: https://docs.moodle.org/dev/Coding_style#Require_.2F_include

Best regards, Olena Tatarintseva

[marceloschmitt]

Fixed in Master brach that will be release as 4.2 until August 26.