mebis-lp / moodle-mod_mootimeter


missing validate context calls in external functions. #83

Closed danmarsden closed 4 months ago

danmarsden commented 4 months ago

pretty much as soon as possible after your validate parameters calls you should have some validate context and capability checks.

you do have a helper class which calls various functions but those functions are inconsistent about checking "can this user calling the webservice actually perform this task?"

more info on this is here: https://moodledev.io/docs/apis/subsystems/external/writing-a-service#context-and-capability-checks

ideally those checks should sit right in the execute function and not inside your helper class so it's really easy to review from a security perspective.

note this is a blocker for plugins db approval.
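The ordering danmarsden describes, as an added illustration that is not code from mod_mootimeter or from the linked commit: validate_parameters() first, then validate_context() and require_capability() directly in execute(), and only after that the call into the helper. The class name delete_page, the table name mootimeter_pages, the capability mod/mootimeter:moderator and the helper method helper::delete_page() are all hypothetical names chosen for the example; the core_external namespace assumes Moodle 4.2 or later.

```php
<?php
// Added example, not mod_mootimeter's own code. Demonstrates the check order
// requested in the issue. Class, table, capability and helper names are
// hypothetical; only the core_external / validate_* / require_capability calls
// are real Moodle APIs.

namespace mod_mootimeter\external;

use core_external\external_api;
use core_external\external_function_parameters;
use core_external\external_single_structure;
use core_external\external_value;

class delete_page extends external_api {

    public static function execute_parameters(): external_function_parameters {
        return new external_function_parameters([
            'pageid' => new external_value(PARAM_INT, 'ID of the page to delete'),
        ]);
    }

    public static function execute(int $pageid): array {
        global $DB;

        // 1. Type/format validation only. This says nothing yet about whether
        //    the caller is allowed to touch this page, which is the gap the
        //    issue points at: a function that stops here and calls the helper
        //    lets any logged-in user with the service enabled delete any page.
        ['pageid' => $pageid] = self::validate_parameters(
            self::execute_parameters(),
            ['pageid' => $pageid]
        );

        // 2. Resolve the target record and derive its context from the
        //    database, never from anything the client sent.
        //    (mootimeter_pages is a hypothetical table name.)
        $page = $DB->get_record('mootimeter_pages', ['id' => $pageid], '*', MUST_EXIST);
        $cm = get_coursemodule_from_instance('mootimeter', $page->instance, 0, false, MUST_EXIST);
        $context = \context_module::instance($cm->id);

        // 3. Context check: throws unless the user is logged in, can access the
        //    course and module, and the session is valid.
        self::validate_context($context);

        // 4. Capability check, sitting right here in execute() so a reviewer
        //    sees it without opening the helper class. Capability name is
        //    hypothetical.
        require_capability('mod/mootimeter:moderator', $context);

        // 5. Only now delegate the actual work. The helper may repeat the
        //    capability check, but it must not be the only place it happens.
        \mod_mootimeter\helper::delete_page($page);

        return ['success' => true];
    }

    public static function execute_returns(): external_single_structure {
        return new external_single_structure([
            'success' => new external_value(PARAM_BOOL, 'True if the page was deleted'),
        ]);
    }
}
```

The practical test for each external function is to read execute() top to bottom and confirm that validate_context() and a require_capability() (or has_capability() with an explicit failure path) appear before the first call that reads or writes plugin data; if the only authorisation lives inside a helper method, a later refactor of the helper can silently drop it.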

PhMemmel commented 4 months ago

Whoopsie, that one slipped through. Thank you very much for reporting, fixed by 2540c477b37583fe92c7dfce056a90d6e92abb04.