pawanwiziq / moodlenew-mod_wiziq


missing capability checks. #3

Open danmarsden opened 6 years ago

danmarsden commented 6 years ago

Many files appear to check the user is logged in but do not check any capabilities to see if the user should be able to use the file/download the results etc - this appears to mean that students can download the results for other users, make changes to the wiziq settings.

for example "attendancereport.php" - a login check is made, but no capability check to see if the user is actually allowed to download the report.

The capability is checked in some places before presenting the user with a link to the file - eg: https://github.com/pawanwiziq/moodlenew-mod_wiziq/blob/13b87949e54e8b523035f960c7b71cc4cca4fd1d/view.php#L476

so the user doesn't see the link in the interface. But the attendancereport.php file itself doesn't check to see if the user is allowed to use it.

This appears to be pretty common across a number of files in your plugin - the attendancereport.php example is just one that needs to be fixed.

pawanwiziq commented 5 years ago

Fixed

danmarsden commented 5 years ago

It's still hard to follow and review this. It would be better for you to use the standard Moodle convention of first checking login and then checking capability access using require_capability where possible - rather than burying a has_capability check around the function that displays some code further in. Typically this is done near the top of your page - I recommend you look at existing Moodle code for examples.

eg: https://github.com/moodle/moodle/blob/master/mod/assign/view.php#L25
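The convention recommended above, written out as an added example for a page like attendancereport.php; this is not code from the plugin or from Moodle, and the capability name `mod/wiziq:viewattendancereport` is a placeholder assumption (the plugin's real capability names live in its db/access.php).

```php
<?php
// Added example (not the plugin's own code) of the Moodle convention:
// authenticate, then authorise, at the top of the page, before any output.
require_once(__DIR__ . '/../../config.php');

$id = required_param('id', PARAM_INT); // course module id from the URL

$cm     = get_coursemodule_from_id('wiziq', $id, 0, false, MUST_EXIST);
$course = $DB->get_record('course', array('id' => $cm->course), '*', MUST_EXIST);

// VULNERABLE PATTERN (what the issue describes): only authentication is
// checked. Hiding the link in view.php with has_capability() does nothing
// for a user who requests attendancereport.php?id=N directly, so any
// logged-in student can download the report.
//
//     require_login($course, true, $cm);
//     // ... build and send the report ...

// FIXED PATTERN: authenticate, resolve the module context, then require the
// capability. require_capability() throws required_capability_exception,
// which Moodle renders as an error page, so nothing below runs for a user
// who lacks the capability.
require_login($course, true, $cm);
$context = context_module::instance($cm->id);
require_capability('mod/wiziq:viewattendancereport', $context); // placeholder name

// Only now is it safe to build and send the report.
$PAGE->set_context($context);
$PAGE->set_cm($cm, $course);
// ... build and send the report ...
```

The same three lines belong at the top of every script that serves data or changes settings, not only the page that shows the link; each capability used must also be declared in the plugin's db/access.php with the intended archetype roles.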