Closed danmarsden closed 2 years ago
controller.php looks like it needs some capability checks in a few places too.
for example - I see a capability check when someone cancels the form, but I don't actually see a capability check occurring when they post data to the form.
I checked and tested the code. The function for the action === review part of action.php, which you mention, was no longer being called and was irrelevant. I guess we just forgot to remove it. I have done so now in this commit.
the action.php file seems to check if the user is logged in and enrolled in the course, but I suspect actions like approve/reject should be wrapped in a has_capability check against mod/cardbox:approvecard or some of your other capabilities.
You should check to make sure the user has the capability required for each action.
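The pattern the reviewer is asking for, both for action.php and for the form POST in controller.php, is a per-action capability check in the module context on top of require_login. The following is an added example, not code from the mod_cardbox project; it assumes the capabilities mod/cardbox:approvecard and mod/cardbox:submitcard exist in db/access.php and that cardbox_approve_card(), cardbox_reject_card() and cardbox_submit_card() are the plugin's own handlers (those three names are assumed here).

```php
<?php
// Added example (not mod_cardbox's own code): gate every action.php action
// behind the capability it needs. Assumed names: the two capabilities below
// and the cardbox_*_card() handler functions.

require_once(__DIR__ . '/../../config.php');

$cmid   = required_param('id', PARAM_INT);
$action = required_param('action', PARAM_ALPHA);
$cardid = optional_param('cardid', 0, PARAM_INT);

$cm      = get_coursemodule_from_id('cardbox', $cmid, 0, false, MUST_EXIST);
$course  = get_course($cm->course);
$context = context_module::instance($cm->id);

// Logged in and enrolled is necessary but not sufficient: every student
// in the course satisfies it, so it says nothing about who may approve.
require_login($course, true, $cm);

// Map each action to the capability it requires. Anything not listed here
// is refused, so a new action cannot be reached without a deliberate entry.
$actioncaps = [
    'approve' => 'mod/cardbox:approvecard',   // assumed capability name
    'reject'  => 'mod/cardbox:approvecard',   // assumed capability name
    'submit'  => 'mod/cardbox:submitcard',    // assumed capability name
];

if (!isset($actioncaps[$action])) {
    throw new moodle_exception('invalidaction', 'error', '', $action);
}

// State-changing requests must carry a valid session key (CSRF protection),
// whether they arrive via a link or via a form POST.
require_sesskey();

// Checked in the module context; throws required_capability_exception
// (rendered as a "no permissions" error) when the user lacks it.
require_capability($actioncaps[$action], $context);

switch ($action) {
    case 'approve':
        cardbox_approve_card($cardid, $context);   // assumed plugin function
        break;
    case 'reject':
        cardbox_reject_card($cardid, $context);    // assumed plugin function
        break;
    case 'submit':
        cardbox_submit_card($cardid, $context);    // assumed plugin function
        break;
}

redirect(new moodle_url('/mod/cardbox/view.php', ['id' => $cm->id]));
```

The same `require_capability()` call belongs in controller.php immediately before the POSTed form data is processed, not only on the cancel branch; checking on cancel alone leaves the submit path open to any enrolled user.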