MDL-14591 - better security when reawakening an interupted export

ralferlebach · Aug 20, 2008 · beb4ac1 · beb4ac1
1 parent 349242a
commit beb4ac1
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 2 deletions.
diff --git a/lang/en_utf8/portfolio.php b/lang/en_utf8/portfolio.php
@@ -56,6 +56,7 @@
 $string['nonprimative'] = 'A non primative value was passed as a callback argument to portfolio_add_button.  Refusing to continue.  The key was $a->key and the value was $a->value';
 $string['notexportable'] = 'Sorry, but the type of content you are trying to export is not exportable';
 $string['notimplemented'] = 'Sorry, but you are trying to export content in some format that is not yet implemented ($a)';
+$string['notyours'] = 'You are trying to resume a portfolio export that doesn\'t belong to you!';
 $string['nouploaddirectory'] = 'Could not create a temporary directory to package your data into';
 $string['portfolio'] = 'Portfolio';
 $string['portfolios'] = 'Portfolios';

diff --git a/lib/portfoliolib.php b/lib/portfoliolib.php
@@ -1795,6 +1795,8 @@ final class portfolio_exporter {
     */
     private $id;
 
+    private $sesskey;
+
     /**
     * construct a new exporter for use
     *
@@ -1826,7 +1828,7 @@ public function get($field) {
             return $this->{$field};
         }
         $a = (object)array('property' => $field, 'class' => get_class($this));
-        throw new portfolio_export_exception($this, 'invalidproperty', 'portfolio', $a);
+        throw new portfolio_export_exception($this, 'invalidproperty', 'portfolio', '', $a);
     }
 
     /**
@@ -2306,6 +2308,15 @@ private function new_file_record_base($name) {
         );
     }
 
+    public function verify_rewaken() {
+        global $USER;
+        if ($this->get('user')->id != $USER->id) {
+            throw new portfolio_exception('notyours', 'portfolio');
+        }
+        if (!confirm_sesskey($this->get('sesskey'))) {
+            throw new portfolio_exception('confirmsesskeybad');
+        }
+    }
 }
 
 /**

diff --git a/portfolio/add.php b/portfolio/add.php
@@ -10,13 +10,14 @@
 $exporter = null;
 $dataid = 0;
 
-if (!$dataid = optional_param('id') ) {
+if (!$dataid = optional_param('id', '', PARAM_INT) ) {
     if (isset($SESSION->portfolioexport)) {
         $dataid = $SESSION->portfolioexport;
     }
 }
 if ($dataid) {
     $exporter = portfolio_exporter::rewaken_object($dataid);
+    $exporter->verify_rewaken();
     if ($cancel = optional_param('cancel', 0, PARAM_RAW)) {
         $exporter->cancel_request();
     }
@@ -32,6 +33,7 @@
             }
             $instance->set('user', $USER);
             $exporter->set('instance', $instance);
+            $exporter->set('sesskey', sesskey());
             $exporter->save();
         }
     }