From 9aaf4d69d6fbd6f1d9696f9ee51f63cfd209a839 Mon Sep 17 00:00:00 2001 From: NeillM Date: Fri, 30 Aug 2013 09:31:04 +0100 Subject: [PATCH] Security fix changed to use mod/attendance:viewreports capability. Refactored the code. --- view.php | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/view.php b/view.php index 6fd1794..5bd155c 100644 --- a/view.php +++ b/view.php @@ -63,9 +63,14 @@ $PAGE->navbar->add(get_string('attendancereport', 'attendance')); $output = $PAGE->get_renderer('mod_attendance'); -// Only users with proper permissions should be able to see any users individual report. -$userid = (isset($pageparams->studentid) && - ($att->perm->can_manage() || $att->perm->can_take() || $att->perm->can_change())) ? $pageparams->studentid : $USER->id; +if (isset($pageparams->studentid) && has_capability('mod/attendance:viewreports', $PAGE->context)) { + // Only users with proper permissions should be able to see any user's individual report. + $userid = $pageparams->studentid; +} else { + // A valid request to see another users report has not been sent, show the user's own. + $userid = $USER->id; +} + $userdata = new attendance_user_data($att, $userid); echo $output->header();