From feca3fd8a7e4ad9a3ccdaf5520eef46793592bbe Mon Sep 17 00:00:00 2001
From: NeillM
Date: Mon, 2 Sep 2013 09:36:53 +1200
Subject: [PATCH] Security fix to prevent access to other students attendance
---
 view.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/view.php b/view.php
index 5117605..89c61c8 100644
--- a/view.php
+++ b/view.php
@@ -63,7 +63,14 @@
 $PAGE->navbar->add(get_string('attendancereport', 'attendance'));
 $output = $PAGE->get_renderer('mod_attendance');
-$userid = isset($pageparams->studentid) ? $pageparams->studentid : $USER->id;
+if (isset($pageparams->studentid) && $USER->id != $pageparams->studentid) {
+ // Only users with proper permissions should be able to see any user's individual report.
+ require_capability('mod/attendance:viewreports', $PAGE->context);
+ $userid = $pageparams->studentid;
+} else {
+ // A valid request to see another users report has not been sent, show the user's own.
+ $userid = $USER->id;
+}
 $userdata = new attendance_user_data($att, $userid);
 echo $output->header();
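Review bot: The new guard compares `$USER->id != $pageparams->studentid` loosely, and because the two values presumably arrive with different scalar types (the session id from the database, the student id from a request parameter), the comparison that decides whether the capability check runs should be made explicit: `if (isset($pageparams->studentid) && (int) $USER->id !== (int) $pageparams->studentid) {`. The capability check itself relies on `$PAGE->context` being set earlier in view.php, outside this hunk; it authorises the viewer but does not by itself confirm that `studentid` belongs to a participant of this activity, so it is worth checking that `attendance_user_data` (constructed on the following context line) or code before the hunk does that, since the hunk does not show it. The else-branch comment has a typo: `// A valid request to see another user's report has not been sent, show the user's own.`.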