Commit e02e7f5a authored by Damyon Wiese's avatar Damyon Wiese Committed by David Monllaó

MDL-53772 libraries: More context fixes

1. Improve upgrade note
2. Don't abuse $PAGE to get the current course/cm
3. Use validate_context, never $PAGE->set_context()
4. Reset current coursemodule in validate_context().
5. Respect moodlepageclass when calling an external function.
parent e689d68b
......@@ -86,15 +86,15 @@ class course_module_name extends \core\output\inplace_editable {
* @return static
*/
public static function update($itemid, $newvalue) {
global $PAGE;
$context = context_module::instance($itemid);
// Check access.
\external_api::validate_context($context);
require_capability('moodle/course:manageactivities', $context);
// Update value.
set_coursemodule_name($PAGE->cm->id, $newvalue);
set_coursemodule_name($itemid, $newvalue);
$coursemodulerecord = get_coursemodule_from_id('', $itemid, 0, false, MUST_EXIST);
// Return instance.
$cm = get_fast_modinfo($PAGE->course)->get_cm($PAGE->cm->id);
$cm = get_fast_modinfo($coursemodulerecord->course)->get_cm($itemid);
return new static($cm, true);
}
}
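Review bot: `$newvalue` reaches `set_coursemodule_name()` on the new side exactly as the caller supplied it; nothing in the visible body of `update()` cleans or trims it. Unless `set_coursemodule_name()` already normalises the name (not visible on this page), clean it at this boundary, for example `set_coursemodule_name($itemid, clean_param($newvalue, PARAM_TEXT));`. A short comment above that call would also help, stating that the write must use `$itemid` because that is the id the `validate_context()` and `require_capability()` checks were made against, so a `$PAGE->cm` lookup is not reintroduced later.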
......@@ -461,7 +461,7 @@ class core_external extends external_api {
]);
$context = \context::instance_by_id($contextid);
$PAGE->set_context($context);
self::validate_context($context);
return \core\notification::fetch_as_array($PAGE->get_renderer('core'));
}
......
......@@ -202,8 +202,16 @@ class external_api {
$response = array();
try {
$PAGE = new moodle_page();
// Taken straight from from setup.php.
if (!empty($CFG->moodlepageclass)) {
if (!empty($CFG->moodlepageclassfile)) {
require_once($CFG->moodlepageclassfile);
}
$classname = $CFG->moodlepageclass;
} else {
$classname = 'moodle_page';
}
$PAGE = new $classname();
$COURSE = clone($SITE);
if ($ajaxonly && !$externalfunctioninfo->allowed_from_ajax) {
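Review bot: `new $classname()` instantiates whatever `$CFG->moodlepageclass` names without checking that the class exists or extends `moodle_page`, so a wrong value may surface inside this `try` as a PHP error rather than a clear configuration failure (the catch clause is outside the hunk). A guard before the `new`, such as `if (!is_a($classname, 'moodle_page', true)) { throw new coding_exception('Invalid moodlepageclass'); }`, would make the expectation explicit. The block is also a copy of the setup.php logic, and its comment has a doubled "from"; moving the class selection into one shared helper would keep the two places from drifting. The enclosing function starts and ends outside the hunk.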
......
......@@ -1568,6 +1568,8 @@ class moodle_page {
$this->_theme = null;
$this->_wherethemewasinitialised = null;
$this->_course = null;
$this->_cm = null;
$this->_module = null;
$this->_context = null;
}
......
......@@ -7,6 +7,7 @@ information provided here is intended especially for developers.
only to courses the user is enrolled in, and are visible to them.
* External functions that are not calling external_api::validate_context are buggy and will now generate
exceptions. Previously they were only generating warnings in the webserver error log.
See https://docs.moodle.org/dev/External_functions_API#Security
* The moodle/blog:associatecourse and moodle/blog:associatemodule capabilities has been removed.
* The following functions has been finally deprecated and can not be used any more:
- profile_display_badges()
......