Commit e02e7f5a authored by Damyon Wiese's avatar Damyon Wiese Committed by David Monllaó

MDL-53772 libraries: More context fixes

1. Improve upgrade note
2. Don't abuse $PAGE to get the current course/cm
3. Use validate_context, never $PAGE->set_context()
4. Reset current coursemodule in validate_context().
5. Respect moodlepageclass when calling an external function.
parent e689d68b
...@@ -86,15 +86,15 @@ class course_module_name extends \core\output\inplace_editable { ...@@ -86,15 +86,15 @@ class course_module_name extends \core\output\inplace_editable {
* @return static * @return static
*/ */
public static function update($itemid, $newvalue) { public static function update($itemid, $newvalue) {
global $PAGE;
$context = context_module::instance($itemid); $context = context_module::instance($itemid);
// Check access. // Check access.
\external_api::validate_context($context); \external_api::validate_context($context);
require_capability('moodle/course:manageactivities', $context); require_capability('moodle/course:manageactivities', $context);
// Update value. // Update value.
set_coursemodule_name($PAGE->cm->id, $newvalue); set_coursemodule_name($itemid, $newvalue);
$coursemodulerecord = get_coursemodule_from_id('', $itemid, 0, false, MUST_EXIST);
// Return instance. // Return instance.
$cm = get_fast_modinfo($PAGE->course)->get_cm($PAGE->cm->id); $cm = get_fast_modinfo($coursemodulerecord->course)->get_cm($itemid);
return new static($cm, true); return new static($cm, true);
} }
} }
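Review bot: The new body of `update()` has no comment saying why every lookup after the access check must go through `$itemid`, which is the security-relevant part of this change. `validate_context()` and `require_capability()` are run against the context of `$itemid`, while the old code then wrote to `$PAGE->cm->id`, which is not guaranteed to be the same module when the method is reached through an external call. I would add above the `set_coursemodule_name()` call `// Always act on $itemid: it is the id the context and capability checks above were made for, unlike global $PAGE state.` so a later refactor does not reintroduce page-global lookups. The record from `get_coursemodule_from_id()` is used only for its `course` field, and a short comment saying so would also help.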
...@@ -461,7 +461,7 @@ class core_external extends external_api { ...@@ -461,7 +461,7 @@ class core_external extends external_api {
]); ]);
$context = \context::instance_by_id($contextid); $context = \context::instance_by_id($contextid);
$PAGE->set_context($context); self::validate_context($context);
return \core\notification::fetch_as_array($PAGE->get_renderer('core')); return \core\notification::fetch_as_array($PAGE->get_renderer('core'));
} }
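Review bot: The replaced line deserves a short comment, because nothing at the call site says that `self::validate_context($context)` is an access check and not just page setup. The following `$PAGE->get_renderer('core')` still depends on the page having a context, which `validate_context()` presumably establishes (its body is not in this hunk). A comment such as `// validate_context() performs the access checks for this context and prepares $PAGE; do not replace it with $PAGE->set_context().` would record the intent. The enclosing function starts outside the hunk, so how `$contextid` is cleaned before `\context::instance_by_id()` cannot be confirmed from here.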
......
...@@ -202,8 +202,16 @@ class external_api { ...@@ -202,8 +202,16 @@ class external_api {
$response = array(); $response = array();
try { try {
// Taken straight from from setup.php.
$PAGE = new moodle_page(); if (!empty($CFG->moodlepageclass)) {
if (!empty($CFG->moodlepageclassfile)) {
require_once($CFG->moodlepageclassfile);
}
$classname = $CFG->moodlepageclass;
} else {
$classname = 'moodle_page';
}
$PAGE = new $classname();
$COURSE = clone($SITE); $COURSE = clone($SITE);
if ($ajaxonly && !$externalfunctioninfo->allowed_from_ajax) { if ($ajaxonly && !$externalfunctioninfo->allowed_from_ajax) {
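Review bot: `new $classname()` instantiates whatever string is in `$CFG->moodlepageclass` without checking that it names a `moodle_page` subclass, and `require_once($CFG->moodlepageclassfile)` loads a configured path the same way. Both values presumably come from site configuration and are administrator-controlled, but a typo or stale setting would then surface as a fatal error in the middle of an external call rather than as a clear exception. A guard before the instantiation would make the failure explicit, for example `if (!is_a($classname, 'moodle_page', true)) { throw new coding_exception('Invalid moodlepageclass'); }` (message text is only a suggestion). Since the comment says the logic is copied from setup.php, the same check would belong there too. The enclosing function begins and ends outside the hunk, so how the surrounding `try` handles such a failure is not visible.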
......
...@@ -1568,6 +1568,8 @@ class moodle_page { ...@@ -1568,6 +1568,8 @@ class moodle_page {
$this->_theme = null; $this->_theme = null;
$this->_wherethemewasinitialised = null; $this->_wherethemewasinitialised = null;
$this->_course = null; $this->_course = null;
$this->_cm = null;
$this->_module = null;
$this->_context = null; $this->_context = null;
} }
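Review bot: The two added resets of `$this->_cm` and `$this->_module` carry no comment explaining why they are needed. Going by the commit message they support resetting the current course module in `validate_context()`, and without them a cm set earlier in the request would stay attached to a page whose course and context have just been cleared. I would add `// Also drop the current course module so a cm set earlier in the request cannot outlive the context it belonged to.` above the two lines. The method starts outside the hunk, so its name and other callers cannot be checked from here.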
......
...@@ -7,6 +7,7 @@ information provided here is intended especially for developers. ...@@ -7,6 +7,7 @@ information provided here is intended especially for developers.
only to courses the user is enrolled in, and are visible to them. only to courses the user is enrolled in, and are visible to them.
* External functions that are not calling external_api::validate_context are buggy and will now generate * External functions that are not calling external_api::validate_context are buggy and will now generate
exceptions. Previously they were only generating warnings in the webserver error log. exceptions. Previously they were only generating warnings in the webserver error log.
See https://docs.moodle.org/dev/External_functions_API#Security
* The moodle/blog:associatecourse and moodle/blog:associatemodule capabilities has been removed. * The moodle/blog:associatecourse and moodle/blog:associatemodule capabilities has been removed.
* The following functions has been finally deprecated and can not be used any more: * The following functions has been finally deprecated and can not be used any more:
- profile_display_badges() - profile_display_badges()
......