security fixes
sokunthearithmakara committed Jan 25, 2024
1 parent 7dfb4ce commit b6279ab
Showing 13 changed files with 222 additions and 83 deletions.
117 changes: 117 additions & 0 deletions .github/workflows/ci.yml
@@ -0,0 +1,117 @@
name: Moodle Plugin CI

on: [push, pull_request]

jobs:
test:
runs-on: ubuntu-22.04

services:
postgres:
image: postgres:13
env:
POSTGRES_USER: 'postgres'
POSTGRES_HOST_AUTH_METHOD: 'trust'
ports:
- 5432:5432
options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 3

mariadb:
image: mariadb:10
env:
MYSQL_USER: 'root'
MYSQL_ALLOW_EMPTY_PASSWORD: "true"
MYSQL_CHARACTER_SET_SERVER: "utf8mb4"
MYSQL_COLLATION_SERVER: "utf8mb4_unicode_ci"
ports:
- 3306:3306
options: --health-cmd="mysqladmin ping" --health-interval 10s --health-timeout 5s --health-retries 3

strategy:
fail-fast: false
matrix:
php: ['7.4', '8.0', '8.1']
moodle-branch: ['MOODLE_401_STABLE']
database: [pgsql, mariadb]

steps:
- name: Check out repository code
uses: actions/checkout@v3
with:
path: plugin

- name: Setup PHP ${{ matrix.php }}
uses: shivammathur/setup-php@v2
with:
php-version: ${{ matrix.php }}
extensions: ${{ matrix.extensions }}
ini-values: max_input_vars=5000
# If you are not using code coverage, keep "none". Otherwise, use "pcov" (Moodle 3.10 and up) or "xdebug".
# If you try to use code coverage with "none", it will fallback to phpdbg (which has known problems).
coverage: none

- name: Initialise moodle-plugin-ci
run: |
composer create-project -n --no-dev --prefer-dist moodlehq/moodle-plugin-ci ci ^4
echo $(cd ci/bin; pwd) >> $GITHUB_PATH
echo $(cd ci/vendor/bin; pwd) >> $GITHUB_PATH
sudo locale-gen en_AU.UTF-8
echo "NVM_DIR=$HOME/.nvm" >> $GITHUB_ENV
- name: Install moodle-plugin-ci
run: moodle-plugin-ci install --plugin ./plugin --db-host=127.0.0.1
env:
DB: ${{ matrix.database }}
MOODLE_BRANCH: ${{ matrix.moodle-branch }}
# Uncomment this to run Behat tests using the Moodle App.
# MOODLE_APP: 'true'

- name: PHP Lint
if: ${{ !cancelled() }}
run: moodle-plugin-ci phplint

- name: PHP Copy/Paste Detector
continue-on-error: true # This step will show errors but will not fail
if: ${{ !cancelled() }}
run: moodle-plugin-ci phpcpd

- name: PHP Mess Detector
continue-on-error: true # This step will show errors but will not fail
if: ${{ !cancelled() }}
run: moodle-plugin-ci phpmd

- name: Moodle Code Checker
if: ${{ !cancelled() }}
run: moodle-plugin-ci phpcs --max-warnings 0

- name: Moodle PHPDoc Checker
if: ${{ !cancelled() }}
run: moodle-plugin-ci phpdoc --max-warnings 0

- name: Validating
if: ${{ !cancelled() }}
run: moodle-plugin-ci validate

- name: Check upgrade savepoints
if: ${{ !cancelled() }}
run: moodle-plugin-ci savepoints

- name: Mustache Lint
if: ${{ !cancelled() }}
run: moodle-plugin-ci mustache

- name: Grunt
if: ${{ !cancelled() }}
run: moodle-plugin-ci grunt --max-lint-warnings 0

- name: PHPUnit tests
if: ${{ !cancelled() }}
run: moodle-plugin-ci phpunit --fail-on-warning

- name: Behat features
if: ${{ !cancelled() }}
run: moodle-plugin-ci behat --profile chrome

- name: Mark cancelled jobs as failed.
if: ${{ cancelled() }}
run: exit 1
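Review bot: The workflow declares no top-level `permissions:` block, so the GITHUB_TOKEN each job receives falls back to the repository default, which may be read/write; for a lint-and-test pipeline `permissions: contents: read` placed after `on: [push, pull_request]` is sufficient and is the least-privilege choice. The third-party actions on the `uses:` lines (`actions/checkout@v3`, `shivammathur/setup-php@v2`) are pinned to mutable tags; pinning to a full commit SHA with the tag in a trailing comment protects against a compromised or force-pushed tag. `extensions: ${{ matrix.extensions }}` references a matrix key that is not defined in the `matrix:` stanza, so it expands to an empty string — either drop it or add `extensions:` to the matrix. The `trust` / empty-password settings on the database service containers are acceptable here since they are ephemeral and only reachable from inside the runner.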
4 changes: 3 additions & 1 deletion README.md
@@ -1,6 +1,8 @@
# Apply #

A Moodle plugin that allows students to apply for a course.
TODO Describe the plugin shortly here.

TODO Provide more detailed description here.

## Installing via uploaded ZIP file ##

42 changes: 27 additions & 15 deletions ajax.php
Expand Up @@ -28,13 +28,13 @@
require_once($CFG->libdir . '/enrollib.php');
require_once($CFG->dirroot . '/group/lib.php');
require_login();
require_sesskey();

$action = required_param('action', PARAM_TEXT);
$id = required_param('id', PARAM_INT);
$instance = $DB->get_record('enrol', array('id' => $id), '*', MUST_EXIST);
$courseid = $instance->courseid;


$context = context_course::instance($courseid);

$PAGE->set_context($context);
Expand All @@ -48,14 +48,14 @@
if ($action == "approve") {
$ids = required_param('ids', PARAM_TEXT);
$ids = explode(',', $ids);

$ids = array_map('intval', $ids); // Sanitize the input values
// Get records from enrol_gapply where id in ids.
$records = $DB->get_records_list('enrol_gapply', 'id', $ids);

$message = new stdClass();
$course = $DB->get_record('course', array('id' => $courseid));
$message->subject = get_string('applicationapproved', 'enrol_gapply', $course->fullname);
$message->text = get_string('applicationapproved', 'enrol_gapply', $course->fullname);
$message->subject = get_string('applicationapproved', 'enrol_gapply', format_text($course->fullname, FORMAT_HTML));
$message->text = get_string('applicationapproved', 'enrol_gapply', format_text($course->fullname, FORMAT_HTML));
$message->contexturl = new moodle_url('/course/view.php', array('id' => $courseid));
$message->contexturlname = get_string('viewcourse', 'enrol_gapply');

Expand All @@ -78,15 +78,17 @@
die;
} else if ($action == "waitlist" || $action == "reject") {
$ids = required_param('ids', PARAM_TEXT);
$ids = explode(',', $ids);
$ids = array_map('intval', $ids); // Sanitize the input values
// Update records from enrol_gapply where id in ids to status waitlisted.
$DB->set_field_select('enrol_gapply', 'status', $action . 'ed', 'id IN (' . $ids . ')');
$DB->set_field_select('enrol_gapply', 'status', $action . 'ed', 'id IN (' . implode(',', $ids) . ')');
$message = new stdClass();
$course = $DB->get_record('course', array('id' => $courseid));
$message->subject = get_string('application' . $action, 'enrol_gapply', $course->fullname);
$message->text = get_string('application' . $action, 'enrol_gapply', $course->fullname);
$message->subject = get_string('application' . $action, 'enrol_gapply', format_text($course->fullname, FORMAT_HTML));
$message->text = get_string('application' . $action, 'enrol_gapply', format_text($course->fullname, FORMAT_HTML));
$message->contexturl = new moodle_url('/course/view.php', array('id' => $courseid));
$message->contexturlname = get_string('viewcourse', 'enrol_gapply');
$records = $DB->get_records_list('enrol_gapply', 'id', explode(',', $ids));
$records = $DB->get_records_list('enrol_gapply', 'id', $ids);
foreach ($records as $record) {
$user = $DB->get_record('user', array('id' => $record->userid));
$enrol->send_notification($user, $USER, $message);
Expand All @@ -96,6 +98,7 @@
$ids = required_param('ids', PARAM_TEXT);
$ids = explode(',', $ids);
// Get userid from enrol_gapply where id in ids.
$ids = array_map('intval', $ids); // Sanitize the input values
$userid = $DB->get_fieldset_select('enrol_gapply', 'userid', 'id IN (' . implode(',', $ids) . ')');
// Delete records from enrol_gapply where id in ids.
$DB->delete_records_list('enrol_gapply', 'id', $ids);
Expand All @@ -106,10 +109,11 @@
}
die;
} else if ($action == "getuserbyid") {
require_sesskey();
$userid = required_param('userid', PARAM_INT);
require_once($CFG->dirroot . '/user/profile/lib.php');
$showuseridentity = explode(',', ('firstname,lastname,' . $instance->customtext3));
// Remove empty element.
$showuseridentity = array_filter($showuseridentity);
// Remove picture from array.
$showuseridentity = array_diff($showuseridentity, array('picture'));
$corefields = [];
Expand All @@ -125,9 +129,11 @@

$corefield = 'id, firstaccess, lastaccess, ' . implode(', ', $corefields);
$user = $DB->get_record('user', array('id' => $userid), $corefield);
profile_load_custom_fields($user);
if (!empty($customfields)) {
profile_load_custom_fields($user);
}

$user->picture = $OUTPUT->user_picture($user, array('size' => 64));
$user->picture = $OUTPUT->user_picture($user, array('size' => 64, 'class' => 'mr-2', 'link' => false));
$user->fullname = fullname($user);
$user->membersince = userdate($user->firstaccess, get_string('strftimedate'));
$user->lastaccess = userdate($user->lastaccess, get_string('strftimedate'));
Expand Down Expand Up @@ -161,10 +167,12 @@
// Get records from enrol_gapply table where 'instance' = $id and 'status' is not 'approved'.
$sql = "SELECT * FROM {enrol_gapply} WHERE instance = ? AND status = ?";
$records = $DB->get_records_sql($sql, array($id, $tab));

if ($records) {
$fs = get_file_storage();
require_once($CFG->dirroot . '/user/profile/lib.php');
$showuseridentity = explode(',', ('firstname,lastname,' . $instance->customtext3));
// Remove empty array.
$showuseridentity = array_filter($showuseridentity);
// Remove picture from array.
$showuseridentity = array_diff($showuseridentity, array('picture'));
$corefields = [];
Expand All @@ -180,6 +188,8 @@

$corefield = 'id, ' . implode(', ', $corefields);

$fs = get_file_storage();

foreach ($records as $record) {
// Create an array for attachments.
$attachments = array();
Expand All @@ -202,15 +212,17 @@
}
$record->attachments = $attachments;
$record->user = $DB->get_record('user', array('id' => $record->userid), $corefield);
// Load profile fields data to user object.
profile_load_custom_fields($record->user);
// Load profile fields data to user object if there is any.
if (!empty($customfields)) {
profile_load_custom_fields($record->user);
}
}

$table = new stdClass();
$table->data = [];

foreach ($records as $record) {
$userpicture = $OUTPUT->user_picture($record->user, array('size' => 30));
$userpicture = $OUTPUT->user_picture($record->user, array('size' => 30, 'class' => 'mr-2', 'link' => false));
$fullname = fullname($record->user);
$applicationtext = $record->applytext;
$attachments = '';
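Review bot: The approve, waitlist/reject and delete branches take the caller-supplied `ids` and act on them through `get_records_list`, `set_field_select` and `delete_records_list` keyed on `id` alone, never constraining them to `instance = $id`, so the rows touched need not belong to the enrol instance whose course context was set up earlier in the file — a user authorised in one course can pass that course's instance id together with application ids taken from any other course. The `intval` mapping closes the SQL injection, but the fix should also scope every query to the instance and use placeholders instead of interpolating into `IN (...)`, e.g. `list($insql, $params) = $DB->get_in_or_equal($ids); $params[] = $id;`, `$DB->set_field_select('enrol_gapply', 'status', $action . 'ed', "id $insql AND instance = ?", $params);` and `$records = $DB->get_records_select('enrol_gapply', "id $insql AND instance = ?", $params);`, with the same `instance` constraint applied in the approve and delete branches. The `getuserbyid` branch likewise loads any `userid` from the `user` table with no check that that user has an `enrol_gapply` row for this instance, so it can enumerate profile fields of arbitrary site users; a `record_exists('enrol_gapply', ['instance' => $id, 'userid' => $userid])` guard before the `get_record` would limit it to applicants. Whether a `require_capability()` call precedes these branches cannot be seen here — the lines between `$PAGE->set_context($context)` and the first `if ($action == ...)` are collapsed — but `require_sesskey()` alone only defends against CSRF and is not an authorisation check. On the subject lines, `format_text($course->fullname, FORMAT_HTML)` would conventionally be `format_string($course->fullname, true, ['context' => $context])`, the Moodle API for one-line course names.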
2 changes: 1 addition & 1 deletion amd/build/custom.min.js

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion amd/build/custom.min.js.map

Large diffs are not rendered by default.

