I'm not sure if I should have reported these things by bugtracker but now I'm writing this here.
A student of mine pointed out two cases when he could access other students' information.
The first (and more severe in my oppinion) is an issue with dialogue module. Anyone can read every all posts in moodle! This happens simply by changing cid-value in dialogues.php:s URLs: http://moodlesite.do/moodle/mod/dialogue/dialogues.php?id=138&action=printdialogue&cid=75
I came up with a fix which prevents this. These lines shoud be added in the beginning of dialogues.php:
<code>
if (!$conversation = get_record("dialogue_conversations", "id", $_GET['cid'])) {</code>
error("Confirm close: cannot get conversation record");
}
// Do the user have right to see this conversation?
if (!($conversation->recipientid == $USER->id) && !($conversation->userid == $USER->id)) {
error("Dialogue id incorrect.");
}
Another issue is that if shlasharguments is set on, user can see other student's assignment submissions (and actually all files in moodle data directory). I'm not sure if this is caused by our system configuration or is this a moodle bug.
If user hacks with URL of assignement files, for example,
http://moodle.do//moodle/file.php/17/moddata/assignment/63/54/Viikko3.txt
and just enters http://moodle.do//moodle/file.php/17/moddata/assignment/63/54 without the trailing backslash he can download binary file which shows a listing of all the directorys files if it is opened for example in notepad.
I tried also to fix this, but I don't quite get how this slashargument thing works. When I commented all lines in file.php problem still existed, so altering it doesn't seem to help.
Does enyone have ideas how to prevent this?
- Osku