Security and testing fixes

classes/external.php

@@ -64,8 +64,15 @@ class external extends external_api {
      * @throws dml_exception
      */
     public static function set_order(string $hash, int $sortorder) : array {
+        global $USER;
+
+        require_capability('block/user_favorites:edit', context_user::instance($USER->id), $USER);
+
+        // Parameter validation.
+        $params = self::validate_parameters(self::set_order_parameters(), array('hash' => $hash, 'sortorder' => $sortorder));
+
         $favorites = new favorites();
-        $favorites->set_order($hash, $sortorder);
+        $favorites->set_order($params['hash'], $params['sortorder']);
 
         return [
             'result_code' => self::RESPONSE_CODE_SUCCESS,
@@ -115,23 +122,26 @@ public static function set_order_returns() : external_single_structure {
     public static function set_url(string $hash, string $title, int $blockid, array $optional) : array {
         global $USER;
 
-        require_capability('block/user_favorites:add', context_block::instance($blockid), $USER);
+        // Parameter validation.
+        $params = self::validate_parameters(self::set_url_parameters(), array('hash' => $hash, 'title' => $title, 'blockid' => $blockid, 'optional' => $optional));
+
+        require_capability('block/user_favorites:add', context_block::instance($params['blockid']), $USER);
         $favorites = new favorites();
-        if (!empty($optional['url'])) {
+        if (!empty($params['optional']['url'])) {
 
-            if (!filter_var($optional['url'], FILTER_VALIDATE_URL)) {
+            if (!filter_var($params['optional']['url'], FILTER_VALIDATE_URL)) {
                 throw new moodle_exception('Incorrect url.');
             }
 
-            $favorites->set_by_url($optional['url'], $title);
+            $favorites->set_by_url($params['optional']['url'], $params['title']);
 
             return [
                 'result_code' => self::RESPONSE_CODE_SUCCESS,
             ];
         }
 
         // Update url title.
-        $favorites->set_title($hash, $title);
+        $favorites->set_title($params['hash'], $params['title']);
 
         return [
             'result_code' => self::RESPONSE_CODE_SUCCESS,
@@ -183,10 +193,13 @@ public static function set_url_returns() : external_single_structure {
     public static function delete_url(string $hash, int $blockid) : array {
         global $USER;
 
-        require_capability('block/user_favorites:delete', context_block::instance($blockid), $USER);
+        // Parameter validation.
+        $params = self::validate_parameters(self::delete_url_parameters(), array('hash' => $hash, 'blockid' => $blockid));
+
+        require_capability('block/user_favorites:delete', context_block::instance($params['blockid']), $USER);
 
         $favorites = new favorites();
-        $favorites->delete_by_hash($hash);
+        $favorites->delete_by_hash($params['hash']);
 
         return [
             'result_code' => self::RESPONSE_CODE_SUCCESS,
@@ -230,15 +243,19 @@ public static function delete_url_returns() : external_single_structure {
      */
     public static function get_content(string $url, int $blockid) : array {
         global $PAGE, $USER;
-        $context = context_block::instance($blockid);
+
+        // Parameter validation.
+        $params = self::validate_parameters(self::get_content_parameters(), array('url' => $url, 'blockid' => $blockid));
+
+        $context = context_block::instance($params['blockid']);
         require_capability('block/user_favorites:view', $context, $USER);
 
         $favorites = new favorites();
         $PAGE->set_context($context);
         $renderer = $PAGE->get_renderer('block_user_favorites');
 
         return [
-            'content' => $renderer->render_favorites(new output_favorites($favorites, $url)),
+            'content' => $renderer->render_favorites(new output_favorites($favorites, $params['url'])),
             'result_code' => self::RESPONSE_CODE_SUCCESS,
         ];
     }

db/access.php

@@ -63,6 +63,19 @@
         ],
     ],
 
+    'block/user_favorites:edit' => [
+        'riskbitmask' => RISK_SPAM | RISK_XSS,
+        'captype' => 'write',
+        'contextlevel' => CONTEXT_BLOCK,
+        'archetypes' => [
+            'teacher' => CAP_ALLOW,
+            'editingteacher' => CAP_ALLOW,
+            'manager' => CAP_ALLOW,
+            'student' => CAP_ALLOW,
+            'user' => CAP_ALLOW,
+        ],
+    ],
+
     'block/user_favorites:delete' => [
         'riskbitmask' => RISK_SPAM | RISK_XSS,
 

db/install.xml

@@ -1,25 +1,25 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <XMLDB PATH="blocks/user_favorites/db" VERSION="20190624" COMMENT="XMLDB file for Moodle blocks/user_favorites"
-       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xsi:noNamespaceSchemaLocation="../../../lib/xmldb/xmldb.xsd"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="../../../lib/xmldb/xmldb.xsd"
 >
-    <TABLES>
-        <TABLE NAME="block_user_favorites" COMMENT="User favourites">
-            <FIELDS>
-                <FIELD NAME="id" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="true"/>
-                <FIELD NAME="userid" TYPE="int" LENGTH="11" NOTNULL="false" SEQUENCE="false"/>
-                <FIELD NAME="title" TYPE="char" LENGTH="100" NOTNULL="true" SEQUENCE="false"/>
-                <FIELD NAME="url" TYPE="char" LENGTH="255" NOTNULL="true" SEQUENCE="false"/>
-                <FIELD NAME="hash" TYPE="char" LENGTH="33" NOTNULL="true" SEQUENCE="false"/>
-                <FIELD NAME="sortorder" TYPE="int" LENGTH="11" NOTNULL="false" SEQUENCE="false"/>
-                <FIELD NAME="created_at" TYPE="int" LENGTH="11" NOTNULL="true" SEQUENCE="false"/>
-            </FIELDS>
-            <KEYS>
-                <KEY NAME="primary" TYPE="primary" FIELDS="id"/>
-            </KEYS>
-            <INDEXES>
-                <INDEX NAME="userid" UNIQUE="false" FIELDS="userid"/>
-            </INDEXES>
-        </TABLE>
-    </TABLES>
-</XMLDB>
+  <TABLES>
+    <TABLE NAME="block_user_favorites" COMMENT="User favourites">
+      <FIELDS>
+        <FIELD NAME="id" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="true"/>
+        <FIELD NAME="userid" TYPE="int" LENGTH="11" NOTNULL="false" SEQUENCE="false"/>
+        <FIELD NAME="title" TYPE="char" LENGTH="100" NOTNULL="true" SEQUENCE="false"/>
+        <FIELD NAME="url" TYPE="char" LENGTH="255" NOTNULL="true" SEQUENCE="false"/>
+        <FIELD NAME="hash" TYPE="char" LENGTH="33" NOTNULL="true" SEQUENCE="false"/>
+        <FIELD NAME="sortorder" TYPE="int" LENGTH="11" NOTNULL="false" SEQUENCE="false"/>
+        <FIELD NAME="created_at" TYPE="int" LENGTH="11" NOTNULL="true" SEQUENCE="false"/>
+      </FIELDS>
+      <KEYS>
+        <KEY NAME="primary" TYPE="primary" FIELDS="id"/>
+      </KEYS>
+      <INDEXES>
+        <INDEX NAME="userid" UNIQUE="false" FIELDS="userid"/>
+      </INDEXES>
+    </TABLE>
+  </TABLES>
+</XMLDB>

lang/en/block_user_favorites.php

@@ -33,6 +33,7 @@
 $string['user_favorites:add'] = 'Add favourite';
 $string['user_favorites:delete'] = 'Delete favourite';
 $string['user_favorites:view'] = 'View favorites';
+$string['user_favorites:edit'] = 'Edit favorites';
 
 // Buttons.
 $string['btn:delete'] = 'Delete favourite';

lang/nl/block_user_favorites.php

@@ -33,6 +33,7 @@
 $string['user_favorites:add'] = 'Favoriet toevoegen';
 $string['user_favorites:delete'] = 'Verwijder favoriet';
 $string['user_favorites:view'] = 'Bekijk favoriet';
+$string['user_favorites:edit'] = 'Bewerk favoriet';
 
 // Buttons.
 $string['btn:delete'] = 'Verwijder favoriet';

version.php

@@ -26,7 +26,7 @@
 
 defined('MOODLE_INTERNAL') || die;
 
-$plugin->version = 2023050900;
+$plugin->version = 2023091300;
 $plugin->requires = 2017111300;
 $plugin->component = 'block_user_favorites';
 $plugin->release = '4.1.2';