fix: use correct course-id for capability check;

delete.php

@@ -28,7 +28,7 @@
 require_login();
 require_sesskey();
 
-$coursecontext = context_course::instance($COURSE->id);
+$coursecontext = context_course::instance($_GET['courseid']);
 if (!has_capability('atto/edusharing:visible', $coursecontext)) {
     trigger_error(get_string('error_deleting_capability', 'editor_edusharing'), E_USER_WARNING);
     header('', true, 500);

fetch.php

@@ -28,15 +28,18 @@
 
 require_login();
 
-$coursecontext = context_course::instance($COURSE->id);
-if (!has_capability('atto/edusharing:visible', $coursecontext)) {
+$jsonstr = file_get_contents('php://input');
+$jsonobj = json_decode($jsonstr, true);
+
+$coursecontext = context_course::instance($jsonobj['courseid']);
+if (!has_capability('moodle/course:update', $coursecontext)) {
     trigger_error(get_string('error_fetching_capability', 'editor_edusharing'), E_USER_WARNING);
+    error_log('error_fetching_capability');
     header('', true, 500);
     exit();
 }
 
-$jsonstr = file_get_contents('php://input');
-$jsonobj = json_decode($jsonstr, true);
+
 
 switch ($jsonobj['useCase']) {
     case 'getTicket':

insert.php

@@ -28,7 +28,7 @@
 require_login();
 require_sesskey();
 
-$coursecontext = context_course::instance($COURSE->id);
+$coursecontext = context_course::instance($_GET['courseid']);
 if (!has_capability('atto/edusharing:visible', $coursecontext)) {
     trigger_error(get_string('error_insert_capability', 'editor_edusharing'), E_USER_WARNING);
     header('', true, 500);

version.php

@@ -24,7 +24,7 @@
 
 defined('MOODLE_INTERNAL') || die();
 
-$plugin->version = 2020061502;        // The current plugin version (Date: YYYYMMDDXX).
+$plugin->version = 2020061603;        // The current plugin version (Date: YYYYMMDDXX).
 $plugin->requires = 2013110500;        // Requires this Moodle version.
 $plugin->component = 'atto_edusharing';  // Full name of the plugin (used for diagnostics).
 $plugin->maturity = MATURITY_STABLE;

yui/build/moodle-atto_edusharing-button/moodle-atto_edusharing-button-debug.js

@@ -502,6 +502,7 @@ Y.namespace('M.atto_edusharing').Button = Y.Base.create('button', Y.M.editor_att
 
         var fetchUrl = M.cfg.wwwroot + '/lib/editor/atto/plugins/edusharing/fetch.php';
         var repoUrl = this.get('repourl');
+        var courseid = this.get('courseid');
 
         // Fetch ticket
         fetch(fetchUrl, {
@@ -512,7 +513,8 @@ Y.namespace('M.atto_edusharing').Button = Y.Base.create('button', Y.M.editor_att
                 'Accept':       'application/json' // Expected data sent back
             },
             body: JSON.stringify({
-                useCase: 'getTicket'
+                useCase: 'getTicket',
+                courseid: courseid
             })
         })
             .then(function(response) {
@@ -759,9 +761,10 @@ edusharingObject.prototype.importNode = function importNode(searchParams) {
  * @return bool
  */
 edusharingObject.prototype.link = function link(node) {
-    // Helper-url.
 
-    var helper_url = M.cfg.wwwroot + '/lib/editor/atto/plugins/edusharing/insert.php?sesskey=' + M.cfg.sesskey;
+    // Helper-url.
+    var helper_url = M.cfg.wwwroot + '/lib/editor/atto/plugins/edusharing/insert.php?sesskey=' +
+        M.cfg.sesskey + '&courseid=' + this.course;
 
     // Bind object for context.
     var object = this;
@@ -826,7 +829,8 @@ edusharingObject.prototype.link = function link(node) {
  */
 edusharingObject.prototype.unlink = function unlink(node) {
     // Tell moodle about deleted object.
-    var helper_url = M.cfg.wwwroot + '/lib/editor/atto/plugins/edusharing/delete.php?sesskey=' + M.cfg.sesskey;
+    var helper_url = M.cfg.wwwroot + '/lib/editor/atto/plugins/edusharing/delete.php?sesskey=' + M.cfg.sesskey  +
+        '&courseid=' + this.course;
 
     // Bind object for context.
     var object = this;

yui/build/moodle-atto_edusharing-button/moodle-atto_edusharing-button.js

@@ -502,6 +502,7 @@ Y.namespace('M.atto_edusharing').Button = Y.Base.create('button', Y.M.editor_att
 
         var fetchUrl = M.cfg.wwwroot + '/lib/editor/atto/plugins/edusharing/fetch.php';
         var repoUrl = this.get('repourl');
+        var courseid = this.get('courseid');
 
         // Fetch ticket
         fetch(fetchUrl, {
@@ -512,7 +513,8 @@ Y.namespace('M.atto_edusharing').Button = Y.Base.create('button', Y.M.editor_att
                 'Accept':       'application/json' // Expected data sent back
             },
             body: JSON.stringify({
-                useCase: 'getTicket'
+                useCase: 'getTicket',
+                courseid: courseid
             })
         })
             .then(function(response) {
@@ -759,9 +761,10 @@ edusharingObject.prototype.importNode = function importNode(searchParams) {
  * @return bool
  */
 edusharingObject.prototype.link = function link(node) {
-    // Helper-url.
 
-    var helper_url = M.cfg.wwwroot + '/lib/editor/atto/plugins/edusharing/insert.php?sesskey=' + M.cfg.sesskey;
+    // Helper-url.
+    var helper_url = M.cfg.wwwroot + '/lib/editor/atto/plugins/edusharing/insert.php?sesskey=' +
+        M.cfg.sesskey + '&courseid=' + this.course;
 
     // Bind object for context.
     var object = this;
@@ -826,7 +829,8 @@ edusharingObject.prototype.link = function link(node) {
  */
 edusharingObject.prototype.unlink = function unlink(node) {
     // Tell moodle about deleted object.
-    var helper_url = M.cfg.wwwroot + '/lib/editor/atto/plugins/edusharing/delete.php?sesskey=' + M.cfg.sesskey;
+    var helper_url = M.cfg.wwwroot + '/lib/editor/atto/plugins/edusharing/delete.php?sesskey=' + M.cfg.sesskey  +
+        '&courseid=' + this.course;
 
     // Bind object for context.
     var object = this;

yui/src/button/js/button.js

@@ -500,6 +500,7 @@ Y.namespace('M.atto_edusharing').Button = Y.Base.create('button', Y.M.editor_att
 
         var fetchUrl = M.cfg.wwwroot + '/lib/editor/atto/plugins/edusharing/fetch.php';
         var repoUrl = this.get('repourl');
+        var courseid = this.get('courseid');
 
         // Fetch ticket
         fetch(fetchUrl, {
@@ -510,7 +511,8 @@ Y.namespace('M.atto_edusharing').Button = Y.Base.create('button', Y.M.editor_att
                 'Accept':       'application/json' // Expected data sent back
             },
             body: JSON.stringify({
-                useCase: 'getTicket'
+                useCase: 'getTicket',
+                courseid: courseid
             })
         })
             .then(function(response) {
@@ -757,9 +759,10 @@ edusharingObject.prototype.importNode = function importNode(searchParams) {
  * @return bool
  */
 edusharingObject.prototype.link = function link(node) {
-    // Helper-url.
 
-    var helper_url = M.cfg.wwwroot + '/lib/editor/atto/plugins/edusharing/insert.php?sesskey=' + M.cfg.sesskey;
+    // Helper-url.
+    var helper_url = M.cfg.wwwroot + '/lib/editor/atto/plugins/edusharing/insert.php?sesskey=' +
+        M.cfg.sesskey + '&courseid=' + this.course;
 
     // Bind object for context.
     var object = this;
@@ -824,7 +827,8 @@ edusharingObject.prototype.link = function link(node) {
  */
 edusharingObject.prototype.unlink = function unlink(node) {
     // Tell moodle about deleted object.
-    var helper_url = M.cfg.wwwroot + '/lib/editor/atto/plugins/edusharing/delete.php?sesskey=' + M.cfg.sesskey;
+    var helper_url = M.cfg.wwwroot + '/lib/editor/atto/plugins/edusharing/delete.php?sesskey=' + M.cfg.sesskey  +
+        '&courseid=' + this.course;
 
     // Bind object for context.
     var object = this;