MDL-63725 core_message: do not allow access to all conversation members
authorMark Nelson <markn@moodle.com>
Thu, 1 Nov 2018 07:47:56 +0000 (15:47 +0800)
committerMark Nelson <markn@moodle.com>
Thu, 1 Nov 2018 07:56:07 +0000 (15:56 +0800)
message/externallib.php
message/tests/externallib_test.php

index dc95f88..7f88e62 100644 (file)
@@ -713,6 +713,11 @@ class core_message_external extends external_api {
             throw new required_capability_exception($context, $capability, 'nopermissions', '');
         }
 
+        // The user needs to be a part of the conversation before querying who the members are.
+        if (!\core_message\api::is_user_in_conversation($userid, $conversationid)) {
+            throw new moodle_exception('You are not a member of this conversation.');
+        }
+
         $params = [
             'userid' => $userid,
             'conversationid' => $conversationid,
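Review bot: The new `moodle_exception` on the line after the membership check is constructed with an English sentence as its first argument, but that argument is the error code that `moodle_exception` resolves against a language file, so the message cannot be localised and will render as the raw key for non-English sites; prefer a string key in the component, e.g. `throw new moodle_exception('<lang-string-key>', 'core_message');` with the string added to the component's lang file. It also looks like the check runs on `$userid`/`$conversationid` before the `$params` array that follows is validated — if the parameter validation happens later in the function, consider moving the membership check after it so `is_user_in_conversation()` only ever sees validated values, though that ordering is inferred since the function's start and end lie outside this hunk. The check itself is the right shape for this authorisation boundary: it keys off the requesting user's membership rather than only the `viewconversations`-style capability checked just above.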
index 1282737..3faab60 100644 (file)
@@ -4550,4 +4550,31 @@ class core_message_externallib_testcase extends externallib_advanced_testcase {
         $this->assertEquals($user2->id, $request2->userid);
         $this->assertEquals($user3->id, $request2->requesteduserid);
     }
+
+    /**
+     * Test returning members in a conversation when you are not a member.
+     */
+    public function test_get_conversation_members_not_a_member() {
+        $this->resetAfterTest();
+
+        $user1 = self::getDataGenerator()->create_user();
+        $user2 = self::getDataGenerator()->create_user();
+
+        // This user will not be in the conversation.
+        $user3 = self::getDataGenerator()->create_user();
+
+        $conversation = \core_message\api::create_conversation(
+            \core_message\api::MESSAGE_CONVERSATION_TYPE_GROUP,
+            [
+                $user1->id,
+                $user2->id,
+            ]
+        );
+        $conversationid = $conversation->id;
+
+        $this->setUser($user3);
+
+        $this->expectException('moodle_exception');
+        core_message_external::get_conversation_members($user3->id, $conversationid);
+    }
 }
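Review bot: `expectException('moodle_exception')` in `test_get_conversation_members_not_a_member` is too broad to pin the new behaviour, because most Moodle exceptions (including `required_capability_exception`, seen in the first hunk) extend `moodle_exception`, so the test would also pass if the call failed earlier for an unrelated reason. Add `$this->expectExceptionMessage('You are not a member of this conversation.');` next to the `expectException` call so the test fails if the membership check is bypassed or its message changes unintentionally. Since this test guards an authorisation boundary, a companion assertion that a real member (`$user1`) can still call `get_conversation_members` successfully would make the positive path explicit as well.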