G'day everyone,
Yesterday the e-lane fellows (Luis de la Fuente in particular) have shown me a potential security problem with LORS 0.4d. If a random striker (student) knows the exact URL for certain administration pages, he could potentially get access and change some of the LORS' course parameters (disable/enable, shared, etc).
I just committed the changes to prevent this from happening. Basically added:
# Permissions
dotlrn::require_user_admin_community -user_id $user_id -community_id $community_id
Additionally:
- Exporting/Importing courses with "()" characters on them, now are working (bug
- Curly brackets causing error in menu.tcl (Bug # 2100): fixed.
- LORS not displaying CSS with HTML pages: fixed
If you are using LORS, it is highly recommended for you to check out the new changes. No DB upgrade required.
Thanks,
Ernie
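
A way to check a checkout for administration pages that still lack the permission call quoted above. This is an added example, not part of the original post or of LORS itself; the page file names in the sample are constructed, and the script assumes each admin page is a .tcl file that should call dotlrn::require_user_admin_community on a non-comment line.

```python
import os
import re
import tempfile

# The call named in the post. A page counts as guarded only if the call
# appears on a line that is not a Tcl comment.
GUARD = re.compile(r"\bdotlrn::require_user_admin_community\b")


def is_guarded(tcl_source):
    """True if any non-comment line contains the admin permission call."""
    for line in tcl_source.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # a commented-out call does not protect the page
        if GUARD.search(stripped):
            return True
    return False


def find_unguarded(root):
    """Return sorted relative paths of .tcl pages under root lacking the call."""
    missing = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".tcl"):
                continue  # templates and other files carry no page logic
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                if not is_guarded(fh.read()):
                    missing.append(os.path.relpath(path, root))
    return sorted(missing)


def demo():
    """Run the audit over constructed sample pages (hypothetical names)."""
    call = ("dotlrn::require_user_admin_community "
            "-user_id $user_id -community_id $community_id\n")
    pages = {
        "course-enable.tcl": "# Permissions\n" + call,          # guarded
        "course-share.tcl": "# " + call + "set shared_p 1\n",   # commented out
        "index.tcl": 'set title "Admin"\n',                     # no check
        "index.adp": "<master>\n",                              # not a .tcl page
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in pages.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return find_unguarded(root)


if __name__ == "__main__":
    for page in demo():
        print("missing admin check:", page)
```

The match is textual, so a page that contains the call on a code path that never runs would still pass; treat the output as a list of pages to review, not as proof that the rest are safe.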