Bypass permissions check when generating a static page to fix #263

2026-05-16 21:41:31 +02:00 · 2021-09-02 15:44:37 +10:00
parent 43ff1f9301
commit 94fc6fb540
4 changed files with 123 additions and 32 deletions
--- a/classes/local/controllers/infopage.php
+++ b/classes/local/controllers/infopage.php
@@ -48,6 +48,11 @@ class infopage {
     */
    private $outage;

+    /**
+     * @var bool|null Defines if the page is generated for a static outage page.
+     */
+    private $static;
+
    /**
     * infopage_controller constructor.
     * @param array $params Parameters to use or null to get from Moodle API (request).
@@ -62,11 +67,13 @@ class infopage {
            $params = [
                'id' => optional_param('id', null, PARAM_INT),
                'outage' => null,
+                'static' => optional_param('static', false, PARAM_BOOL),
            ];
        } else {
            $defaults = [
                'id' => null,
                'outage' => null,
+                'static' => false,
            ];
            $params = array_merge($defaults, $params);
        }
@@ -97,10 +104,14 @@ class infopage {
    public function output() {
        global $PAGE, $CFG, $OUTPUT;

-        if (is_null($this->outage) || !has_capability('auth/outage:viewinfo', context_system::instance())) {
+        if (is_null($this->outage)) {
            redirect(new moodle_url('/'));
        }

+        // If it's not static outage page, then check access, then redirect if not allowed.
+        if (!$this->static && !has_capability('auth/outage:viewinfo', context_system::instance())) {
+            redirect(new moodle_url('/'));
+        }
        $PAGE->set_context(context_system::instance());
        $PAGE->set_title($this->outage->get_title());
        $PAGE->set_heading($this->outage->get_title());
@@ -143,5 +154,6 @@ class infopage {
        }

        $this->outage = $params['outage'];
+        $this->static = $params['static'];
    }
 }
--- a/classes/local/controllers/maintenance_static_page.php
+++ b/classes/local/controllers/maintenance_static_page.php
@@ -61,7 +61,7 @@ class maintenance_static_page {
            $html = '<html></html>';
        } else {
            $data = maintenance_static_page_io::file_get_data(
-                $CFG->wwwroot.'/auth/outage/info.php?auth_outage_hide_warning=1&id='.$outage->id);
+                $CFG->wwwroot.'/auth/outage/info.php?auth_outage_hide_warning=1&static=1&id='.$outage->id);
            $html = $data['contents'];
        }