From a9bccc9dbcd209809e471c25413723975c2d75db Mon Sep 17 00:00:00 2001
From: Amaia Anabitarte
Date: Wed, 16 Sep 2020 17:10:39 +0200
Subject: [PATCH] MDL-69672 core_contentbank: Check used context level

---
 contentbank/classes/contentbank.php | 14 ++++++++++++++
 contentbank/edit.php | 6 ++++++
 contentbank/index.php | 6 +++++-
 contentbank/upload.php | 6 +++++-
 lang/en/contentbank.php | 1 +
 5 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/contentbank/classes/contentbank.php b/contentbank/classes/contentbank.php
index 307b94938db..01b5f782180 100644
--- a/contentbank/classes/contentbank.php
+++ b/contentbank/classes/contentbank.php
@@ -36,6 +36,10 @@ use context;
  * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  */
 class contentbank {
+
+    /** @var array All the context levels allowed in the content bank */
+    private const ALLOWED_CONTEXT_LEVELS = [CONTEXT_SYSTEM, CONTEXT_COURSECAT, CONTEXT_COURSE];
+
     /** @var array Enabled content types. */
     private $enabledcontenttypes = null;
 
@@ -334,4 +338,14 @@ class contentbank {
 
         return $contenttypes;
     }
+
+    /**
+     * Whether the context is allowed.
+     *
+     * @param context $context Context to check.
+     * @return bool
+     */
+    public function is_context_allowed(context $context): bool {
+        return in_array($context->contextlevel, self::ALLOWED_CONTEXT_LEVELS);
+    }
 }
diff --git a/contentbank/edit.php b/contentbank/edit.php
index cdddcd4fd78..6d0c58d9643 100644
--- a/contentbank/edit.php
+++ b/contentbank/edit.php
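Review bot: `is_context_allowed()` calls `in_array()` without the strict flag, so the allow-list that now gates every content bank entry page is evaluated with loose comparison; it should read `return in_array($context->contextlevel, self::ALLOWED_CONTEXT_LEVELS, true);`. That is only safe if `contextlevel` is always an int on the context object, which the context constructor appears to ensure but is worth confirming before switching. The constant's docblock can also be tightened to `/** @var int[] Context levels in which a content bank may be used */` so static analysis knows the element type, and the method summary should say what "allowed" means, e.g. `Whether a content bank can be used in the given context (system, category or course).`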
@@ -30,6 +30,12 @@ $contextid = required_param('contextid', PARAM_INT);
 $pluginname = required_param('plugin', PARAM_PLUGIN);
 $id = optional_param('id', null, PARAM_INT);
 $context = context::instance_by_id($contextid, MUST_EXIST);
+
+$cb = new \core_contentbank\contentbank();
+if (!$cb->is_context_allowed($context)) {
+    print_error('contextnotallowed', 'core_contentbank');
+}
+
 require_capability('moodle/contentbank:access', $context);
 
 $returnurl = new \moodle_url('/contentbank/view.php', ['id' => $id]);
diff --git a/contentbank/index.php b/contentbank/index.php
index 33eff295d36..c4d22428d9f 100644
--- a/contentbank/index.php
+++ b/contentbank/index.php
@@ -30,6 +30,11 @@ $contextid = optional_param('contextid', \context_system::instance()->id, PAR
 $search = optional_param('search', '', PARAM_CLEAN);
 $context = context::instance_by_id($contextid, MUST_EXIST);
 
+$cb = new \core_contentbank\contentbank();
+if (!$cb->is_context_allowed($context)) {
+    print_error('contextnotallowed', 'core_contentbank');
+}
+
 require_capability('moodle/contentbank:access', $context);
 
 $statusmsg = optional_param('statusmsg', '', PARAM_ALPHANUMEXT);
@@ -47,7 +52,6 @@ $PAGE->set_heading($title);
 $PAGE->set_pagetype('contentbank');
 
 // Get all contents managed by active plugins where the user has permission to render them.
-$cb = new \core_contentbank\contentbank();
 $contenttypes = [];
 $enabledcontenttypes = $cb->get_enabled_content_types();
 foreach ($enabledcontenttypes as $contenttypename) {
diff --git a/contentbank/upload.php b/contentbank/upload.php
index 00cc40cbf07..ab8031bc583 100644
--- a/contentbank/upload.php
+++ b/contentbank/upload.php
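Review bot: The guard inserted before `require_capability()` in edit.php is repeated verbatim in index.php and upload.php (the first hunk of each later file on this page), so three entry points now carry the same five lines and each must be remembered whenever the allowed levels or the error handling change. A single method on `contentbank` that performs the check and raises the error itself, e.g. `public function ensure_context_allowed(context $context): void` throwing `new moodle_exception('contextnotallowed', 'core_contentbank')`, would reduce each script to one call and make it harder for a further content bank page that takes a `contextid` to omit the check. The patch does not show whether other such pages exist, so that should be verified separately. Each script's body continues outside the hunk.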
@@ -32,6 +32,11 @@ require_login();
 $contextid = optional_param('contextid', \context_system::instance()->id, PARAM_INT);
 $context = context::instance_by_id($contextid, MUST_EXIST);
 
+$cb = new \core_contentbank\contentbank();
+if (!$cb->is_context_allowed($context)) {
+    print_error('contextnotallowed', 'core_contentbank');
+}
+
 require_capability('moodle/contentbank:upload', $context);
 
 $title = get_string('contentbank');
@@ -55,7 +60,6 @@ if (has_capability('moodle/user:ignoreuserquota', $context)) {
     $maxareabytes = FILE_AREA_MAX_BYTES_UNLIMITED;
 }
 
-$cb = new \core_contentbank\contentbank();
 $accepted = $cb->get_supported_extensions_as_string($context);
 
 $data = new stdClass();
diff --git a/lang/en/contentbank.php b/lang/en/contentbank.php
index f614161c111..6d0fd871a5c 100644
--- a/lang/en/contentbank.php
+++ b/lang/en/contentbank.php
@@ -33,6 +33,7 @@ $string['contentrenamed'] = 'The content has been renamed.';
 $string['contentsmoved'] = 'Content bank contents moved to {$a}.';
 $string['contenttypenoaccess'] = 'You cannot view this {$a} instance.';
 $string['contenttypenoedit'] = 'You can not edit this content';
+$string['contextnotallowed'] = 'Context is not allowed';
 $string['emptynamenotallowed'] = 'Empty name is not allowed';
 $string['eventcontentcreated'] = 'Content created';
 $string['eventcontentdeleted'] = 'Content deleted';
-- 
2.11.4.GIT