From 1ced42b7cfdeee5cf74b4bbaac1f676bbb96b58d Mon Sep 17 00:00:00 2001
From: Justus Dieckmann <justusdieckmann@wwu.de>
Date: Thu, 14 Mar 2024 18:57:56 +0100
Subject: [PATCH] Make sure teachers can't upload videos into arbitrary series.

By only accepting the series param if on $courseid==$SITE->id.
---
 addvideo.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/addvideo.php b/addvideo.php
index 028d3245..80600146 100644
--- a/addvideo.php
+++ b/addvideo.php
@@ -35,7 +35,11 @@
 require_once($CFG->dirroot . '/repository/lib.php');
 
 $courseid = required_param('courseid', PARAM_INT);
-$series = optional_param('series', null, PARAM_ALPHANUMEXT);
+if ($courseid == $SITE->id) {
+    $series = optional_param('series', null, PARAM_ALPHANUMEXT);
+} else {
+    $series = null;
+}
 $ocinstanceid = optional_param('ocinstanceid', settings_api::get_default_ocinstance()->id, PARAM_INT);
 
 $baseurlparams = [