CONTRIB-9602: access checks for meeting URL (#630)

blindsidenetworks-ps · Jun 21, 2024 · 182d83c · 182d83c
1 parent 840bc68
commit 182d83c
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 0 deletions.
diff --git a/classes/external/get_join_url.php b/classes/external/get_join_url.php
@@ -59,6 +59,7 @@ public static function execute_parameters(): external_function_parameters {
      * @param int $cmid the bigbluebuttonbn course module id
      * @param null|int $groupid
      * @return array (empty array for now)
+     * @throws restricted_context_exception
      */
     public static function execute(
         int $cmid,
@@ -85,7 +86,11 @@ public static function execute(
         }
         $instance->set_group_id($groupid);
 
+        // Validate that the user has access to this activity and to join the meeting.
         self::validate_context($instance->get_context());
+        if (!$instance->can_join()) {
+            throw new restricted_context_exception();
+        }
 
         try {
             $result['join_url'] = meeting::join_meeting($instance);

diff --git a/tests/external/get_join_url_test.php b/tests/external/get_join_url_test.php
@@ -16,7 +16,9 @@
 
 namespace mod_bigbluebuttonbn\external;
 
+use context_course;
 use external_api;
+use restricted_context_exception;
 use mod_bigbluebuttonbn\instance;
 use mod_bigbluebuttonbn\local\config;
 use mod_bigbluebuttonbn\test\testcase_helper_trait;
@@ -87,6 +89,28 @@ public function test_execute_without_login() {
         $this->get_join_url($instance->get_cm_id());
     }
 
+    /**
+     * Test execution with a user who doesn't have the capability to join the meeting
+     */
+    public function test_execute_without_capability(): void {
+        global $DB;
+
+        $this->resetAfterTest();
+
+        $course = $this->getDataGenerator()->create_course();
+        $record = $this->getDataGenerator()->create_module('bigbluebuttonbn', ['course' => $course->id]);
+        $instance = instance::get_from_instanceid($record->id);
+
+        $user = $this->getDataGenerator()->create_and_enrol($course);
+        $this->setUser($user);
+
+        $student = $DB->get_field('role', 'id', ['shortname' => 'student'], MUST_EXIST);
+        assign_capability('mod/bigbluebuttonbn:join', CAP_PROHIBIT, $student, context_course::instance($course->id), true);
+
+        $this->expectException(restricted_context_exception::class);
+        $this->get_join_url($instance->get_cm_id());
+    }
+
     /**
      * Test execute API CALL with invalid login
      */