LTI: Added permissions check in ltiregstart.php and several HTML filters

The LTIConsumer creation entry point has been modified to add a user check and an unused get method check has been removed. Added htmlspecialchars to ilObjLTIConsumerProviderList::getTableDataUsedBy in the title and description of the table providers. Added strip_tags to title in ilObjLTIConsumer::registerClient
surlabs · Dec 9, 2024 · 3158f3b · 3158f3b
1 parent 7f412c0
commit 3158f3b
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 8 deletions.
diff --git a/Modules/LTIConsumer/classes/class.ilLTIConsumeProviderList.php b/Modules/LTIConsumer/classes/class.ilLTIConsumeProviderList.php
@@ -390,8 +390,8 @@ public function getTableData(): array
             $tblRow = array();
 
             $tblRow['id'] = $provider->getId();
-            $tblRow['title'] = $provider->getTitle();
-            $tblRow['description'] = $provider->getDescription();
+            $tblRow['title'] = htmlspecialchars($provider->getTitle());
+            $tblRow['description'] = htmlspecialchars($provider->getDescription());
             $tblRow['category'] = $provider->getCategory();
             $tblRow['keywords'] = $this->getKeywordsFormatted($provider->getKeywordsArray());
             $tblRow['outcome'] = $provider->getHasOutcome();

diff --git a/Modules/LTIConsumer/classes/class.ilObjLTIConsumer.php b/Modules/LTIConsumer/classes/class.ilObjLTIConsumer.php
@@ -1272,7 +1272,7 @@ public static function registerClient(array $data, object $tokenObj): array
         $reponseData = $data;
         $provider = new ilLTIConsumeProvider();
         $toolConfig = $data['https://purl.imsglobal.org/spec/lti-tool-configuration'];
-        $provider->setTitle($data['client_name']);
+        $provider->setTitle(strip_tags($data['client_name'], ilObjectGUI::ALLOWED_TAGS_IN_TITLE_AND_DESCRIPTION));
         $provider->setProviderUrl($toolConfig['target_link_uri']);
         $provider->setInitiateLogin($data['initiate_login_uri']);
         $provider->setRedirectionUris(implode(",", $data['redirect_uris']));

diff --git a/Modules/LTIConsumer/ltiregstart.php b/Modules/LTIConsumer/ltiregstart.php
@@ -26,11 +26,8 @@
 ilInitialisation::initILIAS();
 global $DIC;
 
-if (strtoupper($DIC->http()->request()->getMethod()) !== "GET") {
-    $DIC->http()->saveResponse(
-        $DIC->http()->response()
-            ->withStatus(400)
-    );
+if (!$DIC->user()->getId() || !$DIC->access()->checkAccessOfUser($DIC->user()->getId(), 'write', '', 1)) {
+    ilObjLTIConsumer::sendResponseError(401, "unauthorized");
 }
 
 $params = $DIC->http()->wrapper()->query();