Merge pull request ILIAS-eLearning#8711 from surlabs/trunk_LTI_019

LTI: Added permissions checking and HTML escaping
srsolutionsag · Dec 12, 2024 · ed3b0cc · ed3b0cc
2 parents dbeee9f + 2877e1d
commit ed3b0cc
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 7 deletions.
diff --git a/components/ILIAS/LTIConsumer/classes/class.ilLTIConsumerAdministrationGUI.php b/components/ILIAS/LTIConsumer/classes/class.ilLTIConsumerAdministrationGUI.php
@@ -1,7 +1,5 @@
 <?php
 
-declare(strict_types=1);
-
 /**
  * This file is part of ILIAS, a powerful learning management system
  * published by ILIAS open source e-Learning e.V.
@@ -18,6 +16,8 @@
  *
  *********************************************************************/
 
+declare(strict_types=1);
+
 use GuzzleHttp\Client;
 use GuzzleHttp\Psr7\Uri;
 
@@ -785,7 +785,7 @@ protected function confirmDeleteProviders(array $providers, string $cancelComman
             $confirmationGUI->addItem(
                 'provider_ids[]',
                 (string) $provider->getId(),
-                $provider->getTitle(),
+                htmlspecialchars($provider->getTitle()),
                 $providerIcon
             );
         }

diff --git a/components/ILIAS/LTIConsumer/classes/class.ilObjLTIConsumer.php b/components/ILIAS/LTIConsumer/classes/class.ilObjLTIConsumer.php
@@ -1313,7 +1313,7 @@ public static function registerClient(array $data, object $tokenObj): array
         $reponseData = $data;
         $provider = new ilLTIConsumeProvider();
         $toolConfig = $data['https://purl.imsglobal.org/spec/lti-tool-configuration'];
-        $provider->setTitle($data['client_name']);
+        $provider->setTitle(strip_tags($data['client_name'], ilObjectGUI::ALLOWED_TAGS_IN_TITLE_AND_DESCRIPTION));
         $provider->setProviderUrl($toolConfig['target_link_uri']);
         $provider->setInitiateLogin($data['initiate_login_uri']);
         $provider->setRedirectionUris(implode(",", $data['redirect_uris']));

diff --git a/components/ILIAS/LTIConsumer/ltiregstart.php b/components/ILIAS/LTIConsumer/ltiregstart.php
@@ -1,7 +1,5 @@
 <?php
 
-declare(strict_types=1);
-
 /**
  * This file is part of ILIAS, a powerful learning management system
  * published by ILIAS open source e-Learning e.V.
@@ -18,13 +16,15 @@
  *
  *********************************************************************/
 
+declare(strict_types=1);
+
 /** @noRector */
 chdir("../../../");
 
 ilInitialisation::initILIAS();
 global $DIC;
 
-if (!$DIC->user()->getId() || $DIC->user()->getId() === ANONYMOUS_USER_ID) {
+if (!$DIC->user()->getId() || !ilLTIConsumerAccess::hasCustomProviderCreationAccess()) {
     ilObjLTIConsumer::sendResponseError(401, "unauthorized");
 }