Commit c8c5235

AngelFQC and claude committed
Security: verify teacher-student relationship before showing tracking
myStudents.php granted access to a student's full tracking profile to any user holding a tracking-capable role (teacher / course admin) without checking that the requesting teacher actually teaches the target student, so a teacher could read the learning records of any student on the platform by changing the `student` query parameter.

Add a per-student authorization layer after the existing role check: teachers and course admins must share a course with the target student (UserManager::isTeacherOfStudent) or be allowed to coach them in a session (Tracking::is_allowed_to_coach_student). Platform/session admins, HR managers and student bosses keep their wider tracking scope. This mirrors the access rule already enforced in lp_tracking.php.

Refs GHSA-rp64-899j-x9f6

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 996c4f1 commit c8c5235

1 file changed

Lines changed: 15 additions & 0 deletions

File tree

public/main/my_space/myStudents.php

@@ -104,6 +104,21 @@
104104
api_not_allowed(true);
105105
}
106106

107+
// Beyond holding a tracking-capable role, a teacher / course admin may only
108+
// view the tracking data of a student they actually teach. Platform and session
109+
// admins, HR managers (DRH) and student bosses keep their wider tracking scope.
110+
// Mirrors the per-student access rule already enforced in lp_tracking.php.
111+
if (
112+
!api_is_platform_admin(true, true)
113+
&& !api_is_session_admin()
114+
&& !api_is_drh()
115+
&& !api_is_student_boss()
116+
&& !UserManager::isTeacherOfStudent(api_get_user_id(), $studentId)
117+
&& !Tracking::is_allowed_to_coach_student(api_get_user_id(), $studentId)
118+
) {
119+
api_not_allowed(true);
120+
}
121+
107122
$completeName = UserManager::formatUserFullName($user);
108123

109124
if ($export) {
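Review bot: the six-way allow rule added in this hunk now exists in two copies, here and in lp_tracking.php (as the comment on the block itself says), so the next role that is added or renamed has to be remembered in both places; extracting the condition into one shared helper that takes the requesting user id and the target `$studentId` would keep the two pages from drifting apart. Two further points on the block: it depends on `$studentId` already being the validated integer derived from the `student` parameter before the `if (` line, which this hunk does not show, so confirm that cast happens earlier in the file rather than after `$completeName = UserManager::formatUserFullName($user);`, and consider recording the denied request (requesting user id and requested `$studentId`) before the new `api_not_allowed(true);`, since a run of denials with varying `student` values is exactly the enumeration the commit message describes and is otherwise invisible in the logs.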
