Commit c8c5235
Security: verify teacher-student relationship before showing tracking
myStudents.php granted access to a student's full tracking profile to any
user holding a tracking-capable role (teacher / course admin) without
checking that the requesting teacher actually teaches the target student,
so a teacher could read the learning records of any student on the
platform by changing the `student` query parameter.
Add a per-student authorization layer after the existing role check:
teachers and course admins must share a course with the target student
(UserManager::isTeacherOfStudent) or be allowed to coach them in a session
(Tracking::is_allowed_to_coach_student). Platform/session admins, HR
managers and student bosses keep their wider tracking scope. This mirrors
the access rule already enforced in lp_tracking.php.
Refs GHSA-rp64-899j-x9f6
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

1 parent 996c4f1 commit c8c5235
1 file changed
Lines changed: 15 additions & 0 deletions
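The authorization rule the commit message describes (role check first, then a per-student relationship check for teachers and course admins, with platform/session admins, HR managers and student bosses keeping their wider scope) is modelled below as an added example. This is not the project's code: the roles, users, courses and sessions are constructed fixtures, and `is_teacher_of_student` / `is_allowed_to_coach_student` are local stand-ins for the `UserManager::isTeacherOfStudent` and `Tracking::is_allowed_to_coach_student` checks named in the message. It runs the pre-fix rule (role only) and the post-fix rule over the same data so the cross-course exposure is visible.

```python
"""Model of the myStudents.php access rule before and after the fix.

All data is constructed for this example; the helper names mirror the
checks named in the commit message but are not the platform's own code.
"""
from dataclasses import dataclass

# Constructed role names (not the platform's own constants)
PLATFORM_ADMIN, SESSION_ADMIN, HR_MANAGER, STUDENT_BOSS = (
    "platform_admin", "session_admin", "hr_manager", "student_boss")
TEACHER, COURSE_ADMIN, STUDENT = "teacher", "course_admin", "student"

# Roles that may open a tracking page at all (the pre-existing check)
TRACKING_ROLES = {PLATFORM_ADMIN, SESSION_ADMIN, HR_MANAGER,
                  STUDENT_BOSS, TEACHER, COURSE_ADMIN}
# Roles whose tracking scope is platform-wide and is left unchanged by the fix
WIDE_SCOPE_ROLES = {PLATFORM_ADMIN, SESSION_ADMIN, HR_MANAGER, STUDENT_BOSS}


@dataclass
class Platform:
    roles: dict            # user id -> role name
    course_teachers: dict  # course code -> set of teacher ids
    course_students: dict  # course code -> set of student ids
    session_coach: dict    # session id -> coach user id
    session_students: dict # session id -> set of student ids

    def is_teacher_of_student(self, teacher: int, student: int) -> bool:
        """Stand-in for UserManager::isTeacherOfStudent: share a course."""
        return any(teacher in self.course_teachers[c]
                   and student in self.course_students[c]
                   for c in self.course_teachers)

    def is_allowed_to_coach_student(self, coach: int, student: int) -> bool:
        """Stand-in for Tracking::is_allowed_to_coach_student: coach a session."""
        return any(self.session_coach[s] == coach
                   and student in self.session_students[s]
                   for s in self.session_coach)


def can_view_tracking_before(p: Platform, requester: int, student: int) -> bool:
    """Pre-fix rule: any tracking-capable role may view any student."""
    return p.roles.get(requester) in TRACKING_ROLES


def can_view_tracking_after(p: Platform, requester: int, student: int) -> bool:
    """Post-fix rule: role check, then a per-student relationship check."""
    role = p.roles.get(requester)
    if role not in TRACKING_ROLES:
        return False                      # existing role gate, unchanged
    if role in WIDE_SCOPE_ROLES:
        return True                       # wider scope kept by the fix
    # Teacher / course admin: deny unless a course or session relation exists
    return (p.is_teacher_of_student(requester, student)
            or p.is_allowed_to_coach_student(requester, student))


def visible_students(p: Platform, requester: int, rule) -> set:
    """Every student id the requester could reach under the given rule."""
    return {uid for uid, role in p.roles.items()
            if role == STUDENT and rule(p, requester, uid)}


def demo_platform() -> Platform:
    """Constructed fixture: two courses with one teacher each, one session."""
    return Platform(
        roles={1: PLATFORM_ADMIN, 2: TEACHER, 3: TEACHER,
               4: STUDENT, 5: STUDENT, 6: STUDENT, 7: HR_MANAGER},
        course_teachers={"CS101": {2}, "MATH": {3}},
        course_students={"CS101": {4}, "MATH": {5}},
        session_coach={"S1": 3},
        session_students={"S1": {6}},
    )


if __name__ == "__main__":
    p = demo_platform()
    for uid in (2, 3, 7):
        print(uid, p.roles[uid],
              "before:", sorted(visible_students(p, uid, can_view_tracking_before)),
              "after:", sorted(visible_students(p, uid, can_view_tracking_after)))
```

Running it shows teacher 2 (CS101 only) reaching students 4, 5 and 6 under the old rule and only student 4 under the new one, while teacher 3 keeps student 5 (shared course) and student 6 (coached session) and the HR manager's scope is unchanged.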
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
104 | 104 | | |
105 | 105 | | |
106 | 106 | | |
| 107 | + | |
| 108 | + | |
| 109 | + | |
| 110 | + | |
| 111 | + | |
| 112 | + | |
| 113 | + | |
| 114 | + | |
| 115 | + | |
| 116 | + | |
| 117 | + | |
| 118 | + | |
| 119 | + | |
| 120 | + | |
| 121 | + | |
107 | 122 | | |
108 | 123 | | |
109 | 124 | | |
| |||
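Review bot: the bodies of the 15 added lines (new lines 107 to 121) are not rendered on this page, so the authorization block itself cannot be reviewed from the table; it only shows that the block sits between unchanged original lines 106 and 107. From the commit message, two points to confirm in the source before merging: that the new block runs after the existing role check and before any tracking data is loaded or emitted, so a denied request leaks nothing; and that the teacher/course-admin branch is deny-by-default (refused unless UserManager::isTeacherOfStudent or Tracking::is_allowed_to_coach_student holds) rather than allow-by-default with exceptions. A regression test that requests another course's student with a teacher account would pin the behaviour, and the message could note whether the same rule applies to the other tracking entry points besides lp_tracking.php.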
0 commit comments