From: Marina Glancy
Date: Wed, 19 Apr 2017 04:04:47 +0000 (+0800)
Subject: MDL-58635 blogs: check edited blog belongs to current user
X-Git-Tag: v3.3.0-rc1~40
X-Git-Url: https://git.moodle.org/gw?p=moodle.git;a=commitdiff_plain;h=b7fcd095825b808228d40f052deccd919e626381
MDL-58635 blogs: check edited blog belongs to current user
---
diff --git a/lang/en/blog.php b/lang/en/blog.php
index 2f5c5c6..9eb4b7a 100644
--- a/lang/en/blog.php
+++ b/lang/en/blog.php
@@ -185,6 +185,7 @@ $string['viewmyentriesaboutcourse'] = 'View my entries about this course';
 $string['viewsiteentries'] = 'View all entries';
 $string['viewuserentries'] = 'View all entries by {$a}';
 $string['worldblogs'] = 'The world can read entries set to be world-accessible';
+$string['wrongexternalid'] = 'Wrong external blog id';
 $string['wrongpostid'] = 'Wrong blog post id';
 $string['page-blog-edit'] = 'Blog editing pages';
 $string['page-blog-index'] = 'Blog listing pages';
--- a/blog/external_blog_edit.php~ 2015-05-10 04:39:05.000000000 -0500
+++ b/blog/external_blog_edit.php 2017-05-17 08:05:48.752003415 -0500
@@ -52,11 +52,11 @@
 $external = new stdClass();
-// Check that this id exists
-if (!empty($id) && !$DB->record_exists('blog_external', array('id' => $id))) {
- print_error('wrongexternalid', 'blog');
-} elseif (!empty($id)) {
- $external = $DB->get_record('blog_external', array('id' => $id));
+// Retrieve the external blog record.
+if (!empty($id)) {
+ if (!$external = $DB->get_record('blog_external', array('id' => $id, 'userid' => $USER->id))) {
+ print_error('wrongexternalid', 'blog');
+ }
 }
 $strformheading = ($action == 'edit') ? get_string('editexternalblog', 'blog') : get_string('addnewexternalblog', 'blog');
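Review bot: The replacement comment `// Retrieve the external blog record.` in blog/external_blog_edit.php does not say that the `'userid' => $USER->id` condition in the `get_record()` call is the ownership check this commit exists to add, so a later refactor could drop it as a redundant filter. I would word it as `// Load the record only if it belongs to the current user; a missing id and another user's id get the same error.` Reusing `wrongexternalid` for both cases is worth keeping, since it does not reveal whether an id exists. The script continues outside the hunk: the branch that saves the submitted form should be checked to confirm it writes only to the `$external` record loaded here and not to an id taken from the posted data.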