MDL-47965 tag: Enforcing security of tag auto completion

tag/tag.js

@@ -10,13 +10,13 @@ YUI().use('yui2-autocomplete', 'yui2-datasource', 'yui2-animation', 'yui2-connec
         fieldDelim: "\t"
     };
     myDataSource.maxCacheEntries = 60;
-    myDataSource.minQueryLength = 3;
 
     // Instantiate the AutoComplete
     var myAutoComp = new Y.YUI2.widget.AutoComplete("id_relatedtags", "relatedtags-autocomplete", myDataSource);
     document.getElementById('id_relatedtags').style.width = '30%';
     myAutoComp.allowBrowserAutocomplete = false;
     myAutoComp.maxResultsDisplayed = 20;
+    myAutoComp.minQueryLength = 3;
     myAutoComp.delimChar = [","," "];
     myAutoComp.formatResult = function(oResultData, sQuery, sResultMatch) {
         return (sResultMatch);

tag/tag_autocomplete.php

@@ -27,16 +27,32 @@ define('AJAX_SCRIPT', true);
 require_once('../config.php');
 require_once('lib.php');
 
-require_login();
-
 if (empty($CFG->usetags)) {
-    print_error('tagsaredisabled', 'tag');
+    // Tags are disabled.
+    die();
 }
 
-$query = optional_param('query', '', PARAM_RAW);
+require_login(0, false);
+if (isguestuser()) {
+    // Guests should not be using this.
+    die();
+}
 
-if ($similar_tags = tag_autocomplete($query)) {
+// If a user cannot edit tags, they cannot add related tags which is what this auto complete is for.
-    foreach ($similar_tags as $tag) {
+require_capability('moodle/tag:edit', context_system::instance());
+
+$query = optional_param('query', '', PARAM_TAG);
+
+echo $OUTPUT->header();
+
+// Limit the query to a minimum of 3 characters.
+$similartags = array();
+if (core_text::strlen($query) >= 3) {
+    $similartags = tag_autocomplete($query);
+}
+
+foreach ($similartags as $tag) {
     echo clean_param($tag->name, PARAM_TAG) . "\t" . tag_display_name($tag) . "\n";
-    }
 }
+
+echo $OUTPUT->footer();