MDL-28126 webservices : should not able to create token if user is deleted,unconfirmed,suspended or guest.

admin/webservice/forms.php

@@ -179,7 +179,7 @@ class external_service_functions_form extends moodleform {
 class web_service_token_form extends moodleform {
 
     function definition() {
-        global $USER, $DB;
+        global $USER, $DB, $CFG;
 
         $mform = $this->_form;
         $data = $this->_customdata;
@@ -188,10 +188,12 @@ class web_service_token_form extends moodleform {
 
         if (empty($data->nouserselection)) {
             //user searchable selector - get all users (admin and guest included)
+            //user must be confirmed, not deleted, not suspended, not guest
             $sql = "SELECT u.id, u.firstname, u.lastname
             FROM {user} u
+            WHERE u.deleted = 0 AND u.confirmed = 1 AND u.suspended = 0 AND u.id != ?
             ORDER BY u.lastname";
-            $users = $DB->get_records_sql($sql, array());
+            $users = $DB->get_records_sql($sql, array($CFG->siteguest));
             $options = array();
             foreach ($users as $userid => $user) {
                 $options[$userid] = $user->firstname . " " . $user->lastname;

admin/webservice/tokens.php

@@ -71,6 +71,12 @@ switch ($action) {
                 }
             }
 
+            //check if the user is deleted. unconfirmed, suspended or guest
+            $user = $DB->get_record('user', array('id' => $data->user));
+            if ($user->id == $CFG->siteguest or $user->deleted or !$user->confirmed or $user->suspended) {
+                throw new moodle_exception('forbiddenwsuser', 'webservice');
+            }
+
             //process the creation
             if (empty($errormsg)) {
                 //TODO improvement: either move this function from externallib.php to webservice/lib.php