Webservice: List issued certificates

There are no checks to see if the user can actually get the list of certificates meaning anyone can get a list of certificates which is a huge security issue.

Author: michallohnisky

classes/external.php

@@ -276,6 +276,9 @@ public static function list_issues($timecreatedfrom = null, $userid = null, $cus
         ];
         self::validate_parameters(self::list_issues_parameters(), $params);
 
+        $context = \context_system::instance();
+        require_capability('mod/customcert:viewallcertificates', $context);
+
         $output = [];
 
         list($namefields, $nameparams) = \core_user\fields::get_sql_fullname();

db/services.php

@@ -55,6 +55,7 @@
         'methodname'  => 'list_issues',
         'classpath'   => '',
         'description' => 'List issued certificates',
+        'capabilities' => 'mod/customcert:viewallcertificates',
         'type'        => 'read',
         'ajax'        => true,
     ],