MDL-9574 + MDL-9607 Add Change-own-password and Edit-own-profile capa…

…bilities
anovikov · Apr 26, 2007 · 1cb3da3 · 1cb3da3
1 parent 101ed55
commit 1cb3da3
Show file tree

Hide file tree

Showing 10 changed files with 86 additions and 31 deletions.
diff --git a/lang/en_utf8/moodle.php b/lang/en_utf8/moodle.php
@@ -500,6 +500,14 @@
 
 If you need help, please contact the site administrator,
 $a->admin';
+$string['emailpasswordchangeinfodisabled'] = 'Hi $a->firstname,
+
+Someone (probably you) has requested a new password for your
+account on \'$a->sitename\'.
+
+Unfortunately your account on this site is disabled and can not be reset, 
+please contact the site administrator,
+$a->admin';
 $string['emailpasswordchangeinfofail'] = 'Hi $a->firstname,
 
 Someone (probably you) has requested a new password for your

diff --git a/lang/en_utf8/role.php b/lang/en_utf8/role.php
@@ -116,8 +116,10 @@
 $string['site:viewfullnames'] = 'Always see full names of users';
 $string['site:viewparticipants'] = 'View participants';
 $string['site:viewreports'] = 'View reports';
+$string['user:changeownpassword'] = 'Change own password';
 $string['user:create'] = 'Create users';
 $string['user:delete'] = 'Delete users';
+$string['user:editownprofile'] = 'Edit own user profile';
 $string['user:editprofile'] = 'Edit user profile';
 $string['user:loginas'] = 'Login as other users';
 $string['user:readuserblogs'] = 'See all user blogs';

diff --git a/lib/db/access.php b/lib/db/access.php
@@ -719,13 +719,35 @@
 
 	    'riskbitmask' => RISK_SPAM, 	 
 
-	    'captype' => 'read', 	 
+	    'captype' => 'write', 	 
 	    'contextlevel' => CONTEXT_USER, 	 
 	    'legacy' => array( 	 
 	       'admin' => CAP_ALLOW 	 
 	    ) 	 
 	),
 
+    'moodle/user:editownprofile' => array(      
+
+        'captype' => 'write',     
+        'contextlevel' => CONTEXT_SYSTEM,      
+        'legacy' => array(   
+            'guest' => CAP_PROHIBIT,
+            'user' => CAP_ALLOW,
+            'admin' => CAP_ALLOW
+        )    
+    ),
+
+    'moodle/user:changeownpassword' => array(      
+
+        'captype' => 'write',     
+        'contextlevel' => CONTEXT_SYSTEM,      
+        'legacy' => array(   
+            'guest' => CAP_PROHIBIT,
+            'user' => CAP_ALLOW,
+            'admin' => CAP_ALLOW
+        )    
+    ),
+
     // The next 3 might make no sense for some roles, e.g teacher, etc.
     // since the next level up is site. These are more for the parent role
     'moodle/user:readuserposts' => array(

diff --git a/lib/moodlelib.php b/lib/moodlelib.php
@@ -3575,7 +3575,7 @@ function reset_password_and_mail($user) {
     $from = get_admin();
 
     $userauth = get_auth_plugin($user->auth);
-    if (!$userauth->can_reset_password()) {
+    if (!$userauth->can_reset_password() or !is_enabled_auth($user->auth)) {
         trigger_error("Attempt to reset user password for user $user->username with Auth $user->auth.");
         return false;
     }
@@ -3676,23 +3676,31 @@ function send_password_change_info($user) {
 
     $site = get_site();
     $from = get_admin();
+    $systemcontext = get_context_instance(CONTEXT_SYSTEM);
 
     $data = new object();
     $data->firstname = $user->firstname;
     $data->sitename = format_string($site->fullname);
     $data->admin = fullname($from).' ('. $from->email .')';
 
-     $userauth = get_auth_plugin($user->auth);
+    $userauth = get_auth_plugin($user->auth);
+
+    if (!is_enabled_auth($user->auth) or $user->auth == 'nologin') {
+        $message = get_string('emailpasswordchangeinfodisabled', '', $data);
+        $subject = get_string('emailpasswordchangeinfosubject', '', format_string($site->fullname));
+        return email_to_user($user, $from, $subject, $message);
+    }
+
     if ($userauth->can_change_password() and $userauth->change_password_url()) {
-        // we have some external url for password cahnging
+        // we have some external url for password changing
         $data->link .= $userauth->change_password_url();
 
     } else {
         //no way to change password, sorry
         $data->link = '';
     }
 
-    if (!empty($data->link)) {
+    if (!empty($data->link) and has_capability('moodle/user:changeownpassword', $systemcontext, $user->id)) {
         $message = get_string('emailpasswordchangeinfo', '', $data);
         $subject = get_string('emailpasswordchangeinfosubject', '', format_string($site->fullname));
     } else {

diff --git a/login/change_password.php b/login/change_password.php
@@ -14,15 +14,19 @@
         error('No such course!');
     }
 
-    // require proper login; guest can not change password
-    // TODO: add change password capability so that we can prevent participants from changing password
-    if (empty($USER->id) or isguestuser() or has_capability('moodle/legacy:guest', $systemcontext, $USER->id, false)) {
+    // require proper login; guest user can not change password
+    if (empty($USER->id) or isguestuser()) {
         if (empty($SESSION->wantsurl)) {
             $SESSION->wantsurl = $CFG->httpswwwroot.'/login/change_password.php';
         }
         redirect($CFG->httpswwwroot.'/login/index.php');
     }
 
+    // do not require change own password cap if change forced
+    if (!get_user_preferences('auth_forcepasswordchange', false)) {
+        require_capability('moodle/user:changeownpassword', $systemcontext);
+    }
+
     // do not allow "Logged in as" users to change any passwords
     if (!empty($USER->realuser)) {
         error('Can not use this script when "Logged in as"!');

diff --git a/login/forgot_password.php b/login/forgot_password.php
@@ -12,7 +12,7 @@
 
 httpsrequired();
 
-$sitecontext = get_context_instance(CONTEXT_SYSTEM);
+$systemcontext = get_context_instance(CONTEXT_SYSTEM);
 
 // setup text strings
 $strforgotten = get_string('passwordforgotten');
@@ -41,11 +41,13 @@
         // make sure that url relates to a valid user
 
         // check this isn't guest user
-        // TODO: add change password capability so that we can prevent participants to change password
-        if (has_capability('moodle/legacy:guest', $sitecontext, $user->id, false)) {
+        if (isguestuser($user)) {
             error('You cannot reset the guest password');
         }
 
+        // make sure user is allowed to change password
+        require_capability('moodle/user:changeownpassword', $systemcontext, $user->id);
+
         // override email stop and mail new password
         $user->emailstop = 0;
         if (!reset_password_and_mail($user)) {
@@ -97,25 +99,26 @@
     if ($user and !empty($user->confirmed)) {
 
         $userauth = get_auth_plugin($user->auth);
+        if (has_capability('moodle/user:changeownpassword', $systemcontext, $user->id)) {
+            // send email (make sure mail block is off)
+            $user->mailstop = 0;
+        }
 
-        if ($userauth->can_reset_password()) {
-            // reset internal password and notify user
+        if ($userauth->can_reset_password() and is_enabled_auth($user->auth)
+          and has_capability('moodle/user:changeownpassword', $systemcontext, $user->id)) {
+            // send reset password confirmation
 
             // set 'secret' string
             $user->secret = random_string(15);
             if (!set_field('user', 'secret', $user->secret, 'id', $user->id)) {
                 error('error setting user secret string');
             }
 
-            // send email (make sure mail block is off)
-            $user->mailstop = 0;
             if (!send_password_change_confirmation_email($user)) {
                 error('error sending password change confirmation email');
             }
 
         } else {
-            // send email (make sure mail block is off)
-            $user->mailstop = 0;
             if (!send_password_change_info($user)) {
                 error('error sending password change confirmation email');
             }

diff --git a/user/edit.php b/user/edit.php
@@ -24,7 +24,10 @@
         redirect($CFG->httpswwwroot.'/login/index.php');
     }
 
-    if (isguest()) { //TODO: add proper capability to edit own profile
+    $systemcontext   = get_context_instance(CONTEXT_SYSTEM);
+    $personalcontext = get_context_instance(CONTEXT_USER, $user->id);
+
+    if (isguestuser()) {
         print_error('guestnoeditprofile');
     }
 
@@ -38,9 +41,12 @@
     }
 
     // check access control
-    if ($user->id != $USER->id) {
+    if ($user->id == $USER->id) {
+        //editing own profile
+        require_capability('moodle/user:editownprofile', $systemcontext);
+
+    } else {
         // teachers, parents, etc.
-        $personalcontext = get_context_instance(CONTEXT_USER, $user->id);
         require_capability('moodle/user:editprofile', $personalcontext);
         // no editing of guest user account
         if (isguestuser($user->id)) {

diff --git a/user/tabs.php b/user/tabs.php
@@ -102,16 +102,19 @@
         }
 
         $edittype = 'none';
-        if (is_mnet_remote_user($user)) {
+        if (isguestuser($user)) {
+            // guest account can not be edited
+
+        } else if (is_mnet_remote_user($user)) {
             // cannot edit remote users
 
-        } else if (isguest() or !isloggedin()) {
-            // can not edit guest like accounts - TODO: add capability to edit own profile
-            
+        } else if (isguestuser() or !isloggedin()) {
+            // guests and not logged in can not edit own profile
+
         } else if ($USER->id == $user->id) {
             if (has_capability('moodle/user:update', $systemcontext)) {
                 $edittype = 'advanced';
-            } else {
+            } else if (has_capability('moodle/user:editownprofile', $systemcontext)) {
                 $edittype = 'normal';
             }
 

diff --git a/user/view.php b/user/view.php
@@ -31,11 +31,12 @@
     }
 
     if ($course->id == SITEID) {
-        $coursecontext = get_context_instance(CONTEXT_SYSTEM, SITEID);   // SYSTEM context
+        $coursecontext = get_context_instance(CONTEXT_SYSTEM);   // SYSTEM context
     } else {
         $coursecontext = get_context_instance(CONTEXT_COURSE, $course->id);   // Course context
     }
     $usercontext   = get_context_instance(CONTEXT_USER, $user->id);       // User context
+    $systemcontext = get_context_instance(CONTEXT_SYSTEM);   // SYSTEM context
 
     if (!empty($CFG->forcelogin) || $course->id != SITEID) {
         // do not force parents to enrol
@@ -356,10 +357,8 @@
     $userauth = get_auth_plugin($user->auth);
 
     $passwordchangeurl = false;
-    if (/*$currentuser and */$userauth->can_change_password() and !isguest()) { //TODO: add proper capability for password changing
-        if ($userauth->change_password_url()) {
-            $passwordchangeurl = $userauth->change_password_url();
-        } else {
+    if ($currentuser and $userauth->can_change_password() and !isguestuser() and has_capability('moodle/user:changeownpassword', $systemcontext)) {
+        if (!$passwordchangeurl = $userauth->change_password_url()) {
             if (empty($CFG->loginhttps)) {
                 $passwordchangeurl = "$CFG->wwwroot/login/change_password.php";
             } else {

diff --git a/version.php b/version.php
@@ -6,7 +6,7 @@
 // This is compared against the values stored in the database to determine
 // whether upgrades should be performed (see lib/db/*.php)
 
-   $version = 2007042601;  // YYYYMMDD = date
+   $version = 2007042700;  // YYYYMMDD = date
                            //       XY = increments within a single day
 
    $release = '1.9 dev';    // Human-friendly version name