MDL-19575 Global Search Adding capability checks to the search and st…

…at pages
eSrem · Sep 29, 2011 · 342f224 · 342f224
1 parent 3973662
commit 342f224
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 9 deletions.
diff --git a/blocks/search/block_search.php b/blocks/search/block_search.php
@@ -46,6 +46,7 @@ function get_content() {
             '<form id="searchquery" method="get" action="'. $CFG->wwwroot .'/search/query.php"><div>'
           . '<label for="block_search_q">' . get_string('searchmoodle', 'block_search') . '</label>'
           . '<input id="block_search_q" type="text" name="query_string" />'
+          . '<input id="block_instance_id" type="hidden" name="block_instanceid" value="' . $this->instance->id . '"/>'
           . '<input type="submit" value="' . s(get_string('go', 'block_search')) . '" />'
           . '</div></form>';
 

diff --git a/lang/en/search.php b/lang/en/search.php
@@ -63,6 +63,7 @@
 $string['score'] = 'Score';
 $string['search'] = 'Search';
 $string['searching'] = 'Searching in ...';
+$string['searchnotpermitted'] = 'You are not allowed to do a search';
 $string['seconds'] = 'seconds';
 $string['solutions'] = 'Solutions';
 $string['statistics'] = 'Statistics';

diff --git a/search/query.php b/search/query.php
@@ -37,13 +37,24 @@
     require_once('../config.php');
     require_once($CFG->dirroot.'/search/lib.php');
 
+    $block_instanceid = required_param('block_instanceid', PARAM_INT);// Block Instance ID
+
     if ($CFG->forcelogin) {
         require_login();
     }
 
     if (empty($CFG->enableglobalsearch)) {
         print_error('globalsearchdisabled', 'search');
     }
+    //Check user's permissions against the block instance from which the user came
+    if (empty($block_instanceid)) {
+        print_error('searchnotpermitted', 'search');
+    }
+    if (!$DB->record_exists('block_instances', array('id' => $block_instanceid, 'blockname' => 'search'))) {
+        print_error('searchnotpermitted', 'search');
+    }
+    $contextblock = get_context_instance(CONTEXT_BLOCK, $block_instanceid);
+    require_capability('moodle/block:view', $contextblock);
 
     $adv = new stdClass();
 
@@ -63,6 +74,7 @@
     if ($advanced) {
         $url->param('a', '1');
     }
+    $url->param('block_instanceid', $block_instanceid);
     $PAGE->set_url($url);
 
 /// discard harmfull searches
@@ -166,8 +178,8 @@
     // print the header
     $site = get_site();
     $PAGE->set_context(get_context_instance(CONTEXT_SYSTEM));
-    $PAGE->navbar->add($strsearch, new moodle_url('/search/index.php'));
-    $PAGE->navbar->add($strquery, new moodle_url('/search/stats.php'));
+    $PAGE->navbar->add($strsearch, new moodle_url('/search/query.php?block_instanceid=' . $block_instanceid));
+    $PAGE->navbar->add($strquery, new moodle_url('/search/stats.php?block_instanceid=' . $block_instanceid));
     $PAGE->set_title($strsearch);
     $PAGE->set_heading($site->fullname);
     echo $OUTPUT->header();
@@ -195,16 +207,18 @@
     <?php
     if (!$advanced) {
     ?>
+        <input type="hidden" name="block_instanceid" value="<?php p($block_instanceid) ?>" />&nbsp;
         <input type="text" name="query_string" length="50" value="<?php p($query_string) ?>" />&nbsp;
         <input type="submit" value="<?php print_string('search', 'search') ?>" /> &nbsp;
-        <a href="query.php?a=1"><?php print_string('advancedsearch', 'search') ?></a> |
-        <a href="stats.php"><?php print_string('statistics', 'search') ?></a>
+        <a href="query.php?a=1&block_instanceid=<?php p($block_instanceid) ?>" ><?php print_string('advancedsearch', 'search') ?></a> |
+        <a href="stats.php?block_instanceid=<?php p($block_instanceid) ?>"><?php print_string('statistics', 'search') ?></a>
     <?php
     }
     else {
         echo $OUTPUT->box_start();
       ?>
         <input type="hidden" name="a" value="<?php p($advanced); ?>"/>
+        <input type="hidden" name="block_instanceid" value="<?php p($block_instanceid) ?>" />
 
         <table border="0" cellpadding="3" cellspacing="3">
 
@@ -269,8 +283,8 @@
           <td colspan="3" align="center">
             <table border="0" cellpadding="0" cellspacing="0">
               <tr>
-                <td><a href="query.php"><?php print_string('normalsearch', 'search') ?></a> |</td>
-                <td>&nbsp;<a href="stats.php"><?php print_string('statistics', 'search') ?></a></td>
+                <td><a href="query.php?block_instanceid=<?php p($block_instanceid) ?>"><?php print_string('normalsearch', 'search') ?></a> |</td>
+                <td>&nbsp;<a href="stats.php?block_instanceid=<?php p($block_instanceid) ?>"><?php print_string('statistics', 'search') ?></a></td>
               </tr>
             </table>
           </td>

diff --git a/search/stats.php b/search/stats.php
@@ -21,6 +21,8 @@
 require_once('../config.php');
 require_once($CFG->dirroot.'/search/lib.php');
 
+$block_instanceid = required_param('block_instanceid', PARAM_INT);// Block Instance ID
+
 /// checks global search is enabled
 
     if ($CFG->forcelogin) {
@@ -30,6 +32,15 @@
     if (empty($CFG->enableglobalsearch)) {
         print_error('globalsearchdisabled', 'search');
     }
+    //Check user's permissions against the block instance from which the user came
+    if (empty($block_instanceid)) {
+        print_error('searchnotpermitted', 'search');
+    }
+    if (!$DB->record_exists('block_instances', array('id' => $block_instanceid, 'blockname' => 'search'))) {
+        print_error('searchnotpermitted', 'search');
+    }
+    $contextblock = get_context_instance(CONTEXT_BLOCK, $block_instanceid);
+    require_capability('moodle/block:view', $contextblock);
 
 /// check for php5, but don't die yet
 
@@ -44,10 +55,13 @@
 
     $site = get_site();
 
-    $PAGE->set_url('/search/stats.php');
+    $url = new moodle_url('/search/stats.php');
+    $url->param('block_instanceid', $block_instanceid);
+    $PAGE->set_url($url);
+
     $PAGE->set_context(get_context_instance(CONTEXT_SYSTEM));
-    $PAGE->navbar->add($strsearch, new moodle_url('/search/index.php'));
-    $PAGE->navbar->add($strquery, new moodle_url('/search/stats.php'));
+    $PAGE->navbar->add($strsearch, new moodle_url('/search/query.php?block_instanceid=' . $block_instanceid));
+    $PAGE->navbar->add($strquery, new moodle_url('/search/stats.php?block_instanceid=' . $block_instanceid));
     $PAGE->set_title($strsearch);
     $PAGE->set_heading($site->fullname);
     echo $OUTPUT->header();