MDL-40854 fix mod/...:view capabilities

Prior to the fix, if you did not have a capability like mod/page:view, then you woulds still see the link to the Page activity in the course section, but when you clicked on it, you would run into a require_capability error. It is a principle that we never show users a link to a page they are not allowed to access, therefore, when users do not have mod/...:view, they should not see the link on the course page. This patch implements this in the cm_info class, in a similar way to how access restrictions by groups works. It does not assume that the mod/...:view capability exists. If the capability does not exist, then users are not prevented from seeing the link.
nealpowell · Jul 26, 2013 · 9e1fe42 · 9e1fe42
1 parent bdd045c
commit 9e1fe42
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 2 deletions.
diff --git a/grade/report/user/lib.php b/grade/report/user/lib.php
@@ -365,7 +365,8 @@ private function fill_table_recursive(&$element) {
                     $cm = $instances[$grade_object->iteminstance];
                     if (!$cm->uservisible) {
                         // Further checks are required to determine whether the activity is entirely hidden or just greyed out.
-                        if ($cm->is_user_access_restricted_by_group() || $cm->is_user_access_restricted_by_conditional_access()) {
+                        if ($cm->is_user_access_restricted_by_group() || $cm->is_user_access_restricted_by_conditional_access() ||
+                                $cm->is_user_access_restricted_by_capability()) {
                             $hide = true;
                         }
                     }

diff --git a/lib/modinfolib.php b/lib/modinfolib.php
@@ -1203,7 +1203,8 @@ private function update_user_visible() {
         }
 
         // Check group membership.
-        if ($this->is_user_access_restricted_by_group()) {
+        if ($this->is_user_access_restricted_by_group() ||
+                $this->is_user_access_restricted_by_capability()) {
 
              $this->uservisible = false;
             // Ensure activity is completely hidden from the user.
@@ -1234,6 +1235,23 @@ public function is_user_access_restricted_by_group() {
         return false;
     }
 
+    /**
+     * Checks whether mod/...:view capability restricts the current user's access.
+     *
+     * @return bool True if the user access is restricted.
+     */
+    public function is_user_access_restricted_by_capability() {
+        $capability = 'mod/' . $this->modname . ':view';
+        $capabilityinfo = get_capability_info($capability);
+        if (!$capabilityinfo) {
+            // Capability does not exist, no one is prevented from seeing the activity.
+            return false;
+        }
+
+        // You are blocked if you don't have the capability.
+        return !has_capability($capability, context_module::instance($this->id));
+    }
+
     /**
      * Checks whether the module's conditional access settings mean that the user cannot see the activity at all
      *