MDL-25122 Quiz review page does not check and enforce separate groups…

… mode.
ragusa87 · Feb 18, 2011 · 8032cd7 · 8032cd7
1 parent 05d2a8b
commit 8032cd7
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 48 deletions.
diff --git a/mod/quiz/attemptlib.php b/mod/quiz/attemptlib.php
@@ -576,6 +576,29 @@ public function is_own_attempt() {
                 (!$this->is_preview_user() || $this->attempt->preview);
     }
 
+    /**
+     * Is the current user allowed to review this attempt. This applies when
+     * {@link is_own_attempt()} returns false.
+     * @return bool whether the review should be allowed.
+     */
+    public function is_review_allowed() {
+        if (!$this->has_capability('mod/quiz:viewreports')) {
+            return false;
+        }
+
+        $cm = $this->get_cm();
+        if ($this->has_capability('moodle/site:accessallgroups') ||
+                groups_get_activity_groupmode($cm) != SEPARATEGROUPS) {
+            return true;
+        }
+
+        // Check the users have at least one group in common.
+        $teachersgroups = groups_get_activity_allowed_groups($cm);
+        $studentsgroups = groups_get_all_groups($cm->course, $this->attempt->userid, $cm->groupingid);
+        return $teachersgroups && $studentsgroups &&
+                array_intersect(array_keys($teachersgroups), array_keys($studentsgroups));
+    }
+
     /**
      * Get the overall feedback corresponding to a particular mark.
      * @param $grade a particular grade.

diff --git a/mod/quiz/lang/en/quiz.php b/mod/quiz/lang/en/quiz.php
@@ -490,6 +490,7 @@
 $string['noquestionsonpage'] = 'Empty page';
 $string['noresponse'] = 'No response';
 $string['noreview'] = 'You are not allowed to review this quiz';
+$string['noreviewattempt'] = 'You are not allowed to review this attempt.';
 $string['noreviewshort'] = 'Not permitted';
 $string['noreviewuntil'] = 'You are not allowed to review this quiz until {$a}';
 $string['noreviewuntilshort'] = 'Available {$a}';

diff --git a/mod/quiz/review.php b/mod/quiz/review.php
@@ -54,21 +54,17 @@
 $accessmanager = $attemptobj->get_access_manager(time());
 $options = $attemptobj->get_display_options(true);
 
-// Permissions checks for normal users who do not have quiz:viewreports capability.
-if (!$attemptobj->has_capability('mod/quiz:viewreports')) {
-    // Can't review other users' attempts.
-    if (!$attemptobj->is_own_attempt()) {
-        throw new moodle_quiz_exception($attemptobj->get_quizobj(), 'notyourattempt');
-    }
-    // Can't review during the attempt - send them back to the attempt page.
+// Check permissions.
+if ($attemptobj->is_own_attempt()) {
     if (!$attemptobj->is_finished()) {
         redirect($attemptobj->attempt_url(0, $page));
-    }
-    // Can't review unless Students may review -> Responses option is turned on.
-    if (!$options->attempt) {
+    } else if (!$options->attempt) {
         $accessmanager->back_to_view_page($attemptobj->is_preview_user(),
                 $accessmanager->cannot_review_message($attemptobj->get_attempt_state()));
     }
+
+} else if (!$attemptobj->is_review_allowed()) {
+    throw new moodle_quiz_exception($attemptobj->get_quizobj(), 'noreviewattempt');
 }
 
 // Load the questions and states needed by this page.

diff --git a/mod/quiz/reviewquestion.php b/mod/quiz/reviewquestion.php
@@ -47,58 +47,25 @@
 require_login($attemptobj->get_courseid(), false, $attemptobj->get_cm());
 $attemptobj->check_review_capability();
 
-// Permissions checks for normal users who do not have quiz:viewreports capability.
-if (!$attemptobj->has_capability('mod/quiz:viewreports')) {
-    // Can't review during the attempt - send them back to the attempt page.
+// Check permissions.
+if ($attemptobj->is_own_attempt()) {
     if (!$attemptobj->is_finished()) {
         echo $OUTPUT->header();
         echo $OUTPUT->notification(get_string('cannotreviewopen', 'quiz'));
         echo $OUTPUT->close_window_button();
         echo $OUTPUT->footer();
         die;
-    }
-    // Can't review other users' attempts.
-    if (!$attemptobj->is_own_attempt()) {
-        echo $OUTPUT->header();
-        echo $OUTPUT->notification(get_string('notyourattempt', 'quiz'));
-        echo $OUTPUT->close_window_button();
-        echo $OUTPUT->footer();
-        die;
-    }
-
-    // Can't review unless Students may review -> Responses option is turned on.
-    if (!$options->responses) {
+    } else if (!$options->responses) {
         $accessmanager = $attemptobj->get_access_manager(time());
         echo $OUTPUT->header();
         echo $OUTPUT->notification($accessmanager->cannot_review_message($attemptobj->get_review_options()));
         echo $OUTPUT->close_window_button();
         echo $OUTPUT->footer();
         die;
     }
-}
 
-// Log this review.
-add_to_log($attemptobj->get_courseid(), 'quiz', 'review', 'reviewquestion.php?attempt=' .
-        $attemptobj->get_attemptid() . '&slot=' . $slot . ($seq ? '&step=' . $seq : ''),
-        $attemptobj->get_quizid(), $attemptobj->get_cmid());
-
-// Print the page header
-$attemptobj->get_question_html_head_contributions($slot);
-$PAGE->set_title($attemptobj->get_course()->shortname . ': '.format_string($attemptobj->get_quiz_name()));
-$PAGE->set_heading($COURSE->fullname);
-echo $OUTPUT->header();
-
-// Print infobox
-$rows = array();
-
-// User picture and name.
-if ($attemptobj->get_userid() <> $USER->id) {
-    // Print user picture and name
-    $student = $DB->get_record('user', array('id' => $attemptobj->get_userid()));
-    $picture = $OUTPUT->user_picture($student, array('courseid'=>$attemptobj->get_courseid()));
-    $rows[] = '<tr><th scope="row" class="cell">' . $picture . '</th><td class="cell"><a href="' .
-            $CFG->wwwroot . '/user/view.php?id=' . $student->id . '&amp;course=' . $attemptobj->get_courseid() . '">' .
-            fullname($student, true) . '</a></td></tr>';
+} else if (!$attemptobj->is_review_allowed()) {
+    throw new moodle_quiz_exception($attemptobj->get_quizobj(), 'noreviewattempt');
 }
 
 // Quiz name.