MDL-45760 make sure to check permission before setting header

notes/index.php

@@ -15,6 +15,10 @@
 $filtertype   = optional_param('filtertype', '', PARAM_ALPHA);
 $filterselect = optional_param('filterselect', 0, PARAM_INT);
 
+if (empty($CFG->enablenotes)) {
+    print_error('notesdisabled', 'notes');
+}
+
 $url = new moodle_url('/notes/index.php');
 if ($courseid != SITEID) {
     $url->param('course', $courseid);
@@ -67,6 +71,7 @@
 } else {
     $coursecontext = context_course::instance($course->id);   // Course context
 }
+require_capability('moodle/notes:view', $coursecontext);
 $systemcontext = context_system::instance();   // SYSTEM context
 
 // Trigger event.
@@ -76,10 +81,6 @@
 ));
 $event->trigger();
 
-if (empty($CFG->enablenotes)) {
-    print_error('notesdisabled', 'notes');
-}
-
 $strnotes = get_string('notes', 'notes');
 if ($userid) {
     $PAGE->set_context(context_user::instance($user->id));

user/edit.php

@@ -103,16 +103,6 @@
 $systemcontext   = context_system::instance();
 $personalcontext = context_user::instance($user->id);
 
-$PAGE->set_pagelayout('admin');
-$PAGE->set_context($personalcontext);
-if ($USER->id != $user->id) {
-    $PAGE->navigation->extend_for_user($user);
-} else {
-    if ($node = $PAGE->navigation->find('myprofile', navigation_node::TYPE_ROOTNODE)) {
-        $node->force_open();
-    }
-}
-
 // Check access control.
 if ($user->id == $USER->id) {
     // Editing own profile - require_login() MUST NOT be used here, it would result in infinite loop!
@@ -140,6 +130,16 @@
     die;
 }
 
+$PAGE->set_pagelayout('admin');
+$PAGE->set_context($personalcontext);
+if ($USER->id != $user->id) {
+    $PAGE->navigation->extend_for_user($user);
+} else {
+    if ($node = $PAGE->navigation->find('myprofile', navigation_node::TYPE_ROOTNODE)) {
+        $node->force_open();
+    }
+}
+
 // Process email change cancellation.
 if ($cancelemailchange) {
     cancel_email_update($user->id);