MDL-30787 fix use of module and section edit capabilities
skodak committed Dec 18, 2011
1 parent f89a83b commit af18993
Showing 9 changed files with 173 additions and 152 deletions.
56 changes: 30 additions & 26 deletions course/lib.php
Expand Up @@ -3062,25 +3062,30 @@ function moveto_module($mod, $section, $beforemod=NULL) {
* @global core_renderer $OUTPUT
* @staticvar type $str
* @param stdClass $mod The module to produce editing buttons for
* @param bool $absolute If true an absolute link is produced (default true)
* @param bool $absolute_ignored ignored - all links are absolute
* @param bool $moveselect If true a move seleciton process is used (default true)
* @param int $indent The current indenting
* @param int $section The section to link back to
* @return string XHTML for the editing buttons
*/
function make_editing_buttons(stdClass $mod, $absolute = true, $moveselect = true, $indent=-1, $section=-1) {
function make_editing_buttons(stdClass $mod, $absolute_ignored = true, $moveselect = true, $indent=-1, $section=-1) {
global $CFG, $OUTPUT;

static $str;

$coursecontext = get_context_instance(CONTEXT_COURSE, $mod->course);
$modcontext = get_context_instance(CONTEXT_MODULE, $mod->id);

// no permission to edit
if (!has_capability('moodle/course:manageactivities', $modcontext)) {
$editcaps = array('moodle/course:manageactivities', 'moodle/course:activityvisibility', 'moodle/role:assign');
$dupecaps = array('moodle/backup:backuptargetimport', 'moodle/restore:restoretargetimport');

// no permission to edit anything
if (!has_any_capability($editcaps, $modcontext) and !has_all_capabilities($dupecaps, $coursecontext)) {
return false;
}

$hasmanageactivities = has_capability('moodle/course:manageactivities', $modcontext);

if (!isset($str)) {
$str = new stdClass;
$str->assign = get_string("assignroles", 'role');
Expand All @@ -3101,19 +3106,15 @@ function make_editing_buttons(stdClass $mod, $absolute = true, $moveselect = tru
$str->groupsvisible = get_string("groupsvisible");
}

if ($absolute) {
$baseurl = new moodle_url('/course/mod.php', array('sesskey' => sesskey()));
} else {
$baseurl = new moodle_url('mod.php', array('sesskey' => sesskey()));
}
$baseurl = new moodle_url('/course/mod.php', array('sesskey' => sesskey()));

if ($section >= 0) {
$baseurl->param('sr', $section);
}
$actions = array();

// leftright
if (has_capability('moodle/course:update', $coursecontext)) {
if ($hasmanageactivities) {
if (right_to_left()) { // Exchange arrows on RTL
$rightarrow = 't/left';
$leftarrow = 't/right';
Expand Down Expand Up @@ -3141,7 +3142,7 @@ function make_editing_buttons(stdClass $mod, $absolute = true, $moveselect = tru
}

// move
if (has_capability('moodle/course:update', $coursecontext)) {
if ($hasmanageactivities) {
if ($moveselect) {
$actions[] = new action_link(
new moodle_url($baseurl, array('copy' => $mod->id)),
Expand All @@ -3166,15 +3167,16 @@ function make_editing_buttons(stdClass $mod, $absolute = true, $moveselect = tru
}

// Update
$actions[] = new action_link(
new moodle_url($baseurl, array('update' => $mod->id)),
new pix_icon('t/edit', $str->update, 'moodle', array('class' => 'iconsmall')),
null,
array('class' => 'editing_update', 'title' => $str->update)
);
if ($hasmanageactivities) {
$actions[] = new action_link(
new moodle_url($baseurl, array('update' => $mod->id)),
new pix_icon('t/edit', $str->update, 'moodle', array('class' => 'iconsmall')),
null,
array('class' => 'editing_update', 'title' => $str->update)
);
}

// Duplicate (require both target import caps to be able to duplicate, see modduplicate.php)
$dupecaps = array('moodle/backup:backuptargetimport', 'moodle/restore:restoretargetimport');
if (has_all_capabilities($dupecaps, $coursecontext)) {
$actions[] = new action_link(
new moodle_url($baseurl, array('duplicate' => $mod->id)),
Expand All @@ -3185,12 +3187,14 @@ function make_editing_buttons(stdClass $mod, $absolute = true, $moveselect = tru
}

// Delete
$actions[] = new action_link(
new moodle_url($baseurl, array('delete' => $mod->id)),
new pix_icon('t/delete', $str->delete, 'moodle', array('class' => 'iconsmall')),
null,
array('class' => 'editing_delete', 'title' => $str->delete)
);
if ($hasmanageactivities) {
$actions[] = new action_link(
new moodle_url($baseurl, array('delete' => $mod->id)),
new pix_icon('t/delete', $str->delete, 'moodle', array('class' => 'iconsmall')),
null,
array('class' => 'editing_delete', 'title' => $str->delete)
);
}

// hideshow
if (has_capability('moodle/course:activityvisibility', $modcontext)) {
Expand All @@ -3212,7 +3216,7 @@ function make_editing_buttons(stdClass $mod, $absolute = true, $moveselect = tru
}

// groupmode
if ($mod->groupmode !== false) {
if ($hasmanageactivities and $mod->groupmode !== false) {
if ($mod->groupmode == SEPARATEGROUPS) {
$groupmode = 0;
$grouptitle = $str->groupsseparate;
Expand Down Expand Up @@ -3242,7 +3246,7 @@ function make_editing_buttons(stdClass $mod, $absolute = true, $moveselect = tru
}

// Assign
if (has_capability('moodle/course:managegroups', $modcontext)){
if (has_capability('moodle/role:assign', $modcontext)){
$actions[] = new action_link(
new moodle_url('/'.$CFG->admin.'/roles/assign.php', array('contextid' => $modcontext->id)),
new pix_icon('i/roles', $str->assign, 'moodle', array('class' => 'iconsmall')),
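Review bot: The Duplicate link is still gated only on `has_all_capabilities($dupecaps, $coursecontext)`, while the duplicate branch of course/mod.php shown further down this page keeps `require_capability('moodle/course:manageactivities', $coursecontext)`. Because the new early-return guard also lets a user through on `$dupecaps` alone, someone holding both import capabilities but not manageactivities at course level gets an icon that ends in a permission error. The handler fails closed, so this is a consistency problem rather than an access bypass, but mirroring the handler's condition, e.g. `if (has_capability('moodle/course:manageactivities', $coursecontext) and has_all_capabilities($dupecaps, $coursecontext)) {`, keeps the button and the enforcement point in step. The body of `make_editing_buttons()` continues beyond the visible hunks.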
112 changes: 51 additions & 61 deletions course/mod.php
Expand Up @@ -26,8 +26,6 @@
require("../config.php");
require_once("lib.php");

require_login();

$sectionreturn = optional_param('sr', '', PARAM_INT);
$add = optional_param('add', '', PARAM_ALPHA);
$type = optional_param('type', '', PARAM_ALPHA);
Expand Down Expand Up @@ -66,6 +64,8 @@
}
$PAGE->set_url($url);

require_login();

//check if we are adding / editing a module that has new forms using formslib
if (!empty($add)) {
$id = required_param('id', PARAM_INT);
Expand All @@ -76,17 +76,15 @@
redirect("$CFG->wwwroot/course/modedit.php?add=$add&type=$type&course=$id&section=$section&return=$returntomod");

} else if (!empty($update)) {
if (!$cm = get_coursemodule_from_id('', $update, 0, true)) {
print_error('invalidcoursemodule');
}
$cm = get_coursemodule_from_id('', $update, 0, true, MUST_EXIST);
$returntomod = optional_param('return', 0, PARAM_BOOL);
redirect("$CFG->wwwroot/course/modedit.php?update=$update&return=$returntomod");

} else if (!empty($duplicate)) {
$cm = get_coursemodule_from_id('', $duplicate, 0, true, MUST_EXIST);
$course = $DB->get_record('course', array('id' => $cm->course), '*', MUST_EXIST);

require_login($course->id);
require_login($course, false, $cm);
$coursecontext = get_context_instance(CONTEXT_COURSE, $course->id);
$modcontext = get_context_instance(CONTEXT_MODULE, $cm->id);
require_capability('moodle/course:manageactivities', $coursecontext);
Expand Down Expand Up @@ -119,17 +117,13 @@
}

} else if (!empty($delete)) {
if (!$cm = get_coursemodule_from_id('', $delete, 0, true)) {
print_error('invalidcoursemodule');
}
$cm = get_coursemodule_from_id('', $delete, 0, true, MUST_EXIST);
$course = $DB->get_record('course', array('id' => $cm->course), '*', MUST_EXIST);

if (!$course = $DB->get_record('course', array('id'=>$cm->course))) {
print_error('invalidcourseid');
}
require_login($course->id); // needed to setup proper $COURSE
$context = get_context_instance(CONTEXT_COURSE, $course->id);
require_login($course, false, $cm);
$coursecontext = get_context_instance(CONTEXT_COURSE, $course->id);
$modcontext = get_context_instance(CONTEXT_MODULE, $cm->id);
require_capability('moodle/course:manageactivities', $context);
require_capability('moodle/course:manageactivities', $modcontext);

$return = "$CFG->wwwroot/course/view.php?id=$cm->course#section-$cm->sectionnum";

Expand Down Expand Up @@ -203,9 +197,13 @@


if ((!empty($movetosection) or !empty($moveto)) and confirm_sesskey()) {
if (!$cm = get_coursemodule_from_id('', $USER->activitycopy, 0, true)) {
print_error('invalidcoursemodule');
}
$cm = get_coursemodule_from_id('', $USER->activitycopy, 0, true, MUST_EXIST);
$course = $DB->get_record('course', array('id' => $cm->course), '*', MUST_EXIST);

require_login($course, false, $cm);
$coursecontext = get_context_instance(CONTEXT_COURSE, $course->id);
$modcontext = get_context_instance(CONTEXT_MODULE, $cm->id);
require_capability('moodle/course:manageactivities', $modcontext);

if (!empty($movetosection)) {
if (!$section = $DB->get_record('course_sections', array('id'=>$movetosection, 'course'=>$cm->course))) {
Expand All @@ -222,10 +220,6 @@
}
}

require_login($section->course); // needed to setup proper $COURSE
$context = get_context_instance(CONTEXT_COURSE, $section->course);
require_capability('moodle/course:manageactivities', $context);

if (!ismoving($section->course)) {
print_error('needcopy', '', "view.php?id=$section->course");
}
Expand All @@ -246,13 +240,14 @@

} else if (!empty($indent) and confirm_sesskey()) {
$id = required_param('id', PARAM_INT);
if (!$cm = get_coursemodule_from_id('', $id, 0, true)) {
print_error('invalidcoursemodule');
}

require_login($cm->course); // needed to setup proper $COURSE
$context = get_context_instance(CONTEXT_COURSE, $cm->course);
require_capability('moodle/course:manageactivities', $context);
$cm = get_coursemodule_from_id('', $id, 0, true, MUST_EXIST);
$course = $DB->get_record('course', array('id' => $cm->course), '*', MUST_EXIST);

require_login($course, false, $cm);
$coursecontext = get_context_instance(CONTEXT_COURSE, $course->id);
$modcontext = get_context_instance(CONTEXT_MODULE, $cm->id);
require_capability('moodle/course:manageactivities', $modcontext);

$cm->indent += $indent;

Expand All @@ -271,13 +266,13 @@
}

} else if (!empty($hide) and confirm_sesskey()) {
if (!$cm = get_coursemodule_from_id('', $hide, 0, true)) {
print_error('invalidcoursemodule');
}
$cm = get_coursemodule_from_id('', $hide, 0, true, MUST_EXIST);
$course = $DB->get_record('course', array('id' => $cm->course), '*', MUST_EXIST);

require_login($cm->course); // needed to setup proper $COURSE
$context = get_context_instance(CONTEXT_MODULE, $cm->id);
require_capability('moodle/course:activityvisibility', $context);
require_login($course, false, $cm);
$coursecontext = get_context_instance(CONTEXT_COURSE, $course->id);
$modcontext = get_context_instance(CONTEXT_MODULE, $cm->id);
require_capability('moodle/course:activityvisibility', $modcontext);

set_coursemodule_visible($cm->id, 0);

Expand All @@ -290,21 +285,17 @@
}

} else if (!empty($show) and confirm_sesskey()) {
if (!$cm = get_coursemodule_from_id('', $show, 0, true)) {
print_error('invalidcoursemodule');
}
$cm = get_coursemodule_from_id('', $show, 0, true, MUST_EXIST);
$course = $DB->get_record('course', array('id' => $cm->course), '*', MUST_EXIST);

require_login($cm->course); // needed to setup proper $COURSE
$context = get_context_instance(CONTEXT_COURSE, $cm->course);
require_capability('moodle/course:activityvisibility', $context);
require_login($course, false, $cm);
$coursecontext = get_context_instance(CONTEXT_COURSE, $course->id);
$modcontext = get_context_instance(CONTEXT_MODULE, $cm->id);
require_capability('moodle/course:activityvisibility', $modcontext);

if (!$section = $DB->get_record('course_sections', array('id'=>$cm->section))) {
print_error('sectionnotexist');
}
$section = $DB->get_record('course_sections', array('id'=>$cm->section), '*', MUST_EXIST);

if (!$module = $DB->get_record('modules', array('id'=>$cm->module))) {
print_error('moduledoesnotexist');
}
$module = $DB->get_record('modules', array('id'=>$cm->module), '*', MUST_EXIST);

if ($module->visible and ($section->visible or (SITEID == $cm->course))) {
set_coursemodule_visible($cm->id, 1);
Expand All @@ -319,13 +310,14 @@

} else if ($groupmode > -1 and confirm_sesskey()) {
$id = required_param('id', PARAM_INT);
if (!$cm = get_coursemodule_from_id('', $id, 0, true)) {
print_error('invalidcoursemodule');
}

require_login($cm->course); // needed to setup proper $COURSE
$context = get_context_instance(CONTEXT_MODULE, $cm->id);
require_capability('moodle/course:manageactivities', $context);
$cm = get_coursemodule_from_id('', $id, 0, true, MUST_EXIST);
$course = $DB->get_record('course', array('id' => $cm->course), '*', MUST_EXIST);

require_login($course, false, $cm);
$coursecontext = get_context_instance(CONTEXT_COURSE, $course->id);
$modcontext = get_context_instance(CONTEXT_MODULE, $cm->id);
require_capability('moodle/course:manageactivities', $modcontext);

set_coursemodule_groupmode($cm->id, $groupmode);

Expand All @@ -338,17 +330,15 @@
}

} else if (!empty($copy) and confirm_sesskey()) { // value = course module
if (!$cm = get_coursemodule_from_id('', $copy, 0, true)) {
print_error('invalidcoursemodule');
}
$cm = get_coursemodule_from_id('', $copy, 0, true, MUST_EXIST);
$course = $DB->get_record('course', array('id' => $cm->course), '*', MUST_EXIST);

require_login($cm->course); // needed to setup proper $COURSE
$context = get_context_instance(CONTEXT_COURSE, $cm->course);
require_capability('moodle/course:manageactivities', $context);
require_login($course, false, $cm);
$coursecontext = get_context_instance(CONTEXT_COURSE, $course->id);
$modcontext = get_context_instance(CONTEXT_MODULE, $cm->id);
require_capability('moodle/course:manageactivities', $modcontext);

if (!$section = $DB->get_record('course_sections', array('id'=>$cm->section))) {
print_error('sectionnotexist');
}
$section = $DB->get_record('course_sections', array('id'=>$cm->section), '*', MUST_EXIST);

$USER->activitycopy = $copy;
$USER->activitycopycourse = $cm->course;
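Review bot: In the move branch the only capability check left is `require_capability('moodle/course:manageactivities', $modcontext)` on the module stored in `$USER->activitycopy`; the removed block was the one that logged in to and checked `$section->course`, i.e. the destination. The visible `movetosection` lookup pins the section to `$cm->course`, but the `moveto` path sits in the collapsed part of the hunk, so it is worth confirming that it constrains the target the same way. If it does not, an explicit guard before the `ismoving()` call, such as `if ($section->course != $course->id) { print_error('invalidcourseid'); }`, would ensure the destination always belongs to the course that `require_login()` and the capability check actually covered.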
5 changes: 4 additions & 1 deletion course/modedit.php
Expand Up @@ -365,7 +365,9 @@
}

// make sure visibility is set correctly (in particular in calendar)
set_coursemodule_visible($fromform->coursemodule, $fromform->visible);
if (has_capability('moodle/course:activityvisibility', $modcontext)) {
set_coursemodule_visible($fromform->coursemodule, $fromform->visible);
}

if (isset($fromform->cmidnumber)) { //label
// set cm idnumber - uniqueness is already verified by form validation
Expand Down Expand Up @@ -477,6 +479,7 @@
$DB->set_field('course_modules', 'section', $sectionid, array('id'=>$fromform->coursemodule));

// make sure visibility is set correctly (in particular in calendar)
// note: allow them to set it even without moodle/course:activityvisibility
set_coursemodule_visible($fromform->coursemodule, $fromform->visible);

if (isset($fromform->cmidnumber)) { //label
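Review bot: When the user lacks `moodle/course:activityvisibility`, the new guard in the update path skips `set_coursemodule_visible()` but leaves the submitted `$fromform->visible` in place. Any later use of `$fromform` in this branch (not visible in the hunk) would still see the posted value, so the guard relies on the `hardFreeze('visible')` added in course/moodleform_mod.php to keep it harmless. Overwriting the field with the stored value in an `else` arm, e.g. `$fromform->visible = $cm->visible;` (assuming `$cm` holds the current record at this point), would make the server-side check self-sufficient. `$modcontext` is likewise assumed to be set earlier in the branch; the hunk does not show it. The second hunk's comment documents that the add path is deliberately exempt, which matches the form freezing the field only when `_cm` is set.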
6 changes: 6 additions & 0 deletions course/moodleform_mod.php
Expand Up @@ -422,6 +422,12 @@ function standard_coursemodule_elements(){
}

$mform->addElement('modvisible', 'visible', get_string('visible'));
if (!empty($this->_cm)) {
$context = get_context_instance(CONTEXT_MODULE, $this->_cm->id);
if (!has_capability('moodle/course:activityvisibility', $context)) {
$mform->hardFreeze('visible');
}
}

if ($this->_features->idnumber) {
$mform->addElement('text', 'cmidnumber', get_string('idnumbermod'));
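Review bot: The `hardFreeze('visible')` block has no comment saying that it is only the presentation half of the restriction; the enforcing check is the `has_capability('moodle/course:activityvisibility', $modcontext)` guard this commit adds in course/modedit.php. A short comment such as `// existing module: visibility is read-only without activityvisibility, enforced again in modedit.php` would stop a later edit from removing one half without the other. The local is named `$context` where the rest of the commit uses `$modcontext`; renaming it would also avoid clobbering any `$context` already used in `standard_coursemodule_elements()`, whose body extends beyond the hunk.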