From 4485f7c549645e787e23ad6be03c222b323b7bec Mon Sep 17 00:00:00 2001
From: Juan Leyva
Date: Wed, 23 Sep 2015 11:00:32 +0200
Subject: [PATCH] MDL-49821 webservice: Add active user checks in external functions
---
 completion/classes/external.php | 7 +++++--
 grade/report/user/externallib.php | 9 ++-------
 group/externallib.php | 12 ++++--------
 message/externallib.php | 3 ++-
 mod/scorm/classes/external.php | 18 +++++++++---------
 notes/externallib.php | 14 ++++----------
 user/externallib.php | 9 +--------
 7 files changed, 27 insertions(+), 45 deletions(-)
diff --git a/completion/classes/external.php b/completion/classes/external.php
index dcbad6b9c3ce8..c32b0b13486da 100644
--- a/completion/classes/external.php
+++ b/completion/classes/external.php
@@ -152,7 +152,8 @@ public static function get_activities_completion_status($courseid, $userid) {
 $params = self::validate_parameters(self::get_activities_completion_status_parameters(), $arrayparams);
 $course = get_course($params['courseid']);
- $user = core_user::get_user($params['userid'], 'id', MUST_EXIST);
+ $user = core_user::get_user($params['userid'], '*', MUST_EXIST);
+ core_user::require_active_user($user);
 $context = context_course::instance($course->id);
 self::validate_context($context);
@@ -270,7 +271,9 @@ public static function get_course_completion_status($courseid, $userid) {
 $params = self::validate_parameters(self::get_course_completion_status_parameters(), $arrayparams);
 $course = get_course($params['courseid']);
- $user = core_user::get_user($params['userid'], 'id', MUST_EXIST);
+ $user = core_user::get_user($params['userid'], '*', MUST_EXIST);
+ core_user::require_active_user($user);
+
 $context = context_course::instance($course->id);
 self::validate_context($context);
diff --git a/grade/report/user/externallib.php b/grade/report/user/externallib.php
index 3b9c9d743e7a8..40c5bb998886d 100644
--- a/grade/report/user/externallib.php
+++ b/grade/report/user/externallib.php
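Review bot: The user lookup and the new `core_user::require_active_user($user);` run before `self::validate_context($context);`, so a caller whose access to the course has not yet been checked already receives distinct errors for a missing, deleted or otherwise inactive userid. Moving the two user lines below the validate_context call would keep the caller's own access decision first and reveal nothing about other accounts to callers who fail it. The same ordering appears in the get_course_completion_status hunk below, in get_course_user_groups in group/externallib.php and in get_course_notes in notes/externallib.php. get_activities_completion_status continues outside the hunk, so what else `$user` is used for is not visible here.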
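Review bot: `core_user::require_active_user($user);` is called with its default arguments in every hunk of this patch; if that helper keeps its suspended and nologin checks behind optional parameters (as I recall), a suspended account still passes here, which is narrower than the commit title suggests. Confirm which account states the call is meant to reject and, if suspended users must be excluded, enable that consistently across all seven files rather than relying on the default. Separately, this hunk adds a blank line after the new call while the sibling hunk above does not; pick one form for the file. get_course_completion_status continues outside the hunk.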
@@ -92,6 +92,7 @@ public static function get_grades_table($courseid, $userid = 0) {
 require_capability('moodle/grade:viewall', $context);
 } else {
 $user = core_user::get_user($userid, '*', MUST_EXIST);
+ core_user::require_active_user($user);
 }
 $access = false;
@@ -301,13 +302,7 @@ public static function view_grade_report($courseid, $userid = 0) {
 $userid = $USER->id;
 } else {
 $user = core_user::get_user($userid, '*', MUST_EXIST);
- if ($user->deleted) {
- throw new moodle_exception('userdeleted');
- }
- if (isguestuser($user)) {
- // Can not view profile of guest - thre is nothing to see there.
- throw new moodle_exception('invaliduserid');
- }
+ core_user::require_active_user($user);
 }
 $access = false;
diff --git a/group/externallib.php b/group/externallib.php
index 9c44f0a2e5694..9d54e7c36d2f9 100644
--- a/group/externallib.php
+++ b/group/externallib.php
@@ -1224,7 +1224,8 @@ public static function get_course_user_groups($courseid, $userid, $groupingid =
 // Validate course and user. get_course throws an exception if the course does not exists.
 $course = get_course($courseid);
- $user = core_user::get_user($userid, 'id', MUST_EXIST);
+ $user = core_user::get_user($userid, '*', MUST_EXIST);
+ core_user::require_active_user($user);
 // Security checks.
 $context = context_course::instance($course->id);
@@ -1348,13 +1349,8 @@ public static function get_activity_allowed_groups($cmid, $userid = 0) {
 $userid = $USER->id;
 }
- $user = core_user::get_user($userid, 'id, deleted', MUST_EXIST);
- if ($user->deleted) {
- throw new moodle_exception('userdeleted');
- }
- if (isguestuser($user)) {
- throw new moodle_exception('invaliduserid');
- }
+ $user = core_user::get_user($userid, '*', MUST_EXIST);
+ core_user::require_active_user($user);
 // Check if we have permissions for retrieve the information.
 if ($user->id != $USER->id) {
diff --git a/message/externallib.php b/message/externallib.php
index 77b4d309c3f7a..7614bfa81851a 100644
--- a/message/externallib.php
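Review bot: In the view_grade_report hunk, replacing the explicit guest branch with `core_user::require_active_user($user);` changes what a web-service client receives for a guest userid: the removed code threw `moodle_exception('invaliduserid')`, whereas the helper presumably raises its own message key, so clients matching on `invaliduserid` will see a different errorcode. If that is intended it deserves a sentence in the commit message or the upgrade notes, since external-function error codes are part of the contract. The same replacement is made in get_activity_allowed_groups below, in view_notes in notes/externallib.php and in view_user_profile in user/externallib.php. view_grade_report continues beyond the hunk.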
+++ b/message/externallib.php
@@ -885,7 +885,8 @@ public static function get_blocked_users($userid) {
 throw new moodle_exception('disabled', 'message');
 }
- $user = core_user::get_user($userid, 'id', MUST_EXIST);
+ $user = core_user::get_user($userid, '*', MUST_EXIST);
+ core_user::require_active_user($user);
 // Check if we have permissions for retrieve the information.
 if ($userid != $USER->id and !has_capability('moodle/site:readallmessages', $context)) {
diff --git a/mod/scorm/classes/external.php b/mod/scorm/classes/external.php
index ef13478e482cc..2457ac3c35cc9 100644
--- a/mod/scorm/classes/external.php
+++ b/mod/scorm/classes/external.php
@@ -147,18 +147,18 @@ public static function get_scorm_attempt_count($scormid, $userid, $ignoremissing
 $context = context_module::instance($cm->id);
 self::validate_context($context);
- // Validate the user obtaining the context, it will fail if the user doesn't exists or have been deleted.
- context_user::instance($params['userid']);
+ $user = core_user::get_user($params['userid'], '*', MUST_EXIST);
+ core_user::require_active_user($user);
 // Extra checks so only users with permissions can view other users attempts.
- if ($USER->id != $params['userid']) {
+ if ($USER->id != $user->id) {
 require_capability('mod/scorm:viewreport', $context);
 }
 // If the SCORM is not open this function will throw exceptions.
 scorm_require_available($scorm);
- $attemptscount = scorm_get_attempt_count($params['userid'], $scorm, false, $params['ignoremissingcompletion']);
+ $attemptscount = scorm_get_attempt_count($user->id, $scorm, false, $params['ignoremissingcompletion']);
 $result = array();
 $result['attemptscount'] = $attemptscount;
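Review bot: In the get_blocked_users hunk the permission check on the last line still compares the raw `$userid` even though the function now holds the looked-up `$user` record; the scorm hunks in this same patch switch their checks to `$user->id`, and doing the same here — `if ($user->id != $USER->id and !has_capability('moodle/site:readallmessages', $context)) {` — keeps the comparison on the value that was actually validated and consistent across the patch. get_blocked_users continues outside the hunk.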
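Review bot: In the get_scorm_attempt_count hunk the removed comment explained why the user was being validated and nothing replaces it, so the two new lines read as an unexplained lookup. A one-line comment above them such as `// Reject missing, deleted or guest users before any attempt data is read.` would preserve that intent, matching the neighbouring "Extra checks" comment; the same applies to the get_scorm_sco_tracks hunk below. The function continues outside the hunk.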
@@ -536,21 +536,21 @@ public static function get_scorm_sco_tracks($scoid, $userid, $attempt = 0) {
 $context = context_module::instance($cm->id);
 self::validate_context($context);
- // Validate the user obtaining the context, it will fail if the user doesn't exists or have been deleted.
- context_user::instance($params['userid']);
+ $user = core_user::get_user($params['userid'], '*', MUST_EXIST);
+ core_user::require_active_user($user);
 // Extra checks so only users with permissions can view other users attempts.
- if ($USER->id != $params['userid']) {
+ if ($USER->id != $user->id) {
 require_capability('mod/scorm:viewreport', $context);
 }
 scorm_require_available($scorm, true, $context);
 if (empty($params['attempt'])) {
- $params['attempt'] = scorm_get_last_attempt($scorm->id, $params['userid']);
+ $params['attempt'] = scorm_get_last_attempt($scorm->id, $user->id);
 }
- if ($scormtracks = scorm_get_tracks($sco->id, $params['userid'], $params['attempt'])) {
+ if ($scormtracks = scorm_get_tracks($sco->id, $user->id, $params['attempt'])) {
 foreach ($scormtracks as $element => $value) {
 $tracks[] = array(
 'element' => $element,
diff --git a/notes/externallib.php b/notes/externallib.php
index fab1f22f20bad..81a378b8c02a5 100644
--- a/notes/externallib.php
+++ b/notes/externallib.php
@@ -526,7 +526,8 @@ public static function get_course_notes($courseid, $userid = 0) {
 }
 $user = null;
 if (!empty($params['userid'])) {
- $user = core_user::get_user($params['userid'], 'id', MUST_EXIST);
+ $user = core_user::get_user($params['userid'], '*', MUST_EXIST);
+ core_user::require_active_user($user);
 }
 $course = get_course($params['courseid']);
@@ -680,15 +681,8 @@ public static function view_notes($courseid, $userid = 0) {
 require_capability('moodle/notes:view', $context);
 if (!empty($params['userid'])) {
- $user = core_user::get_user($params['userid'], 'id, deleted', MUST_EXIST);
-
- if ($user->deleted) {
- throw new moodle_exception('userdeleted');
- }
-
- if (isguestuser($user)) {
- throw new moodle_exception('invaliduserid');
- }
+ $user = core_user::get_user($params['userid'], '*', MUST_EXIST);
+ core_user::require_active_user($user);
 if ($course->id != SITEID and !is_enrolled($context, $user, '', true)) {
 throw new moodle_exception('notenrolledprofile');
diff --git a/user/externallib.php b/user/externallib.php
index 728f23c11f81b..d21cc0db99676 100644
--- a/user/externallib.php
+++ b/user/externallib.php
@@ -1389,14 +1389,7 @@ public static function view_user_profile($userid, $courseid = 0) {
 $course = get_course($params['courseid']);
 $user = core_user::get_user($params['userid'], '*', MUST_EXIST);
-
- if ($user->deleted) {
- throw new moodle_exception('userdeleted');
- }
- if (isguestuser($user)) {
- // Can not view profile of guest - thre is nothing to see there.
- throw new moodle_exception('invaliduserid');
- }
+ core_user::require_active_user($user);
 if ($course->id == SITEID) {
 $coursecontext = context_system::instance();;