blocks editing ui: MDL-19398 permissions checks when deleting a block.
authortjhunt <tjhunt>
Tue, 14 Jul 2009 11:16:21 +0000 (11:16 +0000)
committertjhunt <tjhunt>
Tue, 14 Jul 2009 11:16:21 +0000 (11:16 +0000)
lang/en_utf8/moodle.php
lib/blocklib.php

index c32233df6934963df9a44dd3d6972035ce0d5b72..799660494e03804df379b051ff9d318a85a14ba8 100644 (file)
@@ -403,6 +403,7 @@ $string['defaultcourseteacher'] = 'Teacher';
 $string['defaultcourseteacherdescription'] = 'Teachers can do anything within a course, including changing the activities and grading students.';
 $string['defaultcourseteachers'] = 'Teachers';
 $string['delete'] = 'Delete';
+$string['deleteablock'] = 'Delete a block';
 $string['deleteall'] = 'Delete all';
 $string['deleteallcannotundo'] = 'Delete all - cannot be undone';
 $string['deleteallcomments'] = 'Delete all comments';
index 17686d36df61cd6613c2bfb4f3f06a6b36c33243..46baf109482f20e5e89d173716e6d441d11871a5 100644 (file)
@@ -948,8 +948,13 @@ function block_process_url_delete($page) {
 
     confirm_sesskey();
 
-    $instance = $page->blocks->find_instance($blockid);
-    blocks_delete_instance($instance->instance);
+    $block = $page->blocks->find_instance($blockid);
+
+    if (!$block->user_can_edit() || !$page->user_can_edit_blocks() || !$block->user_can_addto($page)) {
+        throw new moodle_exception('nopermissions', '', $page->url->out(), get_string('deleteablock'));
+    }
+
+    blocks_delete_instance($block->instance);
 
     // If the page URL was a guses, it will contain the bui_... param, so we must make sure it is not there.
     $page->ensure_param_not_in_url('bui_deleteid');
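Review bot: The new permission check dereferences `$block` immediately after `find_instance($blockid)`, so if that method can return null or false for an id that is not on this page (its body is not visible here), a stale or hand-edited `bui_deleteid` would end in a fatal error rather than a clean refusal. It is worth confirming that it throws, or adding an explicit not-found guard before the `if`. The continue link given to the exception is `$page->url->out()`, read before `$page->ensure_param_not_in_url('bui_deleteid');` runs; going by the comment below, that URL may still carry the delete parameter, so calling `ensure_param_not_in_url` ahead of the check looks safer. A short comment on the condition would also help, for example `// Deleting needs edit rights on the block and page, plus the right to add this block type here.`, since gating deletion on `user_can_addto()` is not self-explanatory. The function body starts above this hunk, so how `$blockid` is read cannot be checked from here.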
@@ -963,7 +968,7 @@ function block_process_url_delete($page) {
  * @return boolean true if anything was done. False if not.
  */
 function block_process_url_show_hide($page) {
-    
+    // TODO MDL-19398
 }
 
 ///**
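Review bot: `block_process_url_show_hide()` is documented as returning a boolean, but the stub body returns nothing, and the bare `// TODO MDL-19398` does not record what the eventual implementation has to enforce. I would add `return false;` under the TODO so callers get the documented "nothing was done" value. I would also spell out the requirement, for example `// TODO MDL-19398: needs confirm_sesskey() and the same permission checks as block_process_url_delete().`, so the show/hide path is not later implemented without the checks this commit adds for delete. The docblock begins above the hunk.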