MDL-11267 - Anywone who can view quiz reports can delete student attempts. Merged...

diff --git a/lang/en_utf8/quiz.php b/lang/en_utf8/quiz.php
index 81e870a17386d49e518d6cb8ec7be3018c6be83e..1b2205b62423b4448413e9c14a3db323045bb5dc 100644 (file)
--- a/lang/en_utf8/quiz.php
+++ b/lang/en_utf8/quiz.php
@@ -445,6 +445,7 @@ $string['regrade'] = 'Regrade all attempts';
 $string['regradecomplete'] = 'All attempts have been regraded';
 $string['regradecount'] = '$a->changed out of $a->attempt grades were changed';
 $string['regradedisplayexplanation'] = 'Attempts that change during regrading are displayed as hyperlinks to the question review window';
+$string['regradenotallowed'] = 'You do not have permission to regrade this quiz';
 $string['regradingquestion'] = 'Regrading \"$a\".';
 $string['regradingquiz'] = 'Regrading Quiz \"$a\"';
 $string['relative'] = 'Relative';

diff --git a/mod/quiz/db/access.php b/mod/quiz/db/access.php
index 251ec22e1c08d6b244346d184a79fd5832a82184..2c9b71d1d0a03ad5a331e8871256bac65bab8e79 100644 (file)
--- a/mod/quiz/db/access.php
+++ b/mod/quiz/db/access.php
@@ -54,7 +54,7 @@ $mod_quiz_capabilities = array(
         )
     ),
 
-    // Manually grade and comment on student attempts at a question.
+    // Manually grade and comment on student attempts at a question, and regrade quizzes.
     'mod/quiz:grade' => array(
 
         'captype' => 'write',

diff --git a/mod/quiz/locallib.php b/mod/quiz/locallib.php
index 3c22841c0ea6d002de7741aa986f79ddd65233cd..46f55563403163187a9e0b48a36af662c71fefc5 100644 (file)
--- a/mod/quiz/locallib.php
+++ b/mod/quiz/locallib.php
@@ -144,6 +144,8 @@ function quiz_delete_attempt($attempt, $quiz) {
     } else {
         quiz_save_best_grade($quiz, $userid);
     }
+
+    quiz_update_grades($quiz, $userid);
 }
 
 /// Functions to do with quiz layout and pages ////////////////////////////////

diff --git a/mod/quiz/report/overview/report.php b/mod/quiz/report/overview/report.php
index e8181e418068d8f8171961de05f821700573e0b2..b892c070d4b177ced9b57cbafb2fa5072ed64e53 100644 (file)
--- a/mod/quiz/report/overview/report.php
+++ b/mod/quiz/report/overview/report.php
@@ -23,6 +23,8 @@ class quiz_report extends quiz_default_report {
         $strtimeformat = get_string('strftimedatetime');
         $strreviewquestion = get_string('reviewresponse', 'quiz');
 
+        $context = get_context_instance(CONTEXT_MODULE, $cm->id);
+
         // Only print headers if not asked to download data
         if (!$download = optional_param('download', NULL)) {
             $this->print_header_and_tabs($cm, $course, $quiz, $reportmode="overview");
@@ -33,11 +35,12 @@ class quiz_report extends quiz_default_report {
 
         switch($action) {
             case 'delete': // Some attempts need to be deleted
+                require_capability('mod/quiz:deleteattempts', $context);
                 $attemptids = optional_param('attemptid', array(), PARAM_INT);
 
                 foreach($attemptids as $attemptid) {
+                    add_to_log($course->id, 'quiz', 'delete attempt', 'report.php?id=' . $cm->id, $attemptid, $cm->id);
                     quiz_delete_attempt($attemptid, $quiz);
-                    quiz_update_grades($quiz, $USER->id);
                 }
             break;
         }
@@ -497,14 +500,19 @@ class quiz_report extends quiz_default_report {
                 // Print table
                 $table->print_html();
 
+                // Prepare list of available options.
+                $options = array();
+                if (has_capability('mod/quiz:deleteattempts', $context)) {
+                    $options['delete'] = get_string('delete');
+                }
+
                 // Print "Select all" etc.
-                if (!empty($attempts)) {
+                if (!empty($attempts) && !empty($options)) {
                     echo '<table id="commands">';
                     echo '<tr><td>';
                     echo '<a href="javascript:select_all_in(\'DIV\',null,\'tablecontainer\');">'.get_string('selectall', 'quiz').'</a> / ';
                     echo '<a href="javascript:deselect_all_in(\'DIV\',null,\'tablecontainer\');">'.get_string('selectnone', 'quiz').'</a> ';
                     echo '&nbsp;&nbsp;';
-                    $options = array('delete' => get_string('delete'));
                     echo choose_from_menu($options, 'action', '', get_string('withselected', 'quiz'), 'if(this.selectedIndex > 0) submitFormById(\'attemptsform\');', '', true);
                     echo '<noscript id="noscriptmenuaction" style="display: inline;"><div>';
                     echo '<input type="submit" value="'.get_string('go').'" /></div></noscript>';

diff --git a/mod/quiz/report/regrade/report.php b/mod/quiz/report/regrade/report.php
index 3743dc6c223a7ad0f1e5e6f9885685de838b4503..2c0ea4d2b00d3bbe7d6f6699f5f12e974ba2ca37 100644 (file)
--- a/mod/quiz/report/regrade/report.php
+++ b/mod/quiz/report/regrade/report.php
@@ -11,6 +11,13 @@ class quiz_report extends quiz_default_report {
         // Print header
         $this->print_header_and_tabs($cm, $course, $quiz, $reportmode="regrade");
 
+        // Check permissions
+        $context = get_context_instance(CONTEXT_MODULE, $cm->id);
+        if (!has_capability('mod/quiz:grade', $context)) {
+            notify(get_string('regradenotallowed', 'quiz'));
+            return true;
+        }
+
         // Fetch all attempts
         if (!$attempts = get_records_select('quiz_attempts', "quiz = '$quiz->id' AND preview = 0")) {
             print_heading(get_string('noattempts', 'quiz'));