Some important changes arrive:
authorstronk7 <stronk7>
Sat, 28 Aug 2004 00:28:56 +0000 (00:28 +0000)
committerstronk7 <stronk7>
Sat, 28 Aug 2004 00:28:56 +0000 (00:28 +0000)
   - 'editalways' applied to comments.
   - some minor notices out.
   - security bug solved:
      + users cannot edit any comment now.
      + users cannot delete any comment now.
      + users cannot edit any entry now.
      + users cannot delete any entry now.

Thanks to skodak, discovering the bug!!!

Merged from MOODLE_14_STABLE

mod/glossary/comment.php
mod/glossary/deleteentry.php
mod/glossary/edit.php
mod/glossary/lib.php

index 546141ae2bf8fb7637c77f1e58cea90e5202ee33..bb7c649ce3281ebfcc333ef090e63a695dc2d3b6 100644 (file)
@@ -71,6 +71,9 @@
 /// Input section
 
     if ( $action == "delete" ) {
+        if (($comment->userid <> $USER->id) and !isteacher($glossary->course)) {
+            error("You can't delete other people's comments!");
+        }
         if ( $confirm ) {
             delete_records("glossary_comments","id", $cid);             
 
         }
     } else {
         if ( $action == "edit" ) {
-            if ( (time() - $comment->timemodified >= $CFG->maxeditingtime or 
-                  $USER->id != $comment->userid) and !isteacher($course->id) ) {
-                echo "<center><strong>";
+            $ineditperiod = ((time() - $comment->timemodified <  $CFG->maxeditingtime) || $glossary->editalways);
+            if ( (!$ineditperiod || $USER->id != $comment->userid) and !isteacher($course->id) ) {
                 if ( $USER->id != $comment->userid ) {
-                    echo get_string("youarenottheauthor","glossary",$CFG->maxeditingtime);
+                    error("You can't edit other people's comments!");
                 } elseif (time() - $comment->timemodified >= $CFG->maxeditingtime ) {
-                    echo get_string("maxtimehaspassed","glossary",$CFG->maxeditingtime);
+                    error("You can't edit this. Time expired!");
                 }
-                echo "</strong></center>";
-                print_footer($course);
                 die;
             }
         }
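Review bot: The ownership test added at the top of the `edit` branch guards the form display only; the code path that actually stores the edited comment is not in this hunk, and the same `$USER->id != $comment->userid` / `isteacher()` test has to run there as well, otherwise the check merely hides the form. In the same branch the `elseif` still recomputes `time() - $comment->timemodified >= $CFG->maxeditingtime` although `$ineditperiod` already holds that test and honours `editalways`; `} elseif (!$ineditperiod) {` keeps the two branches consistent with the equivalent block in edit.php. The two new `error()` calls replace the `get_string("youarenottheauthor", ...)` and `get_string("maxtimehaspassed", ...)` lookups of the removed lines with hard-coded English, which drops the translations those strings provided. The delete check passes `$glossary->course` to `isteacher()` where the edit check passes `$course->id` — presumably the same id, but worth unifying. The enclosing `if`/`else` on `$action` continues outside the hunk.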
index 699dc0a137adc04ee41d004a1700835b32b0d7c5..4cca03d52e06a26fae302a03a2f95a08667de48c 100644 (file)
                   "", "", true, update_module_button($cm->id, $course->id, $strglossary), 
                   navmenu($course, $cm));
 
+    $entry = get_record("glossary_entries","id", $entry);
+
+    if (($entry->userid <> $USER->id) and !isteacher($course->id)) {
+        error("You can't delete other people's entries!");
+    }
+
 /// If data submitted, then process and store.
     
     if ($confirm) { // the operation was confirmed.
         // if it is an imported entry, just delete the relation
-        $entry = get_record("glossary_entries","id", $entry);
 
         if ( $entry->sourceglossaryid ) {
             $entry->glossaryid = $entry->sourceglossaryid;
@@ -74,7 +79,7 @@
     } else {        // the operation has not been confirmed yet so ask the user to do so
 
         notice_yesno("<b>$entryfields->concept</b><p>$strareyousuredelete</p>",
-                      "deleteentry.php?id=$cm->id&mode=delete&confirm=1&entry=".s($entry)."&prevmode=$prevmode&hook=$hook",
+                      "deleteentry.php?id=$cm->id&mode=delete&confirm=1&entry=".s($entry->concept)."&prevmode=$prevmode&hook=$hook",
                       "view.php?id=$cm->id&mode=$prevmode&hook=$hook");
 
     }
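Review bot: The confirmation URL on the `notice_yesno` line now puts `s($entry->concept)` into the `entry=` parameter, but the record load moved to the top of the file does `get_record("glossary_entries","id", $entry)`, so the confirmed request looks the concept text up as an id and will not find the row; the parameter should carry the id: `"deleteentry.php?id=$cm->id&mode=delete&confirm=1&entry=".s($entry->id)."&prevmode=$prevmode&hook=$hook",`. The moved `get_record()` also has no false check, so an unknown or malformed entry id reaches `$entry->userid` on a non-object before `error()` fires; `if (!$entry = get_record("glossary_entries", "id", $entry)) { error("Entry is incorrect"); }` makes the fail-closed behaviour explicit. The ownership test uses the loose `<>` operator while the matching check in edit.php uses `!=`; one spelling for both reads better. The first hunk of this section begins inside a `print_header()` call whose opening is outside SOURCE.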
index 532d19d684ef59acc8b5e78008d7b4e3a7f1d2e5..b1573f196f496b1f98b32de2c2ef52466abc8222 100644 (file)
@@ -192,6 +192,8 @@ if ( $confirm ) {
         $newentry->casesensitive = $form->casesensitive;
         $newentry->fullmatch = $form->fullmatch;
         $newentry->aliases = "";
+        $newentry->userid = $form->userid;
+        $newentry->timemodified = $form->timemodified;
 
         if ( $aliases = get_records("glossary_alias","entryid",$e) ) {
             foreach ($aliases as $alias) {
@@ -232,6 +234,9 @@ if (!isset($newentry->fullmatch)) {
 if (!isset($newentry->definition)) {
     $newentry->definition = "";
 }
+if (!isset($newentry->timemodified)) {
+    $newentry->timemodified = 0;
+}
 $strglossary = get_string("modulename", "glossary");
 $strglossaries = get_string("modulenameplural", "glossary");
 $stredit = get_string("edit");
@@ -247,6 +252,16 @@ print_header_simple(strip_tags("$glossary->name"), "",
               <A HREF=\"view.php?id=$cm->id\">$glossary->name</A> -> $stredit", "",
               "", true, "", navmenu($course, $cm));
 
+$ineditperiod = ((time() - $newentry->timemodified <  $CFG->maxeditingtime) || $glossary->editalways);
+if ( (!$ineditperiod  || $USER->id != $newentry->userid) and !isteacher($course->id) and $e) {
+                if ( $USER->id != $newentry->userid ) {
+                    error("You can't edit other people's entries!");
+                } elseif (!$ineditperiod) {
+                    error("You can't edit this. Time expired!");
+                }
+                die;
+            }
+
     echo '<p align="center"><font size="3"><b>' . stripslashes_safe($glossary->name);
     echo '</b></font></p>';
 
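Review bot: The ownership check added before the heading echo compares `$USER->id` with `$newentry->userid`, but in the first hunk `$newentry->userid` and `$newentry->timemodified` are copied from `$form`, which — given the `if ( $confirm )` context in that hunk header — looks like the submitted form data rather than the stored record; if so, both the ownership test and the edit-period test are evaluated against values the client supplied. Both should be taken from the database row for `$e`, e.g. replace the two `$form->` assignments with `$stored = get_record("glossary_entries", "id", $e); $newentry->userid = $stored->userid; $newentry->timemodified = $stored->timemodified;`, skipped when `$e` is empty for a new entry as the later check already does with `and $e`. In the third hunk the inner `if`/`elseif` block is indented three levels deeper than its enclosing `if`; reindenting to the file's four-space style makes the block read as one unit. The confirm branch that the first hunk sits in starts outside the hunk.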
index 4e038fd8c0826971c22ed89bc432daa828d24ea5..5696500bebd408177c80eaa56268cb6880a5c0d3 100644 (file)
@@ -710,8 +710,8 @@ function glossary_print_entry_icons($course, $cm, $glossary, $entry,$mode="",$ho
         //Decide if an entry is editable:
         // -It isn't a imported entry (so nobody can edit a imported (from secondary to main) entry)) and
         // -The user is teacher or he is a student with time permissions (edit period or editalways defined).
-        $ineditperiod = (time() - $entry->timemodified <  $CFG->maxeditingtime);
-        if ( !$importedentry and ($isteacher or ($entry->userid == $USER->id and ($glossary->editalways or $ineditperiod)))) {
+        $ineditperiod = ((time() - $entry->timemodified <  $CFG->maxeditingtime) || $glossary->editalways);
+        if ( !$importedentry and ($isteacher or ($entry->userid == $USER->id and $ineditperiod))) {
             $return .= " <a title=\"" . get_string("delete") . "\" href=\"deleteentry.php?id=$cm->id&mode=delete&entry=$entry->id&prevmode=$mode&hook=$hook\"><img src=\"";
             $return .= $icon;
             $return .= "\" height=11 width=11 border=0></a> ";
@@ -1556,7 +1556,8 @@ function glossary_print_comment($course, $cm, $glossary, $entry, $comment) {
     echo format_text($comment->comment, $comment->format);
 
     echo "<div align=right><p align=right>";
-    if ( (time() - $comment->timemodified <  $CFG->maxeditingtime and $USER->id == $comment->userid)  or isteacher($course->id) ) {
+    $ineditperiod = ((time() - $comment->timemodified <  $CFG->maxeditingtime) || $glossary->editalways);
+    if ( ($ineditperiod && $USER->id == $comment->userid)  or isteacher($course->id) ) {
         echo "<a href=\"comment.php?id=$cm->id&eid=$entry->id&cid=$comment->id&action=edit\"><img  
                alt=\"" . get_string("edit") . "\" src=\"$CFG->pixpath/t/edit.gif\" height=11 width=11 border=0></a> ";
     }
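Review bot: The rewritten condition in `glossary_print_comment` mixes `&&` inside the parentheses with `or` outside, and `glossary_print_entry_icons` in the first hunk does the same with `and`/`or`; `and`/`or` bind weaker than `&&`/`||` and than `=`, which is harmless inside a bare `if (...)` but becomes a trap as soon as the expression is assigned to a variable such as `$ineditperiod`. Using one family throughout, `if (($ineditperiod && $USER->id == $comment->userid) || isteacher($course->id)) {`, keeps it consistent with the `||` already used on the `$ineditperiod` line. That line deserves a short comment too, since the variable name no longer says that `editalways` is folded in: `// true within maxeditingtime, or when the glossary allows editing at any time`. Both conditions only decide whether the edit and delete icons are shown; the server-side checks in comment.php and deleteentry.php remain the effective control, so keeping these expressions identical to those files is what keeps the UI honest.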