MDL-11951 - supplemental - need capability checks in the outer if of the file too...

diff --git a/admin/settings/frontpage.php b/admin/settings/frontpage.php
index c88928c9b8e2e056495191914180737dd0f2f2e6..4481d6be1e978e5d6307c75028b3300e77ad66e4 100644 (file)
--- a/admin/settings/frontpage.php
+++ b/admin/settings/frontpage.php
@@ -5,12 +5,19 @@
 if (get_site()) { //do not use during installation
     $frontpagecontext = get_context_instance(CONTEXT_COURSE, SITEID);
 
-    if ($hassiteconfig
-     or has_capability('moodle/course:update',      $frontpagecontext)
-     or has_capability('moodle/role:assign',        $frontpagecontext)
-     or has_capability('moodle/site:restore',       $frontpagecontext)
-     or has_capability('moodle/site:backup',        $frontpagecontext)
-     or has_capability('moodle/course:managefiles', $frontpagecontext)) {
+    if ($hassiteconfig or has_any_capability(array(
+            'moodle/course:update',
+            'moodle/role:assign',
+            'moodle/site:restore',
+            'moodle/site:backup',
+            'moodle/course:managefiles',
+            'moodle/question:add',
+            'moodle/question:editmine',
+            'moodle/question:editall',
+            'moodle/question:viewmine',
+            'moodle/question:viewall',
+            'moodle/question:movemine',
+            'moodle/question:moveall'), $frontpagecontext)) {
 
         // "frontpage" settingpage
         $temp = new admin_settingpage('frontpagesettings', get_string('frontpagesettings','admin'), 'moodle/course:update', false, $frontpagecontext);

diff --git a/lib/accesslib.php b/lib/accesslib.php
index 4f36f5a99441c49db59ca48202947719728cf8cc..bf9eb1b6cfacf8aa796262fa3b99b86e33c749df 100755 (executable)
--- a/lib/accesslib.php
+++ b/lib/accesslib.php
@@ -429,6 +429,28 @@ function has_capability($capability, $context, $userid=NULL, $doanything=true) {
     return has_capability_in_accessdata($capability, $context, $ACCESS[$userid], $doanything);
 }
 
+/**
+ * This function returns whether the current user has any of the capabilities in the
+ * $capabilities array. This is a simple wrapper around has_capability for convinience.
+ *
+ * There are probably tricks that could be done to improve the performance here, for example,
+ * check the capabilities that are already cached first.
+ *
+ * @param array $capabilities - an array of capability names.
+ * @param object $context - a context object (record from context table)
+ * @param integer $userid - a userid number, empty if current $USER
+ * @param bool $doanything - if false, ignore do anything
+ * @return bool
+ */
+function has_any_capability($capabilities, $context, $userid=NULL, $doanything=true) {
+    foreach ($capabilities as $capability) {
+        if (has_any_capability($capability, $context, $userid, $doanything)) {
+            return true;
+        }
+    }
+    return false;
+}
+
 /**
  * Uses 1 DB query to answer whether a user is an admin at the sitelevel.
  * It depends on DB schema >=1.7 but does not depend on the new datastructures