"MDL-20422, check courses category before moving, hideing, showing courses, merged...

diff --git a/course/category.php b/course/category.php
index 5ca6cfa47fea3ad5e647008e9e20899e26123e61..8b47748d033281a455a4ba8cfdbd54ba6b4dee6a 100644 (file)
--- a/course/category.php
+++ b/course/category.php
@@ -85,7 +85,17 @@
             $courses = array();
             foreach ($data as $key => $value) {
                 if (preg_match('/^c\d+$/', $key)) {
-                    array_push($courses, substr($key, 1));
+                    $courseid = substr($key, 1);
+                    array_push($courses, $courseid);
+
+                    // check this course's category
+                    if ($movingcourse = $DB->get_record('course', array('id'=>$courseid))) {
+                        if ($movingcourse->category != $id ) {
+                            print_error('coursedoesnotbelongtocategory');
+                        }
+                    } else {
+                        print_error('cannotfindcourse');
+                    }
                 }
             }
             move_courses($courses, $data->moveto);
@@ -93,7 +103,6 @@
 
     /// Hide or show a course
         if ((!empty($hide) or !empty($show)) and confirm_sesskey()) {
-            require_capability('moodle/course:visibility', $context);
             if (!empty($hide)) {
                 $course = $DB->get_record('course', array('id' => $hide));
                 $visible = 0;
@@ -101,7 +110,10 @@
                 $course = $DB->get_record('course', array('id' => $show));
                 $visible = 1;
             }
+
             if ($course) {
+                $coursecontext = get_context_instance(CONTEXT_COURSE, $course->id);
+                require_capability('moodle/course:visibility', $coursecontext);
                 if (!$DB->set_field('course', 'visible', $visible, array('id' => $course->id))) {
                     print_error('errorupdatingcoursevisibility');
                 }
@@ -127,6 +139,10 @@
                 }
             }
             if ($swapcourse and $movecourse) {
+                // check course's category
+                if ($movecourse->category != $id) {
+                    print_error('coursedoesnotbelongtocategory');
+                }
                 $DB->set_field('course', 'sortorder', $swapcourse->sortorder, array('id' => $movecourse->id));
                 $DB->set_field('course', 'sortorder', $movecourse->sortorder, array('id' => $swapcourse->id));
             }

diff --git a/lang/en_utf8/error.php b/lang/en_utf8/error.php
index e97465349993916653630e61b3cf368f30000113..487dc9d7fc7fdd3901bc4be6cda701f5b0901d64 100644 (file)
--- a/lang/en_utf8/error.php
+++ b/lang/en_utf8/error.php
@@ -59,6 +59,7 @@ $string['cannoteditmasterlang'] = 'You do not have permission to edit the master
 $string['cannotedityourprofile'] = 'Sorry, you cannot edit own profile';
 $string['cannotfindcomponent'] = 'Cannot find component';
 $string['cannotfindcontext'] = 'Could not find context';
+$string['cannotfindcourse'] = 'Cannot find course';
 $string['cannotfindcategory'] = 'Cannot find category record from database by ID - $a';
 $string['cannotfinddocs'] = 'Cannot find \"$a\" language docs files';
 $string['cannotfindgradeitem'] = 'Cannot find grade_item';
@@ -148,6 +149,7 @@ $string['confirmsesskeybad'] = 'Sorry, but your session key could not be confirm
 $string['couldnotassignrole'] = 'A serious but unspecified error occurred while trying to assign a role to you';
 $string['couldnotupdatenoexistinguser'] = 'Cannot update the user - user doesn\'t exist';
 $string['countriesphpempty'] = 'Error: The file countries.php in language pack $a is empty or missing.';
+$string['coursedoesnotbelongtocategory'] = 'The course doesn\'t belong to this category';
 $string['coursegroupunknown'] = 'Course corresponding to group $a not specified';
 $string['courseidnotfound'] = 'Course id doesn\'t exist';
 $string['coursemisconf'] = 'Course is misconfigured';