blocks: MDL-19399 proper permissions checks for editing blocks.

author tjhunt <tjhunt>

Thu, 30 Jul 2009 03:44:10 +0000 (03:44 +0000)

committer tjhunt <tjhunt>

Thu, 30 Jul 2009 03:44:10 +0000 (03:44 +0000)
author tjhunt <tjhunt>
Thu, 30 Jul 2009 03:44:10 +0000 (03:44 +0000)
committer tjhunt <tjhunt>
Thu, 30 Jul 2009 03:44:10 +0000 (03:44 +0000)
diff --git a/blocks/edit_form.php b/blocks/edit_form.php

index b3d6c5faedbf5361db13c45c7448bcd87df9153d..14bfa5fb8f667cc3e0852307b4a60a7ca8c7bff0 100644 (file)
--- a/blocks/edit_form.php
+++ b/blocks/edit_form.php
@@ -121,6 +121,14 @@ class block_edit_form extends moodleform {
  
          $mform->addElement('select', 'bui_weight', get_string('weight', 'block'), $weightoptions);
  
+        $pagefields = array('bui_visible', 'bui_region', 'bui_weight');
+        if (!$this->block->user_can_edit()) {
+            $mform->hardFreezeAllVisibleExcept($pagefields);
+        }
+        if (!$this->page->user_can_edit_blocks()) {
+            $mform->hardFreeze($pagefields);
+        }
+
          $this->add_action_buttons();
      }
  
diff --git a/blocks/moodleblock.class.php b/blocks/moodleblock.class.php

index 6adf0a7ff9a520803a197b2c652e31ee0965e630..b161989a7a42c4ba39680a0580256163c5f80fa5 100644 (file)
--- a/blocks/moodleblock.class.php
+++ b/blocks/moodleblock.class.php
@@ -649,7 +649,7 @@ class block_base {
       * @return boolean
       */
      function user_can_edit() {
-        return true;
+        return has_capability('moodle/block:edit', $this->context);
      }
  
      /**
@@ -660,11 +660,11 @@ class block_base {
       * @return boolean
       */
      function user_can_addto($page) {
-        return true;
+        return has_capability('moodle/block:edit', $page->context);
      }
  
      function get_extra_capabilities() {
-        return array('moodle/block:view');
+        return array('moodle/block:view', 'moodle/block:edit');
      }
  
      // Methods deprecated in Moodle 2.0 ========================================
diff --git a/lang/en_utf8/role.php b/lang/en_utf8/role.php

index 8dd53a50454adea146fbee9048145fd25bc06610..ed5995df4b580a368b04d72fe6cb8eefcde3812b 100644 (file)
--- a/lang/en_utf8/role.php
+++ b/lang/en_utf8/role.php
@@ -29,6 +29,7 @@ $string['blog:manageentries'] = 'Edit and manage entries';
  $string['blog:manageofficialtags'] = 'Manage official tags';
  $string['blog:managepersonaltags'] = 'Manage personal tags';
  $string['blog:view'] = 'View blog entries';
+$string['block:edit'] = 'Edit a block\'s settings';
  $string['block:view'] = 'View block';
  $string['calendar:manageentries'] = 'Manage any calendar entries';
  $string['calendar:managegroupentries'] = 'Manage group calendar entries';
@@ -218,7 +219,7 @@ $string['site:doclinks'] = 'Show links to offsite docs';
  $string['site:import'] = 'Import other courses into a course';
  $string['site:langeditlocal'] = 'Customize local translation';
  $string['site:langeditmaster'] = 'Edit master language packages';
-$string['site:manageblocks'] = 'Manage site-level blocks';
+$string['site:manageblocks'] = 'Manage blocks on a page';
  $string['site:mnetlogintoremote'] = 'Roam to a remote Moodle';
  $string['site:mnetloginfromremote'] = 'Login from a remote Moodle';
  $string['site:readallmessages'] = 'Read all messages on site';
diff --git a/lib/blocklib.php b/lib/blocklib.php

index 8e3b2488cb0c37db78f934181c562055d2d5f179..d16ab6cfd97e06a140c15a7d97badf073f22aeb2 100644 (file)
--- a/lib/blocklib.php
+++ b/lib/blocklib.php
@@ -821,7 +821,7 @@ class block_manager {
  
          $block = $this->page->blocks->find_instance($blockid);
  
-        if (!$block->user_can_edit() || !$this->page->user_can_edit_blocks()) {
+        if (!$this->page->user_can_edit_blocks()) {
              throw new moodle_exception('nopermissions', '', $this->page->url->out(), get_string('hideshowblocks'));
          }
  
@@ -852,7 +852,7 @@ class block_manager {
  
          $block = $this->find_instance($blockid);
  
-        if (!$block->user_can_edit() || !$this->page->user_can_edit_blocks()) {
+        if (!$block->user_can_edit() && !$this->page->user_can_edit_blocks()) {
              throw new moodle_exception('nopermissions', '', $this->page->url->out(), get_string('editblock'));
          }
  
@@ -1170,7 +1170,7 @@ function block_edit_controls($block, $page) {
                  'icon' => 'i/roles', 'caption' => get_string('assignroles', 'role'));
      }
  
-    if ($block->user_can_edit() && $page->user_can_edit_blocks()) {
+    if ($page->user_can_edit_blocks()) {
          // Show/hide icon.
          if ($block->instance->visible) {
              $controls[] = array('url' => $actionurl . '&bui_hideid=' . $block->instance->id,
@@ -1179,17 +1179,21 @@ function block_edit_controls($block, $page) {
              $controls[] = array('url' => $actionurl . '&bui_showid=' . $block->instance->id,
                      'icon' => 't/show', 'caption' => get_string('show'));
          }
+    }
  
+    if ($page->user_can_edit_blocks() || $block->user_can_edit()) {
          // Edit config icon - always show - needed for positioning UI.
          $controls[] = array('url' => $actionurl . '&bui_editid=' . $block->instance->id,
                  'icon' => 't/edit', 'caption' => get_string('configuration'));
+    }
  
+    if ($page->user_can_edit_blocks() && $block->user_can_edit() && $block->user_can_addto($page)) {
          // Delete icon.
-        if ($block->user_can_addto($page)) {
-            $controls[] = array('url' => $actionurl . '&bui_deleteid=' . $block->instance->id,
+        $controls[] = array('url' => $actionurl . '&bui_deleteid=' . $block->instance->id,
                  'icon' => 't/delete', 'caption' => get_string('delete'));
-        }
+    }
  
+    if ($page->user_can_edit_blocks()) {
          // Move icon.
          $controls[] = array('url' => $page->url->out(false, array('moveblockid' => $block->instance->id)),
                  'icon' => 't/move', 'caption' => get_string('move'));
diff --git a/lib/db/access.php b/lib/db/access.php

index 760fb548086cec373cb1c9052a294792bd468467..8ff7b5c3c5805361d7b05dae20c8c96931ee88cd 100644 (file)
--- a/lib/db/access.php
+++ b/lib/db/access.php
@@ -1322,6 +1322,17 @@ $moodle_capabilities = array(
          )
      ),
  
+    'moodle/block:edit' => array(
+        'riskbitmask' => RISK_SPAM | RISK_XSS,
+
+        'captype' => 'write',
+        'contextlevel' => CONTEXT_BLOCK,
+        'legacy' => array(
+            'editingteacher' => CAP_ALLOW,
+            'coursecreator' => CAP_ALLOW
+        )
+    ),
+
      'moodle/portfolio:export' => array(
          'captype' => 'read',
          'contextlevel' => CONTEXT_SYSTEM,
diff --git a/version.php b/version.php

index db6afe04f55de3c5d3364aa8ef3baa907f4e95e6..5294e9b30d00e7259f80bb084567ce7ad7b54a75 100644 (file)
--- a/version.php
+++ b/version.php
@@ -6,7 +6,7 @@
  // This is compared against the values stored in the database to determine
  // whether upgrades should be performed (see lib/db/*.php)
  
-    $version = 2009072700;  // YYYYMMDD   = date of the last version bump
+    $version = 2009073000;  // YYYYMMDD   = date of the last version bump
                              //         XX = daily increments
  
      $release = '2.0 dev (Build: 20090730)';  // Human-friendly version name
author	tjhunt <tjhunt>
	Thu, 30 Jul 2009 03:44:10 +0000 (03:44 +0000)
committer	tjhunt <tjhunt>
	Thu, 30 Jul 2009 03:44:10 +0000 (03:44 +0000)
blocks/edit_form.php		patch \| blob \| history
blocks/moodleblock.class.php		patch \| blob \| history
lang/en_utf8/role.php		patch \| blob \| history
lib/blocklib.php		patch \| blob \| history
lib/db/access.php		patch \| blob \| history
version.php		patch \| blob \| history