MDL-12635 - Manual grading report does not check capabilites - also, only show the...

diff --git a/lang/en_utf8/quiz_grading.php b/lang/en_utf8/quiz_grading.php
index f006a28ee150142125f405e88bd64e220b21870d..672487e23a07735ecbec47f5f04898c1e48d0e08 100644 (file)
--- a/lang/en_utf8/quiz_grading.php
+++ b/lang/en_utf8/quiz_grading.php
@@ -4,5 +4,6 @@
 
 $string['essayonly'] = 'The following questions need to be graded manually';
 $string['grading'] = 'Manual grading';
+$string['gradingnotallowed'] = 'You do not have permission to manually grade responses in this quiz';
 
 ?>

diff --git a/mod/quiz/report/grading/report.php b/mod/quiz/report/grading/report.php
index e38d10fe49fe37539c1760ecaffb770335188485..3298bcd7ee9b31fa8e05f9bf4264c7bf7debaf18 100644 (file)
--- a/mod/quiz/report/grading/report.php
+++ b/mod/quiz/report/grading/report.php
@@ -34,6 +34,13 @@ class quiz_report extends quiz_default_report {
 
         $this->print_header_and_tabs($cm, $course, $quiz, $reportmode="grading");
 
+        // Check permissions
+        $context = get_context_instance(CONTEXT_MODULE, $cm->id);
+        if (!has_capability('mod/quiz:grade', $context)) {
+            notify(get_string('gradingnotallowed', 'quiz_grading'));
+            return true;
+        }
+
         if (!empty($questionid)) {
             if (! $question = get_record('question', 'id', $questionid)) {
                 error("Question with id $questionid not found");

diff --git a/mod/quiz/tabs.php b/mod/quiz/tabs.php
index 835107ea8168fdf9416b55baaf76a684bd9ebc1c..55d3b96f090095aad80b9a8c7014e2b314442084 100644 (file)
--- a/mod/quiz/tabs.php
+++ b/mod/quiz/tabs.php
@@ -51,9 +51,15 @@ if ($currenttab == 'reports' and isset($mode)) {
     $inactive[] = 'reports';
     $activated[] = 'reports';
 
-    $allreports = get_list_of_plugins("mod/quiz/report");
-    $reportlist = array ('overview', 'regrade', 'grading', 'analysis');   // Standard reports we want to show first
+    // Standard reports we want to show first.
+    $reportlist = array ('overview', 'regrade', 'grading', 'analysis');
+    // Reports that are restricted by capability.
+    $reportrestrictions = array(
+        'regrade' => 'mod/quiz:grade',
+        'grading' => 'mod/quiz:grade'
+    );
 
+    $allreports = get_list_of_plugins("mod/quiz/report");
     foreach ($allreports as $report) {
         if (!in_array($report, $reportlist)) {
             $reportlist[] = $report;
@@ -63,10 +69,12 @@ if ($currenttab == 'reports' and isset($mode)) {
     $row  = array();
     $currenttab = '';
     foreach ($reportlist as $report) {
-        $row[] = new tabobject($report, "$CFG->wwwroot/mod/quiz/report.php?q=$quiz->id&mode=$report",
-                                get_string($report, 'quiz_'.$report));
-        if ($report == $mode) {
-            $currenttab = $report;
+        if (!isset($reportrestrictions[$report]) || has_capability($reportrestrictions[$report], $context)) {
+            $row[] = new tabobject($report, "$CFG->wwwroot/mod/quiz/report.php?q=$quiz->id&mode=$report",
+                                    get_string($report, 'quiz_'.$report));
+            if ($report == $mode) {
+                $currenttab = $report;
+            }
         }
     }
     $tabs[] = $row;