From: skodak
Date: Thu, 26 Apr 2007 21:41:08 +0000 (+0000)
Subject: MDL-9574 + MDL-9607 Add Change-own-password and Edit-own-profile capabilities
X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=1cb3da36135b25b9eac2e07593da4462b10cd61e;p=moodle.git
MDL-9574 + MDL-9607 Add Change-own-password and Edit-own-profile capabilities
---
diff --git a/lang/en_utf8/moodle.php b/lang/en_utf8/moodle.php
index 34db40ad16..e2d2b0ace4 100644
--- a/lang/en_utf8/moodle.php
+++ b/lang/en_utf8/moodle.php
@@ -500,6 +500,14 @@ line at the top of your web browser window.
 If you need help, please contact the site administrator,
 $a->admin';
+$string['emailpasswordchangeinfodisabled'] = 'Hi $a->firstname,
+
+Someone (probably you) has requested a new password for your
+account on \'$a->sitename\'.
+
+Unfortunately your account on this site is disabled and can not be reset,
+please contact the site administrator,
+$a->admin';
 $string['emailpasswordchangeinfofail'] = 'Hi $a->firstname,
 Someone (probably you) has requested a new password for your
diff --git a/lang/en_utf8/role.php b/lang/en_utf8/role.php
index 851f1210c5..813464c325 100644
--- a/lang/en_utf8/role.php
+++ b/lang/en_utf8/role.php
@@ -116,8 +116,10 @@ $string['site:uploadusers'] = 'Upload new users from file';
 $string['site:viewfullnames'] = 'Always see full names of users';
 $string['site:viewparticipants'] = 'View participants';
 $string['site:viewreports'] = 'View reports';
+$string['user:changeownpassword'] = 'Change own password';
 $string['user:create'] = 'Create users';
 $string['user:delete'] = 'Delete users';
+$string['user:editownprofile'] = 'Edit own user profile';
 $string['user:editprofile'] = 'Edit user profile';
 $string['user:loginas'] = 'Login as other users';
 $string['user:readuserblogs'] = 'See all user blogs';
diff --git a/lib/db/access.php b/lib/db/access.php
index fb2284bae9..185cf34cf2 100644
--- a/lib/db/access.php
+++ b/lib/db/access.php
@@ -719,13 +719,35 @@ $moodle_capabilities = array(
 'riskbitmask' => RISK_SPAM,
- 'captype' => 'read',
+ 'captype' => 'write',
 'contextlevel' => CONTEXT_USER,
 'legacy' => array(
 'admin' => CAP_ALLOW
 )
 ),
+ 'moodle/user:editownprofile' => array(
+
+ 'captype' => 'write',
+ 'contextlevel' => CONTEXT_SYSTEM,
+ 'legacy' => array(
+ 'guest' => CAP_PROHIBIT,
+ 'user' => CAP_ALLOW,
+ 'admin' => CAP_ALLOW
+ )
+ ),
+
+ 'moodle/user:changeownpassword' => array(
+
+ 'captype' => 'write',
+ 'contextlevel' => CONTEXT_SYSTEM,
+ 'legacy' => array(
+ 'guest' => CAP_PROHIBIT,
+ 'user' => CAP_ALLOW,
+ 'admin' => CAP_ALLOW
+ )
+ ),
+
 // The next 3 might make no sense for some roles, e.g teacher, etc.
 // since the next level up is site. These are more for the parent role
 'moodle/user:readuserposts' => array(
diff --git a/lib/moodlelib.php b/lib/moodlelib.php
index 3df079b095..0a98799af5 100644
--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -3575,7 +3575,7 @@ function reset_password_and_mail($user) {
 $from = get_admin();
 $userauth = get_auth_plugin($user->auth);
- if (!$userauth->can_reset_password()) {
+ if (!$userauth->can_reset_password() or !is_enabled_auth($user->auth)) {
 trigger_error("Attempt to reset user password for user $user->username with Auth $user->auth.");
 return false;
 }
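Review bot: `moodle/user:editownprofile` is declared without a `riskbitmask`, while the neighbouring capability at the top of this hunk carries `'riskbitmask' => RISK_SPAM`; editing one's own profile presumably writes free-text fields that other users see (the profile form is outside this diff), so the same flag belongs here so the roles UI surfaces the spam risk when the capability is granted to a custom role. Suggested line inside the `editownprofile` array: `'riskbitmask' => RISK_SPAM,`. The `captype` flip from `'read'` to `'write'` at the top of the hunk applies to a capability whose key lies above the hunk start, so its name is not visible here; a one-line note in the commit message on which capability changed type would make that intent auditable.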
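Review bot: The new guard `!$userauth->can_reset_password() or !is_enabled_auth($user->auth)` in reset_password_and_mail() is narrower than the rule this same commit adds to send_password_change_info(), which is `!is_enabled_auth($user->auth) or $user->auth == 'nologin'`; a `nologin` account is therefore refused here only if that plugin's can_reset_password() happens to return false, which this hunk does not establish. Making the two checks identical, e.g. `if (!$userauth->can_reset_password() or !is_enabled_auth($user->auth) or $user->auth == 'nologin') {`, keeps the reset path from depending on a plugin default. Note also that `get_auth_plugin($user->auth)` on the line above is executed before the enabled check, so a disabled plugin is still instantiated; testing `is_enabled_auth()` first would avoid that. The function body continues outside the hunk.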
@@ -3676,15 +3676,23 @@ function send_password_change_info($user) {
 $site = get_site();
 $from = get_admin();
+ $systemcontext = get_context_instance(CONTEXT_SYSTEM);
 $data = new object();
 $data->firstname = $user->firstname;
 $data->sitename = format_string($site->fullname);
 $data->admin = fullname($from).' ('. $from->email .')';
- $userauth = get_auth_plugin($user->auth);
+ $userauth = get_auth_plugin($user->auth);
+
+ if (!is_enabled_auth($user->auth) or $user->auth == 'nologin') {
+ $message = get_string('emailpasswordchangeinfodisabled', '', $data);
+ $subject = get_string('emailpasswordchangeinfosubject', '', format_string($site->fullname));
+ return email_to_user($user, $from, $subject, $message);
+ }
+
 if ($userauth->can_change_password() and $userauth->change_password_url()) {
- // we have some external url for password cahnging
+ // we have some external url for password changing
 $data->link .= $userauth->change_password_url();
 } else {
@@ -3692,7 +3700,7 @@ function send_password_change_info($user) {
 $data->link = '';
 }
- if (!empty($data->link)) {
+ if (!empty($data->link) and has_capability('moodle/user:changeownpassword', $systemcontext, $user->id)) {
 $message = get_string('emailpasswordchangeinfo', '', $data);
 $subject = get_string('emailpasswordchangeinfosubject', '', format_string($site->fullname));
 } else {
diff --git a/login/change_password.php b/login/change_password.php
index 6a6b938b72..525f02db8c 100644
--- a/login/change_password.php
+++ b/login/change_password.php
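Review bot: In the first hunk the `'nologin'` literal is special-cased only here, while reset_password_and_mail() in the previous hunk checks just `is_enabled_auth()`, so the two password-recovery paths can disagree about the same account; a comment on the new condition explaining why `nologin` needs its own test (`// 'nologin' is treated as enabled by is_enabled_auth() but must never receive a change-password link`) would record the assumption, hedged because is_enabled_auth() is outside this diff. On the context line `$data->link .= $userauth->change_password_url();` just below, `.=` appends to a property that `new object()` never initialised; since this is the first write to `$data->link`, `$data->link = $userauth->change_password_url();` is what is meant. In the second hunk a user who lacks `moodle/user:changeownpassword` falls through to the `else` branch outside the hunk, which presumably sends the 'fail' text; a short comment there (`// no capability or no url: tell the user the password cannot be changed`) keeps the capability test from reading as an error path.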
@@ -14,15 +14,19 @@
 error('No such course!');
 }
- // require proper login; guest can not change password
- // TODO: add change password capability so that we can prevent participants from changing password
- if (empty($USER->id) or isguestuser() or has_capability('moodle/legacy:guest', $systemcontext, $USER->id, false)) {
+ // require proper login; guest user can not change password
+ if (empty($USER->id) or isguestuser()) {
 if (empty($SESSION->wantsurl)) {
 $SESSION->wantsurl = $CFG->httpswwwroot.'/login/change_password.php';
 }
 redirect($CFG->httpswwwroot.'/login/index.php');
 }
+ // do not require change own password cap if change forced
+ if (!get_user_preferences('auth_forcepasswordchange', false)) {
+ require_capability('moodle/user:changeownpassword', $systemcontext);
+ }
+
 // do not allow "Logged in as" users to change any passwords
 if (!empty($USER->realuser)) {
 error('Can not use this script when "Logged in as"!');
diff --git a/login/forgot_password.php b/login/forgot_password.php
index 4de7199224..6244ace64e 100644
--- a/login/forgot_password.php
+++ b/login/forgot_password.php
@@ -12,7 +12,7 @@ $p_username = optional_param('s', false, PARAM_RAW);
 httpsrequired();
-$sitecontext = get_context_instance(CONTEXT_SYSTEM);
+$systemcontext = get_context_instance(CONTEXT_SYSTEM);
 // setup text strings
 $strforgotten = get_string('passwordforgotten');
@@ -41,11 +41,13 @@ if ($p_secret !== false) {
 // make sure that url relates to a valid user
 // check this isn't guest user
- // TODO: add change password capability so that we can prevent participants to change password
- if (has_capability('moodle/legacy:guest', $sitecontext, $user->id, false)) {
+ if (isguestuser($user)) {
 error('You cannot reset the guest password');
 }
+ // make sure user is allowed to change password
+ require_capability('moodle/user:changeownpassword', $systemcontext, $user->id);
+
 // override email stop and mail new password
 $user->emailstop = 0;
 if (!reset_password_and_mail($user)) {
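Review bot: The capability check is skipped whenever the `auth_forcepasswordchange` preference is set, so the access decision on this page is only as strong as the set of code paths that can write that preference, and nothing in the hunk records that assumption; a comment above the new `if` such as `// auth_forcepasswordchange is set server-side by auth plugins/admins, never by the user; a forced change must be allowed even without the capability` would make the trust boundary explicit for the next reader. `$systemcontext` used in `require_capability()` is defined above the hunk start, so the guard depends on that earlier line staying in place. The enclosing script continues outside the hunk.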
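Review bot: In the `@@ -41` hunk, `require_capability('moodle/user:changeownpassword', $systemcontext, $user->id)` runs on the secret-link path, where the visitor is typically not logged in, so a failure renders the generic no-permission page rather than the explicit `error('You cannot reset the guest password')` style used two lines above. Since the same capability is checked before the confirmation mail is sent (later hunk), this test only fires if the account's permissions changed between mail and click; a comment saying so (`// re-check: role may have changed since the confirmation mail was sent`) explains why the check is repeated and why a plain error is acceptable here. The surrounding `if ($p_secret !== false)` block starts and ends outside the hunk.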
@@ -97,9 +99,14 @@ if ($mform->is_cancelled()) {
 if ($user and !empty($user->confirmed)) {
 $userauth = get_auth_plugin($user->auth);
+ if (has_capability('moodle/user:changeownpassword', $systemcontext, $user->id)) {
+ // send email (make sure mail block is off)
+ $user->mailstop = 0;
+ }
- if ($userauth->can_reset_password()) {
- // reset internal password and notify user
+ if ($userauth->can_reset_password() and is_enabled_auth($user->auth)
+ and has_capability('moodle/user:changeownpassword', $systemcontext, $user->id)) {
+ // send reset password confirmation
 // set 'secret' string
 $user->secret = random_string(15);
@@ -107,15 +114,11 @@ if ($mform->is_cancelled()) {
 error('error setting user secret string');
 }
- // send email (make sure mail block is off)
- $user->mailstop = 0;
 if (!send_password_change_confirmation_email($user)) {
 error('error sending password change confirmation email');
 }
 } else {
- // send email (make sure mail block is off)
- $user->mailstop = 0;
 if (!send_password_change_info($user)) {
 error('error sending password change confirmation email');
 }
diff --git a/user/edit.php b/user/edit.php
index a34776e2c9..c726127285 100644
--- a/user/edit.php
+++ b/user/edit.php
@@ -24,7 +24,10 @@
 redirect($CFG->httpswwwroot.'/login/index.php');
 }
- if (isguest()) { //TODO: add proper capability to edit own profile
+ $systemcontext = get_context_instance(CONTEXT_SYSTEM);
+ $personalcontext = get_context_instance(CONTEXT_USER, $user->id);
+
+ if (isguestuser()) {
 print_error('guestnoeditprofile');
 }
@@ -38,9 +41,12 @@
 }
 // check access control
- if ($user->id != $USER->id) {
+ if ($user->id == $USER->id) {
+ //editing own profile
+ require_capability('moodle/user:editownprofile', $systemcontext);
+
+ } else {
 // teachers, parents, etc.
- $personalcontext = get_context_instance(CONTEXT_USER, $user->id);
 require_capability('moodle/user:editprofile', $personalcontext);
 // no editing of guest user account
 if (isguestuser($user->id)) {
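Review bot: The block moved to the top of the branch writes `$user->mailstop = 0;`, but the secret-link path of this same script (previous hunk) clears `$user->emailstop = 0;` under the comment "override email stop"; if the intent is to bypass the mail-stop flag that the mailer honours, `mailstop` looks like a different property and the write would have no effect — confirm against the user record fields and email_to_user(), both outside this diff, and if `emailstop` is the real field change the line to `$user->emailstop = 0;`. `has_capability('moodle/user:changeownpassword', $systemcontext, $user->id)` is also evaluated twice within four lines; computing it once, `$canchange = has_capability('moodle/user:changeownpassword', $systemcontext, $user->id);`, and reusing it in both conditions reads more clearly. In the `@@ -107` hunk the `else` branch now calls send_password_change_info() with the mail block left as-is when the capability is missing; whether that information mail is then suppressed depends on the mailer and deserves a comment. The enclosing `if ($user and !empty($user->confirmed))` block ends outside the hunks.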
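Review bot: In the user/edit.php hunks, `isguestuser()` with no argument (first hunk) tests the current user while `isguestuser($user->id)` in the `else` branch of the second hunk tests the target account, and tabs.php in this same commit passes the object as `isguestuser($user)`; the three call forms are easy to confuse when reading access-control code, so a comment on each would help, e.g. `// current user is the guest account` above the first and `// target account is the guest account` above the second. The `$user->id == $USER->id` test is a loose comparison of two ids, which is fine for the values involved, but `(int) $user->id === (int) $USER->id` would state the intent. The enclosing script continues outside the hunks.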
diff --git a/user/tabs.php b/user/tabs.php
index 5d71c422c0..f2c0be8220 100644
--- a/user/tabs.php
+++ b/user/tabs.php
@@ -102,16 +102,19 @@
 }
 $edittype = 'none';
- if (is_mnet_remote_user($user)) {
+ if (isguestuser($user)) {
+ // guest account can not be edited
+
+ } else if (is_mnet_remote_user($user)) {
 // cannot edit remote users
- } else if (isguest() or !isloggedin()) {
- // can not edit guest like accounts - TODO: add capability to edit own profile
-
+ } else if (isguestuser() or !isloggedin()) {
+ // guests and not logged in can not edit own profile
+
 } else if ($USER->id == $user->id) {
 if (has_capability('moodle/user:update', $systemcontext)) {
 $edittype = 'advanced';
- } else {
+ } else if (has_capability('moodle/user:editownprofile', $systemcontext)) {
 $edittype = 'normal';
 }
diff --git a/user/view.php b/user/view.php
index 03cc1b38aa..6f59476217 100644
--- a/user/view.php
+++ b/user/view.php
@@ -31,11 +31,12 @@
 }
 if ($course->id == SITEID) {
- $coursecontext = get_context_instance(CONTEXT_SYSTEM, SITEID); // SYSTEM context
+ $coursecontext = get_context_instance(CONTEXT_SYSTEM); // SYSTEM context
 } else {
 $coursecontext = get_context_instance(CONTEXT_COURSE, $course->id); // Course context
 }
 $usercontext = get_context_instance(CONTEXT_USER, $user->id); // User context
+ $systemcontext = get_context_instance(CONTEXT_SYSTEM); // SYSTEM context
 if (!empty($CFG->forcelogin) || $course->id != SITEID) { // do not force parents to enrol
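Review bot: The `if`/`else if` chain in the tabs.php hunk now has two branches whose bodies are only a comment, relying on `$edittype = 'none'` set above; this is a UI decision (whether to show an edit link) and not the enforcement point, which is user/edit.php, so the code is safe, but the empty branches invite later insertions that silently change the guard order. Rewriting the chain as a single positive condition with the negative cases commented alongside, e.g. `} else if ($USER->id == $user->id and !isguestuser($user) and isloggedin()) {`, keeps the three "cannot edit" cases in one place; the remote-user case can stay as its own branch. The chain begins inside the hunk but the branch for other users' profiles continues outside it.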
@@ -356,10 +357,8 @@
 $userauth = get_auth_plugin($user->auth);
 $passwordchangeurl = false;
- if (/*$currentuser and */$userauth->can_change_password() and !isguest()) { //TODO: add proper capability for password changing
- if ($userauth->change_password_url()) {
- $passwordchangeurl = $userauth->change_password_url();
- } else {
+ if ($currentuser and $userauth->can_change_password() and !isguestuser() and has_capability('moodle/user:changeownpassword', $systemcontext)) {
+ if (!$passwordchangeurl = $userauth->change_password_url()) {
 if (empty($CFG->loginhttps)) {
 $passwordchangeurl = "$CFG->wwwroot/login/change_password.php";
 } else {
diff --git a/version.php b/version.php
index aa3f3f92e0..1f934a65f2 100644
--- a/version.php
+++ b/version.php
@@ -6,7 +6,7 @@
 // This is compared against the values stored in the database to determine
 // whether upgrades should be performed (see lib/db/*.php)
- $version = 2007042601; // YYYYMMDD = date
+ $version = 2007042700; // YYYYMMDD = date
 // XY = increments within a single day
 $release = '1.9 dev'; // Human-friendly version name
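Review bot: `if (!$passwordchangeurl = $userauth->change_password_url()) {` assigns inside the condition; PHP parses it as `!($passwordchangeurl = ...)` so it behaves, but it reads like a comparison and hides the assignment from a quick review of this access-related block. Splitting it into `$passwordchangeurl = $userauth->change_password_url();` followed by `if (!$passwordchangeurl) {` costs one line and removes the ambiguity. The outer condition now mirrors the guard in login/change_password.php except for that script's forced-change bypass, so a user without the capability but with a forced change gets no link here; that is presumably intended, and a comment stating it would stop someone "fixing" the mismatch later. The `if`/`else` that follows is cut off at the end of the hunk.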