From: moodler Date: Tue, 13 Feb 2007 08:31:10 +0000 (+0000) Subject: Fixes so that no-one can "login as" users with "doanything" MDL-8411 X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=42044d0971923166298c3df14eefe944a6a351d9;p=moodle.git Fixes so that no-one can "login as" users with "doanything" MDL-8411
---
diff --git a/course/loginas.php b/course/loginas.php
index 11f99b0b30..7fd8e2f135 100644
--- a/course/loginas.php
+++ b/course/loginas.php
@@ -53,6 +53,9 @@ if (!has_capability('moodle/course:view', $context, $userid, false)) {
 error('This user is not in this course!');
 }
+ if (has_capability('moodle/site:doanything', $context, $userid, false)) {
+ print_error('nologinas');
+ }
 }
 /// User must have permissions
diff --git a/lang/en_utf8/error.php b/lang/en_utf8/error.php
index 756ef9a61a..9425c8d511 100644
--- a/lang/en_utf8/error.php
+++ b/lang/en_utf8/error.php
@@ -46,6 +46,7 @@ $string['modulerequirementsnotmet'] = 'Module \"$a->modulename\" ($a->modulevers
 $string['mustbeteacher'] = 'You must be a teacher to look at this page';
 $string['nocontext'] = 'Sorry, but that course is not a valid context';
 $string['noinstances'] = 'There are no instances of $a in this course!';
+$string['nologinas'] = 'You are not allowed to login as that user';
 $string['nonmeaningfulcontent'] = 'Non meaningful content';
 $string['noparticipatorycms'] = 'Sorry, but you have no participatory course modules to report on.';
 $string['nopermissions'] = 'Sorry, but you do not currently have permissions to do that ($a)';
diff --git a/lib/weblib.php b/lib/weblib.php
index a282f3a520..a8a2f832fa 100644
--- a/lib/weblib.php
+++ b/lib/weblib.php
@@ -3199,7 +3199,8 @@ has_capability('moodle/course:viewhiddenuserfields', $context)) {
 if (has_capability('moodle/role:assign', $context, NULL)) { // Includes admins
 $output .= ''. $string->unenrol .'
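Review bot: The added `moodle/site:doanything` guard in course/loginas.php sits inside the same block as the course-membership check (the `}` on the next context line closes it), so it runs only on that branch; if the branch that starts outside this hunk sets `$context` another way, targets reached through it are not screened. This script is the enforcement point, while the lib/weblib.php and user/view.php hunks only hide the link, so the guard is safer placed after the block, where every path passes it. It also runs ahead of the `/// User must have permissions` section, so presumably a caller who lacks `moodle/user:loginas` gets a different error depending on whether the target holds `doanything`; running it after that permission check avoids the distinction. A one-line comment such as `// Never allow impersonating a user who holds doanything in this context` would record the intent.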
';
 }
- if ($USER->id != $user->id && has_capability('moodle/user:loginas', $context)) {
+ if ($USER->id != $user->id && has_capability('moodle/user:loginas', $context) &&
+ ! has_capability('moodle/site:doanything', $context, $user->id, false)) {
 $output .= ''. $string->loginas .'
';
 }
 $output .= ''. $string->fullprofile .'...';
diff --git a/user/view.php b/user/view.php
index 1907f82ba2..42976165c3 100644
--- a/user/view.php
+++ b/user/view.php
@@ -397,7 +397,8 @@
 }
 }
- if ($USER->id != $user->id && has_capability('moodle/user:loginas', $coursecontext)) {
+ if ($USER->id != $user->id && has_capability('moodle/user:loginas', $coursecontext) &&
+ ! has_capability('moodle/site:doanything', $coursecontext, $user->id, false)) {
 echo '
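Review bot: The three-part link condition added in lib/weblib.php (`$USER->id != $user->id`, `moodle/user:loginas` for the viewer, no `moodle/site:doanything` for `$user->id`) is written out a second time in the user/view.php hunk, and both copies only decide whether the "login as" link is rendered. A shared helper would keep the two in step with the check in course/loginas.php. A comment such as `// Display only: course/loginas.php enforces this server-side` would stop a later reader from treating the hidden link as the access control. The added call also performs a capability lookup for `$user->id` each time this output is built, which may matter if it runs once per listed user; the enclosing function starts outside the hunk, so that is worth confirming.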
';
 echo "
";
 echo '';