From: moodler Date: Tue, 8 Aug 2006 05:13:06 +0000 (+0000) Subject: ROLES AND PERMISSIONS - FIRST CHECK-IN X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=bbbf2d401564ade2548592853586005a7bcde900;p=moodle.git ROLES AND PERMISSIONS - FIRST CHECK-IN ======================================= WARNING: DEV IS CURRENTLY VERY UNSTABLE. This is a mega-checkin of the new Roles system. A lot of changes have been made in core and modules. Currently there are a lot of rough edges and known problems. We are working hard on these .. .the reason for getting this into HEAD at this stage is enable us to move faster (our branch was diverging from HEAD too much). Please keep an eye on http://docs.moodle.org/en/Roles for current status and information for developers on how to use the new Roles system. --- diff --git a/admin/blocks.php b/admin/blocks.php index 3db1aba55b..895fb111d2 100644 --- a/admin/blocks.php +++ b/admin/blocks.php @@ -117,6 +117,8 @@ } } } + // Delete the capabilities that were defined by this block + capabilities_cleanup('block/'.$block->name); $a->block = $strblockname; $a->directory = $CFG->dirroot.'/blocks/'.$block->name; diff --git a/admin/config.php b/admin/config.php index 9c396dd1a2..0f49a3c928 100644 --- a/admin/config.php +++ b/admin/config.php @@ -7,7 +7,8 @@ if ($site = get_site()) { // If false then this is a new installation require_login(); - if (!isadmin()) { + $context = get_context_instance(CONTEXT_SYSTEM, SITEID); + if (!has_capability('moodle/site:config', $context->id)) { error('Only the admin can use this page'); } } @@ -23,7 +24,7 @@ if ($config = data_submitted($match)) { - if (!empty($USER->id)) { // Additional identity check + if (!empty($USER->id)) { // Additional identity check if (!confirm_sesskey()) { error(get_string('confirmsesskeybad', 'error')); } diff --git a/admin/configure.php b/admin/configure.php index e2d8a796cf..1ba23bcbf7 100644 --- a/admin/configure.php +++ b/admin/configure.php @@ -4,8 +4,9 @@ require_login(); - if (!isadmin()) { - error('Only admins can access this page'); + $context = get_context_instance(CONTEXT_SYSTEM, SITEID); + if (!has_capability('moodle/site:config', $context->id)) { + error('Only the admin can use this page'); } if (!$site = get_site()) { diff --git a/admin/index.php b/admin/index.php index 2bbd5d71ef..ff563380eb 100644 --- a/admin/index.php +++ b/admin/index.php @@ -28,9 +28,8 @@ $confirmupgrade = optional_param('confirmupgrade', 0, PARAM_BOOL); $agreelicence = optional_param('agreelicence',0, PARAM_BOOL); - /// check upgrade status first - upgrade_check_running("Upgrade already running, please wait!", 10); + #upgrade_check_running("Upgrade already running, please wait!", 10); /// Check some PHP server settings @@ -79,6 +78,12 @@ $CFG->version = ""; } +/// Turn off time limits and try to flush everything all the time, sometimes upgrades can be slow. + + @set_time_limit(0); + @ob_implicit_flush(true); + @ob_end_flush(); + /// Check if the main tables have been installed yet or not. if (! $tables = $db->Metatables() ) { // No tables yet at all. @@ -165,6 +170,12 @@ print_heading($strdatabasechecking); $db->debug=true; if (main_upgrade($CFG->version)) { + if (empty($CFG->rolesactive)) { + moodle_upgrade_roles_system_17(); + } + if (!update_capabilities()) { + error('Had trouble upgrading the core capabilities for Roles'); + } $db->debug=false; if (set_config("version", $version)) { remove_dir($CFG->dataroot . '/cache', true); // flush cache @@ -240,6 +251,7 @@ redirect("config.php"); } + /// Find and check all main modules and load them up or upgrade them if necessary upgrade_activity_modules("$CFG->wwwroot/$CFG->admin/index.php"); // Return here afterwards @@ -304,7 +316,10 @@ /// Check for valid admin user require_login(); - if (!isadmin()) { + $context = get_context_instance(CONTEXT_SYSTEM, SITEID); + + if (!isadmin()) { + //if (!has_capability('moodle/site:config', $context->id)) { error("You need to be an admin user to use this page.", "$CFG->wwwroot/login/index.php"); } @@ -416,6 +431,12 @@ get_string('addnewuser').' - '.get_string('adminhelpaddnewuser').''; $userdata .= '
'. get_string('uploadusers').' - '.get_string('adminhelpuploadusers').'
'; + $userdata .= '
'. + get_string('manageroles').' - '.get_string('adminmanageroles'). + '
'; + $userdata .= '
'. + get_string('assignroles').' - '.get_string('adminassignroles'). + '
'; $table->data[] = array(''.get_string('users').'', $userdata); @@ -423,17 +444,25 @@ ' - '.get_string('adminhelpcourses').''; $coursedata .= '
'.get_string('enrolmentplugins'). ' - '.get_string('adminhelpenrolments').'
'; - $coursedata .= '
'. - get_string('assignstudents').' - '.get_string('adminhelpassignstudents').'
'; - $coursedata .= '
'. - get_string('assignteachers').' - '.get_string('adminhelpassignteachers'). - '
'; - $coursedata .= '
'.get_string('assigncreators'). - ' - '.get_string('adminhelpassigncreators').'
'; - $coursedata .= '
'.get_string('assignadmins'). - ' - '.get_string('adminhelpassignadmins').'
'; + $table->data[] = array(''.get_string('courses').'', $coursedata); + + $table->data[] = array(''.get_string('sitefiles').'', + '
'.get_string('adminhelpsitefiles').'
'); + $table->data[] = array(''.get_string('stickyblocks','admin').'', + '
'.get_string('adminhelpstickyblocks').'
'); + $table->data[] = array(''.get_string('reports').'', + '
'.get_string('adminhelpreports').'
'); + + $testingdata = '
'.get_string('environment', 'admin'). + ' - '.get_string('adminhelpenvironment').'
'; + + $testingdata .= '
'.get_string('simpletest', 'admin'). + ' - '.get_string('adminhelpsimpletest').'
'; + + $table->data[] = array(''.get_string('tests','admin').'', + $testingdata); $miscdata = '
'.get_string('sitefiles'). ' - '.get_string('adminhelpsitefiles').'
'; diff --git a/admin/modules.php b/admin/modules.php index c88787af78..25d9492a09 100644 --- a/admin/modules.php +++ b/admin/modules.php @@ -126,8 +126,10 @@ } } } - - //rebuild_course_cache(); // Because things have changed + // Delete the capabilities that were defined by this module + capabilities_cleanup('mod/'.$module->name); + + // rebuild_course_cache(); // Because things have changed $coursesaffected = true; $a->module = $strmodulename; diff --git a/admin/roles/assign.html b/admin/roles/assign.html new file mode 100755 index 0000000000..389dcf7eff --- /dev/null +++ b/admin/roles/assign.html @@ -0,0 +1,99 @@ + +
+ + + + + + + + + + + + + + + +
+ count = count($contextusers); + $a->items = $strexistingusers; + print_string('counteditems', '', $a); + ?> + + count = $usercount; + $a->items = $strpotentialusers; + print_string('counteditems', '', $a); + ?> +
+ +
+ +
+ +
+ 		+ +
+ + + '."\n"; + } + ?> +
+
+ + diff --git a/admin/roles/assign.php b/admin/roles/assign.php new file mode 100755 index 0000000000..0d82b8b349 --- /dev/null +++ b/admin/roles/assign.php @@ -0,0 +1,164 @@ +wwwroot/$CFG->admin/index.php"); + } + + if (! $context = get_record("context", "id", $contextid)) { + error("Context ID was incorrect (can't find it)"); + } + + /* permission check to see whether this user can assign people to this role + * needs to be: + * 1) has the capability to assign + * 2) not in role_deny_grant + * end of permission checking + */ + +/* + if ($course->metacourse) { + redirect("$CFG->wwwroot/course/importstudents.php?id=$course->id"); + } +*/ + require_login($course->id); + + if (!isteacheredit($course->id)) { + error("You must be an editing teacher in this course, or an admin"); + } + + $strassignusers = get_string('assignusers'); + $strpotentialusers = get_string('potentialusers'); + $strexistingusers = get_string('existingusers'); + $strsearch = get_string('search'); + $strshowall = get_string('showall'); +/* + if ($course && $course->id != SITEID) { // course header + print_header("$course->shortname: $strassignusers", + "$site->fullname", + "id\">$course->shortname -> $strassignusers"); + } else { // site header + print_header("$site->shortname: $strassignusers", + "$site->fullname", + "$strassignusers"); + } + */ + $straction = get_string('roleassignment'); + $context = get_record('context', 'id', $contextid); + $currenttab = ''; + $tabsmode = 'assign'; + include_once('tabs.php'); + +/// Don't allow restricted teachers to even see this page (because it contains +/// a lot of email addresses and access to all student on the server + + check_for_restricted_user($USER->username, "$CFG->wwwroot/course/view.php?id=$course->id"); + +/// Print a help notice about the need to use this page + + if (!$frm = data_submitted()) { + +/// A form was submitted so process the input + + } else { + if ($add and !empty($frm->addselect) and confirm_sesskey()) { + //$timestart = ???? + // time end = ???? + $timemodified = time(); + foreach ($frm->addselect as $adduser) { + $adduser = clean_param($adduser, PARAM_INT); + if (! role_assign($roleid, $adduser, 0, $contextid, $timestart, $timeend, $hidden)) { + error("Could not add user with id $adduser to this role!"); + } + } + } else if ($remove and !empty($frm->removeselect) and confirm_sesskey()) { + foreach ($frm->removeselect as $removeuser) { + $removeuser = clean_param($removeuser, PARAM_INT); + if (! role_unassign($roleid, $removeuser, 0, $contextid)) { + error("Could not remove user with id $removeuser from this role!"); + } + } + } else if ($showall) { + $searchtext = ''; + $previoussearch = 0; + } + } + + +/// Get all existing students and teachers for this course. + $existinguserarray = array(); + + $SQL = "select u.* from {$CFG->prefix}role_assignments r, {$CFG->prefix}user u where contextid = $contextid and roleid = $roleid and u.id = r.userid"; // join now so that we can just use fullname() later + if (!$contextusers = get_records_sql($SQL)) { + $contextusers = array(); + } + + foreach ($contextusers as $contextuser) { + $existinguserarray[] = $contextuser->id; + } + + $existinguserlist = implode(',', $existinguserarray); + unset($existinguserarray); + +/// Get search results excluding any users already in this course + if (($searchtext != '') and $previoussearch) { + $searchusers = get_users(true, $searchtext, true, $existinguserlist, 'firstname ASC, lastname ASC', + '', '', 0, 99999, 'id, firstname, lastname, email'); + $usercount = get_users(false, '', true, $existinguserlist); + } + +/// If no search results then get potential students for this course excluding users already in course + if (empty($searchusers)) { + + $usercount = get_users(false, '', true, $existinguserlist, 'firstname ASC, lastname ASC', '', '', + 0, 99999, 'id, firstname, lastname, email') ; + $users = array(); + + if ($usercount <= MAX_USERS_PER_PAGE) { + $users = get_users(true, '', true, $existinguserlist, 'firstname ASC, lastname ASC', '', '', + 0, 99999, 'id, firstname, lastname, email'); + } + + } + + // this needs to check capability too + $role = get_records('role'); + foreach ($role as $rolex) { + $options[$rolex->id] = $rolex->name; + } + + // prints a form to swap roles + print ('
'); + print ('
Current Context: '.print_context_name($contextid).'
'); + print ('Select a Role: '); + choose_from_menu ($options, 'roleid', $roleid, 'choose', $script='rolesform.submit()'); + print ('
'); + + if ($roleid) { + + print_simple_box_start("center"); + + include('assign.html'); + + print_simple_box_end(); + + } + print_footer($course); + +?> diff --git a/admin/roles/manage.html b/admin/roles/manage.html new file mode 100755 index 0000000000..8338c45046 --- /dev/null +++ b/admin/roles/manage.html @@ -0,0 +1,60 @@ +
+ + + +
Role Name: +
Role Description: + +

+ + + + + component != $component or $capability->contextlevel != $contextlevel) { + echo (''); + } + + // these 2 are used to see to group same mod/core capabilities together + $contextlevel = $capability->contextlevel; + $component = $capability->component; + + // check the capability override for this cap, this role in this context + + $SQL = "select * from {$CFG->prefix}role_capabilities where + roleid = $roleid and capability = '$capability->name' and contextid = $contextid"; + + $localoverride = get_record_sql($SQL); + + if (isset($r_caps[$capability->name])) { + $isallow = $r_caps[$capability->name] > 0; + $isprevent = $r_caps[$capability->name] < 0 && $r_caps[$capability->name] > -500; + $isprohibit = $r_caps[$capability->name] <= -500; + } else { + $isallow = 0; + $isprevent = 0; + $isprohibit = 0; + } + + ?> + + + + + + + + + + +
Capability NameInheritAllowPreventProhibit
'.get_component_string($capability->component, $capability->contextlevel).'
name); ?>permission) || $localoverride->permission==0){ echo 'checked="checked"'; }?>>permission) && $localoverride->permission==1){ echo 'checked="checked"'; }?>>permission) && $localoverride->permission==-1){ echo 'checked="checked"'; }?>>permission) && $localoverride->permission==-1000){ echo 'checked="checked"'; }?>>
+

+
+
diff --git a/admin/roles/manage.php b/admin/roles/manage.php new file mode 100755 index 0000000000..146052b2f8 --- /dev/null +++ b/admin/roles/manage.php @@ -0,0 +1,187 @@ +id; + + if (!isadmin()) { + error('Only admins can access this page'); + } + + if (!$site = get_site()) { + redirect('index.php'); + } + + $stradministration = get_string('administration'); + $strmanageroles = get_string('manageroles'); + + print_header("$site->shortname: $strmanageroles", + "$site->fullname", + "$stradministration -> $strmanageroles"); + + // form processing, editting a role, adding a role or deleting a role + if ($action && confirm_sesskey()) { + + switch ($action) { + case 'add': + + $newrole = create_role($name, $description); + + $ignore = array('roleid', 'sesskey', 'action', 'name', 'description', 'contextid'); + + $data = data_submitted(); + + foreach ($data as $capname => $value) { + if (in_array($capname, $ignore)) { + continue; + } + + assign_capability($capname, $value, $newrole, $contextid); + + } + + break; + + case 'edit': + + $ignore = array('roleid', 'sesskey', 'action', 'name', 'description', 'contextid'); + + $data = data_submitted(); + + foreach ($data as $capname => $value) { + if (in_array($capname, $ignore)) { + continue; + } + + // edit default caps + $SQL = "select * from {$CFG->prefix}role_capabilities where + roleid = $roleid and capability = '$capname' and contextid = $contextid"; + + $localoverride = get_record_sql($SQL); + + if ($localoverride) { // update current overrides + + if ($value == 0) { // inherit = delete + + unassign_capability($capname, $roleid, $contextid); + + } else { + + $localoverride->permission = $value; + $localoverride->timemodified = time(); + $localoverride->modifierid = $USER->id; + update_record('role_capabilities', $localoverride); + + } + + } else { // insert a record + + assign_capability($capname, $value, $roleid, $contextid); + + } + + } + + // update normal role settings + + $role->id = $roleid; + $role->name = $name; + $role->description = $description; + + update_record('role', $role); + + break; + + case 'delete': + if ($confirm) { // deletes a role + echo ('deleting...'); + + // check for depedencies + + // delete all associated role-assignments? + delete_records('role', 'id', $roleid); + + } else { + echo ('
'); + echo (''); + echo (''); + echo (''); + echo (''); + echo ('are you sure?'); + echo (''); + print_footer($course); + exit; + + // prints confirmation form + } + + break; + + /// add possible positioning switch here + + default: + break; + + } + + } + + if ($roleid) { // load the role if id is present + $role = get_record('role', 'id', $roleid); + $action = 'edit'; + } else { + $role->name=''; + $role->description=''; + $action = 'add'; + } + + $roles = get_records('role'); + + foreach ($roles as $rolex) { + $options[$rolex->id] = $rolex->name; + } + + // prints a form to swap roles + print (''); + print ('
Select a Role: '); + choose_from_menu ($options, 'roleid', $roleid, 'choose', $script='rolesform1.submit()'); + print ('
'); + + $sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID); + $contextid = $sitecontext->id; + + // this is the array holding capabilities of this role sorted till this context + $r_caps = role_context_capabilities($roleid, $sitecontext->id); + + // this is the available capabilities assignable in this context + $capabilities = fetch_context_capabilities($sitecontext->id); + + if (!$roleid) { + $action='add'; + } else { + $action='edit'; + } + + print_simple_box_start(); + include_once('manage.html'); + print_simple_box_end(); + /************************************************* + * List all roles and link them to override page * + *************************************************/ + + foreach ($roles as $role) { + echo ('
'.$role->name.' delete'); + } + + print_footer($course); +?> diff --git a/admin/roles/override.html b/admin/roles/override.html new file mode 100755 index 0000000000..bb4b8cbec3 --- /dev/null +++ b/admin/roles/override.html @@ -0,0 +1,54 @@ +
+ + + + + + + component != $component or $capability->contextlevel != $contextlevel) { + echo (''); + } + + // these 2 are used to see to group same mod/core capabilities together + $contextlevel = $capability->contextlevel; + $component = $capability->component; + + // check the capability override for this cap, this role in this context + + $SQL = "select * from {$CFG->prefix}role_capabilities where + roleid = $roleid and capability = '$capability->name' and contextid = $contextid"; + + $localoverride = get_record_sql($SQL); + + if (isset($r_caps[$capability->name])) { + $isallow = $r_caps[$capability->name] > 0; + $isprevent = $r_caps[$capability->name] < 0 && $r_caps[$capability->name] > -500; + $isprohibit = $r_caps[$capability->name] <= -500; + } else { + $isallow = 0; + $isprevent = 0; + $isprohibit = 0; + } + + ?> + + + + + + + + + + +
Capability NameInheritAllowPreventProhibit
'.get_component_string($capability->component, $capability->contextlevel).'
name); ?>permission) || $localoverride->permission==0){ echo 'checked="checked"';} if ($isprohibit || islegacy($capability->name)) {echo 'disabled="disabled"'; }?>>>permission) && $localoverride->permission==1){ echo 'checked="checked"'; } if ($isprohibit || islegacy($capability->name)) {echo 'disabled="disabled"'; }?>>>permission) && $localoverride->permission==-1){ echo 'checked="checked"'; } if ($isprohibit || islegacy($capability->name)) {echo 'disabled="disabled"'; }?>>>permission) && $localoverride->permission==-1000){ echo 'checked="checked"'; } if ($isprohibit || islegacy($capability->name)) {echo 'disabled="disabled"'; }?>>
+ +
diff --git a/admin/roles/override.php b/admin/roles/override.php new file mode 100755 index 0000000000..f5f531b8d3 --- /dev/null +++ b/admin/roles/override.php @@ -0,0 +1,119 @@ + id) { + error ('can not override base role capabilities'); + } + + if (! $site = get_site()) { + redirect("$CFG->wwwroot/$CFG->admin/index.php"); + } + + $stroverrides = get_string('roleoverries'); +/* + if ($course && $course->id != SITEID) { // course header + print_header("$course->shortname: $stroverrides", + "$site->fullname", + "id\">$course->shortname -> $stroverrides"); + } else { // site header + print_header("$site->shortname: $stroverrides", + "$site->fullname", + "$stroverrides"); + } +*/ + $context = get_record('context', 'id', $contextid); + $straction = get_string('editoverride'); + $currenttab = ''; + $tabsmode = 'override'; + include_once('tabs.php'); + /************************* + * form processing here * + *************************/ + if ($data = data_submitted()) { + // add or update + foreach ($data as $capname => $value) { + // ignore contextid and roleid + if ($capname == "contextid" || $capname == "roleid") { + continue; + } + + $SQL = "select * from {$CFG->prefix}role_capabilities where + roleid = $roleid and capability = '$capname' and contextid = $contextid"; + + $localoverride = get_record_sql($SQL); + + if ($localoverride) { // update current overrides + + if ($value == 0) { // inherit = delete + + delete_records('role_capabilities', 'roleid', $roleid, 'contextid', $contextid, 'capability', $capname); + + } else { + + $localoverride->permission = $value; + $localoverride->timemodified = time(); + $localoverride->modifierid = $USER->id; + update_record('role_capabilities', $localoverride); + + } + + } else { // insert a record + + $override->capability = $capname; + $override->contextid = $contextid; + $override->roleid = $roleid; + $override->permission = $value; + $override->timemodified = time(); + $override->modifierid = $USER->id; + insert_record('role_capabilities', $override); + } + + } + + } + + /***************************************** + * drop down for swapping between roles * + *****************************************/ + + // this needs to check capability too + $role = get_records('role'); + foreach ($role as $rolex) { + $options[$rolex->id] = $rolex->name; + } + + print ('
'); + print ('
Current Context: '.print_context_name($contextid).'
'); + print ('Select a Role: '); + choose_from_menu ($options, 'roleid', $roleid, 'choose', $script='rolesform.submit()'); + print ('
'); + + /************************************** + * print html for editting overrides * + **************************************/ + + if ($roleid) { + + // this is the array holding capabilities of this role sorted till this context + $r_caps = role_context_capabilities($roleid, $contextid); + + // this is the available capabilities assignable in this context + $capabilities = fetch_context_capabilities($contextid); + + print_simple_box_start("center"); + + include_once('override.html'); + + print_simple_box_end(); + + } + + print_footer($course); + +?> diff --git a/admin/roles/tabs.php b/admin/roles/tabs.php new file mode 100755 index 0000000000..04824627e8 --- /dev/null +++ b/admin/roles/tabs.php @@ -0,0 +1,116 @@ +level) { + + case CONTEXT_SYSTEM: + print_header($site->fullname, "$site->fullname","$straction"); + break; + + case CONTEXT_PERSONAL: + break; + + case CONTEXT_USERID: + break; + + case CONTEXT_COURSECAT: + $category = get_record('course_categories', 'id', $context->instanceid); + $strcategories = get_string("categories"); + $strcategory = get_string("category"); + $strcourses = get_string("courses"); + print_header("$site->shortname: $category->name", "$site->fullname: $strcourses", + "wwwroot/course/index.php\">$strcategories -> wwwroot/course/category.php?id=$category->id\">$category->name -> $straction", "", "", true); + break; + + case CONTEXT_COURSE: + $streditcoursesettings = get_string("editcoursesettings"); + + $course = get_record('course', 'id', $context->instanceid); + print_header($streditcoursesettings, "$course->fullname", + "wwwroot/course/view.php?id=$course->id\">$course->shortname + -> wwwroot/course/edit.php?id=$course->id\">$streditcoursesettings -> $straction"); + break; + + case CONTEXT_GROUP: + break; + + case CONTEXT_MODULE: + // get module type? + $cm = get_record('course_modules','id',$context->instanceid); + $module = get_record('modules','id',$cm->module); //$module->name; + $course = get_record('course','id',$cm->course); + + if (! $form = get_record($module->name, "id", $cm->instance)) { + error("The required instance of this module doesn't exist"); + } + + $strnav = "wwwroot/mod/$module->name/view.php?id=$cm->id\">$form->name ->"; + $fullmodulename = get_string("modulename", $module->name); + $streditinga = get_string("editinga", "moodle", $fullmodulename); + $strmodulenameplural = get_string("modulenameplural", $module->name); + + if ($module->name == "label") { + $focuscursor = ""; + } else { + $focuscursor = "form.name"; + } + + print_header_simple($streditinga, '', + "wwwroot/mod/$module->name/index.php?id=$course->id\">$strmodulenameplural -> + $strnav wwwroot/course/mod.php?update=$cm->id&sesskey=".sesskey()."\">$streditinga -> $straction", $focuscursor, "", false); + + break; + + case CONTEXT_BLOCK: + print_header(); + break; + + default: + error ('This is an unknown context!'); + return false; + + } +} + + + // Printing the tabs + if ($context->level == CONTEXT_MODULE) { // only show update button if module? + + $toprow[] = new tabobject('update', $CFG->wwwroot.'/course/mod.php?update='.$context->instanceid.'&return=true&sesskey='.sesskey(), get_string('update')); + + } + + $toprow[] = new tabobject('roles', $CFG->wwwroot.'/admin/roles/assign.php?contextid='.$context->id, get_string('roles')); + + if (isset($tabsmode)) { + $inactive[] = 'roles'; + + $secondrow[] = new tabobject('assign', $CFG->wwwroot.'/admin/roles/assign.php?contextid='.$context->id, get_string('roleassignments')); + + if ($context->level == CONTEXT_SYSTEM) { + $secondrow[] = new tabobject('override', '', get_string('roleoverrides')); + } else { + $secondrow[] = new tabobject('override', $CFG->wwwroot.'/admin/roles/override.php?contextid='.$context->id, get_string('roleoverrides')); + } + + if ($tabsmode == 'override') { + $currenttab = 'override'; + } elseif ($tabsmode == 'assign') { + $currenttab = 'assign'; + } + + } else { + $inactive[] = ''; + } + + if (!empty($secondrow)) { + $tabs = array($toprow, $secondrow); + } else { + $tabs = array($toprow); + } + + print_tabs($tabs, $currenttab, $inactive); + + +?> diff --git a/admin/user.php b/admin/user.php index 01814b820c..1ac78d8ceb 100644 --- a/admin/user.php +++ b/admin/user.php @@ -20,6 +20,8 @@ $admin = new object(); $teacher = new object(); + $context = get_context_instance(CONTEXT_SYSTEM, SITEID); + if (! record_exists("user_admins")) { // No admin user yet $user->firstname = get_string("admin"); @@ -138,7 +140,7 @@ notify(get_string("usernotconfirmed", "", fullname($user, true))); } - } else if ($delete and confirm_sesskey()) { // Delete a selected user, after confirmation + } else if ($delete and confirm_sesskey() and has_capability('moodle/user:delete', $context->id)) { // Delete a selected user, after confirmation if (!$user = get_record("user", "id", "$delete")) { error("No such user!"); } @@ -307,7 +309,10 @@ if ($user->id == $USER->id or $user->username == "changeme") { $deletebutton = ""; } else { - $deletebutton = "id&sesskey=$USER->sesskey\">$strdelete"; + if (has_capability('moodle/user:delete', $context->id)) { + $deletebutton = "id&sesskey=$USER->sesskey\">$strdelete"; } else { + $deletebutton =""; + } } if ($user->lastaccess) { $strlastaccess = format_time(time() - $user->lastaccess); @@ -320,7 +325,10 @@ $confirmbutton = ""; } $fullname = fullname($user, true); - $table->data[] = array ("id&course=$site->id\">$fullname", + + if (has_capability('moodle/user:edit', $context->id)) { + + $table->data[] = array ("id&course=$site->id\">$fullname", "$user->email", "$user->city", "$user->country", @@ -328,6 +336,16 @@ "id&course=$site->id\">$stredit", $deletebutton, $confirmbutton); + } else { + $table->data[] = array ("id&course=$site->id\">$fullname", + "$user->email", + "$user->city", + "$user->country", + $strlastaccess, + $deletebutton, + $confirmbutton); + + } } } @@ -340,14 +358,18 @@ } echo ""; echo ""; - print_heading("sesskey\">".get_string("addnewuser").""); - + + if (has_capability('moodle/user:create', $context->id)) { + print_heading("sesskey\">".get_string("addnewuser").""); + } if (!empty($table)) { print_table($table); print_paging_bar($usercount, $page, $perpage, "user.php?sort=$sort&dir=$dir&perpage=$perpage". "&firstinitial=$firstinitial&lastinitial=$lastinitial&search=".urlencode(stripslashes($search))."&"); - print_heading("sesskey\">".get_string("addnewuser").""); + if (has_capability('moodle/user:create', $context->id)) { + print_heading("sesskey\">".get_string("addnewuser").""); + } } diff --git a/admin/users.php b/admin/users.php index ca30960f1c..093baf3d69 100644 --- a/admin/users.php +++ b/admin/users.php @@ -11,7 +11,7 @@ if (!$site = get_site()) { redirect("index.php"); } - + $context = get_context_instance(CONTEXT_SYSTEM, SITEID); $stradministration = get_string("administration"); $strusers = get_string("users"); @@ -24,12 +24,33 @@ $table->data[] = array("sesskey\">".get_string("authentication")."", get_string("adminhelpauthentication")); - $table->data[] = array("".get_string("edituser")."", + + if (has_capability('moodle/user:update', $context->id)) { + $table->data[] = array("".get_string("edituser")."", get_string("adminhelpedituser")); - $table->data[] = array("wwwroot/$CFG->admin/user.php?newuser=true&sesskey=$USER->sesskey\">".get_string("addnewuser")."", + } + + if (has_capability('moodle/user:create', $context->id)) { + $table->data[] = array("wwwroot/$CFG->admin/user.php?newuser=true&sesskey=$USER->sesskey\">".get_string("addnewuser")."", get_string("adminhelpaddnewuser")); - $table->data[] = array("wwwroot/$CFG->admin/uploaduser.php?sesskey=$USER->sesskey\">".get_string("uploadusers")."", + } + + if (has_capability('moodle/user:create', $context->id)) { + $table->data[] = array("wwwroot/$CFG->admin/uploaduser.php?sesskey=$USER->sesskey\">".get_string("uploadusers")."", get_string("adminhelpuploadusers")); + } + + $table->data[] = array('', '
'); + $table->data[] = array("sesskey\">".get_string("enrolmentplugins")."", + get_string("adminhelpenrolments")); + $table->data[] = array("sesskey\">".get_string("assignstudents")."", + get_string("adminhelpassignstudents")); + $table->data[] = array("sesskey\">".get_string("assignteachers")."", + get_string("adminhelpassignteachers")." \"\""); + $table->data[] = array("sesskey\">".get_string("assigncreators")."", + get_string("adminhelpassigncreators")); + $table->data[] = array("sesskey\">".get_string("assignadmins")."", + get_string("adminhelpassignadmins")); print_table($table); diff --git a/admin/utfdbmigrate.php b/admin/utfdbmigrate.php index e351e6ec96..065264f598 100755 --- a/admin/utfdbmigrate.php +++ b/admin/utfdbmigrate.php @@ -1,7 +1,7 @@ libdir.'/adminlib.php'); require_once($CFG->libdir.'/environmentlib.php'); diff --git a/blocks/admin/block_admin.php b/blocks/admin/block_admin.php index f481c8b5a9..90ae5f3024 100644 --- a/blocks/admin/block_admin.php +++ b/blocks/admin/block_admin.php @@ -31,17 +31,25 @@ class block_admin extends block_list { function load_content_for_site() { global $CFG, $USER; + + $context = get_context_instance(CONTEXT_SYSTEM, SITEID); + if (has_capability('moodle/site:config', $context->id)) { - if (isadmin()) { $this->content->items[] = ''.get_string('configuration').''; $this->content->icons[] = ''; - + } + + if (isadmin()) { $this->content->items[] = ''.get_string('users').''; $this->content->icons[] = ''; - + } + + if (has_capability('moodle/site:backup', $context->id)) { $this->content->items[]=''.get_string('backup').''; $this->content->icons[]=''; - + } + + if (has_capability('moodle/site:restore', $context->id)) { $this->content->items[]=''.get_string('restore').''; $this->content->icons[]=''; } @@ -83,6 +91,7 @@ class block_admin extends block_list { function load_content_for_course() { global $CFG, $USER; + $context = get_context_instance(CONTEXT_COURSE, $this->instance->pageid); require_once($CFG->dirroot.'/mod/forum/lib.php'); @@ -102,7 +111,8 @@ class block_admin extends block_list { $isteacheredit = isteacheredit($this->instance->pageid); - if ($isteacheredit) { + if (has_capability('moodle/course:update', $context->id)) { + //if (isteacheredit($this->instance->pageid)) { $this->content->icons[]=''; if (isediting($this->instance->pageid)) { $this->content->items[]=''.get_string('turneditingoff').''; @@ -112,66 +122,65 @@ class block_admin extends block_list { $this->content->items[]=''.get_string('settings').''; $this->content->icons[]=''; - - - $fullname = fullname($USER, true); - $editmyprofile = ''.get_string('editmyprofile').''; - if (empty($USER->description)) { - //Accessibility: replace non-standard with CSS ( makes title visible in IE). - $text = get_string('profile').' '.get_string('missingdescription'); - $this->content->items[]= $editmyprofile.' *'.$text.''; - } else { - $this->content->items[]= $editmyprofile; + } + + $fullname = fullname($USER, true); + $editmyprofile = ''.get_string('editmyprofile').''; + if (empty($USER->description)) { + //Accessibility: replace non-standard with CSS ( makes title visible in IE). + $text = get_string('profile').' '.get_string('missingdescription'); + $this->content->items[]= $editmyprofile.' *'.$text.''; + } else { + $this->content->items[]= $editmyprofile; + } + $this->content->icons[]=''; + + /// always need a role assignment link + if (has_capability('moodle/role:assign', $context->id)) { + $this->content->items[]=''.get_string('assignusers', 'roles').''; + $this->content->icons[]=''; + } + + if ($course->metacourse) { + $strchildcourses = get_string('childcourses'); + $this->content->items[]=''.$strchildcourses.''; + $this->content->icons[]=''; + } + if ($course->groupmode || !$course->groupmodeforce) { + $strgroups = get_string('groups'); + $this->content->items[]=''.$strgroups.''; + $this->content->icons[]=''; } - $this->content->icons[]=''; - - - if (iscreator() || !empty($CFG->teacherassignteachers)) { - if (!$course->teachers) { - $course->teachers = get_string('defaultcourseteachers'); - } - $this->content->items[]=''.$course->teachers.''; - $this->content->icons[]=''; - } - - if (!$course->students) { - $course->students = get_string('defaultcoursestudents'); - } - if (!$course->metacourse) { - $this->content->items[]=''.$course->students.''; - $this->content->icons[]=''; - } else { - $strchildcourses = get_string('childcourses'); - $this->content->items[]=''.$strchildcourses.''; - $this->content->icons[]=''; - } - if ($course->groupmode || !$course->groupmodeforce) { - $strgroups = get_string('groups'); - $this->content->items[]=''.$strgroups.''; - $this->content->icons[]=''; - } - - $this->content->items[]=''.get_string('backup').''; - $this->content->icons[]=''; - - $this->content->items[]=''.get_string('restore').''; - $this->content->icons[]=''; - - $this->content->items[]=''.get_string('import').''; - $this->content->icons[]=''; - $this->content->items[]=''.get_string('reset').''; - $this->content->icons[]=''; - $this->content->items[]=''.get_string('reports').''; - $this->content->icons[]=''; - - $this->content->items[]=''.get_string('questions', 'quiz').''; - $this->content->icons[]=''; - - $this->content->items[]=''.get_string('scales').''; - $this->content->icons[]=''; + if (has_capability('moodle/site:backup', $context->id)) { + $this->content->items[]=''.get_string('backup').''; + $this->content->icons[]=''; + } + + if (has_capability('moodle/site:restore', $context->id)) { + $this->content->items[]=''.get_string('restore').''; + $this->content->icons[]=''; + } + + $this->content->items[]=''.get_string('import').''; + $this->content->icons[]=''; + + if (has_capability('moodle/site:import', $context->id)) { + $this->content->items[]=''.get_string('reset').''; + $this->content->icons[]=''; } + + $this->content->items[]=''.get_string('reports').''; + $this->content->icons[]=''; + + $this->content->items[]=''.get_string('questions', 'quiz').''; + $this->content->icons[]=''; + if (has_capability('moodle/course:managescales', $context->id)) { + $this->content->items[]=''.get_string('scales').''; + $this->content->icons[]=''; + } + $this->content->items[]=''.get_string('grades').''; $this->content->icons[]=''; diff --git a/blocks/moodleblock.class.php b/blocks/moodleblock.class.php index a6ffbdca4c..e3c170b178 100644 --- a/blocks/moodleblock.class.php +++ b/blocks/moodleblock.class.php @@ -281,8 +281,34 @@ class block_base { * @todo complete documenting this function. Define $options. */ function _add_edit_controls($options) { + global $CFG, $USER; - + + // this is the context relevant to this particular block instance + $blockcontext = get_context_instance(CONTEXT_BLOCK, $this->instance->id); + + // context for site or course, i.e. participant list etc + // check to see if user can edit site or course blocks. + // blocks can appear on other pages such as mod and blog pages... + + switch ($this->instance->pagetype) { + case 'course-view': + if ($this->instance->pageid == SITEID) { + $context = get_context_instance(CONTEXT_SYSTEM, $this->instance->pageid); + } else { + $context = get_context_instance(CONTEXT_COURSE, $this->instance->pageid); + } + + if (!has_capability('moodle/site:manageblocks', $context->id)) { + return null; + } + break; + default: + + break; + } + + if (!isset($this->str)) { $this->str->delete = get_string('delete'); $this->str->moveup = get_string('moveup'); @@ -310,6 +336,10 @@ class block_base { $page = page_create_object($this->instance->pagetype, $this->instance->pageid); $script = $page->url_get_full(array('instanceid' => $this->instance->id, 'sesskey' => $USER->sesskey)); + // place holder for roles button + $movebuttons .= '' . + ''.get_string('roles').''; + $movebuttons .= '' . ''.$title.''; diff --git a/blocks/participants/block_participants.php b/blocks/participants/block_participants.php index da124328c3..db666b641c 100644 --- a/blocks/participants/block_participants.php +++ b/blocks/participants/block_participants.php @@ -7,7 +7,25 @@ class block_participants extends block_list { } function get_content() { + global $USER, $CFG; + + // the following 3 lines is need to pass _self_test(); + if (!$this->instance->pageid) { + return ''; + } + + // only 2 possible contexts, site or course + if ($this->instance->pageid == SITEID) { // site context + $context = get_context_instance(CONTEXT_SYSTEM, SITEID); + } else { // course context + $context = get_context_instance(CONTEXT_COURSE, $this->instance->pageid); + } + + if (!has_capability('moodle/course:viewparticipants', $context->id)) { + $this->context = ''; + return $this->content; + } if ($this->content !== NULL) { return $this->content; @@ -33,7 +51,7 @@ class block_participants extends block_list { isteacher(SITEID)) { $this->content->items[] = ''.get_string('participants').''; + $CFG->wwwroot.'/user/index.php?id='.$this->instance->pageid.'&contextid='.$context->id.'">'.get_string('participants').''; $this->content->icons[] = ''; } diff --git a/blog/edit.php b/blog/edit.php index 31c7256a2e..171304946f 100755 --- a/blog/edit.php +++ b/blog/edit.php @@ -16,29 +16,31 @@ if (!$referrer = optional_param('referrer','', PARAM_URL)) { } } -//first verify that user is not a guest -if (isguest()) { - error(get_string('noguestpost', 'blog'), $referrer); + +$context = get_context_instance(CONTEXT_SYSTEM, SITEID); +if (!has_capability('moodle/blog:readentries', $context->id)) { + error(get_string('nopost', 'blog'), $referrer); } -// make sure that the person trying to edit have access right + +// Make sure that the person trying to edit have access right if ($editid = optional_param('editid', 0, PARAM_INT)) { $blogEntry = get_record('post', 'id', $editid); - if (!blog_user_can_edit_post($blogEntry)) { - error( get_string('notallowedtoedit', 'blog'), $CFG->wwwroot .'/login/index.php'); + if (!blog_user_can_edit_post($blogEntry, $context->id)) { + error( get_string('notallowedtoedit', 'blog'), $CFG->wwwroot .'/login/index.php'); } } -//check to see if there is a requested blog to edit +// Check to see if there is a requested blog to edit if (isloggedin() && !isguest()) { $userid = $USER->id; } else { error(get_string('noblogspecified', 'blog') .'' .get_string('viewentries', 'blog') .''); } -// if we are trying to delete an non-existing blog entry +// If we are trying to delete an non-existing blog entry if (isset($act) && ($act == 'del') && (empty($blogEntry))) { error ('the entry you are trying to delete does not exist'); } @@ -153,7 +155,7 @@ function do_delete($postid) { // check ownership $blogEntry = get_record('post','id',$postid); - if (blog_user_can_edit_post($blogEntry)) { + if (blog_user_can_edit_post($blogEntry, $context->id)) { if (delete_records('post','id',$postid)) { //echo "bloginfo_arg:"; //debug diff --git a/blog/header.php b/blog/header.php index ae361a059f..ba97373cb7 100755 --- a/blog/header.php +++ b/blog/header.php @@ -237,6 +237,3 @@ if (blocks_have_content($pageblocks, BLOCK_POS_LEFT) || $editing) { print '' . "\n"; print ''; ?> - - -'; echo '
diff --git a/blog/index.php b/blog/index.php index d4dc1eaba2..845ea209f1 100755 --- a/blog/index.php +++ b/blog/index.php @@ -26,6 +26,8 @@ $postid = optional_param('postid',0,PARAM_INT); $filtertype = optional_param('filtertype', '', PARAM_ALPHA); $filterselect = optional_param('filterselect', 0, PARAM_INT); + + /// overwrite filter code here if ($filtertype) { @@ -48,7 +50,6 @@ if ($filtertype) { } $userid =0; $groupid = 0; - break; case 'group': @@ -61,7 +62,6 @@ if ($filtertype) { $groupid = 0; } $userid = 0; - break; case 'user': @@ -69,13 +69,12 @@ if ($filtertype) { $userid = $filterselect; } $groupid = 0; - break; default: break; } -} else if ($userid) { //default to user +} else if ($userid) { // default to user $filtertype = 'user'; $filterselect = $userid; } else { @@ -83,43 +82,53 @@ if ($filtertype) { $filterselect = ''; } -/// rights checking + + +/// Rights checking. switch ($filtertype) { case 'site': - if ($CFG->bloglevel < BLOG_SITE_LEVEL && (!isadmin())) { - error ('site blogs is not enabled'); + $context = get_context_instance(CONTEXT_SYSTEM, SITEID); + if ($CFG->bloglevel < BLOG_SITE_LEVEL && + !has_capability('moodle/site:config', $context->id)) { + error('Site blogs is not enabled'); } else if ($CFG->bloglevel < BLOG_GLOBAL_LEVEL) { require_login(); } break; case 'course': - if ($CFG->bloglevel < BLOG_COURSE_LEVEL && (!isadmin())) { - error ('course blogs is not enabled'); + $context = get_context_instance(CONTEXT_COURSE, $courseid); + if ($CFG->bloglevel < BLOG_COURSE_LEVEL && + !has_capability('moodle/course:update', $context->id)) { + error('Course blogs is not enabled'); } - - if (!isstudent($filterselect) && !isteacher($filterselect)) { - error ('you must be a student in this course to view course blogs'); + if (!has_capability('moodle/blog:readentry', $context->id)) { + error('You do not have the required permissions to to view course blogs'); } - /// check if viewer is student break; case 'group': - if ($CFG->bloglevel < BLOG_GROUP_LEVEL && (!isadmin())) { - error ('group blogs is not enabled'); + $sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID); + $coursecontext = get_context_instance(CONTEXT_COURSE, $courseid); + if ($CFG->bloglevel < BLOG_GROUP_LEVEL && + !has_capability('moodle/site:config', $sitecontext->id)) { + error ('Group blogs is not enabled'); } - if (!isteacheredit($course) and (groupmode($course) == SEPARATEGROUPS)) { + if (!has_capability('moodle/course:update', $coursecontext->id) && + groupmode($course) == SEPARATEGROUPS) { if (!ismember($filterselect)) { - error ('you are not in this group'); + error ('You are not a member of this group'); } } /// check if user is editting teacher, or if spg, is member break; case 'user': - if ($CFG->bloglevel < BLOG_USER_LEVEL && (!isadmin())) { + $context = get_context_instance(CONTEXT_SYSTEM, $context->id); + if ($CFG->bloglevel < BLOG_USER_LEVEL && + !has_capability('moodle/site:config', SITEID)) { error ('Blogs is not enabled'); } - - if ($CFG->bloglevel == BLOG_USER_LEVEL and $USER->id != $filterselect and !isadmin()) { + if ($CFG->bloglevel == BLOG_USER_LEVEL && $USER->id != $filterselect && + !has_capability('moodle/site:config', $context->id)) { error ('Under this setting, you can only view your own blogs'); } @@ -134,12 +143,20 @@ switch ($filtertype) { // first set the start and end day equal to the day argument passed in from the get vars if ($limit == 'none') { - $limit = get_user_preferences('blogpagesize',10); + $limit = get_user_preferences('blogpagesize', 10); } include($CFG->dirroot .'/blog/header.php'); -$blogpage = optional_param('blogpage',0,PARAM_INT); +// prints the tabs +$currenttab = 'blogs'; +$user = $USER; +if (!$course) { + $course = get_record('course', 'id', optional_param('courseid', SITEID, PARAM_INT)); +} +require_once($CFG->dirroot .'/user/tabs.php'); + +$blogpage = optional_param('blogpage', 0, PARAM_INT); blog_print_html_formatted_entries($userid, $postid, $limit, ($blogpage * $limit) ,$filtertype, $filterselect, $tagid, $tag, $filtertype, $filterselect); diff --git a/blog/lib.php b/blog/lib.php index 776f9028c3..216bee9060 100755 --- a/blog/lib.php +++ b/blog/lib.php @@ -3,19 +3,22 @@ /** * Library of functions and constants for blog */ - require_once($CFG->libdir .'/blocklib.php'); require_once($CFG->libdir .'/pagelib.php'); require_once('rsslib.php'); require_once($CFG->dirroot .'/blog/blogpage.php'); - /* blog access level constant declaration */ + + /** + * Blog access level constant declaration + */ define ('BLOG_USER_LEVEL', 1); define ('BLOG_GROUP_LEVEL', 2); define ('BLOG_COURSE_LEVEL', 3); define ('BLOG_SITE_LEVEL', 4); define ('BLOG_GLOBAL_LEVEL', 5); + /** * Definition of blogcourse page type (blog page with course id present). */ @@ -25,15 +28,18 @@ $BLOG_YES_NO_MODES = array ( '0' => get_string('no'), '1' => get_string('yes') ); - //set default setting for $CFG->blog_* vars used by blog's blocks - //if they are not already. Otherwise errors are thrown - //when an attempt is made to use an empty var. + // Set default setting for $CFG->blog_* vars used by blog's blocks. + // If they are not already. Otherwise errors are thrown when an attempt + // is made to use an empty var. if (empty($SESSION->blog_editing_enabled)) { $SESSION->blog_editing_enabled = false; } - // checks to see if user has visited blogpages before, if not, install 2 default blocks - // (blog_menu and blog_tags) + + /** + * Checks to see if user has visited blogpages before, if not, install 2 + * default blocks (blog_menu and blog_tags). + */ function blog_check_and_install_blocks() { global $USER; if (isloggedin() && !isguest()) { @@ -78,6 +84,7 @@ return ($SESSION->blog_editing_enabled); } + /** * This function is in lib and not in BlogInfo because entries being searched * might be found in any number of blogs rather than just one. @@ -132,9 +139,10 @@ print $output; } + /** - * This function is in lib and not in BlogInfo because entries being searched - * might be found in any number of blogs rather than just one. + * This function is in lib and not in BlogInfo because entries being searched + * might be found in any number of blogs rather than just one. * * This function builds an array which can be used by the included * template file, making predefined and nicely formatted variables available @@ -184,7 +192,7 @@ echo '
'.$template['title'].'
'; - $fullname = fullname($user, isteacher($template['userid'])); + $fullname = fullname($user, $template['userid']); $by->name = ''.$fullname.''; $by->date = $template['lastmod']; @@ -240,11 +248,14 @@ echo '
'; if (isset($USER->id)) { - if (($template['userid'] == $USER->id) or isadmin()) { + $context = get_context_instance(CONTEXT_SYSTEM, SITEID); + $canmanage = has_capability('moodle/blog:manageentries', $context->id); + + if (($template['userid'] == $USER->id) or $canmanage) { echo ''.$stredit.''; } - if (($template['userid'] == $USER->id) or isadmin()) { + if (($template['userid'] == $USER->id) or $canmanage) { echo '| '.$strdelete.''; } } @@ -255,6 +266,7 @@ } + /** * Use this function to retrieve a list of publish states available for * the currently logged in user. @@ -274,25 +286,36 @@ return $options; } - // user can edit if he's an admin, or blog owner - function blog_user_can_edit_post($blogEntry) { + /** + * User can edit a blog entry if this is their own blog post and they have + * the capability moodle/blog:writeentry, or if they have the capability + * moodle/blog:manageentries. + */ + function blog_user_can_edit_post($blogEntry, $contextid) { + global $CFG, $USER; - return (isadmin() || ($blogEntry->userid == $USER->id)); - + return ((has_capability('moodle/blog:writeentries', $contextid) && + $blogEntry->userid == $USER->id) || + has_capability('moodle/blog:manageentries', $context->id)); } - /// Checks to see if a user can view the blogs of another user. - /// He can do so, if he is admin, in any same non-spg course, - /// or spg group, but same group member - function blog_user_can_view_user_post($targetuserid, $blogEntry=null) { - global $CFG, $USER; + /** + * Checks to see if a user can view the blogs of another user. + * He can do so, if he has the moodle/blog:readentry capability. In the + * case of spg group course, the user also needs to be in the same group. + */ + function blog_user_can_view_user_post($targetuserid, $blogEntry=null) { + + global $CFG, $USER; $canview = 0; //bad start - - if (isadmin()) { - return true; + + $context = get_context_instance(CONTEXT_SYSTEM, SITEID); + + if (!has_capability('moodle/blog:readentry', $context->id)) { + return false; } if ($USER->id && ($USER->id == $targetuserid)) { @@ -302,17 +325,17 @@ if ($blogEntry and $blogEntry->publishstate == 'draft') { // can not view draft return false; } - + $usercourses = get_my_courses($targetuserid); foreach ($usercourses as $usercourse) { - /// if viewer and user sharing same non-spg course, then grant permission - if (groupmode($usercourse)!= SEPARATEGROUPS){ - if (isstudent($usercourse->id) || isteacher($usercourse->id)) { - $canview = 1; - return $canview; - } + // If the viewer and user are sharing same non-spg course, then + // grant permission. + if (groupmode($usercourse) != SEPARATEGROUPS) { + $canview = 1; + return $canview; } else { - /// now we need every group the user is in, and check to see if view is a member + // Now we need every group the user is in, and check to see + // if view is a member. if ($usergroups = user_group($usercourse->id, $targetuserid)) { foreach ($usergroups as $usergroup) { if (ismember($usergroup->id)) { @@ -325,14 +348,16 @@ } if (!$canview && $CFG->bloglevel < BLOG_SITE_LEVEL) { - error ('you can not view this user\'s blogs'); + error ('You can not view this user\'s blogs'); } return $canview; } - /// moved from BlogEntry class + /** + * Moved from BlogEntry class. + */ function get_formatted_entry_body($body, $format) { global $CFG; include_once($CFG->libdir .'/weblib.php'); @@ -342,8 +367,10 @@ return stripslashes_safe($body); } -/// Main filter function + /** + * Main filter function. + */ function fetch_entries($userid, $postid='', $fetchlimit=10, $fetchstart='', $filtertype='', $filterselect='', $tagid='', $tag ='', $sort='lastmodified DESC', $limit=true) { global $CFG, $USER; @@ -522,18 +549,25 @@ return $records; } + /** * get the count of viewable entries, easiest way is to count fetch_entries * this is used for print_paging_bar * this is not ideal, but because of the UNION in the sql in fetch_entries, * it is hard to use count_records_sql */ - function get_viewable_entry_count($userid, $postid='', $fetchlimit=10, $fetchstart='', $filtertype='', $filterselect='', $tagid='', $tag ='', $sort='lastmodified DESC') { + function get_viewable_entry_count($userid, $postid='', $fetchlimit=10, + $fetchstart='', $filtertype='', $filterselect='', $tagid='', + $tag ='', $sort='lastmodified DESC') { - $blogEntries = fetch_entries($userid, $postid, $fetchlimit, $fetchstart,$filtertype, $filterselect, $tagid, $tag, $sort='lastmodified DESC', false); + $blogEntries = fetch_entries($userid, $postid, $fetchlimit, + $fetchstart, $filtertype, $filterselect, $tagid, $tag, + $sort='lastmodified DESC', false); + return count($blogEntries); } - + + /// Find the base url from $_GET variables, for print_paging_bar function get_baseurl($filtertype, $filterselect) { @@ -570,7 +604,8 @@ $querystring = '?'; } - return strip_querystring(qualified_me()) . $querystring. 'filtertype='.$filtertype.'&filterselect='.$filterselect.'&'; + return strip_querystring(qualified_me()) . $querystring. 'filtertype='. + $filtertype.'&filterselect='.$filterselect.'&'; } -?> +?> \ No newline at end of file diff --git a/blog/preferences.php b/blog/preferences.php index 5dc2fd7523..03e2886f9d 100755 --- a/blog/preferences.php +++ b/blog/preferences.php @@ -17,13 +17,11 @@ } } - //ensure that the logged in user is not using the guest account - if (isguest()) { - error(get_string('noguestpost', 'blog'), $referrer); - } - - if (!(isloggedin() && !isguest())) { - error(get_string('noguestpost', 'blog'), $referrer); + $context = get_context_instance(CONTEXT_SYSTEM, SITEID); + + // Ensure that the logged in user has the capability to post blog entries. + if (!has_capability('moodle/blog:writepost', $context->id)) { + error(get_string('nopost', 'blog'), $referrer); } $userid = $USER->id; diff --git a/blog/tags.html b/blog/tags.html index 99d1b9eb51..c14dc57324 100755 --- a/blog/tags.html +++ b/blog/tags.html @@ -12,7 +12,10 @@ print_heading(get_string('tagmanagement'));
- + id)) { + ?>
- + id)) { ?> :
diff --git a/blog/tags.php b/blog/tags.php index 1d909ea0f5..534e0d5240 100755 --- a/blog/tags.php +++ b/blog/tags.php @@ -2,16 +2,17 @@ require_once('../config.php'); require_login(); -if (isguest()) { - error ('Guests can not modify tags!'); -} + //form process $mode = optional_param('mode','',PARAM_ALPHA); +$context = get_context_instance(CONTEXT_SYSTEM, SITEID); + + switch ($mode) { - case 'addofficial': /// adding official tags - - if (!isadmin() || !confirm_sesskey()) { + case 'addofficial': + /// Adding official tags. + if (!has_capability('moodle/blog:manageofficialtags', $context->id) || !confirm_sesskey()) { die('you can not add official tags'); } @@ -21,21 +22,25 @@ switch ($mode) { $tag->type = 'official'; $tagid = insert_record('tags', $tag); - /// write newly added tags back into window opener + /// Write newly added tags back into window opener. echo ''; - } else { // tag already exist + } else { + /// Tag already exists. notify(get_string('tagalready')); } break; - case 'addpersonal': /// everyone can add personal tags - if (!confirm_sesskey() || isguest() || !isset($USER->id)) { + case 'addpersonal': + /// Everyone can add personal tags as long as they can write blog entries. + if (!confirm_sesskey() || + !has_capability('moodle/blog:writeentries', $context->id) || + !isset($USER->id)) { error ('you can not add tags'); } @@ -45,20 +50,22 @@ switch ($mode) { $tag->type = 'personal'; $tagid = insert_record('tags', $tag); - /// write newly added tags back into window opener + /// Write newly added tags back into window opener. echo ''; - } else { //tag already exist + } else { + /// Tag already exists. notify(get_string('tagalready')); } break; - case 'delete': /// delete a tag + case 'delete': + /// Delete a tag. if (!confirm_sesskey()) { error('you can not delete tags'); } @@ -69,14 +76,18 @@ switch ($mode) { $blogtag = get_record('tags','id',$tag); - // you can only delete your own tags, or you have to be an admin - if (!isadmin() and $USER->id != $blogtag->userid) { + // You can only delete your own tags, or you have to have the + // moodle/blog:manageofficialtags capability. + if (!has_capability('moodle/blog:manageofficialtags', $context->id) + && $USER->id != $blogtag->userid) { notify(get_string('norighttodeletetag','blog', $blogtag->text)); continue; } - /// Only admin can delete tags that are referenced - if (!isadmin() && get_records('blog_tag_instance','tagid', $tag)) { + // You can only delete tags that are referenced if you have + // the moodle/blog:manageofficialtags capability. + if (!has_capability('moodle/blog:manageofficialtags', $context->id) + && get_records('blog_tag_instance','tagid', $tag)) { notify('tag is used by other users, can not delete!'); continue; } @@ -84,7 +95,7 @@ switch ($mode) { delete_records('tags','id',$tag); delete_records('blog_tag_instance', 'tagid', $tag); - /// remove parent window option via javascript + /// Remove parent window option via javascript. echo '