From: vyshane
Date: Mon, 14 Aug 2006 07:25:18 +0000 (+0000)
Subject: Fixes for capability checks.
X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=d7bf6d17d91f1da0a9f49b5b4fdede409ed59241;p=moodle.git
Fixes for capability checks.
---
diff --git a/blog/edit.php b/blog/edit.php
index 93355f76b1..65bf431dde 100755
--- a/blog/edit.php
+++ b/blog/edit.php
@@ -18,7 +18,7 @@ if (!$referrer = optional_param('referrer','', PARAM_URL)) { $context = get_context_instance(CONTEXT_SYSTEM, SITEID); -if (!has_capability('moodle/blog:readentries', $context)) { +if (!has_capability('moodle/blog:view', $context)) { error(get_string('nopost', 'blog'), $referrer); }
@@ -55,7 +55,7 @@ if (isset($act) && ($act == 'del') && confirm_sesskey()) { $postid = required_param('editid', PARAM_INT); if (optional_param('confirm',0,PARAM_INT)) { - do_delete($postid); + do_delete($postid, $context); } else { /// prints blog entry and what confirmation form
@@ -98,7 +98,7 @@ if (($post = data_submitted( get_referer() )) && confirm_sesskey()) { do_update($post); } else if ($post->act == 'del') { $postid = required_param('postid', PARAM_INT); - do_delete($postid); + do_delete($postid, $context); } } } else { 
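Review bot: The guard at the top of edit.php (the changed has_capability line) now requires only `moodle/blog:view`, so every user allowed to read blogs reaches the add/edit/delete page and the real write authorization rests entirely on the per-action checks further down. The delete path does call blog_user_can_edit_post inside do_delete, but the add and update paths are not in this hunk, so I cannot confirm they verify ownership or an edit capability for the specific entry. A comment at this check would make the intent explicit: `// Page-level gate only: each action below must still verify edit rights for the specific entry.` The surrounding script continues outside the hunk.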
@@ -148,16 +148,15 @@ include($CFG->dirroot .'/blog/footer.php'); * takes $bloginfo_arg argument as reference to a blogInfo object. * also takes the postid - the id of the entry to be removed */ -function do_delete($postid) { +function do_delete($postid, $context) { global $CFG, $USER, $referrer; // make sure this user is authorized to delete this entry. // cannot use $post->pid because it may not have been initialized yet. Also the pid may be in get format rather than post. // check ownership - $blogEntry = get_record('post','id',$postid); + $blogEntry = get_record('post', 'id', $postid); - if (blog_user_can_edit_post($blogEntry, $context->id)) { /// XXX TODO - - if (delete_records('post','id',$postid)) { + if (blog_user_can_edit_post($blogEntry, $context)) { + if (delete_records('post', 'id', $postid)) { //echo "bloginfo_arg:"; //debug //print_object($bloginfo_arg); //debug //echo "pid to delete:".$postid; //debug
@@ -323,4 +322,4 @@ function do_update($post) { $post->error = 'There was an error updating this post in the database'; } } -?> +?> 
\ No newline at end of file
diff --git a/blog/index.php b/blog/index.php
index f1a4968ccf..73f4e2abd5 100755
--- a/blog/index.php
+++ b/blog/index.php
@@ -89,8 +89,7 @@ if ($filtertype) { switch ($filtertype) { case 'site': $context = get_context_instance(CONTEXT_SYSTEM, SITEID); - if ($CFG->bloglevel < BLOG_SITE_LEVEL && - !has_capability('moodle/site:config', $context)) { + if ($CFG->bloglevel < BLOG_SITE_LEVEL) { error('Site blogs is not enabled'); } else if ($CFG->bloglevel < BLOG_GLOBAL_LEVEL) { require_login(); 
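Review bot: The docblock above do_delete still describes a `$bloginfo_arg` reference parameter while the new signature takes `$postid` and `$context`; it should read `@param int $postid id of the post entry to delete` and `@param object $context context the edit-rights check is evaluated in`. Separately, get_record returns false when no post has that id, and that result is passed straight to blog_user_can_edit_post; unless the helper handles a false entry (not visible here), a guard such as `if (!$blogEntry) { error(get_string('nopost', 'blog'), $referrer); }` before the check would be safer. No else branch for a denied authorization is visible in the hunk, so what a caller sees on a refused delete cannot be confirmed from here. do_delete's body continues outside the hunk.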
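Review bot: Dropping the `moodle/site:config` exemption at the 'site' case means an administrator is now also refused with `error('Site blogs is not enabled')` whenever `$CFG->bloglevel` is below BLOG_SITE_LEVEL; the same exemption is removed in the 'course', 'group' and 'user' cases of the next two hunks. Treating the blog level as a site setting that no role bypasses is a reasonable tightening, but the commit message only says "Fixes for capability checks", so the loss of the admin bypass should be stated as intended. A one-line comment at the check would record that decision: `// Blog level is a site setting, not a capability: no role bypasses it.` The switch statement continues outside the hunk.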
@@ -98,23 +97,17 @@ switch ($filtertype) { break; case 'course': $context = get_context_instance(CONTEXT_COURSE, $courseid); - if ($CFG->bloglevel < BLOG_COURSE_LEVEL && - !has_capability('moodle/course:update', $context)) { + if ($CFG->bloglevel < BLOG_COURSE_LEVEL) { error('Course blogs is not enabled'); } - if (!has_capability('moodle/blog:readentry', $context)) { - error('You do not have the required permissions to to view course blogs'); - } break; case 'group': - $sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID); - $coursecontext = get_context_instance(CONTEXT_COURSE, $courseid); - if ($CFG->bloglevel < BLOG_GROUP_LEVEL && - !has_capability('moodle/site:config', $sitecontext)) { + $context = get_context_instance(CONTEXT_GROUP, $groupid); + if ($CFG->bloglevel < BLOG_GROUP_LEVEL) { error ('Group blogs is not enabled'); } - if (!has_capability('moodle/course:update', $coursecontext) && - groupmode($course) == SEPARATEGROUPS) { + if (groupmode($course) == SEPARATEGROUPS && + !has_capability('moodle/site:accessallgroups', $context)) { if (!ismember($filterselect)) { error ('You are not a member of this group'); }
@@ -122,13 +115,11 @@ switch ($filtertype) { /// check if user is editting teacher, or if spg, is member break; case 'user': - $context = get_context_instance(CONTEXT_SYSTEM, $context->id); /// XXXXX TODO - if ($CFG->bloglevel < BLOG_USER_LEVEL && - !has_capability('moodle/site:config', SITEID)) { + $context = get_context_instance(CONTEXT_USERID, $userid); + if ($CFG->bloglevel < BLOG_USER_LEVEL) { error ('Blogs is not enabled'); } - if ($CFG->bloglevel == BLOG_USER_LEVEL && $USER->id != $filterselect && - !has_capability('moodle/site:config', $context)) { + if ($CFG->bloglevel == BLOG_USER_LEVEL && $USER->id != $filterselect) { error ('Under this setting, you can only view your own blogs'); } 
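Review bot: The 'group' case builds its context from `$groupid` while the membership check a few lines later still uses `$filterselect`, and the 'user' case in the next hunk does the same with `$userid` against `$USER->id != $filterselect`; I cannot see where `$groupid` or `$userid` are assigned, so if they are not parameters in scope the context lookup runs on an undefined id and the later blog:view check is evaluated against the wrong context. If the filter value is the group or user id, the consistent form is `$context = get_context_instance(CONTEXT_GROUP, $filterselect);` here and `get_context_instance(CONTEXT_USERID, $filterselect)` in the user case. The `moodle/site:accessallgroups` check is now evaluated in the group context rather than the course context, which presumably relies on a course-level grant being inherited by the group context — worth confirming against the role definitions. The switch continues outside the hunk.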
@@ -141,6 +132,11 @@ switch ($filtertype) { break; } +if (!has_capability('moodle/blog:view', $context)) { + error('You do not have the required permissions to to view blogs'); +} + + // first set the start and end day equal to the day argument passed in from the get vars if ($limit == 'none') { $limit = get_user_preferences('blogpagesize', 10);
@@ -164,4 +160,5 @@ add_to_log($courseid, 'blog', 'view', 'index.php?filtertype='.$filtertype.'& include($CFG->dirroot .'/blog/footer.php'); -?> + +?> 
\ No newline at end of file
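Review bot: The new common `has_capability('moodle/blog:view', $context)` check assumes `$context` was assigned by the switch above, but that switch sits inside `if ($filtertype)` (visible in the header of the @@ -89 hunk), so with no filtertype or an unrecognised one `$context` may be unset and the check runs against an undefined context; whether an earlier assignment covers that path is outside the hunk. Initialising it before the switch, or guarding here with `if (empty($context)) { $context = get_context_instance(CONTEXT_SYSTEM, SITEID); }`, would make the fall-through explicit rather than relying on has_capability's handling of a missing context. The error text also carries the doubled word from the line it replaces: `error('You do not have the required permissions to view blogs');`.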