From 0a3bdfaf79031e7f4afe4488b57804cc8a105fea Mon Sep 17 00:00:00 2001
From: skodak
Date: Thu, 27 Sep 2007 06:51:54 +0000
Subject: [PATCH] MDL-11451 grade publishing security/privacy improved - new capabilities needed for publishing, by default allowed only for admins; added warning to publishing option
---
grade/export/ods/db/access.php | 10 ++++++++++
grade/export/ods/dump.php | 6 ++++++
grade/export/ods/index.php | 4 ++++
grade/export/ods/version.php | 2 +-
grade/export/txt/db/access.php | 10 ++++++++++
grade/export/txt/dump.php | 6 ++++++
grade/export/txt/index.php | 4 ++++
grade/export/txt/version.php | 2 +-
grade/export/xls/db/access.php | 10 ++++++++++
grade/export/xls/dump.php | 6 ++++++
grade/export/xls/index.php | 4 ++++
grade/export/xls/version.php | 2 +-
grade/export/xml/db/access.php | 10 ++++++++++
grade/export/xml/dump.php | 6 ++++++
grade/export/xml/index.php | 4 ++++
grade/export/xml/version.php | 2 +-
grade/import/xml/db/access.php | 8 ++++++++
grade/import/xml/fetch.php | 6 ++++++
grade/import/xml/index.php | 4 ++++
grade/import/xml/version.php | 2 +-
lang/en_utf8/gradeexport_csv.php | 1 +
lang/en_utf8/gradeexport_ods.php | 1 +
lang/en_utf8/gradeexport_txt.php | 1 +
lang/en_utf8/gradeexport_xls.php | 1 +
lang/en_utf8/gradeexport_xml.php | 1 +
lang/en_utf8/gradeimport_xml.php | 1 +
lang/en_utf8/grades.php | 2 +-
27 files changed, 110 insertions(+), 6 deletions(-)
diff --git a/grade/export/ods/db/access.php b/grade/export/ods/db/access.php
index b7b6c2df09..8c2b7712b0 100644
--- a/grade/export/ods/db/access.php
+++ b/grade/export/ods/db/access.php
@@ -11,7 +11,17 @@ $gradeexport_ods_capabilities = array(
 'editingteacher' => CAP_ALLOW,
 'admin' => CAP_ALLOW
 )
+ ),
+
+ 'gradeexport/ods:publish' => array(
+ 'riskbitmask' => RISK_PERSONAL,
+ 'captype' => 'read',
+ 'contextlevel' => CONTEXT_COURSE,
+ 'legacy' => array(
+ 'admin' => CAP_ALLOW
+ )
 )
+
 );
 ?>
diff --git a/grade/export/ods/dump.php b/grade/export/ods/dump.php
index fb7c17ece8..f1dd09b812 100644
--- a/grade/export/ods/dump.php
+++ b/grade/export/ods/dump.php
@@ -4,6 +4,9 @@ $nomoodlecookie = true; // session not used here
 require '../../../config.php';
 $id = required_param('id', PARAM_INT); // course id
+if (!$course = get_record('course', 'id', $id)) {
+ print_error('nocourseid');
+}
 require_user_key_login('grade/export', $id); // we want different keys for each course
@@ -11,6 +14,9 @@ if (empty($CFG->gradepublishing)) {
 error('Grade publishing disabled');
 }
+$context = get_context_instance(CONTEXT_COURSE, $id);
+require_capability('gradeexport/ods:pusblish', $context);
+
 // use the same page parameters as export.php and append &key=sdhakjsahdksahdkjsahksadjksahdkjsadhksa
 require 'export.php';
diff --git a/grade/export/ods/index.php b/grade/export/ods/index.php
index c3d01ccba9..36015d13c4 100755
--- a/grade/export/ods/index.php
+++ b/grade/export/ods/index.php
@@ -47,6 +47,10 @@ $navigation = grade_build_nav(__FILE__, $actionstr, array('courseid' => $course-
 print_header($course->shortname.': '.get_string('grades'), $course->fullname, $navigation);
 print_grade_plugin_selector($id, 'export', 'ods');
+if (!empty($CFG->gradepublishing)) {
+ $CFG->gradepublishing = has_capability('gradeexport/ods:publish', $context);
+}
+
 $mform = new grade_export_form(null, array('publishing' => true));
 // process post information
diff --git a/grade/export/ods/version.php b/grade/export/ods/version.php
index 55d7451372..c68c6e13e4 100644
--- a/grade/export/ods/version.php
+++ b/grade/export/ods/version.php
@@ -1,6 +1,6 @@ version = 2007072500;
+$plugin->version = 2007092701;
 $plugin->requires = 2007072402;
 ?>
diff --git a/grade/export/txt/db/access.php b/grade/export/txt/db/access.php
index 243bd9b027..5141e1aaa0 100644
--- a/grade/export/txt/db/access.php
+++ b/grade/export/txt/db/access.php
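Review bot: The new course lookup runs before `require_user_key_login`, so a caller with no key at all learns from the `nocourseid` error whether a course id exists; moving the three added lines below the `require_user_key_login('grade/export', $id);` call keeps the key check first and still validates the course before `$context` is built in the next hunk. The leak is low value because course ids are small sequential integers, but the reordering costs nothing. The same ordering is repeated in the txt, xls and xml dump.php hunks and in the import fetch.php hunk.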
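Review bot: The capability name on the added require_capability line, `gradeexport/ods:pusblish`, is misspelled and does not match the `gradeexport/ods:publish` declared in the ods db/access.php hunk and in the language file, so the gate never tests the capability the commit intends to grant. If has_capability in this release falls back to moodle/site:doanything for an undefined capability, admins still pass and the typo stays invisible in admin testing while any other role granted the new capability is denied; if it does not, every key-based download fails. Either way the line should read `require_capability('gradeexport/ods:publish', $context);`. The same misspelling appears in the txt, xls and xml dump.php hunks and in the import fetch.php hunk.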
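Review bot: Assigning the result of has_capability to the site-wide `$CFG->gradepublishing` in the added block turns a global setting into a per-request, per-user flag, and nothing in the hunk says so; `$context` and grade_export_form are defined outside it, so whether the form reads that option or `$CFG->gradepublishing` directly is not visible here. A local such as `$canpublish = has_capability('gradeexport/ods:publish', $context);` handed to the form would be clearer, or at least a comment on the assignment, `// Publishing is only offered to users holding gradeexport/ods:publish; $CFG->gradepublishing is overridden for the rest of this request only.`. This UI gate does not replace the server-side check in dump.php, which must enforce the capability on its own. The same construct is repeated in the txt, xls, xml and import index.php hunks.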
@@ -11,7 +11,17 @@ $gradeexport_txt_capabilities = array(
 'editingteacher' => CAP_ALLOW,
 'admin' => CAP_ALLOW
 )
+ ),
+
+ 'gradeexport/txt:publish' => array(
+ 'riskbitmask' => RISK_PERSONAL,
+ 'captype' => 'read',
+ 'contextlevel' => CONTEXT_COURSE,
+ 'legacy' => array(
+ 'admin' => CAP_ALLOW
+ )
 )
+
 );
 ?>
diff --git a/grade/export/txt/dump.php b/grade/export/txt/dump.php
index fb7c17ece8..dd6be185f2 100644
--- a/grade/export/txt/dump.php
+++ b/grade/export/txt/dump.php
@@ -4,6 +4,9 @@ $nomoodlecookie = true; // session not used here
 require '../../../config.php';
 $id = required_param('id', PARAM_INT); // course id
+if (!$course = get_record('course', 'id', $id)) {
+ print_error('nocourseid');
+}
 require_user_key_login('grade/export', $id); // we want different keys for each course
@@ -11,6 +14,9 @@ if (empty($CFG->gradepublishing)) {
 error('Grade publishing disabled');
 }
+$context = get_context_instance(CONTEXT_COURSE, $id);
+require_capability('gradeexport/txt:pusblish', $context);
+
 // use the same page parameters as export.php and append &key=sdhakjsahdksahdkjsahksadjksahdkjsadhksa
 require 'export.php';
diff --git a/grade/export/txt/index.php b/grade/export/txt/index.php
index 56e287cdad..0f537d8dc8 100755
--- a/grade/export/txt/index.php
+++ b/grade/export/txt/index.php
@@ -47,6 +47,10 @@ $navigation = grade_build_nav(__FILE__, $actionstr, array('courseid' => $course-
 print_header($course->shortname.': '.get_string('grades'), $course->fullname, $navigation);
 print_grade_plugin_selector($id, 'export', 'txt');
+if (!empty($CFG->gradepublishing)) {
+ $CFG->gradepublishing = has_capability('gradeexport/txt:publish', $context);
+}
+
 $mform = new grade_export_form(null, array('includeseparator'=>true, 'publishing' => true));
 // process post information
diff --git a/grade/export/txt/version.php b/grade/export/txt/version.php
index 55d7451372..c8a85f377d 100755
--- a/grade/export/txt/version.php
+++ b/grade/export/txt/version.php
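Review bot: `gradeexport/txt:pusblish` on the new require_capability line does not match the `gradeexport/txt:publish` capability declared in the txt db/access.php hunk, so the check can never succeed for a role that was actually granted the new capability; it should be `require_capability('gradeexport/txt:publish', $context);`. Whether admins still get through depends on whether has_capability in this release falls back to moodle/site:doanything for an undefined capability, which is not visible in this patch.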
@@ -1,6 +1,6 @@ version = 2007072500;
+$plugin->version = 2007092700;
 $plugin->requires = 2007072402;
 ?>
diff --git a/grade/export/xls/db/access.php b/grade/export/xls/db/access.php
index 6ea4d57c13..eabce41c29 100644
--- a/grade/export/xls/db/access.php
+++ b/grade/export/xls/db/access.php
@@ -11,7 +11,17 @@ $gradeexport_xls_capabilities = array(
 'editingteacher' => CAP_ALLOW,
 'admin' => CAP_ALLOW
 )
+ ),
+
+ 'gradeexport/xls:publish' => array(
+ 'riskbitmask' => RISK_PERSONAL,
+ 'captype' => 'read',
+ 'contextlevel' => CONTEXT_COURSE,
+ 'legacy' => array(
+ 'admin' => CAP_ALLOW
+ )
 )
+
 );
 ?>
diff --git a/grade/export/xls/dump.php b/grade/export/xls/dump.php
index fb7c17ece8..d2985d7421 100644
--- a/grade/export/xls/dump.php
+++ b/grade/export/xls/dump.php
@@ -4,6 +4,9 @@ $nomoodlecookie = true; // session not used here
 require '../../../config.php';
 $id = required_param('id', PARAM_INT); // course id
+if (!$course = get_record('course', 'id', $id)) {
+ print_error('nocourseid');
+}
 require_user_key_login('grade/export', $id); // we want different keys for each course
@@ -11,6 +14,9 @@ if (empty($CFG->gradepublishing)) {
 error('Grade publishing disabled');
 }
+$context = get_context_instance(CONTEXT_COURSE, $id);
+require_capability('gradeexport/xls:pusblish', $context);
+
 // use the same page parameters as export.php and append &key=sdhakjsahdksahdkjsahksadjksahdkjsadhksa
 require 'export.php';
diff --git a/grade/export/xls/index.php b/grade/export/xls/index.php
index edf8e1b704..5c3803d3a9 100755
--- a/grade/export/xls/index.php
+++ b/grade/export/xls/index.php
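Review bot: `gradeexport/xls:pusblish` on the added require_capability line is not the `gradeexport/xls:publish` capability declared in the xls db/access.php hunk, so the key-based download is gated on a capability that cannot be assigned; the line should be `require_capability('gradeexport/xls:publish', $context);`. Because the ods, txt and xml dump.php hunks carry the same misspelling, a single search for `:pusblish` across grade/ would catch them all before merge.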
@@ -47,6 +47,10 @@ $navigation = grade_build_nav(__FILE__, $actionstr, array('courseid' => $course-
 print_header($course->shortname.': '.get_string('grades'), $course->fullname, $navigation);
 print_grade_plugin_selector($id, 'export', 'xls');
+if (!empty($CFG->gradepublishing)) {
+ $CFG->gradepublishing = has_capability('gradeexport/xls:publish', $context);
+}
+
 $mform = new grade_export_form(null, array('publishing' => true));
 // process post information
diff --git a/grade/export/xls/version.php b/grade/export/xls/version.php
index 55d7451372..c8a85f377d 100644
--- a/grade/export/xls/version.php
+++ b/grade/export/xls/version.php
@@ -1,6 +1,6 @@ version = 2007072500;
+$plugin->version = 2007092700;
 $plugin->requires = 2007072402;
 ?>
diff --git a/grade/export/xml/db/access.php b/grade/export/xml/db/access.php
index 51233ab985..e95ce44b79 100644
--- a/grade/export/xml/db/access.php
+++ b/grade/export/xml/db/access.php
@@ -11,7 +11,17 @@ $gradeexport_xml_capabilities = array(
 'editingteacher' => CAP_ALLOW,
 'admin' => CAP_ALLOW
 )
+ ),
+
+ 'gradeexport/xml:publish' => array(
+ 'riskbitmask' => RISK_PERSONAL,
+ 'captype' => 'read',
+ 'contextlevel' => CONTEXT_COURSE,
+ 'legacy' => array(
+ 'admin' => CAP_ALLOW
+ )
 )
+
 );
 ?>
diff --git a/grade/export/xml/dump.php b/grade/export/xml/dump.php
index fb7c17ece8..198260a86e 100644
--- a/grade/export/xml/dump.php
+++ b/grade/export/xml/dump.php
@@ -4,6 +4,9 @@ $nomoodlecookie = true; // session not used here
 require '../../../config.php';
 $id = required_param('id', PARAM_INT); // course id
+if (!$course = get_record('course', 'id', $id)) {
+ print_error('nocourseid');
+}
 require_user_key_login('grade/export', $id); // we want different keys for each course
@@ -11,6 +14,9 @@ if (empty($CFG->gradepublishing)) {
 error('Grade publishing disabled');
 }
+$context = get_context_instance(CONTEXT_COURSE, $id);
+require_capability('gradeexport/xml:pusblish', $context);
+
 // use the same page parameters as export.php and append &key=sdhakjsahdksahdkjsahksadjksahdkjsadhksa
 require 'export.php';
diff --git a/grade/export/xml/index.php b/grade/export/xml/index.php
index 245601fbb0..483e64ad50 100755
--- a/grade/export/xml/index.php
+++ b/grade/export/xml/index.php
@@ -47,6 +47,10 @@ $navigation = grade_build_nav(__FILE__, $actionstr, array('courseid' => $course-
 print_header($course->shortname.': '.get_string('grades'), $course->fullname, $navigation);
 print_grade_plugin_selector($id, 'export', 'xml');
+if (!empty($CFG->gradepublishing)) {
+ $CFG->gradepublishing = has_capability('gradeexport/xml:publish', $context);
+}
+
 $mform = new grade_export_form(null, array('idnumberrequired'=>true, 'publishing' => true));
 // process post information
diff --git a/grade/export/xml/version.php b/grade/export/xml/version.php
index 55d7451372..c8a85f377d 100644
--- a/grade/export/xml/version.php
+++ b/grade/export/xml/version.php
@@ -1,6 +1,6 @@ version = 2007072500;
+$plugin->version = 2007092700;
 $plugin->requires = 2007072402;
 ?>
diff --git a/grade/import/xml/db/access.php b/grade/import/xml/db/access.php
index c221c46452..b4558d678c 100644
--- a/grade/import/xml/db/access.php
+++ b/grade/import/xml/db/access.php
@@ -9,6 +9,14 @@ $gradeimport_xml_capabilities = array(
 'editingteacher' => CAP_ALLOW,
 'admin' => CAP_ALLOW
 )
+ ),
+
+ 'gradeimport/xml:publish' => array(
+ 'captype' => 'write',
+ 'contextlevel' => CONTEXT_COURSE,
+ 'legacy' => array(
+ 'admin' => CAP_ALLOW
+ )
 )
 );
diff --git a/grade/import/xml/fetch.php b/grade/import/xml/fetch.php
index 37a69bc533..b04e27f23c 100644
--- a/grade/import/xml/fetch.php
+++ b/grade/import/xml/fetch.php
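Review bot: `gradeexport/xml:pusblish` on the added require_capability line does not match the `gradeexport/xml:publish` capability declared in the xml db/access.php hunk, so this gate tests a capability no role can hold; it should be `require_capability('gradeexport/xml:publish', $context);`. Since export.php is included immediately afterwards, this line is the only server-side check standing between a valid URL key and the full grade dump, so it deserves a test with a non-admin role that has been granted the new capability. The first hunk of this file, which adds the course lookup, is on the previous physical line.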
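Review bot: The new `gradeimport/xml:publish` capability declares no `riskbitmask`, whereas the four export publish capabilities in this patch carry `RISK_PERSONAL`; this one is `captype => 'write'` and, per the fetch.php hunk, lets grades be written into a course from a URL-key request with no interactive login, so an administrator assigning it to another role gets no risk warning at all. Adding `'riskbitmask' => RISK_PERSONAL,` after the key, or whichever risk constant the project uses for write-side changes to grade data, would keep the five definitions consistent. The enclosing `$gradeimport_xml_capabilities` array begins before this hunk.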
@@ -4,6 +4,9 @@ $nomoodlecookie = true; // session not used here
 require '../../../config.php';
 $id = required_param('id', PARAM_INT); // course id
+if (!$course = get_record('course', 'id', $id)) {
+ print_error('nocourseid');
+}
 require_user_key_login('grade/import', $id); // we want different keys for each course
@@ -11,6 +14,9 @@ if (empty($CFG->gradepublishing)) {
 error('Grade publishing disabled');
 }
+$context = get_context_instance(CONTEXT_COURSE, $id);
+require_capability('gradeimport/xml:pusblish', $context);
+
 // use the same page parameters as import.php and append &key=sdhakjsahdksahdkjsahksadjksahdkjsadhksa
 require 'import.php';
diff --git a/grade/import/xml/index.php b/grade/import/xml/index.php
index 912eedfd8e..1e4ea1e40d 100755
--- a/grade/import/xml/index.php
+++ b/grade/import/xml/index.php
@@ -43,6 +43,10 @@ $strgrades = get_string('grades', 'grades');
 $actionstr = get_string('modulename', 'gradeimport_xml');
 $navigation = grade_build_nav(__FILE__, $actionstr, array('courseid' => $course->id));
+if (!empty($CFG->gradepublishing)) {
+ $CFG->gradepublishing = has_capability('gradeimport/xml:publish', $context);
+}
+
 $mform = new grade_import_form();
 if ($data = $mform->get_data()) {
diff --git a/grade/import/xml/version.php b/grade/import/xml/version.php
index d616882fb9..2aebb9ce74 100644
--- a/grade/import/xml/version.php
+++ b/grade/import/xml/version.php
@@ -1,6 +1,6 @@ version = 2007092600;
+$plugin->version = 2007092700;
 $plugin->requires = 2007092002;
 ?>
diff --git a/lang/en_utf8/gradeexport_csv.php b/lang/en_utf8/gradeexport_csv.php
index 216a15a0b8..3ccf9a43ff 100644
--- a/lang/en_utf8/gradeexport_csv.php
+++ b/lang/en_utf8/gradeexport_csv.php
@@ -2,5 +2,6 @@
 $string['modulename'] = 'CSV file';
 $string['cvs:view'] = 'Use CSV grade export';
+$string['cvs:publish'] = 'Publish CSV grade export';
 ?>
diff --git a/lang/en_utf8/gradeexport_ods.php b/lang/en_utf8/gradeexport_ods.php
index 90eee3b782..b002037434 100644
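Review bot: `gradeimport/xml:pusblish` on the added require_capability line is not the `gradeimport/xml:publish` capability declared in the import db/access.php hunk, so the server-side gate for key-based imports tests a capability nobody can be granted; it should be `require_capability('gradeimport/xml:publish', $context);`. This is the write path, since import.php is included right after the check, so getting the name right matters more here than in the export dumps. Whether admins bypass the broken check through a moodle/site:doanything fallback in has_capability is not visible in this patch, and should be verified with a non-admin role rather than an admin account.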
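Review bot: The added `cvs:publish` string has no matching capability in this patch: the diffstat lists no grade/export/csv files, so no `gradeexport/csv:publish` (or `cvs:publish`) capability is declared in a db/access.php or enforced in a dump.php, and a CSV export dump, if one exists, is left without the new gate while the language file implies it has one. The key also spells `cvs` rather than `csv`, matching the pre-existing `cvs:view` but not the component name gradeexport_csv; whichever spelling the eventual capability definition uses, the string key presumably has to match it exactly for the role editor to find the description. If the CSV exporter has no key-based dump.php, dropping this line is cleaner than leaving an orphaned string.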
--- a/lang/en_utf8/gradeexport_ods.php
+++ b/lang/en_utf8/gradeexport_ods.php
@@ -2,5 +2,6 @@
 $string['modulename'] = 'OpenOffice spreadsheet';
 $string['ods:view'] = 'Use Openoffice grade export';
+$string['ods:publish'] = 'Publish ODS grade export';
 ?>
diff --git a/lang/en_utf8/gradeexport_txt.php b/lang/en_utf8/gradeexport_txt.php
index 242e2da815..45cd6dabff 100644
--- a/lang/en_utf8/gradeexport_txt.php
+++ b/lang/en_utf8/gradeexport_txt.php
@@ -2,5 +2,6 @@
 $string['modulename'] = 'Plain text file';
 $string['txt:view'] = 'Use text grade export';
+$string['txt:publish'] = 'Publish TXT grade export';
 ?>
diff --git a/lang/en_utf8/gradeexport_xls.php b/lang/en_utf8/gradeexport_xls.php
index 74d94749e0..3a65e05fbc 100644
--- a/lang/en_utf8/gradeexport_xls.php
+++ b/lang/en_utf8/gradeexport_xls.php
@@ -2,5 +2,6 @@
 $string['modulename'] = 'Excel spreadsheet';
 $string['xls:view'] = 'Use Excel grade export';
+$string['xls:publish'] = 'Publish XLS grade export';
 ?>
diff --git a/lang/en_utf8/gradeexport_xml.php b/lang/en_utf8/gradeexport_xml.php
index 534da61986..6d85861222 100644
--- a/lang/en_utf8/gradeexport_xml.php
+++ b/lang/en_utf8/gradeexport_xml.php
@@ -2,5 +2,6 @@
 $string['modulename'] = 'XML file';
 $string['xml:view'] = 'Use XML grade export';
+$string['xml:publish'] = 'Publish XML grade export';
 ?>
diff --git a/lang/en_utf8/gradeimport_xml.php b/lang/en_utf8/gradeimport_xml.php
index 6b76b910eb..1cd932f1f0 100644
--- a/lang/en_utf8/gradeimport_xml.php
+++ b/lang/en_utf8/gradeimport_xml.php
@@ -6,5 +6,6 @@ $string['errincorrectidnumber'] = 'Error - incorrect idnumber';
 $string['fileurl'] = 'Remote file URL';
 $string['modulename'] = 'XML file';
 $string['xml:view'] = 'Import grades from XML';
+$string['xml:publish'] = 'Publish import grades from XML';
 ?>
diff --git a/lang/en_utf8/grades.php b/lang/en_utf8/grades.php
index 6f053664ce..93caa384fb 100644
--- a/lang/en_utf8/grades.php
+++ b/lang/en_utf8/grades.php
@@ -71,7 +71,7 @@ $string['configgradeboundary'] = 'A percentage boundary over which grades will b
 $string['configgradedisplaytype'] = 'Grades can be shown as real grades, as percentages (in reference to the minimum and maximum grades) or as letters (A, B, C etc..)';
 $string['configgradeletter'] = 'A letter or other symbol used to represent a range of grades.';
 $string['configgradeletterdefault'] = 'A letter or other symbol used to represent a range of grades. Leave this field empty to use the site default (currently $a).';
-$string['configgradepublishing'] = 'Enable publishing in exports and imports: Exported grades can be accessed by accessing a URL, without having to log on to a Moodle site. Grades can be imported by accessing such a URL (which means that a moodle site can import grades published by another site).';
+$string['configgradepublishing'] = 'Enable publishing in exports and imports: Exported grades can be accessed by accessing a URL, without having to log on to a Moodle site. Grades can be imported by accessing such a URL (which means that a moodle site can import grades published by another site). By default only administrators may use this feature, please educate users before adding required capabilities to other roles (dangers of bookmark sharing and download accelerators, IP restrictions, etc.).';
 $string['configmeanselection'] = 'Select which types of grades will be included in the column averages. Cells with no grade can be ignored, or counted as 0 (default setting).';
 $string['configquickfeedback'] = 'Quick Feedback adds a text input element in each grade cell on the grader report, allowing you to edit many grades at once. You can then click the Update button to perform all these changes at once, instead of one at a time.';
 $string['configquickgrading'] = 'Quick Grading adds a text input element in each grade cell on the grader report, allowing you to edit the feedback for many grades at once. 
You can then click the Update button to perform all these changes at once, instead of one at a time.'; -- 2.39.5