From 3a512f86c754cc71e95e0193ea3015c87432a85c Mon Sep 17 00:00:00 2001
From: stronk7
Date: Sat, 28 Aug 2004 00:28:56 +0000
Subject: [PATCH] Some important changes arrive:
- 'editalways' applied to comments.
- some minor notices out.
- security bug solved:
+ users cannot edit any comment now.
+ users cannot delete any comment now.
+ users cannot edit any entry now.
+ users cannot delete any antry now.
Thanks to skodak, discovering the bug!!!
Merged from MOODLE_14_STABLE
---
 mod/glossary/comment.php | 14 +++++++-------
 mod/glossary/deleteentry.php | 9 +++++++--
 mod/glossary/edit.php | 15 +++++++++++++++
 mod/glossary/lib.php | 7 ++++---
 4 files changed, 33 insertions(+), 12 deletions(-)
diff --git a/mod/glossary/comment.php b/mod/glossary/comment.php
index 546141ae2b..bb7c649ce3 100644
--- a/mod/glossary/comment.php
+++ b/mod/glossary/comment.php
@@ -71,6 +71,9 @@
 /// Input section
 if ( $action == "delete" ) {
+ if (($comment->userid <> $USER->id) and !isteacher($glossary->course)) {
+ error("You can't delete other people's comments!");
+ }
 if ( $confirm ) {
 delete_records("glossary_comments","id", $cid);
@@ -105,16 +108,13 @@
 }
 } else {
 if ( $action == "edit" ) {
- if ( (time() - $comment->timemodified >= $CFG->maxeditingtime or
- $USER->id != $comment->userid) and !isteacher($course->id) ) {
- echo "
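Review bot: The new delete guard tests authorship only, so a student may delete their own comment at any time, whereas the edit branch later in this file and the icon logic in lib.php (`glossary_print_comment`) restrict authors to the edit period or `editalways`; the server-side gate and the UI gate disagree, and the link is reachable without the icon. If students should delete only while they may edit, reuse the same condition: `$ineditperiod = ((time() - $comment->timemodified < $CFG->maxeditingtime) || $glossary->editalways);` followed by `if ((!$ineditperiod || $comment->userid <> $USER->id) and !isteacher($glossary->course)) {`. This hunk also spells the teacher test as `isteacher($glossary->course)` while the edit hunk below uses `isteacher($course->id)`; presumably the same course, but one spelling is easier to audit. The enclosing if/else structure continues past the hunk.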
";
+ $ineditperiod = ((time() - $comment->timemodified < $CFG->maxeditingtime) || $glossary->editalways);
+ if ( (!$ineditperiod || $USER->id != $comment->userid) and !isteacher($course->id) ) {
 if ( $USER->id != $comment->userid ) {
- echo get_string("youarenottheauthor","glossary",$CFG->maxeditingtime);
+ error("You can't edit other people's comments!");
 } elseif (time() - $comment->timemodified >= $CFG->maxeditingtime ) {
- echo get_string("maxtimehaspassed","glossary",$CFG->maxeditingtime);
+ error("You can't edit this. Time expired!");
 }
- echo "
";
- print_footer($course); die;
 }
 }
diff --git a/mod/glossary/deleteentry.php b/mod/glossary/deleteentry.php
index 699dc0a137..4cca03d52e 100644
--- a/mod/glossary/deleteentry.php
+++ b/mod/glossary/deleteentry.php
@@ -45,11 +45,16 @@
 "", "", true, update_module_button($cm->id, $course->id, $strglossary), navmenu($course, $cm));
+ $entry = get_record("glossary_entries","id", $entry);
+
+ if (($entry->userid <> $USER->id) and !isteacher($course->id)) {
+ error("You can't delete other people's entries!");
+ }
+
 /// If data submitted, then process and store.
 if ($confirm) { // the operation was confirmed.
 // if it is an imported entry, just delete the relation
- $entry = get_record("glossary_entries","id", $entry);
 if ( $entry->sourceglossaryid ) {
 $entry->glossaryid = $entry->sourceglossaryid;
@@ -74,7 +79,7 @@
 } else { // the operation has not been confirmed yet so ask the user to do so
 notice_yesno("$entryfields->concept
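Review bot: The `elseif` still spells the time test as `time() - $comment->timemodified >= $CFG->maxeditingtime` even though the outer condition now uses `$ineditperiod`, which also honours `$glossary->editalways`; the branch is only reached when `!$ineditperiod` already holds, so the duplicate test is harmless today but the two conditions will drift apart. Write it as `} elseif (!$ineditperiod) {`, exactly as the edit.php hunk in this commit does. The replacement `error()` calls also discard the localised `youarenottheauthor` and `maxtimehaspassed` strings that the removed lines used, in favour of hard-coded English; wrapping the messages in `get_string()` would keep them translatable.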
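Review bot: `get_record()` returns false when no glossary_entries row matches `$entry`, and the new guard then reads `$entry->userid` on a boolean; the request is rejected only because `null <> $USER->id` happens to be true, with a notice on the way. Test the lookup explicitly before the ownership check: `if (!$entry = get_record("glossary_entries", "id", $entry)) { error("Entry is incorrect"); }` (constructed message). Note that `$entry` changes meaning here from the submitted id to the row, which every later use of `$entry` in this file, including the second hunk, must now respect; `$entryfields` appears to be the same row loaded earlier outside the hunk, so the guard could presumably use it instead of issuing a second query.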

$strareyousuredelete

",
- "deleteentry.php?id=$cm->id&mode=delete&confirm=1&entry=".s($entry)."&prevmode=$prevmode&hook=$hook",
+ "deleteentry.php?id=$cm->id&mode=delete&confirm=1&entry=".s($entry->concept)."&prevmode=$prevmode&hook=$hook",
 "view.php?id=$cm->id&mode=$prevmode&hook=$hook");
 }
diff --git a/mod/glossary/edit.php b/mod/glossary/edit.php
index 532d19d684..b1573f196f 100644
--- a/mod/glossary/edit.php
+++ b/mod/glossary/edit.php
@@ -192,6 +192,8 @@ if ( $confirm ) {
 $newentry->casesensitive = $form->casesensitive;
 $newentry->fullmatch = $form->fullmatch;
 $newentry->aliases = "";
+ $newentry->userid = $form->userid;
+ $newentry->timemodified = $form->timemodified;
 if ( $aliases = get_records("glossary_alias","entryid",$e) ) {
 foreach ($aliases as $alias) {
@@ -232,6 +234,9 @@ if (!isset($newentry->fullmatch)) {
 if (!isset($newentry->definition)) {
 $newentry->definition = "";
 }
+if (!isset($newentry->timemodified)) {
+ $newentry->timemodified = 0;
+}
 $strglossary = get_string("modulename", "glossary");
 $strglossaries = get_string("modulenameplural", "glossary");
 $stredit = get_string("edit");
@@ -247,6 +252,16 @@ print_header_simple(strip_tags("$glossary->name"), "", id\">$glossary->name -> $stredit", "", "", true, "", navmenu($course, $cm));
+$ineditperiod = ((time() - $newentry->timemodified < $CFG->maxeditingtime) || $glossary->editalways);
+if ( (!$ineditperiod || $USER->id != $newentry->userid) and !isteacher($course->id) and $e) {
+ if ( $USER->id != $newentry->userid ) {
+ error("You can't edit other people's entries!");
+ } elseif (!$ineditperiod) {
+ error("You can't edit this. Time expired!");
+ }
+ die;
+ }
+
 echo '
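Review bot: The confirmation link now passes `s($entry->concept)` as the `entry` parameter, but the first hunk of this file resolves that parameter with `get_record("glossary_entries","id", $entry)` before the `$confirm` branch, which expects the numeric id; the concept text will not match a row, so the confirmed delete cannot find the entry (and, with the lookup unchecked, lands in the ownership error instead). The intended value is the id: `"deleteentry.php?id=$cm->id&mode=delete&confirm=1&entry=".s($entry->id)."&prevmode=$prevmode&hook=$hook",`. The enclosing `else` branch opens before this hunk and its remaining lines are not visible here.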
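Review bot: `$newentry->userid` and `$newentry->timemodified` are copied from the submitted form here, and the ownership and edit-period guard added later in this file (the `@@ -247` hunk) compares `$USER->id` and `$CFG->maxeditingtime` against exactly those two fields; on the confirmed path the authorisation check therefore rests on values the client submitted rather than on the stored row. Take both from the database for the entry being edited, e.g. `$oldentry = get_record("glossary_entries", "id", $e);` followed by `$newentry->userid = $oldentry->userid;` and `$newentry->timemodified = $oldentry->timemodified;` (how `$form` is populated is outside the hunk, so this assumes it is request data). The enclosing `if ( $confirm )` block starts before the hunk.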

' . stripslashes_safe($glossary->name); echo '

';
diff --git a/mod/glossary/lib.php b/mod/glossary/lib.php
index 4e038fd8c0..5696500beb 100644
--- a/mod/glossary/lib.php
+++ b/mod/glossary/lib.php
@@ -710,8 +710,8 @@ function glossary_print_entry_icons($course, $cm, $glossary, $entry,$mode="",$ho
 //Decide if an entry is editable:
 // -It isn't a imported entry (so nobody can edit a imported (from secondary to main) entry)) and
 // -The user is teacher or he is a student with time permissions (edit period or editalways defined).
- $ineditperiod = (time() - $entry->timemodified < $CFG->maxeditingtime);
- if ( !$importedentry and ($isteacher or ($entry->userid == $USER->id and ($glossary->editalways or $ineditperiod)))) {
+ $ineditperiod = ((time() - $entry->timemodified < $CFG->maxeditingtime) || $glossary->editalways);
+ if ( !$importedentry and ($isteacher or ($entry->userid == $USER->id and $ineditperiod))) {
 $return .= " id&mode=delete&entry=$entry->id&prevmode=$mode&hook=$hook\"> ";
@@ -1556,7 +1556,8 @@ function glossary_print_comment($course, $cm, $glossary, $entry, $comment) {
 echo format_text($comment->comment, $comment->format);
 echo "
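Review bot: The `die;` after the inner if/elseif is unreachable: the outer condition admits only `!$ineditperiod` or a `$newentry->userid` different from `$USER->id`, each of which ends in `error()`, and `error()` ends the request (the comment.php hunk in this commit relies on that by dropping its own `print_footer(); die;`). Either remove the `die;` or turn the `elseif (!$ineditperiod)` into a plain `else` so the exhaustiveness is visible instead of implied. The indentation also misleads: the `if` starts at column zero but its closing `}` sits at four spaces. A one-line comment above the block, along the lines of "Only the author (within the edit period, or always if editalways) or a teacher may edit an existing entry; new entries ($e empty) are not gated here", would make the `and $e` clause self-explanatory.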
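Review bot: After this change `$ineditperiod` is true whenever `$glossary->editalways` is set, so the name no longer describes the value; the same expression is now written out by hand in four places in this commit (this hunk, `glossary_print_comment` below, comment.php and edit.php). A small helper in this file, e.g. `function glossary_can_edit_now($glossary, $timemodified) { global $CFG; return ($glossary->editalways || (time() - $timemodified < $CFG->maxeditingtime)); }`, would give the rule one home and one name, so the pages enforcing it and the pages drawing the icons cannot drift apart. The rest of `glossary_print_entry_icons` lies outside the hunk.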

";
- if ( (time() - $comment->timemodified < $CFG->maxeditingtime and $USER->id == $comment->userid) or isteacher($course->id) ) {
+ $ineditperiod = ((time() - $comment->timemodified < $CFG->maxeditingtime) || $glossary->editalways);
+ if ( ($ineditperiod && $USER->id == $comment->userid) or isteacher($course->id) ) {
 echo "id&eid=$entry->id&cid=$comment->id&action=edit\">\""pixpath/t/edit.gif\" height=11 width=11 border=0> ";
 }
-- 2.39.5
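Review bot: The new `if` mixes `&&` inside the parentheses with `or` outside, and the assignment above it uses `||`; the assignment is correct as written (with `or` the `=` would bind first and `$ineditperiod` would only receive the time test), but the mixed spelling invites exactly that mistake on the next edit. Use `||` consistently: `if ( ($ineditperiod && $USER->id == $comment->userid) || isteacher($course->id) ) {`. This condition also decides whether the edit link is drawn, while comment.php enforces the actual rule on the request, so a comment such as `// mirrors the check in comment.php; keep both in sync` above the assignment would help the next maintainer. The remainder of `glossary_print_comment` is outside the hunk.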