From 3fc3ebf26bc58db00a51a8be548a78ca6ae3c4f3 Mon Sep 17 00:00:00 2001
From: tjhunt <tjhunt>
Date: Tue, 30 Oct 2007 10:50:20 +0000
Subject: [PATCH] MDL-11951 - supplemental - need capability checks in the
 outer if of the file too. Merged from MOODLE_19_STABLE.

---
 admin/settings/frontpage.php | 19 +++++++++++++------
 lib/accesslib.php            | 22 ++++++++++++++++++++++
 2 files changed, 35 insertions(+), 6 deletions(-)

diff --git a/admin/settings/frontpage.php b/admin/settings/frontpage.php
index c88928c9b8..4481d6be1e 100644
--- a/admin/settings/frontpage.php
+++ b/admin/settings/frontpage.php
@@ -5,12 +5,19 @@
 if (get_site()) { //do not use during installation
     $frontpagecontext = get_context_instance(CONTEXT_COURSE, SITEID);
 
-    if ($hassiteconfig
-     or has_capability('moodle/course:update',      $frontpagecontext)
-     or has_capability('moodle/role:assign',        $frontpagecontext)
-     or has_capability('moodle/site:restore',       $frontpagecontext)
-     or has_capability('moodle/site:backup',        $frontpagecontext)
-     or has_capability('moodle/course:managefiles', $frontpagecontext)) {
+    if ($hassiteconfig or has_any_capability(array(
+            'moodle/course:update',
+            'moodle/role:assign',
+            'moodle/site:restore',
+            'moodle/site:backup',
+            'moodle/course:managefiles',
+            'moodle/question:add',
+            'moodle/question:editmine',
+            'moodle/question:editall',
+            'moodle/question:viewmine',
+            'moodle/question:viewall',
+            'moodle/question:movemine',
+            'moodle/question:moveall'), $frontpagecontext)) {
 
         // "frontpage" settingpage
         $temp = new admin_settingpage('frontpagesettings', get_string('frontpagesettings','admin'), 'moodle/course:update', false, $frontpagecontext);
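Review bot: The capability list in the outer `if` is now a hand-maintained copy of whatever capabilities the pages inside the block require, and nothing in the hunk says so. The one page visible here is gated on 'moodle/course:update'; the others are presumably added further down, as the `if` body continues outside the hunk. If a page is later added with a capability missing from this list, it will be hidden from users who should see it. A comment above the condition would help, for example `// Outer gate only: must list every capability used by the pages added below; each page still enforces its own.`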
diff --git a/lib/accesslib.php b/lib/accesslib.php
index 4f36f5a994..bf9eb1b6cf 100755
--- a/lib/accesslib.php
+++ b/lib/accesslib.php
@@ -429,6 +429,28 @@ function has_capability($capability, $context, $userid=NULL, $doanything=true) {
     return has_capability_in_accessdata($capability, $context, $ACCESS[$userid], $doanything);
 }
 
+/**
+ * This function returns whether the current user has any of the capabilities in the
+ * $capabilities array. This is a simple wrapper around has_capability for convinience.
+ *
+ * There are probably tricks that could be done to improve the performance here, for example,
+ * check the capabilities that are already cached first.
+ *
+ * @param array $capabilities - an array of capability names.
+ * @param object $context - a context object (record from context table)
+ * @param integer $userid - a userid number, empty if current $USER
+ * @param bool $doanything - if false, ignore do anything
+ * @return bool
+ */
+function has_any_capability($capabilities, $context, $userid=NULL, $doanything=true) {
+    foreach ($capabilities as $capability) {
+        if (has_any_capability($capability, $context, $userid, $doanything)) {
+            return true;
+        }
+    }
+    return false;
+}
+
 /**
  * Uses 1 DB query to answer whether a user is an admin at the sitelevel.
  * It depends on DB schema >=1.7 but does not depend on the new datastructures
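Review bot: The loop in has_any_capability() calls has_any_capability() again instead of has_capability(), so each capability name is passed in as a string where an array is expected. `foreach` does not iterate over a string, so every inner call falls through to `return false` and the function can never return true; PHP should also raise an invalid-argument warning for each name. The line should read `if (has_capability($capability, $context, $userid, $doanything)) {`. As written the check fails closed, so the new outer condition in admin/settings/frontpage.php can only pass through $hassiteconfig and the delegated question capabilities have no effect. The docblock's "convinience" should also read "convenience".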
-- 
2.39.5