From 6c95827fdf8855449522eb560d800de446b97f83 Mon Sep 17 00:00:00 2001 From: moodler Date: Sun, 1 Oct 2006 05:46:55 +0000 Subject: [PATCH] New implementation of loginas see MDL-6626 --- course/loginas.php | 89 +++++++++++++++------------------------------- lib/db/access.php | 42 +++++++++++++++------- version.php | 2 +- 3 files changed, 59 insertions(+), 74 deletions(-) diff --git a/course/loginas.php b/course/loginas.php index e0ade43c1a..8af1355082 100644 --- a/course/loginas.php +++ b/course/loginas.php @@ -9,6 +9,7 @@ if (!empty($USER->realuser)) { $USER = get_complete_user_data('id', $USER->realuser); + load_user_capability(); // load all this user's normal capabilities if (isset($SESSION->oldcurrentgroup)) { // Restore previous "current group" cache. $SESSION->currentgroup = $SESSION->oldcurrentgroup; @@ -26,11 +27,12 @@ } } + ///------------------------------------- -/// try to login as student if allowed +/// We are trying to log in as this user in the first place + $id = required_param('id', PARAM_INT); // course id - $user = required_param('user', PARAM_INT); // login as this user - $password = optional_param('password', '', PARAM_RAW); // site wide password + $userid = required_param('user', PARAM_INT); // login as this user if (!$site = get_site()) { error("Site isn't defined!"); 
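Review bot: The result of `get_complete_user_data('id', $USER->realuser)` is assigned to `$USER` without a check, both here just before the new `load_user_capability();` and in the third hunk at `$USER = get_complete_user_data('id', $userid);`. If the lookup fails (a deleted account or an unknown id), `$USER` would presumably no longer be a user object, yet the capability load and the later `$USER->realuser = $olduserid;` still run on it. I would fetch into a temporary and stop on failure, e.g. `if (!$realuser = get_complete_user_data('id', $USER->realuser)) { error("User ID was incorrect"); }`, and only then assign `$USER`. The enclosing `if (!empty($USER->realuser))` block continues past the end of this hunk.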
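Review bot: The identity switch is now driven entirely by the `id` and `user` request parameters, and no session-key check remains on the path; the only `confirm_sesskey()` call sat in the password branch that the next hunk removes. Changing which account the session belongs to is a state change, so a request forged from another site could presumably move a logged-in administrator into another account without intent. I would add `if (!confirm_sesskey()) { error("Session key was incorrect"); }` after the parameters are read and have the pages that link here pass `sesskey`. The script body continues outside this hunk.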
@@ -40,86 +42,53 @@ error("Course ID was incorrect"); } - if ($course->category) { +/// User must be logged in + + if ($course->id == SITEID) { + require_login(); + $context = get_context_instance(CONTEXT_SYSTEM, SITEID); + } else { require_login($course->id); + $context = get_context_instance(CONTEXT_COURSE, $course->id); } - // $user must be defined to go on +/// User must have permissions - if (!isteacher($course->id)) { - error("Only teachers can use this page!"); - } + require_capability('moodle/user:loginas', $context); - // validate loginaspassword if defined in config.php - - if (empty($SESSION->loginasvalidated) && !empty($CFG->loginaspassword)) { - if ($password == $CFG->loginaspassword && confirm_sesskey()) { - $SESSION->loginasvalidated = true; - } else { - $strloginaspasswordexplain = get_string('loginaspasswordexplain'); - $strloginas = get_string('loginas'); - $strpassword = get_string('password'); - - print_header("$site->fullname: $strloginas", "$site->fullname: $strloginas", - ' ', 'passwordform.password'); - print_simple_box_start('center', '50%', '', 5, 'noticebox'); - ?> -

-
- - - - - -
:
- - - -
- category and !has_capability('moodle/course:view', get_context_instance(CONTEXT_COURSE, $course->id), $user) and !isadmin()) { - error("This student is not in this course!"); - } - - if (has_capability('moodle/course:create', get_context_instance(CONTEXT_SYSTEM, SITEID, $user))) { - error("You can not login as this person!"); - } - - // Remember current timeaccess settings for later +/// Remember current timeaccess settings for later if (isset($USER->timeaccess)) { $SESSION->oldtimeaccess = $USER->timeaccess; } - // Login as this student and return to course home page. +/// Login as this user and return to course home page. + + $oldfullname = fullname($USER, true); + $olduserid = $USER->id; - $teacher_name = fullname($USER, true); - $teacher_id = "$USER->id"; + $USER = get_complete_user_data('id', $userid); // Create the new USER object with all details + $USER->realuser = $olduserid; - $USER = get_complete_user_data('id', $user); // Create the new USER object with all details - $USER->realuser = $teacher_id; + load_user_capability('', $context); // load this user's capabilities for this context only if (isset($SESSION->currentgroup)) { // Remember current cache setting for later $SESSION->oldcurrentgroup = $SESSION->currentgroup; unset($SESSION->currentgroup); } - $student_name = fullname($USER, true); - - add_to_log($course->id, "course", "loginas", "../user/view.php?id=$course->id&user=$user", "$teacher_name -> $student_name"); + $newfullname = fullname($USER, true); + add_to_log($course->id, "course", "loginas", "../user/view.php?id=$course->id&user=$userid", "$oldfullname -> $newfullname"); - $strloginas = get_string("loginas"); - $strloggedinas = get_string("loggedinas", "", $student_name); + $strloginas = get_string('loginas'); + $strloggedinas = get_string('loggedinas', '', $newfullname); - print_header_simple("$strloginas $student_name", '', "$strloginas $student_name", '', '', - true, ' ', navmenu($course)); + print_header_simple($strloggedinas, '', 
$strloggedinas, '', '', true, ' ', navmenu($course)); notice($strloggedinas, "$CFG->wwwroot/course/view.php?id=$course->id"); diff --git a/lib/db/access.php b/lib/db/access.php index 78dffbfb7b..70acaf05fe 100644 --- a/lib/db/access.php +++ b/lib/db/access.php @@ -355,6 +355,35 @@ $moodle_capabilities = array( ) ), + 'moodle/user:viewusergrades' => array( + 'captype' => 'write', + 'contextlevel' => CONTEXT_COURSE, + 'legacy' => array( + 'guest' => CAP_PREVENT, + 'student' => CAP_ALLOW, + 'teacher' => CAP_ALLOW, + 'editingteacher' => CAP_ALLOW, + 'coursecreator' => CAP_ALLOW, + 'admin' => CAP_ALLOW + ) + ), + + 'moodle/user:loginas' => array( + + 'riskbitmask' => RISK_SPAM | RISK_PERSONAL | RISK_XSS | RISK_CONFIG, + + 'captype' => 'write', + 'contextlevel' => CONTEXT_COURSE, + 'legacy' => array( + 'guest' => CAP_PREVENT, + 'student' => CAP_PREVENT, + 'teacher' => CAP_PREVENT, + 'editingteacher' => CAP_PREVENT, + 'coursecreator' => CAP_PREVENT, + 'admin' => CAP_ALLOW + ) + ), + 'moodle/role:assign' => array( 'captype' => 'write', @@ -1071,19 +1100,6 @@ $moodle_capabilities = array( 'coursecreator' => CAP_ALLOW, 'admin' => CAP_ALLOW ) - ), - - 'moodle/user:viewusergrades' => array( - 'captype' => 'write', - 'contextlevel' => CONTEXT_USER, - 'legacy' => array( - 'guest' => CAP_PREVENT, - 'student' => CAP_ALLOW, - 'teacher' => CAP_ALLOW, - 'editingteacher' => CAP_ALLOW, - 'coursecreator' => CAP_ALLOW, - 'admin' => CAP_ALLOW - ) ) ); diff --git a/version.php b/version.php index 16be5079f1..f37f04ae23 100644 --- a/version.php +++ b/version.php @@ -6,7 +6,7 @@ // This is compared against the values stored in the database to determine // whether upgrades should be performed (see lib/db/*.php) - $version = 2006092800; // YYYYMMDD = date + $version = 2006092801; // YYYYMMDD = date // XY = increments within a single day $release = '1.7 dev'; // Human-friendly version name -- 2.39.5
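Review bot: Nothing on the new path restricts which account `$userid` may name: the removed checks that the target belongs to the course and is not a more privileged user have no replacement before `$USER = get_complete_user_data('id', $userid);`. `require_capability('moodle/user:loginas', $context)` vets only the caller, so once a role is granted the capability in a single course it can presumably load the full record of any account on the site, with `load_user_capability('', $context)` as the only limit on what the session can then do. For the course branch I would keep a target check before the switch, e.g. `if (!has_capability('moodle/course:view', $context, $userid)) { error("This student is not in this course!"); }`, and also refuse targets that themselves hold `moodle/user:loginas`. A comment stating that the context-limited capability load is the intended containment would help the next reader judge whether it is sufficient.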
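Review bot: `moodle/user:viewusergrades` is re-declared here with `'contextlevel' => CONTEXT_COURSE`, while the entry removed in the later hunk of this file had `CONTEXT_USER`, and the commit message does not mention that change. Together with `'student' => CAP_ALLOW`, declaring the capability at course level may widen whose grades a student role can see, depending on how callers pass the context. If the move was meant as a pure relocation, keep `'contextlevel' => CONTEXT_USER`; if the change is intended, say so in a comment above the entry. Since the capability exposes personal data, a `'riskbitmask' => RISK_PERSONAL` line like the one on the neighbouring `moodle/user:loginas` entry would also be consistent.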