From b0c90e6ede71dfb2a1fe4d5d55869c2395becc5b Mon Sep 17 00:00:00 2001
From: skodak
Date: Wed, 14 Mar 2007 23:37:28 +0000
Subject: [PATCH] (MDL-8820) moodle/user:editprofile now works in user contexts - reverted previous fix, adding new one; merged from MOODLE_18_STABLE
---
 user/edit.php | 34 +++++++++++++++++++++++++++-------
 user/edit_form.php | 4 ++--
 user/editadvanced.php | 18 +++++-------------
 user/tabs.php | 46 ++++++++++++++++++++++++++++++++--------------
 4 files changed, 66 insertions(+), 36 deletions(-)
diff --git a/user/edit.php b/user/edit.php
index 10b5461cf7..4bb0f52e1a 100644
--- a/user/edit.php
+++ b/user/edit.php
@@ -8,6 +8,7 @@
 httpsrequired();
+ $userid = optional_param('id', $USER->id, PARAM_INT); // user id
 $course = optional_param('course', SITEID, PARAM_INT); // course id (defaults to Site)
 if (!$course = get_record('course', 'id', $course)) {
@@ -23,10 +24,11 @@
 redirect($CFG->httpswwwroot.'/login/index.php');
 }
- if (isguest()) { //TODO: add proper capability to edit own profile and change password too
+ if (isguest()) { //TODO: add proper capability to edit own profile
 print_error('guestnoeditprofile');
 }
- if (!$user = get_record('user', 'id', $USER->id)) {
+
+ if (!$user = get_record('user', 'id', $userid)) {
 error('User ID was incorrect');
 }
@@ -35,6 +37,22 @@
 redirect($CFG->wwwroot . "/user/view.php?course={$course->id}");
 }
+ // check access control
+ if ($user->id != $USER->id) {
+ // teachers, parents, etc.
+ $personalcontext = get_context_instance(CONTEXT_USER, $user->id);
+ require_capability('moodle/user:editprofile', $personalcontext);
+ // no editing of guest user account
+ if (isguestuser($user->id)) {
+ print_error('guestnoeditprofileother');
+ }
+ // no editing of primary admin!
+ $mainadmin = get_admin();
+ if ($user->id == $mainadmin->id) {
+ print_error('adminprimarynoedit');
+ }
+ }
+
 //load user preferences
 useredit_load_preferences($user);
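Review bot: The new access-control block (`if ($user->id != $USER->id)`) in the third hunk never rejects MNet remote users, although tabs.php in this same commit hides the edit tab for `is_mnet_remote_user($user)`; hiding a tab is not enforcement, so anyone holding moodle/user:editprofile in the target's user context can still open edit.php?id=N for a remote user, unless a guard sits in the part of edit.php between these hunks that is not shown. I would add, as the first check inside that block, `if (is_mnet_remote_user($user)) { error('Remote users can not be edited here'); }`, matching the `error()` style used two hunks up. The self-edit path remains gated only by `isguest()`, which the TODO on the same hunk already acknowledges; a short comment above the block, `// self-edit needs no capability yet (see TODO above); everything below is for editing someone else`, would make that split explicit.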
@@ -83,13 +101,15 @@
 // save custom profile fields data
 profile_save_data($usernew);
- // Override old $USER session variable
- $usernew = (array)get_record('user', 'id', $usernew->id); // reload from db
- foreach ($usernew as $variable => $value) {
- $USER->$variable = $value;
+ if ($USER->id == $user->id) {
+ // Override old $USER session variable if needed
+ $usernew = (array)get_record('user', 'id', $user->id); // reload from db
+ foreach ($usernew as $variable => $value) {
+ $USER->$variable = $value;
+ }
 }
- redirect("$CFG->wwwroot/user/view.php?id=$USER->id&course=$course->id");
+ redirect("$CFG->wwwroot/user/view.php?id=$user->id&course=$course->id");
 }
diff --git a/user/edit_form.php b/user/edit_form.php
index 11d80ceb3b..00cc480cbc 100644
--- a/user/edit_form.php
+++ b/user/edit_form.php
@@ -6,7 +6,7 @@ class user_edit_form extends moodleform {
 // Define the form
 function definition () {
- global $USER, $CFG, $COURSE;
+ global $CFG, $COURSE;
 $mform =& $this->_form;
 $this->set_upload_manager(new upload_manager('imagefile', false, false, null, false, 0, true, true, false));
@@ -37,7 +37,7 @@ class user_edit_form extends moodleform {
 }
 function definition_after_data() {
- global $USER, $CFG;
+ global $CFG;
 $mform =& $this->_form;
 $userid = $mform->getElementValue('id');
diff --git a/user/editadvanced.php b/user/editadvanced.php
index 42b079614c..b94045da39 100644
--- a/user/editadvanced.php
+++ b/user/editadvanced.php
@@ -19,20 +19,14 @@
 if ($id == -1) { // creating new user
- require_capability('moodle/user:create', get_context_instance(CONTEXT_SYSTEM, SITEID));
+ require_capability('moodle/user:create', get_context_instance(CONTEXT_SYSTEM));
 $user = new object();
 $user->id = -1;
 $user->auth = 'manual';
 $user->confirmed = 1;
 } else { // editing existing user
-
- if (!has_capability('moodle/user:update', get_context_instance(CONTEXT_SYSTEM, SITEID))
- && !has_capability('moodle/user:update', get_context_instance(CONTEXT_USER, $id))) {
- error('nopermission');
- }
-
-
+ require_capability('moodle/user:update', get_context_instance(CONTEXT_SYSTEM));
 if (!$user = get_record('user', 'id', $id)) {
 error('User ID was incorrect');
 }
@@ -144,17 +138,15 @@
 } else {
 redirect("$CFG->wwwroot/user/view.php?id=$USER->id&course=$course->id");
 }
- } elseif (has_capability('moodle/user:update', get_context_instance(CONTEXT_SYSTEM, SITEID))) {
- redirect("$CFG->wwwroot/$CFG->admin/user.php");
 } else {
- redirect($CFG->wwwroot . "/user/view.php?id=$id&course={$course->id}");
+ redirect("$CFG->wwwroot/$CFG->admin/user.php");
 }
 //never reached
 }
 /// Display page header
- if ($user->id == -1 or has_capability('moodle/user:update', get_context_instance(CONTEXT_SYSTEM, SITEID))) {
+ if ($user->id == -1 or ($user->id != $USER->id)) {
 $adminroot = admin_get_root();
 if ($user->id == -1) {
 admin_externalpage_setup('addnewuser', $adminroot);
@@ -196,7 +188,7 @@
 $userform->display();
 /// and proper footer
- if ($user->id == -1 or has_capability('moodle/user:update', get_context_instance(CONTEXT_SYSTEM, SITEID))) {
+ if ($user->id == -1 or ($user->id != $USER->id)) {
 admin_externalpage_print_footer($adminroot);
 } else if (!empty($USER->newadminuser)) {
 print_footer('none');
diff --git a/user/tabs.php b/user/tabs.php
index 420546e4ca..27cfdd91de 100644
--- a/user/tabs.php
+++ b/user/tabs.php
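Review bot: The existing-user branch of the first hunk now gates on system-level moodle/user:update alone, and nothing in it refuses the primary admin, the guest account or an MNet remote user — the refusals edit.php gains in this commit (`adminprimarynoedit`, `guestnoeditprofileother`) and the `$user->id != $mainadmin->id` gate in tabs.php have no counterpart visible here, so a direct editadvanced.php?id=<primary admin id> request from any other system-level updater passes this check unless it is caught in the part of the file between the hunks. I would add, right after `get_record` succeeds, `if ($user->id != $USER->id and $user->id == get_admin()->id) { print_error('adminprimarynoedit'); }` plus the matching `isguestuser($user->id)` test, keeping the self-edit case allowed because tabs.php routes system updaters editing themselves to this script. The code between the first and second hunks is outside my view, so treat this as something to confirm rather than a certain gap.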
@@ -87,7 +87,7 @@
 $toprow[] = new tabobject('profile', $CFG->wwwroot.'/user/view.php?id='.$user->id.'&course='.$course->id, get_string('profile'));
- $sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
+ $systemcontext = get_context_instance(CONTEXT_SYSTEM);
 $coursecontext = get_context_instance(CONTEXT_COURSE, $course->id);
 $personalcontext = get_context_instance(CONTEXT_USER, $user->id);
@@ -95,24 +95,42 @@
 $mainadmin = get_admin();
+ if(empty($CFG->loginhttps)) {
+ $wwwroot = $CFG->wwwroot;
+ } else {
+ $wwwroot = str_replace('http:','https:',$CFG->wwwroot);
+ }
+
+ $edittype = 'none';
 if (is_mnet_remote_user($user)) { // cannot edit remote users
- }
- else if ((!empty($USER->id) and ($USER->id == $user->id) and !isguest()) or
- ((has_capability('moodle/user:update', $sitecontext) || has_capability('moodle/user:update', $personalcontext)) and ($user->id != $mainadmin->id)) ) {
- if(empty($CFG->loginhttps)) {
- $wwwroot = $CFG->wwwroot;
+ } else if (isguest() or !isloggedin()) {
+ // can not edit guest like accounts - TODO: add capability to edit own profile
+
+ } else if ($USER->id == $user->id) {
+ if (has_capability('moodle/user:update', $systemcontext)) {
+ $edittype = 'advanced';
 } else {
- $wwwroot = str_replace('http:','https:',$CFG->wwwroot);
+ $edittype = 'normal';
 }
- if ((has_capability('moodle/user:update', $sitecontext) || has_capability('moodle/user:update', $personalcontext))and ($user->id==$USER->id or $user->id != $mainadmin->id)) {
- $toprow[] = new tabobject('editprofile', $wwwroot.'/user/editadvanced.php?id='.$user->id.'&course='.$course->id, get_string('editmyprofile'));
- } else {
- $toprow[] = new tabobject('editprofile', $wwwroot.'/user/edit.php?id='.$user->id.'&course='.$course->id, get_string('editmyprofile'));
+
+ } else if ($user->id != $mainadmin->id) {
+ //no editing of primary admin!
+ if (has_capability('moodle/user:update', $systemcontext)) {
+ $edittype = 'advanced';
+ } else if (has_capability('moodle/user:editprofile', $personalcontext)) {
+ //teachers, parents, etc.
+ $edittype = 'normal';
 }
 }
+ if ($edittype == 'advanced') {
+ $toprow[] = new tabobject('editprofile', $wwwroot.'/user/editadvanced.php?id='.$user->id.'&course='.$course->id, get_string('editmyprofile'));
+ } else if ($edittype == 'normal') {
+ $toprow[] = new tabobject('editprofile', $wwwroot.'/user/edit.php?id='.$user->id.'&course='.$course->id, get_string('editmyprofile'));
+ }
+
 /// Everyone can see posts for this user
 /// add logic to see course read posts permission
@@ -137,9 +155,9 @@
 require_once($CFG->dirroot.'/blog/lib.php');
 if ($CFG->bloglevel >= BLOG_USER_LEVEL and // blogs must be enabled
 (has_capability('moodle/user:readuserblogs', $personalcontext) // can review posts (parents etc)
- or has_capability('moodle/blog:manageentries', $sitecontext) // entry manager can see all posts
- or ($user->id == $USER->id and has_capability('moodle/blog:create', $sitecontext)) // viewing self
- or (has_capability('moodle/blog:view', $sitecontext) or has_capability('moodle/blog:view', $coursecontext))
+ or has_capability('moodle/blog:manageentries', $systemcontext) // entry manager can see all posts
+ or ($user->id == $USER->id and has_capability('moodle/blog:create', $systemcontext)) // viewing self
+ or (has_capability('moodle/blog:view', $systemcontext) or has_capability('moodle/blog:view', $coursecontext))
 ) // able to read blogs in site or course context
 ) { //end if
-- 2.39.5
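Review bot: The hoisted `if(empty($CFG->loginhttps)) ... str_replace('http:','https:',$CFG->wwwroot)` block at the top of the -95 hunk rebuilds the secure root by hand, while edit.php in this same commit redirects with `$CFG->httpswwwroot`; `$wwwroot = $CFG->httpswwwroot;` would replace the five-line if/else and keep both files agreeing on what the https root is, assuming that setting is derived from the same `loginhttps` switch (edit.php's use suggests so, but confirm before relying on it). Separately, the `$edittype` chain re-derives the decisions that edit.php and editadvanced.php make without enforcing any of them, so it deserves a comment above `$edittype = 'none';` such as `// only decides which tab to show; edit.php / editadvanced.php enforce the real checks, keep the three in step` so the next maintainer does not mistake this for the access control. The hunk begins on the previous source line, where the same script-level code continues.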