From d14edf06eec9a1454644f0cef2208d4b72db69a7 Mon Sep 17 00:00:00 2001
From: tjhunt
Date: Thu, 30 Jul 2009 03:44:10 +0000
Subject: [PATCH] blocks: MDL-19399 proper permissions checks for editing blocks.

In particular for editing sticky blocks. If the admin addes one at site level, then the teacher should not be able to change its configuration from the course page, but should be able to set the position on this page.
---
 blocks/edit_form.php         |  8 ++++++++
 blocks/moodleblock.class.php |  6 +++---
 lang/en_utf8/role.php        |  3 ++-
 lib/blocklib.php             | 16 ++++++++++------
 lib/db/access.php            | 11 +++++++++++
 version.php                  |  2 +-
 6 files changed, 35 insertions(+), 11 deletions(-)

diff --git a/blocks/edit_form.php b/blocks/edit_form.php
index b3d6c5faed..14bfa5fb8f 100644
--- a/blocks/edit_form.php
+++ b/blocks/edit_form.php
@@ -121,6 +121,14 @@ class block_edit_form extends moodleform {
         $mform->addElement('select', 'bui_weight', get_string('weight', 'block'), $weightoptions);
+        $pagefields = array('bui_visible', 'bui_region', 'bui_weight');
+        if (!$this->block->user_can_edit()) {
+            $mform->hardFreezeAllVisibleExcept($pagefields);
+        }
+        if (!$this->page->user_can_edit_blocks()) {
+            $mform->hardFreeze($pagefields);
+        }
+
         $this->add_action_buttons();
     }
diff --git a/blocks/moodleblock.class.php b/blocks/moodleblock.class.php
index 6adf0a7ff9..b161989a7a 100644
--- a/blocks/moodleblock.class.php
+++ b/blocks/moodleblock.class.php
@@ -649,7 +649,7 @@ class block_base {
      * @return boolean
      */
     function user_can_edit() {
-        return true;
+        return has_capability('moodle/block:edit', $this->context);
     }
     /**
@@ -660,11 +660,11 @@ class block_base {
      * @return boolean
      */
     function user_can_addto($page) {
-        return true;
+        return has_capability('moodle/block:edit', $page->context);
     }
     function get_extra_capabilities() {
-        return array('moodle/block:view');
+        return array('moodle/block:view', 'moodle/block:edit');
     }
     // Methods deprecated in Moodle 2.0 ========================================
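Review bot: The two hardFreeze calls in the edit_form.php hunk are the only thing stopping a user who has page-edit rights but not block-edit rights from changing the block's configuration (the handler in blocklib.php now admits anyone holding either capability), so a comment should record that the freeze is a permission control rather than a cosmetic one: `// These freezes are the permission check for the config fields: the form is rebuilt with the same checks when the submission is processed.` That only holds if the form is constructed with the same $this->block and $this->page on the POST request, which happens outside this hunk and is worth confirming. When the user has neither capability every field ends up frozen yet the form is still rendered with action buttons; rejecting that case explicitly would be clearer than rendering a form that can change nothing. The enclosing method starts before this hunk.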
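Review bot: In the moodleblock.class.php hunks, `user_can_edit()` now depends on `$this->context` being initialised, and a has_capability() call on an unset context would fail rather than deny, so the docblock (which starts before the hunk; only `@return boolean` is visible) should state the contract: `Whether the current user may change this block's settings: moodle/block:edit in the block's own context; requires $this->context to be set.` `user_can_addto($page)` checks the same capability in `$page->context` rather than the block context, and a subclass overriding either method needs to know which context is consulted, so its docblock deserves the matching sentence. `get_extra_capabilities()` advertising `moodle/block:edit` is consistent with both checks.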
diff --git a/lang/en_utf8/role.php b/lang/en_utf8/role.php
index 8dd53a5045..ed5995df4b 100644
--- a/lang/en_utf8/role.php
+++ b/lang/en_utf8/role.php
@@ -29,6 +29,7 @@ $string['blog:manageentries'] = 'Edit and manage entries';
 $string['blog:manageofficialtags'] = 'Manage official tags';
 $string['blog:managepersonaltags'] = 'Manage personal tags';
 $string['blog:view'] = 'View blog entries';
+$string['block:edit'] = 'Edit a block\'s settings';
 $string['block:view'] = 'View block';
 $string['calendar:manageentries'] = 'Manage any calendar entries';
 $string['calendar:managegroupentries'] = 'Manage group calendar entries';
@@ -218,7 +219,7 @@ $string['site:doclinks'] = 'Show links to offsite docs';
 $string['site:import'] = 'Import other courses into a course';
 $string['site:langeditlocal'] = 'Customize local translation';
 $string['site:langeditmaster'] = 'Edit master language packages';
-$string['site:manageblocks'] = 'Manage site-level blocks';
+$string['site:manageblocks'] = 'Manage blocks on a page';
 $string['site:mnetlogintoremote'] = 'Roam to a remote Moodle';
 $string['site:mnetloginfromremote'] = 'Login from a remote Moodle';
 $string['site:readallmessages'] = 'Read all messages on site';
diff --git a/lib/blocklib.php b/lib/blocklib.php
index 8e3b2488cb..d16ab6cfd9 100644
--- a/lib/blocklib.php
+++ b/lib/blocklib.php
@@ -821,7 +821,7 @@ class block_manager {
         $block = $this->page->blocks->find_instance($blockid);
-        if (!$block->user_can_edit() || !$this->page->user_can_edit_blocks()) {
+        if (!$this->page->user_can_edit_blocks()) {
             throw new moodle_exception('nopermissions', '', $this->page->url->out(), get_string('hideshowblocks'));
         }
@@ -852,7 +852,7 @@ class block_manager {
         $block = $this->find_instance($blockid);
-        if (!$block->user_can_edit() || !$this->page->user_can_edit_blocks()) {
+        if (!$block->user_can_edit() && !$this->page->user_can_edit_blocks()) {
             throw new moodle_exception('nopermissions', '', $this->page->url->out(), get_string('editblock'));
         }
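Review bot: The weakened check in the @@ -852 hunk, `!$block->user_can_edit() && !$this->page->user_can_edit_blocks()`, lets a user with only page-level rights reach the block configuration form, so restricting such a user to the position fields now rests entirely on block_edit_form freezing the rest; that division of responsibility is not stated here, so add above the `if`: `// Either capability is enough to open the form; block_edit_form freezes the fields the user may not change.` The @@ -821 hunk drops the per-block check entirely, which matches block_edit_controls showing the hide/show icons on page-edit rights alone, and a one-line comment there (`// Visibility is a page-level decision, not a per-block one.`) would keep someone from re-adding the block check later. Both enclosing methods start and end outside the hunks.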
@@ -1170,7 +1170,7 @@ function block_edit_controls($block, $page) {
                 'icon' => 'i/roles', 'caption' => get_string('assignroles', 'role'));
     }
-    if ($block->user_can_edit() && $page->user_can_edit_blocks()) {
+    if ($page->user_can_edit_blocks()) {
         // Show/hide icon.
         if ($block->instance->visible) {
             $controls[] = array('url' => $actionurl . '&bui_hideid=' . $block->instance->id,
@@ -1179,17 +1179,21 @@ function block_edit_controls($block, $page) {
             $controls[] = array('url' => $actionurl . '&bui_showid=' . $block->instance->id,
                     'icon' => 't/show', 'caption' => get_string('show'));
         }
+    }
+    if ($page->user_can_edit_blocks() || $block->user_can_edit()) {
         // Edit config icon - always show - needed for positioning UI.
         $controls[] = array('url' => $actionurl . '&bui_editid=' . $block->instance->id,
                 'icon' => 't/edit', 'caption' => get_string('configuration'));
+    }
+    if ($page->user_can_edit_blocks() && $block->user_can_edit() && $block->user_can_addto($page)) {
         // Delete icon.
-        if ($block->user_can_addto($page)) {
-            $controls[] = array('url' => $actionurl . '&bui_deleteid=' . $block->instance->id,
+        $controls[] = array('url' => $actionurl . '&bui_deleteid=' . $block->instance->id,
                 'icon' => 't/delete', 'caption' => get_string('delete'));
-        }
+    }
+    if ($page->user_can_edit_blocks()) {
         // Move icon.
         $controls[] = array('url' => $page->url->out(false, array('moveblockid' => $block->instance->id)),
                 'icon' => 't/move', 'caption' => get_string('move'));
diff --git a/lib/db/access.php b/lib/db/access.php
index 760fb54808..8ff7b5c3c5 100644
--- a/lib/db/access.php
+++ b/lib/db/access.php
@@ -1322,6 +1322,17 @@ $moodle_capabilities = array(
         )
     ),
+    'moodle/block:edit' => array(
+        'riskbitmask' => RISK_SPAM | RISK_XSS,
+
+        'captype' => 'write',
+        'contextlevel' => CONTEXT_BLOCK,
+        'legacy' => array(
+            'editingteacher' => CAP_ALLOW,
+            'coursecreator' => CAP_ALLOW
+        )
+    ),
+
     'moodle/portfolio:export' => array(
         'captype' => 'read',
         'contextlevel' => CONTEXT_SYSTEM,
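Review bot: In the @@ -1179 hunk the comment `// Edit config icon - always show - needed for positioning UI.` is now wrong, because the icon sits under `$page->user_can_edit_blocks() || $block->user_can_edit()`; replace it with `// Edit config icon: page editors need it for positioning, block editors for the settings.` `$page->user_can_edit_blocks()` is also evaluated in four separate conditions across this hunk and the @@ -1170 hunk, so a local such as `$caneditpage = $page->user_can_edit_blocks();` computed once would let the four permission rules read as one table and keep them from drifting apart. The block_edit_controls function ends outside the hunk.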
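Review bot: In the access.php hunk `moodle/block:edit` is declared at `CONTEXT_BLOCK`, yet this patch also checks it in the page context (`user_can_addto()` in moodleblock.class.php), so an override on an individual block's context governs editing and deleting but not adding; a comment on the definition should record both uses: `// Checked in the block context (edit settings) and in the page context (add/delete); see block_base.` The legacy array grants only editingteacher and coursecreator, while the commit message's scenario has an admin adding the sticky block, so confirm that site administrators obtain the capability by another route or they would be unable to configure the blocks they created. The `RISK_XSS` bit looks right given that block configuration presumably can carry HTML, and a short rationale next to the bitmask would help future reviewers.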
diff --git a/version.php b/version.php
index db6afe04f5..5294e9b30d 100644
--- a/version.php
+++ b/version.php
@@ -6,7 +6,7 @@
 // This is compared against the values stored in the database to determine
 // whether upgrades should be performed (see lib/db/*.php)
-    $version = 2009072700;  // YYYYMMDD   = date of the last version bump
+    $version = 2009073000;  // YYYYMMDD   = date of the last version bump
                             //         XX = daily increments
     $release = '2.0 dev (Build: 20090730)';  // Human-friendly version name
-- 
2.39.5