From f5fc83e81892c8866be03fd5daeafb551d8df3c0 Mon Sep 17 00:00:00 2001
From: skodak
Date: Sat, 5 Jul 2008 14:52:39 +0000
Subject: [PATCH] MDL-15516 prvent access to deleted profiles and other user areas
---
 blog/index.php | 7 +++++++
 course/user.php | 9 ++++++++-
 message/discussion.php | 7 +++++++
 mod/forum/user.php | 7 +++++++
 notes/index.php | 8 ++++++++
 user/edit.php | 7 +++++++
 user/editadvanced.php | 7 +++++++
 user/view.php | 12 +++++++++---
 8 files changed, 60 insertions(+), 4 deletions(-)
diff --git a/blog/index.php b/blog/index.php
index 88b66c2d07..da23b2feaa 100755
--- a/blog/index.php
+++ b/blog/index.php
@@ -122,6 +122,13 @@ switch ($filtertype) {
 if (!$user = $DB->get_record('user', array('id'=>$filterselect))) {
 print_error('invaliduserid');
 }
+ if ($user->deleted) {
+ print_header();
+ print_heading(get_string('userdeleted'));
+ print_footer();
+ die;
+ }
+
 if ($USER->id == $filterselect) {
 if (!has_capability('moodle/blog:create', $sitecontext) and !has_capability('moodle/blog:view', $sitecontext)) {
diff --git a/course/user.php b/course/user.php
index 56ffa6703d..ee52a3b7d7 100644
--- a/course/user.php
+++ b/course/user.php
@@ -21,9 +21,16 @@
 print_error('invaliduserid', 'error');
 }
- //require_login($course);
+ require_login();
 $COURSE = clone($course);
+ if ($user->deleted) {
+ print_header();
+ print_heading(get_string('userdeleted'));
+ print_footer();
+ die;
+ }
+
 $coursecontext = get_context_instance(CONTEXT_COURSE, $id);
 $personalcontext = get_context_instance(CONTEXT_USER, $user->id);
diff --git a/message/discussion.php b/message/discussion.php
index aa84495084..025d0a62e6 100644
--- a/message/discussion.php
+++ b/message/discussion.php
@@ -22,6 +22,13 @@
 print_error('invaliduserid');
 }
+ if ($user->deleted) {
+ print_header();
+ print_heading(get_string('userdeleted'));
+ print_footer();
+ die;
+ }
+
 /// Check if frame&jsless mode selected
 if (!get_user_preferences('message_noframesjs', 0) and !$noframesjs) {
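Review bot: The six-line deleted-user guard inserted after the `get_record()` call here is repeated verbatim in every file of this patch, which is exactly the pattern that lets the next user-facing page forget it; a single shared helper doing the header/heading/footer/die, or simpler still a `'deleted'=>0` condition in the lookup, would make the check uniform. Folding it into the query — `if (!$user = $DB->get_record('user', array('id'=>$filterselect, 'deleted'=>0))) {` — also stops the page from confirming to any visitor that a given id once existed, at the cost of the friendlier 'userdeleted' message this commit chose. Whether a `require_login()` precedes this point in blog/index.php is not visible in the hunk, and the enclosing `switch ($filtertype)` case continues past it.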
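Review bot: `require_login()` is now called without `$course`, so the course's own visibility, guest and enrolment rules are not applied by this call, whereas the commented-out original passed `$course`; if the report is meant to be restricted to course members, `require_login($course);` is the stronger form, unless a capability check on `$coursecontext` further down (outside the hunk) already covers it. The ordering is otherwise right: the deleted check runs after authentication, so anonymous requests cannot enumerate which user ids are deleted. A one-line comment such as `// Must be logged in before anything about the target user is revealed.` above the `require_login()` call would record that intent.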
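Review bot: The deleted check sits directly after the user lookup, but nothing in the hunk shows a `require_login()` before it; if login is only enforced later in message/discussion.php, an unauthenticated visitor can learn whether an id belongs to a deleted account from the 'userdeleted' page. Confirm the ordering and, if needed, move the guard below the login check. The frame/no-frame branching that follows is unaffected either way, since `die` ends the request before either mode renders.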
diff --git a/mod/forum/user.php b/mod/forum/user.php
index 6d93d01572..68b4faf438 100644
--- a/mod/forum/user.php
+++ b/mod/forum/user.php
@@ -33,6 +33,13 @@
 require_course_login($course);
 }
+ if ($user->deleted) {
+ print_header();
+ print_heading(get_string('userdeleted'));
+ print_footer($course);
+ die;
+ }
+
 add_to_log($course->id, "forum", "user report", "user.php?course=$course->id&id=$user->id&mode=$mode", "$user->id");
diff --git a/notes/index.php b/notes/index.php
index 5f93610cbf..2ebb673423 100644
--- a/notes/index.php
+++ b/notes/index.php
@@ -37,6 +37,14 @@
 }
 $filtertype = 'user';
 $filterselect = $user->id;
+
+ if ($user->deleted) {
+ print_header();
+ print_heading(get_string('userdeleted'));
+ print_footer();
+ die;
+ }
+
 } else {
 $filtertype = 'course';
 $filterselect = $course->id;
diff --git a/user/edit.php b/user/edit.php
index 2298e7963a..79814bc4cf 100644
--- a/user/edit.php
+++ b/user/edit.php
@@ -89,6 +89,13 @@
 }
 }
+ if ($user->deleted) {
+ print_header();
+ print_heading(get_string('userdeleted'));
+ print_footer($course);
+ die;
+ }
+
 //load user preferences
 useredit_load_preferences($user);
diff --git a/user/editadvanced.php b/user/editadvanced.php
index 8d3f88ebae..562568ccd0 100644
--- a/user/editadvanced.php
+++ b/user/editadvanced.php
@@ -52,6 +52,13 @@
 print_error('guestnoeditprofileother');
 }
+ if ($user->deleted) {
+ print_header();
+ print_heading(get_string('userdeleted'));
+ print_footer($course);
+ die;
+ }
+
 //load user preferences
 useredit_load_preferences($user);
diff --git a/user/view.php b/user/view.php
index 6aee0643e5..2c8c3c9fcd 100644
--- a/user/view.php
+++ b/user/view.php
@@ -142,6 +142,10 @@
 if ($user->deleted) {
 print_heading(get_string('userdeleted'));
+ if (!has_capability('moodle/user:update', $coursecontext)) {
+ print_footer($course);
+ die;
+ }
 }
 /// OK, security out the way, now we are showing the user
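Review bot: The guard covers only the `$filtertype = 'user'` branch; the `else` branch that lists notes by course is untouched, so notes whose subject is a deleted user will still appear in course listings unless the notes query itself excludes deleted users, and that query is outside this patch. Either add a `deleted = 0` condition where the course-side listing joins the user table, or document here why the course view intentionally keeps those notes, e.g. `// The course listing is not filtered by deleted state; see the notes query.` The enclosing if/else begins above the hunk.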
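Review bot: `$user->deleted` is read unconditionally, but editadvanced.php also serves the create-new-user path (`id == -1`), where `$user` is typically built as a fresh object rather than loaded from the table; if that object does not set `deleted`, this line raises an undefined-property notice under debugging. Guarding with `if (!empty($user->deleted)) {`, or setting `$user->deleted = 0` in the create branch (outside this hunk), avoids it. Otherwise the placement — after the guest/self checks and before preferences and the form are built, so no POST is processed for a deleted account — is where the check belongs.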
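Review bot: The new `moodle/user:update` branch lets privileged users keep reading a deleted profile, but nothing explains why, and the comment just below it, `/// OK, security out the way`, now reads wrong because a deleted record is still being rendered for that path. Add a why-comment above the capability check, e.g. `// Account managers may still inspect a deleted profile; everyone else stops here.` The capability is evaluated in `$coursecontext`, so anyone granted user:update at course level would also pass; if only site-level account managers are meant to get through, check it in the system context instead. The later hunks hide tabs, login-as and messaging on this path, but any other per-user links rendered further down in view.php remain visible to the privileged viewer.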
@@ -171,7 +175,9 @@
 $currenttab = 'profile';
 $showroles = 1;
- include('tabs.php');
+ if (!$user->deleted) {
+ include('tabs.php');
+ }
 if (is_mnet_remote_user($user)) {
 $sql = "
@@ -458,7 +464,7 @@
 }
 }
- if ($USER->id != $user->id && empty($USER->realuser) && has_capability('moodle/user:loginas', $coursecontext) &&
+ if (!$user->deleted and $USER->id != $user->id && empty($USER->realuser) && has_capability('moodle/user:loginas', $coursecontext) &&
 ! has_capability('moodle/site:doanything', $coursecontext, $user->id, false)) {
 echo '
'; echo '
';
@@ -470,7 +476,7 @@
 echo '';
 }
- if (!empty($CFG->messaging) and !isguest() and has_capability('moodle/site:sendmessage', get_context_instance(CONTEXT_SYSTEM))) {
+ if (!$user->deleted and !empty($CFG->messaging) and !isguest() and has_capability('moodle/site:sendmessage', get_context_instance(CONTEXT_SYSTEM))) {
 if (!empty($USER->id) and ($USER->id == $user->id)) {
 if ($countmessages = $DB->count_records('message', array('useridto'=>$user->id))) {
 $messagebuttonname = get_string("messages", "message")."($countmessages)";
-- 2.39.5
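Review bot: The rewritten login-as condition mixes `and` with `&&` in one expression; `and` binds more loosely than `&&` (and than `=`), which is harmless inside this `if` but is the classic PHP precedence trap and hurts readability — `!$user->deleted && $USER->id != $user->id && empty($USER->realuser) && ...` matches the rest of the line. Hiding the form is also only cosmetic: course/loginas.php is not part of this patch, so a user holding `moodle/user:loginas` can still submit the request by URL, and that script should reject a deleted target itself. The `if` body opened here closes outside the hunk.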