MDL-68936 core_contentbank: Checking manage permissions to allow editing

moodle · Jun 8, 2020 · 0633e60 · 0633e60
1 parent bbb7dfc
commit 0633e60
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 8 deletions.
diff --git a/contentbank/classes/contenttype.php b/contentbank/classes/contenttype.php
@@ -330,10 +330,13 @@ protected function is_manage_allowed(content $content): bool {
 
     /**
      * Returns whether or not the user has permission to use the editor.
+     * This function will be called with the content to be edited as parameter,
+     * or null when is checking permission to create a new content using the editor.
      *
+     * @param  content $content The content to be edited or null when creating a new content.
      * @return bool     True if the user can edit content. False otherwise.
      */
-    final public function can_edit(): bool {
+    final public function can_edit(?content $content = null): bool {
         if (!$this->is_feature_supported(self::CAN_EDIT)) {
             return false;
         }
@@ -342,19 +345,24 @@ final public function can_edit(): bool {
             return false;
         }
 
+        if (!is_null($content) && !$this->can_manage($content)) {
+            return false;
+        }
+
         $classname = 'contenttype/'.$this->get_plugin_name();
 
         $editioncap = $classname.':useeditor';
         $hascapabilities = has_all_capabilities(['moodle/contentbank:useeditor', $editioncap], $this->context);
-        return $hascapabilities && $this->is_edit_allowed();
+        return $hascapabilities && $this->is_edit_allowed($content);
     }
 
     /**
      * Returns plugin allows edition.
      *
+     * @param  content $content The content to be edited.
      * @return bool     True if plugin allows edition. False otherwise.
      */
-    protected function is_edit_allowed(): bool {
+    protected function is_edit_allowed(?content $content): bool {
         // Plugins can overwrite this function to add any check they need.
         return true;
     }

diff --git a/contentbank/classes/output/viewcontent.php b/contentbank/classes/output/viewcontent.php
@@ -75,7 +75,7 @@ public function export_for_template(renderer_base $output): stdClass {
         $data->contenthtml = $contenthtml;
 
         // Check if the user can edit this content type.
-        if ($this->contenttype->can_edit()) {
+        if ($this->contenttype->can_edit($this->content)) {
             $data->usercanedit = true;
             $urlparams = [
                 'contextid' => $this->content->get_contextid(),

diff --git a/contentbank/edit.php b/contentbank/edit.php
@@ -45,6 +45,7 @@
 } else {
     $contenttypename = "contenttype_$pluginname";
     $heading = get_string('addinganew', 'moodle', get_string('description', $contenttypename));
+    $content = null;
 }
 
 // Check plugin is enabled.
@@ -61,9 +62,9 @@
     print_error('unsupported', 'core_contentbank', $returnurl);
 }
 
-// Checks the user can edit this content type.
-if (!$contenttype->can_edit()) {
-    print_error('contenttypenoedit', 'core_contentbank', $returnurl, $contenttype->get_plugin_name());
+// Checks the user can edit this content and content type.
+if (!$contenttype->can_edit($content)) {
+    print_error('contenttypenoedit', 'core_contentbank', $returnurl);
 }
 
 $values = [

diff --git a/lang/en/contentbank.php b/lang/en/contentbank.php
@@ -32,7 +32,7 @@
 $string['contentrenamed'] = 'The content has been renamed.';
 $string['contentsmoved'] = 'Content bank contents moved to {$a}.';
 $string['contenttypenoaccess'] = 'You cannot view this {$a} instance.';
-$string['contenttypenoedit'] = 'You cannot edit contents of the {$a} content type.';
+$string['contenttypenoedit'] = 'You can not edit this content';
 $string['eventcontentcreated'] = 'Content created';
 $string['eventcontentdeleted'] = 'Content deleted';
 $string['eventcontentupdated'] = 'Content updated';