From 5e9dd950a14e73e113fe6e2af0b7b57d31e83dce Mon Sep 17 00:00:00 2001
From: Shamim Rezaie
Date: Tue, 2 Jul 2019 03:40:42 +1000
Subject: [PATCH] MDL-61115: mod_lesson: Check if the teacher can access the override
---
 mod/lesson/overridedelete.php | 10 ++++++++++
 mod/lesson/overrideedit.php | 10 ++++++++++
 2 files changed, 20 insertions(+)
diff --git a/mod/lesson/overridedelete.php b/mod/lesson/overridedelete.php
index 8f23eb8053e0b..bd213e00a73d3 100644
--- a/mod/lesson/overridedelete.php
+++ b/mod/lesson/overridedelete.php
@@ -49,6 +49,16 @@
 // Check the user has the required capabilities to modify an override.
 require_capability('mod/lesson:manageoverrides', $context);
 
+if ($override->groupid) {
+ if (!groups_group_visible($override->groupid, $course, $cm)) {
+ print_error('invalidoverrideid', 'lesson');
+ }
+} else {
+ if (!groups_user_groups_visible($course, $override->userid, $cm)) {
+ print_error('invalidoverrideid', 'lesson');
+ }
+}
+
 $url = new moodle_url('/mod/lesson/overridedelete.php', array('id' => $override->id));
 $confirmurl = new moodle_url($url, array('id' => $override->id, 'confirm' => 1));
 $cancelurl = new moodle_url('/mod/lesson/overrides.php', array('cmid' => $cm->id));
diff --git a/mod/lesson/overrideedit.php b/mod/lesson/overrideedit.php
index 0268b35e8f65f..68f8251d9dc0f 100644
--- a/mod/lesson/overrideedit.php
+++ b/mod/lesson/overrideedit.php
@@ -76,6 +76,16 @@
 if ($overrideid) {
 // Editing an override.
 $data = clone $override;
+
+ if ($override->groupid) {
+ if (!groups_group_visible($override->groupid, $course, $cm)) {
+ print_error('invalidoverrideid', 'lesson');
+ }
+ } else {
+ if (!groups_user_groups_visible($course, $override->userid, $cm)) {
+ print_error('invalidoverrideid', 'lesson');
+ }
+ }
 } else {
 // Creating a new override.
 $data = new stdClass();
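Review bot: The added group-visibility check in overridedelete.php is a second authorization gate after `require_capability()`, yet it has no comment saying so and is copied verbatim into the edit branch of mod/lesson/overrideedit.php, so the two entry points can drift apart when one is changed later. I would move the if/else into one shared helper that both scripts call (the name is only a suggestion), `if (!lesson_override_is_visible($override, $course, $cm)) { print_error('invalidoverrideid', 'lesson'); }`, and head it with `// Deny access to overrides for groups or users outside the groups this user can see.`. Reusing `invalidoverrideid` looks deliberate and is worth keeping: presumably it is the same error an unknown id produces, so the response does not confirm that a hidden override exists. The rest of the script, including the confirmed delete, lies outside the hunk; the check has to stay ahead of it.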
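Review bot: The visibility check in overrideedit.php covers only the `if ($overrideid)` branch, so the `else` branch that creates a new override gets no equivalent test in this hunk. If the submitted `groupid` or `userid` is not validated elsewhere (the form definition and the save path are outside the hunk, so this cannot be confirmed from here), a teacher limited to their own groups could still save an override for a group or user they cannot see. I would run the same `groups_group_visible()` / `groups_user_groups_visible()` test on the submitted values before the record is written, and until then mark the gap in the else branch with `// TODO: check the submitted groupid/userid against the user's visible groups before saving.`. A loaded record with neither `groupid` nor `userid` set falls into the user branch with an empty `userid`; it is worth confirming that this case cannot occur.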