From 11f91275999279be095198e8c7000d0b7eebb4c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Georg=20Mai=C3=9Fer?= <georg.maisser@wunderbyte.at>
Date: Wed, 10 Jul 2024 10:22:34 +0200
Subject: [PATCH] Improvment: Only show move to for cms where there is the
 right capability

---
 classes/option/fields/moveoption.php | 38 ++++++++++++++++++++--------
 1 file changed, 27 insertions(+), 11 deletions(-)

diff --git a/classes/option/fields/moveoption.php b/classes/option/fields/moveoption.php
index 2372df00..f55054b9 100644
--- a/classes/option/fields/moveoption.php
+++ b/classes/option/fields/moveoption.php
@@ -24,6 +24,7 @@
 
 namespace mod_booking\option\fields;
 
+use Exception;
 use mod_booking\booking_option_settings;
 use mod_booking\option\fields;
 use mod_booking\option\fields_info;
@@ -33,6 +34,7 @@
 use moodle_exception;
 use MoodleQuickForm;
 use stdClass;
+use context_module;
 
 /**
  * Class to handle one property of the booking_option_settings class.
@@ -131,7 +133,14 @@ public static function instance_form_definition(MoodleQuickForm &$mform, array &
             )"
         )) {
             foreach ($records as $record) {
-                $allowedinstances[$record->cmid] = "$record->bookingname ($record->coursename, ID: $record->cmid)";
+                // A user should only be able to move the option to a cm where she has access.
+                $context = context_module::instance($record->cmid);
+                if (
+                    has_capability('mod/booking:updatebooking', $context)
+                    || has_capability('mod/booking:addeditownoption', $context)
+                ) {
+                    $allowedinstances[$record->cmid] = "$record->bookingname ($record->coursename, ID: $record->cmid)";
+                }
             }
         }
 
@@ -180,17 +189,24 @@ public static function save_data(stdClass &$data, stdClass &$option): array {
             $instance = new moveoption();
             $changes = $instance->check_for_changes($data, $instance, '', 'moveoption', $option->bookingid);
 
-            $elements = get_course_and_cm_from_cmid((int)$data->moveoption);
-            $cm = $elements[1];
-
-            if ($option->bookingid != $cm->instance) {
-                $option->cmid = $cm->id;
-                $option->bookingid = $cm->instance;
-                $data->cmid = $cm->id;
-                $data->bookingid = $cm->instance;
-
-                $DB->update_record('booking_options', ['id' => $data->id, 'bookingid' => $cm->instance]);
+            try {
+                $elements = get_course_and_cm_from_cmid((int)$data->moveoption);
+                $cm = $elements[1];
+
+                if (!empty($cm) && ($option->bookingid != $cm->instance)) {
+                    $option->cmid = $cm->id;
+                    $option->bookingid = $cm->instance;
+                    $data->cmid = $cm->id;
+                    $data->bookingid = $cm->instance;
+
+                    $DB->update_record('booking_options', ['id' => $data->id, 'bookingid' => $cm->instance]);
+                }
+            } catch (Exception $e) {
+                // We don't want to throw an error here but just ignore it.
+                // Might occur when a cm is chosen that does not exist anymore.
+                $changes = [];
             }
+
         }
 
         return $changes;