
MDL-31834 message: fixed up some not quite correct usage of moodle/si…

…te:readallmessages
1 parent 651cf35 commit 01496962740afca2f19e9566fec1df3307468ee7 @andyjdavis andyjdavis committed with stronk7 Mar 1, 2012
Showing with 13 additions and 2 deletions.
  1. +8 −2 message/index.php
  2. +5 −0 message/lib.php
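--- a/message/index.php
+++ b/message/index.php
@@ -116,8 +116,14 @@
 }
 unset($user2id);
-//the current user isnt involved in this discussion at all
-if ($user1->id != $USER->id && (!empty($user2) && $user2->id != $USER->id) && !has_capability('moodle/site:readallmessages', $context)) {
+// Is the user involved in the conversation?
+// Do they have the ability to read other user's conversations?
+// There will always be a $user1
+// but $user2 may be null. For example, if viewing $user1's recent conversations
+if ($user1->id != $USER->id
+ && (empty($user2) || $user2->id != $USER->id)
+ && !has_capability('moodle/site:readallmessages', $context)){
+
 print_error('accessdenied','admin');
 }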
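Review bot: The guard passes `$context` to `has_capability()`, but `$context` is assigned outside this hunk, so it is not visible here that the site-level capability is evaluated at system context the way the `message/lib.php` change does with `get_context_instance(CONTEXT_SYSTEM)`; that is worth confirming. The new comment block asks questions instead of stating the rule, and a line such as `// Deny access unless the current user is $user1 or $user2, or holds moodle/site:readallmessages.` would make the authorization decision explicit for the next maintainer. The blank line after the opening brace and the missing space before `{` also differ from the style of the line being replaced.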
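--- a/message/lib.php
+++ b/message/lib.php
@@ -1533,6 +1533,11 @@ function message_search($searchterms, $fromme=true, $tome=true, $courseid='none'
 ///
 global $CFG, $USER, $DB;
+ // If user is searching all messages check they are allowed to before doing anything else
+ if ($courseid == SITEID && !has_capability('moodle/site:readallmessages', get_context_instance(CONTEXT_SYSTEM))) {
+ print_error('accessdenied','admin');
+ }
+
 /// If no userid sent then assume current user
 if ($userid == 0) $userid = $USER->id;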
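Review bot: The new check in `message_search()` covers only the `$courseid == SITEID` path, while the visible lines accept any non-zero `$userid` as given (`if ($userid == 0) $userid = $USER->id;`). Whether a caller without `moodle/site:readallmessages` can search on behalf of another user therefore depends on code outside this hunk and should be confirmed. If callers can supply an arbitrary id, a guard placed after the default is applied, such as `if ($userid != $USER->id && !has_capability('moodle/site:readallmessages', get_context_instance(CONTEXT_SYSTEM))) { print_error('accessdenied','admin'); }`, would keep the two entry points consistent. The function body begins before and continues past the hunk.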
