MDL-50576 mod_forum: Correct use of movedicussions cap when posting T…

…his is a partial backport of the logic added on MDL-50714 to post.php to prevent users to post to a forum without permission. The ability to view the group dropdown was too closely related to the movediscussions capability when posting, or editing a forum post. The movedicussions capability should only be considered for some parts of this logic. Users should be able to select the group to post to when writing message, as long as they have access to that group.
moodle · Sep 8, 2015 · 0bbeac0 · 0bbeac0
1 parent 7824b2f
commit 0bbeac0
Showing 1 changed file with 23 additions and 11 deletions.
diff --git a/mod/forum/post.php b/mod/forum/post.php
@@ -674,8 +674,6 @@
     // WARNING: the $fromform->message array has been overwritten, do not use it anymore!
     $fromform->messagetrust  = trusttext_trusted($modcontext);
 
-    $contextcheck = isset($fromform->groupinfo) && has_capability('mod/forum:movediscussions', $modcontext);
-
     if ($fromform->edit) {           // Updating a post
         unset($fromform->groupid);
         $fromform->id = $fromform->edit;
@@ -699,10 +697,15 @@
         }
 
         // If the user has access to all groups and they are changing the group, then update the post.
-        if ($contextcheck) {
+        if (isset($fromform->groupinfo) && has_capability('mod/forum:movediscussions', $modcontext)) {
             if (empty($fromform->groupinfo)) {
                 $fromform->groupinfo = -1;
             }
+
+            if (!forum_user_can_post_discussion($forum, $fromform->groupinfo, null, $cm, $modcontext)) {
+                print_error('cannotupdatepost', 'forum');
+            }
+
             $DB->set_field('forum_discussions' ,'groupid' , $fromform->groupinfo, array('firstpost' => $fromform->id));
         }
 
@@ -831,20 +834,28 @@
         exit;
 
     } else { // Adding a new discussion.
+        // The location to redirect to after successfully posting.
+        $redirectto = new moodle_url('view.php', array('f' => $fromform->forum));
+
         // Before we add this we must check that the user will not exceed the blocking threshold.
         forum_check_blocking_threshold($thresholdwarning);
 
-        if (!forum_user_can_post_discussion($forum, $fromform->groupid, -1, $cm, $modcontext)) {
-            print_error('cannotcreatediscussion', 'forum');
-        }
-        // If the user has access all groups capability let them choose the group.
-        if ($contextcheck) {
+        if (isset($fromform->groupinfo)) {
+            // Use the value provided in the dropdown group selection.
             $fromform->groupid = $fromform->groupinfo;
-        }
-        if (empty($fromform->groupid)) {
+
+            // Ensure that we redirect back to the group selected.
+            $redirectto->param('group', $fromform->groupid);
+        } else if (!isset($fromform->groupid) || empty($fromform->groupid)) {
+            // There was not value set in the hidden form element.
+            // Use the value for all participants instead.
             $fromform->groupid = -1;
         }
 
+        if (!forum_user_can_post_discussion($forum, $fromform->groupid, -1, $cm, $modcontext)) {
+            print_error('cannotcreatediscussion', 'forum');
+        }
+
         $fromform->mailnow = empty($fromform->mailnow) ? 0 : 1;
 
         $discussion = $fromform;
@@ -895,7 +906,8 @@
                 $completion->update_state($cm,COMPLETION_COMPLETE);
             }
 
-            redirect(forum_go_back_to("view.php?f=$fromform->forum"), $message.$subscribemessage, $timemessage);
+            // Redirect back to the discussion.
+            redirect(forum_go_back_to($redirectto->out()), $message . $subscribemessage, $timemessage);
 
         } else {
             print_error("couldnotadd", "forum", $errordestination);