From 0bbeac0d0de4561a598cd09c959d032f7924806c Mon Sep 17 00:00:00 2001
From: Andrew Nicols
Date: Tue, 8 Sep 2015 14:12:34 +0800
Subject: [PATCH] MDL-50576 mod_forum: Correct use of movedicussions cap when posting

This is a partial backport of the logic added on MDL-50714 to post.php to prevent users to post to a forum without permission. The ability to view the group dropdown was too closely related to the movediscussions capability when posting, or editing a forum post. The movedicussions capability should only be considered for some parts of this logic. Users should be able to select the group to post to when writing message, as long as they have access to that group.

---
 mod/forum/post.php | 34 +++++++++++++++++++++++-----------
 1 file changed, 23 insertions(+), 11 deletions(-)

diff --git a/mod/forum/post.php b/mod/forum/post.php
index 355d676d7dd52..5fa7610d614a9 100644
--- a/mod/forum/post.php
+++ b/mod/forum/post.php
@@ -674,8 +674,6 @@
     // WARNING: the $fromform->message array has been overwritten, do not use it anymore!
     $fromform->messagetrust = trusttext_trusted($modcontext);
 
-    $contextcheck = isset($fromform->groupinfo) && has_capability('mod/forum:movediscussions', $modcontext);
-
     if ($fromform->edit) { // Updating a post
         unset($fromform->groupid);
         $fromform->id = $fromform->edit;
@@ -699,10 +697,15 @@
         }
 
         // If the user has access to all groups and they are changing the group, then update the post.
-        if ($contextcheck) {
+        if (isset($fromform->groupinfo) && has_capability('mod/forum:movediscussions', $modcontext)) {
             if (empty($fromform->groupinfo)) {
                 $fromform->groupinfo = -1;
             }
+
+            if (!forum_user_can_post_discussion($forum, $fromform->groupinfo, null, $cm, $modcontext)) {
+                print_error('cannotupdatepost', 'forum');
+            }
+
             $DB->set_field('forum_discussions' ,'groupid' , $fromform->groupinfo, array('firstpost' => $fromform->id));
         }
 
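Review bot: The comment above the rewritten condition, `// If the user has access to all groups and they are changing the group, then update the post.`, no longer describes it: the gate is now the mod/forum:movediscussions capability plus a submitted `groupinfo`, and the added `forum_user_can_post_discussion()` call further requires that the user may post to the target group. Suggest rewording it to `// Only users who can move discussions may change the group, and only to a group they can post to.`. The `empty($fromform->groupinfo)` normalisation to -1 runs before the permission check, so the check is made against the same value that `set_field()` writes, which is the right order. The enclosing `if ($fromform->edit)` block opens in the previous hunk and closes after this one.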
@@ -831,20 +834,28 @@
         exit;
 
     } else { // Adding a new discussion.
+        // The location to redirect to after successfully posting.
+        $redirectto = new moodle_url('view.php', array('f' => $fromform->forum));
+
         // Before we add this we must check that the user will not exceed the blocking threshold.
         forum_check_blocking_threshold($thresholdwarning);
 
-        if (!forum_user_can_post_discussion($forum, $fromform->groupid, -1, $cm, $modcontext)) {
-            print_error('cannotcreatediscussion', 'forum');
-        }
-
         // If the user has access all groups capability let them choose the group.
-        if ($contextcheck) {
+        if (isset($fromform->groupinfo)) {
+            // Use the value provided in the dropdown group selection.
             $fromform->groupid = $fromform->groupinfo;
-        }
-        if (empty($fromform->groupid)) {
+
+            // Ensure that we redirect back to the group selected.
+            $redirectto->param('group', $fromform->groupid);
+        } else if (!isset($fromform->groupid) || empty($fromform->groupid)) {
+            // There was not value set in the hidden form element.
+            // Use the value for all participants instead.
             $fromform->groupid = -1;
         }
+        if (!forum_user_can_post_discussion($forum, $fromform->groupid, -1, $cm, $modcontext)) {
+            print_error('cannotcreatediscussion', 'forum');
+        }
+
         $fromform->mailnow = empty($fromform->mailnow) ? 0 : 1;
 
         $discussion = $fromform;
@@ -895,7 +906,8 @@
             $completion->update_state($cm,COMPLETION_COMPLETE);
         }
 
-        redirect(forum_go_back_to("view.php?f=$fromform->forum"), $message.$subscribemessage, $timemessage);
+        // Redirect back to the discussion.
+        redirect(forum_go_back_to($redirectto->out()), $message . $subscribemessage, $timemessage);
     } else {
         print_error("couldnotadd", "forum", $errordestination);
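Review bot: The `isset($fromform->groupinfo)` branch copies the dropdown value straight into `$fromform->groupid` without the `empty()` normalisation that the edit branch in the previous hunk applies, and the removed `if (empty($fromform->groupid))` fallback no longer runs in that case; if the selector can submit an empty value for "all participants", the discussion is now permission-checked and stored with groupid 0 instead of -1. Suggest `$fromform->groupid = empty($fromform->groupinfo) ? -1 : $fromform->groupinfo;` while leaving the redirect `group` param on the submitted value. Separately, `!isset($fromform->groupid) || empty($fromform->groupid)` is redundant because `empty()` is already true for an unset property, so `} else if (empty($fromform->groupid)) {` is equivalent. Moving `forum_user_can_post_discussion()` below the group resolution is the right order, since the check now sees the groupid that will be persisted. The enclosing `else` block continues past the end of this hunk.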