
MDL-37710 Assign: Fix pluginfile permission checks for student viewin…

…g their own team submission.

This change adds a function to the assign class to allow the permissions for a group submission
to be checked and updates all the submission plugins to call it.

Conflicts:

	mod/assign/locallib.php
	mod/assign/submission/file/lib.php
	mod/assign/submission/onlinetext/lib.php
commit 3cf3ecd90f03fe95ff785c472ac6b685b45cc1c7 1 parent 92a7501
Damyon Wiese damyon authored
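--- a/mod/assign/locallib.php
+++ b/mod/assign/locallib.php
@@ -2670,7 +2670,31 @@ private function is_graded($userid) {
 /**
- * Perform an access check to see if the current $USER can view this users submission
+ * Perform an access check to see if the current $USER can view this group submission.
+ *
+ * @param int $groupid
+ * @return bool
+ */
+ public function can_view_group_submission($groupid) {
+ global $USER;
+
+ if (!is_enrolled($this->get_course_context(), $USER->id)) {
+ return false;
+ }
+ if (has_capability('mod/assign:grade', $this->context)) {
+ return true;
+ }
+ $members = $this->get_submission_group_members($groupid, true);
+ foreach ($members as $member) {
+ if ($member->id == $USER->id) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+ /**
+ * Perform an access check to see if the current $USER can view this users submission.
 *
 * @param int $userid
 * @return bool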
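Review bot: In `can_view_group_submission` the `is_enrolled()` test runs before the `mod/assign:grade` test, so a user who holds the grading capability without an enrolment in the course is refused. The plugin checks removed elsewhere in this commit let anyone with `mod/assign:grade` through once `require_login()` had passed, so this narrows access for such graders. If that is not intended, move `if (has_capability('mod/assign:grade', $this->context)) { return true; }` above the enrolment check. The docblock should also say what a `$groupid` of 0 means, since that depends on `get_submission_group_members()`, whose body is outside this hunk.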
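--- a/mod/assign/submission/comments/lib.php
+++ b/mod/assign/submission/comments/lib.php
@@ -92,21 +92,15 @@ function assignsubmission_comments_comment_permissions(stdClass $options) {
 if ($assignment->get_instance()->id != $submission->assignment) {
 throw new comment_exception('invalidcontext');
 }
- if (!has_capability('mod/assign:grade', $context)) {
- if (!has_capability('mod/assign:submit', $context)) {
- return array('post' => false, 'view' => false);
- } else if ($assignment->get_instance()->teamsubmission) {
- $group = $assignment->get_submission_group($USER->id);
- $groupid = 0;
- if ($group) {
- $groupid = $group->id;
- }
- if ($groupid != $submission->groupid) {
- return array('post' => false, 'view' => false);
- }
- } else if ($submission->userid != $USER->id) {
- return array('post' => false, 'view' => false);
- }
+
+ if ($assignment->get_instance()->teamsubmission &&
+ !$assignment->can_view_group_submission($submission->groupid)) {
+ return array('post' => false, 'view' => false);
+ }
+
+ if (!$assignment->get_instance()->teamsubmission &&
+ !$assignment->can_view_submission($submission->userid)) {
+ return array('post' => false, 'view' => false);
 }
 return array('post' => true, 'view' => true);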
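Review bot: The team-submission branch no longer requires `mod/assign:submit`. The removed block refused any non-grader without that capability, while `can_view_group_submission()` as added in locallib.php checks only enrolment, `mod/assign:grade` and group membership. Because this function grants `'post' => true` together with `'view' => true`, an enrolled group member whose submit capability has been withdrawn can presumably still post comments. If that is not intended, keep the old guard ahead of the new checks: `if (!has_capability('mod/assign:grade', $context) && !has_capability('mod/assign:submit', $context)) { return array('post' => false, 'view' => false); }`. Whether `can_view_submission()` covers this on the non-team path cannot be seen from here, and the function body starts outside the hunk.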
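--- a/mod/assign/submission/file/lib.php
+++ b/mod/assign/submission/file/lib.php
@@ -34,8 +34,13 @@
 * @param bool $forcedownload
 * @return bool false if file not found, does not return if found - just send the file
 */
-function assignsubmission_file_pluginfile($course, $cm, context $context, $filearea, $args, $forcedownload) {
- global $USER, $DB;
+function assignsubmission_file_pluginfile($course,
+ $cm,
+ context $context,
+ $filearea,
+ $args,
+ $forcedownload) {
+ global $DB, $CFG;
 if ($context->contextlevel != CONTEXT_MODULE) {
 return false;
@@ -43,19 +48,28 @@ function assignsubmission_file_pluginfile($course, $cm, context $context, $filea
 require_login($course, false, $cm);
 $itemid = (int)array_shift($args);
- $record = $DB->get_record('assign_submission', array('id'=>$itemid), 'userid, assignment', MUST_EXIST);
+ $record = $DB->get_record('assign_submission',
+ array('id'=>$itemid),
+ 'userid, assignment, groupid',
+ MUST_EXIST);
 $userid = $record->userid;
+ $groupid = $record->groupid;
- if (!$assign = $DB->get_record('assign', array('id'=>$cm->instance))) {
+ require_once($CFG->dirroot . '/mod/assign/locallib.php');
+
+ $assign = new assign($context, $cm, $course);
+
+ if ($assign->get_instance()->id != $record->assignment) {
 return false;
 }
- if ($assign->id != $record->assignment) {
+ if ($assign->get_instance()->teamsubmission &&
+ !$assign->can_view_group_submission($groupid)) {
 return false;
 }
- // check is users submission or has grading permission
- if ($USER->id != $userid and !has_capability('mod/assign:grade', $context)) {
+ if (!$assign->get_instance()->teamsubmission &&
+ !$assign->can_view_submission($userid)) {
 return false;
 }
@@ -64,7 +78,7 @@ function assignsubmission_file_pluginfile($course, $cm, context $context, $filea
 $fullpath = "/{$context->id}/assignsubmission_file/$filearea/$itemid/$relativepath";
 $fs = get_file_storage();
- if (!$file = $fs->get_file_by_hash(sha1($fullpath)) or $file->is_directory()) {
+ if (!($file = $fs->get_file_by_hash(sha1($fullpath))) || $file->is_directory()) {
 return false;
 }
 send_stored_file($file, 0, 0, true); // download MUST be forced - security!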
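Review bot: The access rule in the second hunk is chosen from the assignment's current `teamsubmission` setting, not from the fetched `assign_submission` row, so a row that does not fit that mode is still judged by the other mode's rule. If team submissions are switched on after individual submissions exist, those rows would reach `can_view_group_submission()` with whatever `groupid` they carry (presumably 0), and the outcome then depends on how `get_submission_group_members()` treats that id, which is not visible here. It is worth adding a comment stating which `userid`/`groupid` combinations are expected in each mode, and returning false for a row that does not match, if such rows never own files. The same pattern is added to `assignsubmission_onlinetext_pluginfile` in submission/onlinetext/lib.php. The function body continues outside these hunks.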
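--- a/mod/assign/submission/onlinetext/lib.php
+++ b/mod/assign/submission/onlinetext/lib.php
@@ -35,7 +35,7 @@
 * @return bool false if file not found, does not return if found - just send the file
 */
 function assignsubmission_onlinetext_pluginfile($course, $cm, context $context, $filearea, $args, $forcedownload) {
- global $USER, $DB;
+ global $DB, $CFG;
 if ($context->contextlevel != CONTEXT_MODULE) {
 return false;
@@ -43,19 +43,28 @@ function assignsubmission_onlinetext_pluginfile($course, $cm, context $context,
 require_login($course, false, $cm);
 $itemid = (int)array_shift($args);
- $record = $DB->get_record('assign_submission', array('id'=>$itemid), 'userid, assignment', MUST_EXIST);
+ $record = $DB->get_record('assign_submission',
+ array('id'=>$itemid),
+ 'userid, assignment, groupid',
+ MUST_EXIST);
 $userid = $record->userid;
+ $groupid = $record->groupid;
- if (!$assign = $DB->get_record('assign', array('id'=>$cm->instance))) {
+ require_once($CFG->dirroot . '/mod/assign/locallib.php');
+
+ $assign = new assign($context, $cm, $course);
+
+ if ($assign->get_instance()->id != $record->assignment) {
 return false;
 }
- if ($assign->id != $record->assignment) {
+ if ($assign->get_instance()->teamsubmission &&
+ !$assign->can_view_group_submission($groupid)) {
 return false;
 }
- // check is users submission or has grading permission
- if ($USER->id != $userid and !has_capability('mod/assign:grade', $context)) {
+ if (!$assign->get_instance()->teamsubmission &&
+ !$assign->can_view_submission($userid)) {
 return false;
 }
@@ -64,7 +73,7 @@ function assignsubmission_onlinetext_pluginfile($course, $cm, context $context,
 $fullpath = "/{$context->id}/assignsubmission_onlinetext/$filearea/$itemid/$relativepath";
 $fs = get_file_storage();
- if (!$file = $fs->get_file_by_hash(sha1($fullpath)) or $file->is_directory()) {
+ if (!($file = $fs->get_file_by_hash(sha1($fullpath))) || $file->is_directory()) {
 return false;
 }
 send_stored_file($file, 0, 0, true); // download MUST be forced - security!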
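Review bot: The authorisation checks in the second hunk are a line-for-line copy of the ones added to submission/file/lib.php, and the comment that explained the old check is deleted without a replacement. Keeping the team/non-team decision in one method on `assign` that takes the submission record would leave a single place to audit when the rule changes, instead of three with comments/lib.php included. At minimum, add a line such as `// Access is decided by the assign class: group rule for team assignments, per-user rule otherwise.` above the two checks. The function body continues outside these hunks.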