MDL-31834 message: fixed up some not quite correct usage of moodle/si…

…te:readallmessages
commit 48e03792ca8faa2d781f9ef74606f3b3f0d3baec 1 parent e4db653
@andyjdavis andyjdavis authored stronk7 committed
Showing with 13 additions and 2 deletions.
  1. +8 −2 message/index.php
  2. +5 −0 message/lib.php
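--- a/message/index.php
+++ b/message/index.php
@@ -115,8 +115,14 @@
 }
 unset($user2id);
-//the current user isnt involved in this discussion at all
-if ($user1->id != $USER->id && (!empty($user2) && $user2->id != $USER->id) && !has_capability('moodle/site:readallmessages', $context)) {
+// Is the user involved in the conversation?
+// Do they have the ability to read other user's conversations?
+// There will always be a $user1
+// but $user2 may be null. For example, if viewing $user1's recent conversations
+if ($user1->id != $USER->id
+ && (empty($user2) || $user2->id != $USER->id)
+ && !has_capability('moodle/site:readallmessages', $context)){
+
 print_error('accessdenied','admin');
 }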
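Review bot: Confirm that `$context` in the rewritten condition is the system context. It is assigned outside this hunk, whereas the guard added to message/lib.php in this same commit checks `moodle/site:readallmessages` against `get_context_instance(CONTEXT_SYSTEM)`. If `$context` here were narrower, a role assignment or override at that level could satisfy a check that is meant to be site-wide. The four new comment lines ask questions instead of stating the rule; I would replace them with `// Deny access unless the current user is a participant ($user1, or $user2 when set) or holds moodle/site:readallmessages.`. Style: `){` needs a space before the brace, and the blank line after it can go.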
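--- a/message/lib.php
+++ b/message/lib.php
@@ -1528,6 +1528,11 @@ function message_search($searchterms, $fromme=true, $tome=true, $courseid='none'
 ///
 global $CFG, $USER, $DB;
+ // If user is searching all messages check they are allowed to before doing anything else
+ if ($courseid == SITEID && !has_capability('moodle/site:readallmessages', get_context_instance(CONTEXT_SYSTEM))) {
+ print_error('accessdenied','admin');
+ }
+
 /// If no userid sent then assume current user
 if ($userid == 0) $userid = $USER->id;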
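Review bot: The added guard only covers `$courseid == SITEID`, so nothing visible in this hunk stops a caller from passing a `$userid` that is not the current user's. The statement after the guard only defaults `$userid` when it is 0. The rest of message_search is outside the hunk, so this may already be handled further down or by its callers. If `$userid` does select whose messages are searched, the same capability should gate that case, placed after the default: `if ($userid != $USER->id && !has_capability('moodle/site:readallmessages', get_context_instance(CONTEXT_SYSTEM))) { print_error('accessdenied','admin'); }`.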