MDL-31763 - data - users can only override their own presets unless t…

…hey have manage presets permission.
commit 541685ec20c90200502f2689e8b433ce28570b0b 1 parent e16e230
@abgreeve abgreeve authored
Showing with 46 additions and 6 deletions.
  1. +20 −0 mod/data/lib.php
  2. +26 −6 mod/data/preset.php
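--- a/mod/data/lib.php
+++ b/mod/data/lib.php
@@ -3605,3 +3605,23 @@ function data_get_advanced_search_sql($sort, $data, $recordids, $selectdata, $so
 $sqlselect['params'] = $inparam;
 return $sqlselect;
 }
+
+/**
+ * Checks to see if the user has permission to delete the preset.
+ * @param stdClass $context Context object.
+ * @param stdClass $preset The preset object that we are checking for deletion.
+ * @return bool Returns true if the user can delete, otherwise false.
+ */
+function data_user_can_delete_preset($context, $preset) {
+ global $USER;
+
+ if (has_capability('mod/data:manageuserpresets', $context)) {
+ return true;
+ } else {
+ $candelete = false;
+ if ($preset->userid == $USER->id) {
+ $candelete = true;
+ }
+ return $candelete;
+ }
+}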
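Review bot: The ownership test in `data_user_can_delete_preset` reads `$preset->userid` without checking that it is set and compares it with a loose `==`, so the helper does not fail closed when it is handed an incomplete preset object. The callers added in mod/data/preset.php pass a bare `new stdClass()` when their lookup finds no match; the property read then raises a notice and the comparison is between null and `$USER->id`, which is false only as long as the current user id is non-zero. Replacing the else branch with `return !empty($preset->userid) && (int)$preset->userid === (int)$USER->id;` turns the missing-owner and non-owner cases into an explicit denial. The docblock should also state that a holder of `mod/data:manageuserpresets` may delete any preset, since that is the rule callers rely on.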
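--- a/mod/data/preset.php
+++ b/mod/data/preset.php
@@ -44,7 +44,8 @@
 $course = $DB->get_record('course', array('id'=>$data->course), '*', MUST_EXIST);
 $cm = get_coursemodule_from_instance('data', $data->id, $course->id, null, MUST_EXIST);
 }
-$context = get_context_instance(CONTEXT_MODULE, $cm->id, MUST_EXIST);
+
+$context = context_module::instance($cm->id, MUST_EXIST);
 require_login($course, false, $cm);
 require_capability('mod/data:managetemplates', $context);
 $PAGE->set_url(new moodle_url('/mod/data/preset.php', array('d'=>$data->id)));
@@ -57,7 +58,6 @@
 $data->instance = $cm->instance;
 $presets = data_get_available_presets($context);
-$canmanage = has_capability('mod/data:manageuserpresets', $context);
 $strdelete = get_string('deleted', 'data');
 foreach ($presets as &$preset) {
 if (!empty($preset->userid)) {
@@ -66,8 +66,13 @@
 } else {
 $preset->userid = 0;
 $preset->description = $preset->name;
+ if (data_user_can_delete_preset($context, $preset) && $preset->name != 'Image gallery') {
+ $delurl = new moodle_url('/mod/data/preset.php', array('d'=> $data->id, 'action'=>'confirmdelete', 'fullname'=>$preset->userid.'/'.$preset->shortname, 'sesskey'=>sesskey()));
+ $delicon = html_writer::empty_tag('img', array('src'=>$OUTPUT->pix_url('t/delete'), 'class'=>'iconsmall', 'alt'=>$strdelete.' '.$preset->description));
+ $preset->description .= html_writer::link($delurl, $delicon);
+ }
 }
- if ($preset->userid > 0 and ($preset->userid == $USER->id || $canmanage)) {
+ if ($preset->userid > 0 && data_user_can_delete_preset($context, $preset)) {
 $delurl = new moodle_url('/mod/data/preset.php', array('d'=> $data->id, 'action'=>'confirmdelete', 'fullname'=>$preset->userid.'/'.$preset->shortname, 'sesskey'=>sesskey()));
 $delicon = html_writer::empty_tag('img', array('src'=>$OUTPUT->pix_url('t/delete'), 'class'=>'iconsmall', 'alt'=>$strdelete.' '.$preset->description));
 $preset->description .= html_writer::link($delurl, $delicon);
@@ -135,9 +140,18 @@
 exit(0);
 } else if ($formdata = $form_save->get_data()) {
-
 if (!empty($formdata->overwrite)) {
- data_delete_site_preset($formdata->name);
+ $selectedpreset = new stdClass();
+ foreach ($presets as $preset) {
+ if ($preset->name == $formdata->name) {
+ $selectedpreset = $preset;
+ }
+ }
+ if (data_user_can_delete_preset($context, $selectedpreset)) {
+ data_delete_site_preset($formdata->name);
+ } else {
+ print_error('cannotdeletepreset', 'data');
+ }
 }
 // If the preset exists now then we need to throw an error.
@@ -179,7 +193,13 @@
 echo $OUTPUT->footer();
 exit(0);
 } else if ($action == 'delete') {
- if (!$userid || ($userid != $USER->id && !$canmanage)) {
+ $selectedpreset = new stdClass();
+ foreach ($presets as $preset) {
+ if ($preset->shortname == $shortname) {
+ $selectedpreset = $preset;
+ }
+ }
+ if (!data_user_can_delete_preset($context, $selectedpreset)) {
 print_error('invalidrequest');
 }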
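Review bot: The delete branch (last hunk) now authorises against whichever entry in `$presets` has a matching `$shortname` and no longer consults the `$userid` taken from the request, so the permission check and the deletion may refer to different presets. If two users have saved presets under the same shortname the loop keeps the last match, and when nothing matches the empty `stdClass` still passes for a holder of `mod/data:manageuserpresets`. Matching on both fields and stopping at the first hit, `if ($preset->userid == $userid && $preset->shortname == $shortname) { $selectedpreset = $preset; break; }`, and calling `print_error('invalidrequest')` when no preset was found, keeps the check bound to the object being removed. The overwrite hunk uses the same lookup with `$preset->name == $formdata->name`; what `data_delete_site_preset()` and the rest of the delete branch actually remove lies outside the hunks shown, so this should be confirmed against them.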