MDL-64737 editor_atto: Fix the privacy export_user_data() implementation

Multiple issues fixed: * Fixed order of the statements to avoid access to undefined variables. * Fixed population of the SQL query parameter to make sure they match the placeholder in the query. * Fixed missing table aliases in the second query to make sure the query actually works as expected.
moodle · Jan 31, 2019 · 599abfa · 599abfa
1 parent c5dde62
commit 599abfa
Showing 1 changed file with 14 additions and 7 deletions.
diff --git a/lib/editor/atto/classes/privacy/provider.php b/lib/editor/atto/classes/privacy/provider.php
@@ -118,23 +118,30 @@ public static function export_user_data(approved_contextlist $contextlist) {
 
         $user = $contextlist->get_user();
 
+        // Firstly export all autosave records from all contexts in the list owned by the given user.
+
+        list($contextsql, $contextparams) = $DB->get_in_or_equal($contextlist->get_contextids(), SQL_PARAMS_NAMED);
+        $contextparams['userid'] = $user->id;
+
         $sql = "SELECT *
                   FROM {editor_atto_autosave}
                  WHERE userid = :userid AND contextid {$contextsql}";
 
-        list($contextsql, $contextparams) = $DB->get_in_or_equal($contextlist->get_contextids(), SQL_PARAMS_NAMED);
-        $contextparams['userid'] = $contextlist->get_user()->id;
         $autosaves = $DB->get_recordset_sql($sql, $contextparams);
         self::export_autosaves($user, $autosaves);
 
-        $sql = "SELECT *
-                  FROM {editor_atto_autosave}
-                  JOIN {context} c ON c.id = eas.contextid
-                 WHERE c.id {$contextsql} AND contextlevel = :contextuser AND c.instanceid = :userid";
+        // Additionally export all eventual records in the given user's context regardless the actual owner.
+        // We still consider them to be the user's personal data even when edited by someone else.
 
         list($contextsql, $contextparams) = $DB->get_in_or_equal($contextlist->get_contextids(), SQL_PARAMS_NAMED);
-        $contextparams['userid'] = $contextlist->get_user()->id;
+        $contextparams['userid'] = $user->id;
         $contextparams['contextuser'] = CONTEXT_USER;
+
+        $sql = "SELECT eas.*
+                  FROM {editor_atto_autosave} eas
+                  JOIN {context} c ON c.id = eas.contextid
+                 WHERE c.id {$contextsql} AND c.contextlevel = :contextuser AND c.instanceid = :userid";
+
         $autosaves = $DB->get_recordset_sql($sql, $contextparams);
         self::export_autosaves($user, $autosaves);
     }