
MDL-35556 completion: Improve user completion data permission checking

1 parent 8ccaa29 commit 5bb05a469a9db741bec9c3a2ae012a05a4d109ff @srynot4sale srynot4sale committed Sep 21, 2012
Showing with 75 additions and 19 deletions.
  1. +2 −18 blocks/completionstatus/details.php
  2. +67 −0 lib/completionlib.php
  3. +6 −1 report/completion/index.php
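--- a/blocks/completionstatus/details.php
+++ b/blocks/completionstatus/details.php
@@ -46,25 +46,9 @@
 // Check permissions
-require_login($course);
-
-$coursecontext = context_course::instance($course->id);
-$personalcontext = context_user::instance($user->id);
-
-$can_view = false;
-
-// Can view own report
-if ($USER->id == $user->id) {
- $can_view = true;
-} else if (has_capability('moodle/user:viewuseractivitiesreport', $personalcontext)) {
- $can_view = true;
-} else if (has_capability('report/completion:view', $coursecontext)) {
- $can_view = true;
-} else if (has_capability('report/completion:view', $personalcontext)) {
- $can_view = true;
-}
+require_login();
-if (!$can_view) {
+if (!completion_can_view_data($user->id, $course)) {
 print_error('cannotviewreport');
 }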
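Review bot: Replacing `require_login($course)` with the argument-less `require_login()` drops the course-level access check for every viewer of this page, and the new helper does not put it back: its own-data branch returns true on `$USER->id == $userid` without looking at the viewer's access to the course. If the relaxation is meant only for viewers who hold a capability in the user context (presumably people who are not enrolled in the course), consider keeping the stricter call on the self-view path, e.g. `if ($USER->id == $user->id) { require_login($course); } else { require_login(); }`. Otherwise add a comment such as `// Course login is deliberately not required; access is decided by completion_can_view_data() below.` so the weaker check is visibly intentional. Whether the rest of the script depends on the page and course setup that the course form of the call performs cannot be seen from this hunk.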
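--- a/lib/completionlib.php
+++ b/lib/completionlib.php
@@ -147,6 +147,73 @@
 /**
+ * Utility function for checking if the logged in user can view
+ * another's completion data for a particular course
+ *
+ * @access public
+ * @param int $userid Completion data's owner
+ * @param mixed $course Course object or Course ID (optional)
+ * @return boolean
+ */
+function completion_can_view_data($userid, $course = null) {
+ global $USER;
+
+ if (!isloggedin()) {
+ return false;
+ }
+
+ if (!is_object($course)) {
+ $cid = $course;
+ $course = new object();
+ $course->id = $cid;
+ }
+
+ // Check if this is the site course
+ if ($course->id == SITEID) {
+ $course = null;
+ }
+
+ // Check if completion is enabled
+ if ($course) {
+ $cinfo = new completion_info($course);
+ if (!$cinfo->is_enabled()) {
+ return false;
+ }
+ } else {
+ if (!completion_info::is_enabled_for_site()) {
+ return false;
+ }
+ }
+
+ // Is own user's data?
+ if ($USER->id == $userid) {
+ return true;
+ }
+
+ // Check capabilities
+ $personalcontext = context_user::instance($userid);
+
+ if (has_capability('moodle/user:viewuseractivitiesreport', $personalcontext)) {
+ return true;
+ } elseif (has_capability('report/completion:view', $personalcontext)) {
+ return true;
+ }
+
+ if ($course->id) {
+ $coursecontext = context_course::instance($course->id);
+ } else {
+ $coursecontext = context_system::instance();
+ }
+
+ if (has_capability('report/completion:view', $coursecontext)) {
+ return true;
+ }
+
+ return false;
+}
+
+
+/**
 * Class represents completion information for a course.
 *
 * Does not contain any data, so you can safely construct it multiple times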
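Review bot: In `completion_can_view_data()` the site-course path sets `$course = null`, and the later `if ($course->id)` then reads a property of null, which raises a PHP notice in the middle of a permission check. Separately, the documented default `$course = null` is wrapped into an object with a null id, so `if ($course)` is always true and `completion_info::is_enabled_for_site()` is reached only for `SITEID`, never when the course is omitted. Guarding the three tests fixes both: `if ($course !== null && !is_object($course)) {`, `if ($course && $course->id == SITEID) {`, and `if ($course) {` in place of `if ($course->id) {`. When only an ID is passed the stub object carries nothing but `id`; whether `completion_info` needs further course fields is not visible here and should be confirmed. `new stdClass()` is also the more portable spelling of `new object()`.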
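--- a/report/completion/index.php
+++ b/report/completion/index.php
@@ -561,7 +561,12 @@
 } else {
 print PHP_EOL.'<tr id="user-'.$user->id.'">';
- $userurl = new moodle_url('/user/view.php', array('id' => $user->id, 'course' => $course->id));
+ if (completion_can_view_data($user->id, $course)) {
+ $userurl = new moodle_url('/blocks/completionstatus/details.php', array('course' => $course->id, 'user' => $user->id));
+ } else {
+ $userurl = new moodle_url('/user/view.php', array('id' => $user->id, 'course' => $course->id));
+ }
+
 print '<th scope="row"><a href="'.$userurl->out().'">'.fullname($user).'</a></th>';
 foreach ($extrafields as $field) {
 echo '<td>'.s($user->{$field}).'</td>';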
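Review bot: `completion_can_view_data($user->id, $course)` is evaluated once per table row, and each call builds a `completion_info`, resolves a user context and runs up to three capability checks, although the course-level parts give the same answer for every row. If this report is itself gated on `report/completion:view` in the course context (not visible in this hunk), the helper returns true for every user and the `/user/view.php` branch is effectively unreachable. Resolving the course-level answer once before the rows are printed, e.g. `$canviewcourse = has_capability('report/completion:view', context_course::instance($course->id));` and then `if ($canviewcourse || completion_can_view_data($user->id, $course)) {`, avoids the repeated work. The enclosing loop starts and ends outside the hunk.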
