
MDL-37245 Blog: Added permission check for blog comments

1 parent b15eea6 commit 5fde58a59335bc3109a9eaac4a15d1e9217541c3 Rajesh Taneja committed with danpoltawski Mar 8, 2013
Showing with 29 additions and 14 deletions.
  1. +1 −7 blog/index.php
  2. +28 −7 blog/lib.php
@@ -183,13 +183,7 @@
print_error('donothaveblog', 'blog');
}
} else {
- $personalcontext = context_user::instance($userid);
-
- if (!has_capability('moodle/blog:view', $sitecontext) && !has_capability('moodle/user:readuserblogs', $personalcontext)) {
- print_error('cannotviewuserblog', 'blog');
- }
-
- if (!blog_user_can_view_user_entry($userid)) {
+ if (!has_capability('moodle/blog:view', $sitecontext) || !blog_user_can_view_user_entry($userid)) {
print_error('cannotviewcourseblog', 'blog');
}
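Review bot: The new condition on the `+` line reports every failure in this user-blog branch as `cannotviewcourseblog`, whereas the removed lines reported the user-blog case as `cannotviewuserblog`; the message now misdescribes the situation, so keep `print_error('cannotviewuserblog', 'blog');` here. The rewrite also drops the `moodle/user:readuserblogs` check on the user's own context, so with the new `||` a user holding that capability but not site-wide `moodle/blog:view` can no longer reach the blog; if that path is now handled inside blog_user_can_view_user_entry() it is worth saying so in a comment, otherwise this is a tightening that should be named in the commit description. The enclosing if/else starts outside the hunk and `$sitecontext` is defined above it, so I cannot confirm what else that branch guards.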
@@ -82,7 +82,7 @@ function blog_user_can_view_user_entry($targetuserid, $blogentry=null) {
return false; // can not view draft of others
}
- // coming for 0 entry, make sure user is logged in, if not a public blog
+ // If blog entry is not public, make sure user is logged in.
if ($blogentry && $blogentry->publishstate != 'public' && !isloggedin()) {
return false;
}
@@ -1000,6 +1000,8 @@ function blog_get_associated_count($courseid, $cmid=null) {
* may have switch to turn on/off comments option, this callback will
* affect UI display, not like pluginname_comment_validate only throw
* exceptions.
+ * blog_comment_validate will be called before viewing/adding/deleting
+ * comment, so don't repeat checks.
* Capability check has been done in comment->check_permissions(), we
* don't need to do it again here.
*
@@ -1016,7 +1018,17 @@ function blog_get_associated_count($courseid, $cmid=null) {
* @return array
*/
function blog_comment_permissions($comment_param) {
- return array('post'=>true, 'view'=>true);
+ global $DB;
+
+ // If blog is public and current user is guest, then don't let him post comments.
+ $blogentry = $DB->get_record('post', array('id' => $comment_param->itemid), 'publishstate', MUST_EXIST);
+
+ if ($blogentry->publishstate != 'public') {
+ if (!isloggedin() || isguestuser()) {
+ return array('post' => false, 'view' => true);
+ }
+ }
+ return array('post' => true, 'view' => true);
}
/**
@@ -1035,15 +1047,20 @@ function blog_comment_permissions($comment_param) {
* @return boolean
*/
function blog_comment_validate($comment_param) {
- global $DB;
- // validate comment itemid
- if (!$entry = $DB->get_record('post', array('id'=>$comment_param->itemid))) {
- throw new comment_exception('invalidcommentitemid');
+ global $CFG, $DB, $USER;
+
+ // Check if blogs are enabled user can comment.
+ if (empty($CFG->enableblogs) || empty($CFG->blogusecomments)) {
+ throw new comment_exception('nopermissiontocomment');
}
+
// validate comment area
if ($comment_param->commentarea != 'format_blog') {
throw new comment_exception('invalidcommentarea');
}
+
+ $blogentry = $DB->get_record('post', array('id' => $comment_param->itemid), '*', MUST_EXIST);
+
// validation for comment deletion
if (!empty($comment_param->commentid)) {
if ($record = $DB->get_record('comments', array('id'=>$comment_param->commentid))) {
@@ -1060,7 +1077,11 @@ function blog_comment_validate($comment_param) {
throw new comment_exception('invalidcommentid');
}
}
- return true;
+
+ // Validate if user has blog view permission.
+ $sitecontext = context_system::instance();
+ return has_capability('moodle/blog:view', $sitecontext) &&
+ blog_user_can_view_user_entry($blogentry->userid, $blogentry);
}
/**
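Review bot: In blog_comment_permissions (hunk `-1016,7 +1018,17`) the guard `if ($blogentry->publishstate != 'public')` contradicts the comment above it, which says guests are refused posting when the blog is public; as written a guest or anonymous user gets `post => true` on public entries and is only refused on non-public ones, which the `!isloggedin()` check in blog_user_can_view_user_entry (first hunk of this file) already rejects for anonymous users. Either the comparison should be `== 'public'` or the comment should be corrected to match the code; which is intended is not visible here. Separately, in blog_comment_validate the new `MUST_EXIST` fetch of the post replaces the former `comment_exception('invalidcommentitemid')` with a DML missing-record exception for an unknown itemid, so callers matching on the old exception type now see a different error; either keep the explicit throw or note the new exception in the docblock. The comment `// Check if blogs are enabled user can comment.` would read better as `// Check that blogs are enabled and that comments are allowed.`.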
