From 6a5f60d419bbd45a5cdb5e96b882e819039447af Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Mudr=C3=A1k?=
Date: Thu, 31 Jan 2019 12:28:52 +0100
Subject: [PATCH] MDL-64737 editor_atto: Fix the privacy export_user_data() implementation
Multiple issues fixed:
* Fixed order of the statements to avoid access to undefined variables.
* Fixed population of the SQL query parameter to make sure they match the placeholder in the query.
* Fixed missing table aliases in the second query to make sure the query actually works as expected.
---
 lib/editor/atto/classes/privacy/provider.php | 21 +++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/lib/editor/atto/classes/privacy/provider.php b/lib/editor/atto/classes/privacy/provider.php
index 90036e83a0a4f..102e760bf95ea 100644
--- a/lib/editor/atto/classes/privacy/provider.php
+++ b/lib/editor/atto/classes/privacy/provider.php
@@ -118,23 +118,30 @@ public static function export_user_data(approved_contextlist $contextlist) { $user = $contextlist->get_user(); + // Firstly export all autosave records from all contexts in the list owned by the given user. + + list($contextsql, $contextparams) = $DB->get_in_or_equal($contextlist->get_contextids(), SQL_PARAMS_NAMED); + $contextparams['userid'] = $user->id; + $sql = "SELECT * FROM {editor_atto_autosave} WHERE userid = :userid AND contextid {$contextsql}"; - list($contextsql, $contextparams) = $DB->get_in_or_equal($contextlist->get_contextids(), SQL_PARAMS_NAMED); - $contextparams['userid'] = $contextlist->get_user()->id; $autosaves = $DB->get_recordset_sql($sql, $contextparams); self::export_autosaves($user, $autosaves); - $sql = "SELECT * - FROM {editor_atto_autosave} - JOIN {context} c ON c.id = eas.contextid - WHERE c.id {$contextsql} AND contextlevel = :contextuser AND c.instanceid = :userid"; + // Additionally export all eventual records in the given user's context regardless the actual owner. + // We still consider them to be the user's personal data even when edited by someone else. list($contextsql, $contextparams) = $DB->get_in_or_equal($contextlist->get_contextids(), SQL_PARAMS_NAMED); - $contextparams['userid'] = $contextlist->get_user()->id; + $contextparams['userid'] = $user->id; $contextparams['contextuser'] = CONTEXT_USER; + + $sql = "SELECT eas.* + FROM {editor_atto_autosave} eas + JOIN {context} c ON c.id = eas.contextid + WHERE c.id {$contextsql} AND c.contextlevel = :contextuser AND c.instanceid = :userid"; + $autosaves = $DB->get_recordset_sql($sql, $contextparams); self::export_autosaves($user, $autosaves); }
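Review bot: The second query now returns every autosave row in the user's own context, including rows whose `eas.userid` belongs to someone else, and passes them to `export_autosaves()` exactly like the user's own drafts. That helper is outside this hunk, so whether it writes the row's `userid` into the export cannot be checked here; if it does, a subject-access export would disclose who else edited in that context. I would state the expectation next to the query, e.g. `// Rows may have eas.userid != $user->id; export_autosaves() must not expose the other author's identity.`, and cover that case in a provider test, since the diffstat shows only provider.php changed. Rows the user owns inside their own context also match both queries, so they appear to reach `export_autosaves()` twice unless the helper de-duplicates. The beginning of export_user_data() lies above the hunk.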