
MDL-37164 core_message: prevent users from interacting with themself

andyjdavis committed Jan 14, 2013
1 parent 1918a24 commit 7bb19ee167c6976b4f0910aed8c3070426cd97db
Showing with 29 additions and 14 deletions.
  1. +4 −0 message/index.php
  2. +25 −14 message/lib.php
@@ -115,6 +115,10 @@
$systemcontext = context_system::instance();
if (!empty($user2) && $user1->id == $user2->id) {
print_error('invaliduserid');
}
// Is the user involved in the conversation?
// Do they have the ability to read other user's conversations?
if (!message_current_user_is_involved($user1, $user2) && !has_capability('moodle/site:readallmessages', $systemcontext)) {
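Review bot: The new self-check compares the two ids with loose `==` and only when `$user2` is non-empty, so it silently depends on both ids arriving as the same scalar type; a cast-and-strict form, `if (!empty($user2) && (int)$user1->id === (int)$user2->id) {`, removes that dependency. The condition also sits ahead of the involvement/capability test with no explanation, so a one-line comment would help the next reader: `// Nobody can hold a conversation with themself; refuse before any capability check.`. Where `$user1` and `$user2` are populated is not visible here, so whether this also guards the readallmessages path is inferred only. The enclosing script continues outside the hunk.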
@@ -1464,7 +1464,7 @@ function message_history_link($userid1, $userid2, $return=false, $keywords='', $
* @param int|array $courseids Course ID or array of course IDs.
* @param string $searchtext the text to search for.
* @param string $sort the column name to order by.
* @param string $exceptions comma separated list of user IDs to exclude
* @param string|array $exceptions comma separated list or array of user IDs to exclude.
* @return array An array of {@link $USER} records.
*/
function message_search_users($courseids, $searchtext, $sort='', $exceptions='') {
@@ -1481,35 +1481,46 @@ function message_search_users($courseids, $searchtext, $sort='', $exceptions='')
}
$fullname = $DB->sql_fullname();
if (!empty($exceptions)) {
$except = ' AND u.id NOT IN ('. $exceptions .') ';
} else {
$except = '';
}
$ufields = user_picture::fields('u');
if (!empty($sort)) {
$order = ' ORDER BY '. $sort;
} else {
$order = '';
}
$ufields = user_picture::fields('u');
$params = array(
'userid' => $USER->id,
'query' => "%$searchtext%"
);
if (empty($exceptions)) {
$exceptions = array();
} else if (!empty($exceptions) && is_string($exceptions)) {
$exceptions = explode(',', $exceptions);
}
// Ignore self and guest account.
$exceptions[] = $USER->id;
$exceptions[] = $CFG->siteguest;
// Exclude exceptions from the search result.
list($except, $params_except) = $DB->get_in_or_equal($exceptions, SQL_PARAMS_NAMED, 'param', false);
$except = ' AND u.id ' . $except;
$params = array_merge($params_except, $params);
if (in_array(SITEID, $courseids)) {
// Search on site level.
$params = array($USER->id, "%$searchtext%");
return $DB->get_records_sql("SELECT $ufields, mc.id as contactlistid, mc.blocked
FROM {user} u
LEFT JOIN {message_contacts} mc
ON mc.contactid = u.id AND mc.userid = ?
ON mc.contactid = u.id AND mc.userid = :userid
WHERE u.deleted = '0' AND u.confirmed = '1'
AND (".$DB->sql_like($fullname, '?', false).")
AND (".$DB->sql_like($fullname, ':query', false).")
$except
$order", $params);
} else {
// Search in courses.
$params = array($USER->id, "%$searchtext%");
// Getting the context IDs or each course.
$contextids = array();
@@ -1526,9 +1537,9 @@ function message_search_users($courseids, $searchtext, $sort='', $exceptions='')
FROM {user} u
JOIN {role_assignments} ra ON ra.userid = u.id
LEFT JOIN {message_contacts} mc
ON mc.contactid = u.id AND mc.userid = ?
ON mc.contactid = u.id AND mc.userid = :userid
WHERE u.deleted = '0' AND u.confirmed = '1'
AND (".$DB->sql_like($fullname, '?', false).")
AND (".$DB->sql_like($fullname, ':query', false).")
AND ra.contextid $contextwhere
$except
$order", $params);
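Review bot: In message_search_users the comma-separated `$exceptions` is exploded but the pieces are neither trimmed nor cast, so an input like `'1, 2,'` binds `' 2'` and `''` as parameters against the integer `u.id` column; the named-parameter binding removes the old string-concatenation injection, but some drivers may reject or mis-compare non-numeric strings. A normalising line after the explode, `$exceptions = array_map('intval', array_filter(array_map('trim', $exceptions), 'strlen'));` (or the project's PARAM_INT cleaning), would make the list safe regardless of caller formatting. A scalar integer passed as `$exceptions` is handled by neither branch, so `$exceptions[] = $USER->id` would then operate on a non-array — the docblock promises string|array so this may be acceptable, but `(array)` casting would cover it cheaply. Note that `$sort` on the ORDER BY line is still concatenated into the SQL unparameterised and this commit does not touch it, so callers must keep passing a trusted column name. The function's remaining body and the course-search branch continue outside the hunk.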
