Merge branch 'MDL-38452-22' of git://github.com/FMCorz/moodle into MO…

…ODLE_22_STABLE
moodle · Apr 8, 2013 · 7d93a26 · 7d93a26
2 parents d9be74d + a9ecbee
commit 7d93a26
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 2 deletions.
diff --git a/repository/lib.php b/repository/lib.php
@@ -481,6 +481,9 @@ abstract class repository {
     public $returntypes;
     /** @var object repository instance database record */
     public $instance;
+    /** Type of the instance (dropbox, upload, etc...) */
+    public $type;
+
     /**
      * 1. Initialize context and options
      * 2. Accept necessary parameters
@@ -511,6 +514,17 @@ public function __construct($repositoryid, $context = SYSCONTEXTID, $options = a
         }
         $this->name = $this->get_name();
         $this->returntypes = $this->supported_returntypes();
+
+        // Determining the type of repository if not set.
+        if (empty($this->type)) {
+            $matches = array();
+            if (!preg_match("/^repository_(.*)$/", get_class($this), $matches)) {
+                throw new coding_exception('The class name of a repository should be repository_<typeofrepository>, '.
+                        'e.g. repository_dropbox');
+            }
+            $this->type = $matches[1];
+        }
+
         $this->super_called = true;
     }
 
@@ -587,11 +601,23 @@ public static function check_capability($contextid, $instance) {
         $can = has_capability('repository/'.$instance->type.':view', $currentcontext);
 
         // Context in which the repository has been created.
-        $repocontext = get_context_instance_by_id($instance->contextid);
+        if (!isset($instance->contextid)) {
+            // Depending on what is calling the function, we have to get the context from somewhere else.
+            $repocontext = get_context_instance_by_id($instance->instance->contextid);
+        } else {
+            $repocontext = get_context_instance_by_id($instance->contextid);
+        }
 
         // Prevent access to private repositories when logged in as.
         if (session_is_loggedinas()) {
-            $can = false;
+            $allowed = array('coursefiles', 'equella', 'filesystem', 'flickr_public', 'local', 'merlot', 'recent',
+                's3', 'upload', 'url', 'user', 'webdav', 'wikimedia', 'youtube');
+            // Are only accessible the repositories which do not contain private data (any data
+            // that is not part of Moodle, "Private files" is not considered "Pivate"). And if they
+            // do not contain private data, then it should not be a user instance, which is private by definition.
+            if (!in_array($instance->type, $allowed) || $repocontext->contextlevel == CONTEXT_USER) {
+                $can = false;
+            }
         }
 
         // We are going to ensure that the current context was legit, and reliable to check

diff --git a/repository/manage_instances.php b/repository/manage_instances.php
@@ -157,6 +157,8 @@
         //if you try to edit an instance set as readonly, display an error message
         if ($instance->readonly) {
             throw new repository_exception('readonlyinstance', 'repository');
+        } else if (!repository::check_capability($contextid, $instance)) {
+            throw new repository_exception('nopermissiontoaccess', 'repository');
         }
         $instancetype = repository::get_type_by_id($instance->options['typeid']);
         $classname = 'repository_' . $instancetype->get_typename();
@@ -213,6 +215,8 @@
      //if you try to delete an instance set as readonly, display an error message
     if ($instance->readonly) {
         throw new repository_exception('readonlyinstance', 'repository');
+    } else if (!repository::check_capability($contextid, $instance)) {
+        throw new repository_exception('nopermissiontoaccess', 'repository');
     }
     if ($sure) {
         if (!confirm_sesskey()) {