
MDL-26859 improve blog access control and prevent unnecessary blog includes
1 parent 5b183f5 commit 8f6c1f3488622f252d971ff23946969fb708386c @skodak skodak committed Mar 20, 2011
Showing with 39 additions and 18 deletions.
  1. +5 −5 admin/settings/appearance.php
  2. +27 −5 blog/index.php
  3. +7 −8 lib/navigationlib.php
@@ -63,10 +63,10 @@
// blog
$temp = new admin_settingpage('blog', get_string('blog','blog'));
$temp->add(new admin_setting_configcheckbox('useblogassociations', get_string('useblogassociations', 'blog'), get_string('configuseblogassociations','blog'), 1));
- $temp->add(new admin_setting_bloglevel('bloglevel', get_string('bloglevel', 'admin'), get_string('configbloglevel', 'admin'), 4, array(5 => get_string('worldblogs','blog'),
- 4 => get_string('siteblogs','blog'),
- 1 => get_string('personalblogs','blog'),
- 0 => get_string('disableblogs','blog'))));
+ $temp->add(new admin_setting_bloglevel('bloglevel', get_string('bloglevel', 'admin'), get_string('configbloglevel', 'admin'), 4, array(BLOG_GLOBAL_LEVEL => get_string('worldblogs','blog'),
+ BLOG_SITE_LEVEL => get_string('siteblogs','blog'),
+ BLOG_USER_LEVEL => get_string('personalblogs','blog'),
+ 0 => get_string('disableblogs','blog'))));
$temp->add(new admin_setting_configcheckbox('useexternalblogs', get_string('useexternalblogs', 'blog'), get_string('configuseexternalblogs','blog'), 1));
$temp->add(new admin_setting_configselect('externalblogcrontime', get_string('externalblogcrontime', 'blog'), get_string('configexternalblogcrontime', 'blog'), 86400,
array(43200 => get_string('numhours', '', 12),
@@ -130,7 +130,7 @@
// link to tag management interface
$ADMIN->add('appearance', new admin_externalpage('managetags', get_string('managetags', 'tag'), "$CFG->wwwroot/tag/manage.php"));
-
+
$temp = new admin_settingpage('additionalhtml', get_string('additionalhtml', 'admin'));
$temp->add(new admin_setting_heading('additionalhtml_heading', get_string('additionalhtml_heading', 'admin'), get_string('additionalhtml_desc', 'admin')));
$temp->add(new admin_setting_configtextarea('additionalhtmlhead', get_string('additionalhtmlhead', 'admin'), get_string('additionalhtmlhead_desc', 'admin'), '', PARAM_RAW));
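Review bot: The default argument on the rewritten `admin_setting_bloglevel` line is still the bare `4` while the option keys beside it now use the named constants, so the default and the keys can silently diverge if the numbering ever changes; pass the constant there too, i.e. `..., get_string('configbloglevel', 'admin'), BLOG_SITE_LEVEL, array(BLOG_GLOBAL_LEVEL => get_string('worldblogs','blog'),`. This file shows no include of blog/lib.php and the companion navigationlib.php change drops its `require_once` of that file, so the `BLOG_*_LEVEL` constants presumably come from core setup before the admin tree is built — worth confirming, because on PHP of this era an undefined constant here would degrade to the string key `'BLOG_GLOBAL_LEVEL'` with only a notice. The second hunk (the removed and re-added blank line) is a whitespace-only change.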
@@ -34,6 +34,10 @@
}
$PAGE->set_url('/blog/index.php', $url_params);
+if (empty($CFG->bloglevel)) {
+ print_error('blogdisable', 'blog');
+}
+
//correct tagid if a text tag is provided as a param
if (!empty($tag)) {
if ($tagrec = $DB->get_record_sql("SELECT * FROM {tag} WHERE ". $DB->sql_like('name', '?', false), array("%$tag%"))) {
@@ -52,11 +56,32 @@
$courseid = $DB->get_field('groups', 'courseid', array('id'=>$groupid));
}
-if (empty($CFG->bloglevel)) {
+$sitecontext = get_context_instance(CONTEXT_SYSTEM);
+
+// check basic permissions
+if ($CFG->bloglevel == BLOG_GLOBAL_LEVEL) {
+ // everybody can see anything - no login required unless site is locked down using forcelogin
+ if ($CFG->forcelogin) {
+ require_login();
+ }
+
+} else if ($CFG->bloglevel == BLOG_SITE_LEVEL) {
+ // users must log in and can not be guests
+ require_login();
+ if (isguestuser()) {
+ // they must have entered the url manually...
+ print_error('blogdisable', 'blog');
+ }
+
+} else if ($CFG->bloglevel == BLOG_USER_LEVEL) {
+ // users can see own blogs only! with the exception of ppl with special cap
+ require_login();
+
+} else {
+ // weird!
print_error('blogdisable', 'blog');
}
-$sitecontext = get_context_instance(CONTEXT_SYSTEM);
if (!$userid && has_capability('moodle/blog:view', $sitecontext) && $CFG->bloglevel > BLOG_USER_LEVEL) {
if ($entryid) {
@@ -83,9 +108,6 @@
if ($CFG->bloglevel < BLOG_SITE_LEVEL) {
print_error('siteblogdisable', 'blog');
}
- if ($CFG->bloglevel < BLOG_GLOBAL_LEVEL) {
- require_login();
- }
if (!has_capability('moodle/blog:view', $sitecontext)) {
print_error('cannotviewsiteblog', 'blog');
}
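Review bot: The `BLOG_USER_LEVEL` branch only calls `require_login()`, and `require_login()` admits guest sessions (the `BLOG_SITE_LEVEL` branch above it has to reject them explicitly for exactly that reason), so at user level a guest reaches the rest of the page with the "own blogs only" rule left to code below this hunk. The guest rejection should apply to both logged-in levels: add `if (isguestuser()) { print_error('blogdisable', 'blog'); }` after the `require_login();` in the `BLOG_USER_LEVEL` branch, or hoist the check out of the two branches. The comment `// users can see own blogs only! with the exception of ppl with special cap` promises an enforcement this block does not perform; rewording it to `// logged-in users only; the own-blog restriction is applied further down` stops a reader looking for it here. The code that applies that restriction lies outside the hunk, so whether it also catches the guest case cannot be confirmed from the diff.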
@@ -1967,7 +1967,6 @@ public function add_course_essentials(navigation_node $coursenode, stdClass $cou
//Participants
if (has_capability('moodle/course:viewparticipants', $this->page->context)) {
- require_once($CFG->dirroot.'/blog/lib.php');
$participants = $coursenode->add(get_string('participants'), new moodle_url('/user/index.php?id='.$course->id), self::TYPE_CONTAINER, get_string('participants'), 'participants');
$currentgroup = groups_get_course_group($course, true);
if ($course->id == SITEID) {
@@ -1978,7 +1977,8 @@ public function add_course_essentials(navigation_node $coursenode, stdClass $cou
$filterselect = $currentgroup;
}
$filterselect = clean_param($filterselect, PARAM_INT);
- if ($CFG->bloglevel >= 3) {
+ if (($CFG->bloglevel == BLOG_GLOBAL_LEVEL or ($CFG->bloglevel == BLOG_SITE_LEVEL and (isloggedin() and !isguestuser())))
+ and has_capability('moodle/blog:view', get_context_instance(CONTEXT_SYSTEM))) {
$blogsurls = new moodle_url('/blog/index.php', array('courseid' => $filterselect));
$participants->add(get_string('blogs','blog'), $blogsurls->out());
}
@@ -2036,12 +2036,11 @@ public function add_front_page_course_essentials(navigation_node $coursenode, st
$filterselect = 0;
// Blogs
- if (has_capability('moodle/blog:view', $this->page->context)) {
- require_once($CFG->dirroot.'/blog/lib.php');
- if (blog_is_enabled_for_user()) {
- $blogsurls = new moodle_url('/blog/index.php', array('courseid' => $filterselect));
- $coursenode->add(get_string('blogs','blog'), $blogsurls->out());
- }
+ if (!empty($CFG->bloglevel)
+ and ($CFG->bloglevel == BLOG_GLOBAL_LEVEL or ($CFG->bloglevel == BLOG_SITE_LEVEL and (isloggedin() and !isguestuser())))
+ and has_capability('moodle/blog:view', get_context_instance(CONTEXT_SYSTEM))) {
+ $blogsurls = new moodle_url('/blog/index.php', array('courseid' => $filterselect));
+ $coursenode->add(get_string('blogs','blog'), $blogsurls->out());
}
// Notes
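Review bot: The visibility test for the blogs link is now written out twice in this file (the participants branch and the front-page branch) and is a paraphrase of the branch chain blog/index.php applies, so three copies have to be kept in step; the `!empty($CFG->bloglevel)` guard in the front-page copy is also redundant, since the equality tests that follow already fail for an empty level. Because the commit deliberately drops the `require_once` of blog/lib.php, a small private helper on this navigation class (rather than a blog/lib.php function) keeps the rule in one place without reintroducing the include, and both sites then read `if ($this->blogs_link_visible()) {`. Note that the conditions use `and`, which binds looser than `=` in PHP, so the helper below uses `&&` for its assignments. Both enclosing methods start and end outside the hunks.
```php
/**
 * Whether the current user may follow a link to the site blog listing.
 *
 * Mirrors the access checks at the top of blog/index.php: global level is
 * open to everyone, site level needs a real (non-guest) login, lower levels
 * get no link; moodle/blog:view in the system context is always required.
 */
protected function blogs_link_visible() {
    global $CFG;
    if ($CFG->bloglevel == BLOG_GLOBAL_LEVEL) {
        $levelok = true;
    } else if ($CFG->bloglevel == BLOG_SITE_LEVEL) {
        $levelok = isloggedin() && !isguestuser();
    } else {
        $levelok = false;
    }
    return $levelok && has_capability('moodle/blog:view', get_context_instance(CONTEXT_SYSTEM));
}

// … unchanged: add_course_essentials up to the clean_param of $filterselect …
if ($this->blogs_link_visible()) {
    $blogsurls = new moodle_url('/blog/index.php', array('courseid' => $filterselect));
    $participants->add(get_string('blogs','blog'), $blogsurls->out());
}

// … unchanged: add_front_page_course_essentials up to $filterselect = 0 …
if ($this->blogs_link_visible()) {
    $blogsurls = new moodle_url('/blog/index.php', array('courseid' => $filterselect));
    $coursenode->add(get_string('blogs','blog'), $blogsurls->out());
}
```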
