From 8c27cc95349a6cce073651ebbff9b44394d4ecb7 Mon Sep 17 00:00:00 2001
From: Paul Nicholls <paul.nicholls@canterbury.ac.nz>
Date: Mon, 13 Aug 2012 12:51:30 +1200
Subject: [PATCH] MDL-27619: Prevent teachers from turning course Outcomes into
 site-wide ones

Similar to the issue which allowed teachers to create site-wide scales by editing a course-specific scale (MDL-24682), teachers could also promote a course-specific scale to a site-wide (standard) by editing it.  As with MDL-24682, removing the course ID check (leaving just the capability check) prevents this unauthorised creation of site-wide (standard) outcomes.
---
 grade/edit/outcome/edit_form.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/grade/edit/outcome/edit_form.php b/grade/edit/outcome/edit_form.php
index 6c1893ef00a79..a283f40e6a83e 100644
--- a/grade/edit/outcome/edit_form.php
+++ b/grade/edit/outcome/edit_form.php
@@ -114,7 +114,7 @@ function definition_after_data() {
             if (empty($courseid)) {
                 $mform->hardFreeze('standard');
 
-            } else if (empty($outcome->courseid) and !has_capability('moodle/grade:manage', get_context_instance(CONTEXT_SYSTEM))) {
+            } else if (!has_capability('moodle/grade:manage', get_context_instance(CONTEXT_SYSTEM))) {
                 $mform->hardFreeze('standard');
 
             } else if ($coursecount and empty($outcome->courseid)) {