Merge branch 'MDL-52811_prevent_forcelang' of git://github.com/davosm…

…ith/moodle
moodle · Feb 6, 2018 · d3e54578ea6ba8f4d10899342bc0b5b8728b303a · d3e5457
2 parents e742f93 + 4ee8ec3
commit d3e54578ea6ba8f4d10899342bc0b5b8728b303a
diff --git a/admin/tool/uploadcourse/classes/course.php b/admin/tool/uploadcourse/classes/course.php
@@ -592,6 +592,23 @@ public function prepare() {
            $coursedata['enddate'] = strtotime($coursedata['enddate']);
        }

+        // If lang is specified, check the user is allowed to set that field.
+        if (!empty($coursedata['lang'])) {
+            if ($exists) {
+                $courseid = $DB->get_field('course', 'id', ['shortname' => $this->shortname]);
+                if (!has_capability('moodle/course:setforcedlanguage', context_course::instance($courseid))) {
+                    $this->error('cannotforcelang', new lang_string('cannotforcelang', 'tool_uploadcourse'));
+                    return false;
+                }
+            } else {
+                $catcontext = context_coursecat::instance($coursedata['category']);
+                if (!guess_if_creator_will_have_course_capability('moodle/course:setforcedlanguage', $catcontext)) {
+                    $this->error('cannotforcelang', new lang_string('cannotforcelang', 'tool_uploadcourse'));
+                    return false;
+                }
+            }
+        }
+
        // Ultimate check mode vs. existence.
        switch ($mode) {
            case tool_uploadcourse_processor::MODE_CREATE_NEW:
diff --git a/admin/tool/uploadcourse/lang/en/tool_uploadcourse.php b/admin/tool/uploadcourse/lang/en/tool_uploadcourse.php
@@ -30,6 +30,7 @@
 $string['allowresets_help'] = 'Whether the reset field is accepted or not.';
 $string['cachedef_helper'] = 'Helper caching';
 $string['cannotdeletecoursenotexist'] = 'Cannot delete a course that does not exist';
+$string['cannotforcelang'] = 'No permission to force language for this course';
 $string['cannotgenerateshortnameupdatemode'] = 'Cannot generate a shortname when updates are allowed';
 $string['cannotreadbackupfile'] = 'Cannot read the backup file';
 $string['cannotrenamecoursenotexist'] = 'Cannot rename a course that does not exist';
diff --git a/admin/tool/uploadcourse/tests/course_test.php b/admin/tool/uploadcourse/tests/course_test.php
@@ -266,6 +266,8 @@ public function test_data_saved() {
        global $DB;
        $this->resetAfterTest(true);

+        $this->setAdminUser(); // To avoid warnings related to 'moodle/course:setforcedlanguage' capability check.
+
        // Create.
        $mode = tool_uploadcourse_processor::MODE_CREATE_NEW;
        $updatemode = tool_uploadcourse_processor::UPDATE_NOTHING;
diff --git a/backup/moodle2/restore_stepslib.php b/backup/moodle2/restore_stepslib.php
@@ -1827,6 +1827,7 @@ public function process_course($data) {
        // When restoring to a new course we can set all the things except for the ID number.
        $canchangeidnumber = $isnewcourse || has_capability('moodle/course:changeidnumber', $context, $userid);
        $canchangesummary = $isnewcourse || has_capability('moodle/course:changesummary', $context, $userid);
+        $canforcelanguage = has_capability('moodle/course:setforcedlanguage', $context, $userid);

        $data = (object)$data;
        $data->id = $this->get_courseid();
@@ -1851,6 +1852,11 @@ public function process_course($data) {
            unset($data->summaryformat);
        }

+        // Unset lang if user can't change it.
+        if (!$canforcelanguage) {
+            unset($data->lang);
+        }
+
        // Only allow the idnumber to be set if the user has permission and the idnumber is not already in use by
        // another course on this site.
        if (!empty($data->idnumber) && $canchangeidnumber && $this->task->is_samesite()
@@ -1889,7 +1895,7 @@ public function process_course($data) {
            $data->completionnotify = 0;
        }
        $languages = get_string_manager()->get_list_of_translations(); // Get languages for quick search
-        if (!array_key_exists($data->lang, $languages)) {
+        if (isset($data->lang) && !array_key_exists($data->lang, $languages)) {
            $data->lang = '';
        }

diff --git a/course/edit_form.php b/course/edit_form.php
@@ -205,8 +205,11 @@ function definition() {
        $languages=array();
        $languages[''] = get_string('forceno');
        $languages += get_string_manager()->get_list_of_translations();
-        $mform->addElement('select', 'lang', get_string('forcelanguage'), $languages);
-        $mform->setDefault('lang', $courseconfig->lang);
+        if ((empty($course->id) && guess_if_creator_will_have_course_capability('moodle/course:setforcedlanguage', $categorycontext))
+                || (!empty($course->id) && has_capability('moodle/course:setforcedlanguage', $coursecontext))) {
+            $mform->addElement('select', 'lang', get_string('forcelanguage'), $languages);
+            $mform->setDefault('lang', $courseconfig->lang);
+        }

        // Multi-Calendar Support - see MDL-18375.
        $calendartypes = \core_calendar\type_factory::get_list_of_calendar_types();
diff --git a/course/externallib.php b/course/externallib.php
@@ -713,8 +713,13 @@ public static function create_courses($courses) {
            require_capability('moodle/course:create', $context);

            // Make sure lang is valid
-            if (array_key_exists('lang', $course) and empty($availablelangs[$course['lang']])) {
-                throw new moodle_exception('errorinvalidparam', 'webservice', '', 'lang');
+            if (array_key_exists('lang', $course)) {
+                if (empty($availablelangs[$course['lang']])) {
+                    throw new moodle_exception('errorinvalidparam', 'webservice', '', 'lang');
+                }
+                if (!has_capability('moodle/course:setforcedlanguage', $context)) {
+                    unset($course['lang']);
+                }
            }

            // Make sure theme is valid
@@ -911,8 +916,11 @@ public static function update_courses($courses) {
                }

                // Make sure lang is valid.
-                if (array_key_exists('lang', $course) && empty($availablelangs[$course['lang']])) {
-                    throw new moodle_exception('errorinvalidparam', 'webservice', '', 'lang');
+                if (array_key_exists('lang', $course) && ($oldcourse->lang != $course['lang'])) {
+                    require_capability('moodle/course:setforcedlanguage', $context);
+                    if (empty($availablelangs[$course['lang']])) {
+                        throw new moodle_exception('errorinvalidparam', 'webservice', '', 'lang');
+                    }
                }

                // Make sure theme is valid.
diff --git a/course/tests/externallib_test.php b/course/tests/externallib_test.php
@@ -412,6 +412,7 @@ public function test_create_courses() {
        $contextid = context_system::instance()->id;
        $roleid = $this->assignUserCapability('moodle/course:create', $contextid);
        $this->assignUserCapability('moodle/course:visibility', $contextid, $roleid);
+        $this->assignUserCapability('moodle/course:setforcedlanguage', $contextid, $roleid);

        $category  = self::getDataGenerator()->create_category();

@@ -1129,6 +1130,7 @@ public function test_update_courses() {
        $this->assignUserCapability('moodle/course:changesummary', $contextid, $roleid);
        $this->assignUserCapability('moodle/course:visibility', $contextid, $roleid);
        $this->assignUserCapability('moodle/course:viewhiddencourses', $contextid, $roleid);
+        $this->assignUserCapability('moodle/course:setforcedlanguage', $contextid, $roleid);

        // Create category and course.
        $category1  = self::getDataGenerator()->create_category();
diff --git a/lang/en/role.php b/lang/en/role.php
@@ -164,6 +164,7 @@
 $string['course:changesummary'] = 'Change course summary';
 $string['course:enrolconfig'] = 'Configure enrol instances in courses';
 $string['course:enrolreview'] = 'Review course enrolments';
+$string['course:setforcedlanguage'] = 'Force course language';
 $string['course:ignoreavailabilityrestrictions'] = 'Ignore availability restrictions';
 $string['course:ignorefilesizelimits'] = 'Use files larger than any file size restrictions';
 $string['course:isincompletionreports'] = 'Be shown on completion reports';
diff --git a/lib/db/access.php b/lib/db/access.php
@@ -1062,6 +1062,16 @@
        'clonepermissionsfrom' => 'moodle/course:update'
    ),

+    'moodle/course:setforcedlanguage' => array(
+        'captype' => 'write',
+        'contextlevel' => CONTEXT_COURSE,
+        'archetypes' => array(
+            'editingteacher' => CAP_ALLOW,
+            'manager' => CAP_ALLOW
+        ),
+        'clonepermissionsfrom' => 'moodle/course:update'
+    ),
+

    'moodle/site:viewparticipants' => array(