
MDL-39990 wiki: more detailed validation of view/edit access

1 parent 7748e17 commit d9596365e59ac53787105ff326f7f2bab5b9bada @marinaglancy marinaglancy committed with danpoltawski Feb 28, 2014
@@ -55,6 +55,9 @@
require_login($course, true, $cm);
+if (!wiki_user_can_view($subwiki, $wiki)) {
+ print_error('cannotviewpage', 'wiki');
+}
$context = context_module::instance($cm->id);
require_capability('mod/wiki:managewiki', $context);
@@ -59,6 +59,10 @@
require_login($course, true, $cm);
+if (!wiki_user_can_view($subwiki, $wiki)) {
+ print_error('cannotviewpage', 'wiki');
+}
+
add_to_log($course->id, 'wiki', 'comments', "comments.php?pageid=".$pageid, $pageid, $cm->id);
/// Print the page header
@@ -77,6 +77,7 @@ protected function definition() {
$groupname = $groupinfo[$groupid];
$mform->addElement('static', 'groupdesciption', get_string('group'), $groupname);
$mform->addElement('hidden', 'groupinfo', $groupid);
+ $mform->setType('groupinfo', PARAM_INT);
}
}
@@ -68,6 +68,10 @@
require_login($course, true, $cm);
+if (!wiki_user_can_view($subwiki, $wiki)) {
+ print_error('cannotviewpage', 'wiki');
+}
+
$wikipage = new page_wiki_diff($wiki, $subwiki, $cm);
$wikipage->set_page($page);
@@ -75,7 +75,10 @@
require_login($course, true, $cm);
$context = context_module::instance($cm->id);
-require_capability('mod/wiki:editpage', $context);
+
+if (!wiki_user_can_edit($subwiki)) {
+ print_error('cannoteditpage', 'wiki');
+}
if ($option == get_string('save', 'wiki')) {
if (!confirm_sesskey()) {
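Review bot: The explicit `require_capability('mod/wiki:editpage', $context)` is replaced by `wiki_user_can_edit($subwiki)`, whose body is outside this diff; unless that helper also tests `$cm->uservisible` and the module-level `mod/wiki:viewpage`/`mod/wiki:editpage` capabilities the way the new `wiki_user_can_view()` does, this page loses its capability gate. A one-line comment above the call would record the dependency: `// wiki_user_can_edit() enforces module visibility and mod/wiki:editpage for this subwiki.` `$context` is kept on the line above and is presumably still read further down, outside the hunk.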
@@ -54,6 +54,10 @@
}
require_login($course, true, $cm);
+if (!wiki_user_can_view($subwiki, $wiki)) {
+ print_error('cannotviewpage', 'wiki');
+}
+
$editcomments = new page_wiki_editcomment($wiki, $subwiki, $cm);
$comment = new stdClass();
if ($action == 'edit') {
@@ -78,7 +78,11 @@
$PAGE->set_url('/mod/wiki/files.php', array('pageid'=>$pageid));
require_login($course, true, $cm);
-$PAGE->set_context($context);
+
+if (!wiki_user_can_view($subwiki, $wiki)) {
+ print_error('cannotviewfiles', 'wiki');
+}
+
$PAGE->set_title(get_string('wikifiles', 'wiki'));
$PAGE->set_heading(get_string('wikifiles', 'wiki'));
$PAGE->navbar->add(format_string(get_string('wikifiles', 'wiki')));
@@ -93,12 +97,8 @@
echo $OUTPUT->box_start('generalbox');
-if (has_capability('mod/wiki:viewpage', $context)) {
- echo $renderer->wiki_print_subwiki_selector($PAGE->activityrecord, $subwiki, $page, 'files');
- echo $renderer->wiki_files_tree($context, $subwiki);
-} else {
- echo $OUTPUT->notification(get_string('cannotviewfiles', 'wiki'));
-}
+echo $renderer->wiki_print_subwiki_selector($PAGE->activityrecord, $subwiki, $page, 'files');
+echo $renderer->wiki_files_tree($context, $subwiki);
echo $OUTPUT->box_end();
if (has_capability('mod/wiki:managefiles', $context)) {
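Review bot: Removing the `has_capability('mod/wiki:viewpage', $context)` branch makes the files tree depend entirely on `wiki_user_can_view()` returning false for users without that capability; in the locallib hunk only one of its branches is visible (`return has_capability('mod/wiki:viewpage', $context)`), so confirm every branch of that function ends in a capability test before the fallback notification is dropped. `$context` is still read by `wiki_files_tree()` and the `managefiles` check, and the deleted `$PAGE->set_context($context)` was the only line in this section that referenced it, so it must be assigned earlier in files.php (outside the hunk). A comment above the two `echo` lines, `// wiki_user_can_view() already enforced mod/wiki:viewpage and group access above.`, would make that reliance explicit.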
@@ -53,6 +53,10 @@
$context = context_module::instance($cm->id);
require_login($course, true, $cm);
+
+if (!wiki_user_can_view($subwiki, $wiki)) {
+ print_error('cannotviewpage', 'wiki');
+}
require_capability('mod/wiki:managefiles', $context);
if (empty($returnurl)) {
@@ -59,8 +59,11 @@
$course = $DB->get_record('course', array('id' => $cm->course), '*', MUST_EXIST);
require_login($course, true, $cm);
-$context = context_module::instance($cm->id);
-require_capability('mod/wiki:viewpage', $context);
+
+if (!wiki_user_can_view($subwiki, $wiki)) {
+ print_error('cannotviewpage', 'wiki');
+}
+
add_to_log($course->id, 'wiki', 'history', "history.php?pageid=".$pageid, $pageid, $cm->id);
/// Print the page header
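Review bot: The deleted `$context = context_module::instance($cm->id);` is the only definition of `$context` visible in this hunk; if anything later in history.php (outside the diff) still reads `$context`, it is now undefined, so keep that assignment or re-add it where it is first needed, as the view.php hunk in this commit does. The access change itself is sound: `wiki_user_can_view()` subsumes the removed `mod/wiki:viewpage` test when it reaches a `has_capability()` branch.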
@@ -279,7 +279,7 @@ function wiki_supports($feature) {
function wiki_print_recent_activity($course, $viewfullnames, $timestart) {
global $CFG, $DB, $OUTPUT;
- $sql = "SELECT p.*, w.id as wikiid, sw.groupid
+ $sql = "SELECT p.id, p.timemodified, p.subwikiid, sw.wikiid, w.wikimode, sw.userid, sw.groupid
FROM {wiki_pages} p
JOIN {wiki_subwikis} sw ON sw.id = p.subwikiid
JOIN {wiki} w ON w.id = sw.wikiid
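Review bot: Narrowing `p.*` to an explicit column list changes what the consumers of `$wikis` (after the following hunk, outside this view) can read: any page field other than `id`, `timemodified` and `subwikiid` — title, userid, and so on — is now missing from the row. Confirm the rendering code uses only those columns plus `wikiid`, `wikimode`, `userid` and `groupid`, and pin the contract with a comment on the query: `// Select only the columns read by the visibility check and the recent-activity note below.` `sw.wikiid` replaces `w.id as wikiid`, which is the same value through the JOIN.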
@@ -288,48 +288,25 @@ function wiki_print_recent_activity($course, $viewfullnames, $timestart) {
if (!$pages = $DB->get_records_sql($sql, array($timestart, $course->id))) {
return false;
}
- $modinfo = get_fast_modinfo($course);
+ require_once($CFG->dirroot . "/mod/wiki/locallib.php");
$wikis = array();
$modinfo = get_fast_modinfo($course);
+ $subwikivisible = array();
foreach ($pages as $page) {
- if (!isset($modinfo->instances['wiki'][$page->wikiid])) {
- // not visible
- continue;
+ if (!isset($subwikivisible[$page->subwikiid])) {
+ $subwiki = (object)array('id' => $page->subwikiid, 'wikiid' => $page->wikiid,
+ 'groupid' => $page->groupid, 'userid' => $page->userid);
+ $wiki = (object)array('id' => $page->wikiid, 'course' => $course->id, 'wikimode' => $page->wikimode);
+ $subwikivisible[$page->subwikiid] = wiki_user_can_view($subwiki, $wiki);
}
- $cm = $modinfo->instances['wiki'][$page->wikiid];
- if (!$cm->uservisible) {
- continue;
- }
- $context = context_module::instance($cm->id);
-
- if (!has_capability('mod/wiki:viewpage', $context)) {
- continue;
- }
-
- $groupmode = groups_get_activity_groupmode($cm, $course);
-
- if ($groupmode) {
- if ($groupmode == SEPARATEGROUPS and !has_capability('mod/wiki:managewiki', $context)) {
- // separate mode
- if (isguestuser()) {
- // shortcut
- continue;
- }
-
- if (is_null($modinfo->groups)) {
- $modinfo->groups = groups_get_user_groups($course->id); // load all my groups and cache it in modinfo
- }
-
- if (!in_array($page->groupid, $modinfo->groups[0])) {
- continue;
- }
- }
+ if ($subwikivisible[$page->subwikiid]) {
+ $wikis[] = $page;
}
- $wikis[] = $page;
}
+ unset($subwikivisible);
unset($pages);
if (!$wikis) {
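Review bot: `wiki_user_can_view()` is handed stub objects built from the joined row — `$wiki` carries only `id`, `course` and `wikimode`, `$subwiki` only `id`, `wikiid`, `groupid` and `userid`; the part of that function past its group-mode switch is outside this diff, so any other `$wiki` or `$subwiki` field it reads would silently be null here. Either document the stub contract on both sides (`// Stubs: wiki_user_can_view() reads only id/course/wikimode from $wiki.`) or select `w.*` and build `$wiki` from the full record. The retained `$modinfo = get_fast_modinfo($course);` is no longer referenced inside the rewritten loop; if the code after the hunk does not use it either, it can go.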
@@ -719,13 +719,27 @@ function wiki_parser_get_token($markup, $name) {
/**
* Checks if current user can view a subwiki
*
- * @param $subwiki
+ * @param stdClass $subwiki usually record from {wiki_subwikis}. Must contain fields 'wikiid', 'groupid', 'userid'.
+ * If it also contains fields 'course' and 'groupmode' from table {wiki} it will save extra DB query.
+ * @param stdClass $wiki optional wiki object if known
+ * @return bool
*/
-function wiki_user_can_view($subwiki) {
+function wiki_user_can_view($subwiki, $wiki = null) {
global $USER;
- $wiki = wiki_get_wiki($subwiki->wikiid);
- $cm = get_coursemodule_from_instance('wiki', $wiki->id);
+ if (empty($wiki) || $wiki->id != $subwiki->wikiid) {
+ $wiki = wiki_get_wiki($subwiki->wikiid);
+ }
+ $modinfo = get_fast_modinfo($wiki->course);
+ if (!isset($modinfo->instances['wiki'][$subwiki->wikiid])) {
+ // Module does not exist.
+ return false;
+ }
+ $cm = $modinfo->instances['wiki'][$subwiki->wikiid];
+ if (!$cm->uservisible) {
+ // The whole module is not visible to the current user.
+ return false;
+ }
$context = context_module::instance($cm->id);
// Working depending on activity groupmode
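Review bot: The new docblock for `$subwiki` says that including `course` and `groupmode` from `{wiki}` saves a DB query, but the code never reads either field from `$subwiki` — it reads `$wiki->course` and only calls `wiki_get_wiki()` when `$wiki` is absent or its id mismatches. Move that sentence to the `$wiki` parameter: `@param stdClass $wiki optional wiki record; when its id matches $subwiki->wikiid it is used as-is and the {wiki} lookup is skipped. Must contain 'course' and 'wikimode'.` The loose `$wiki->id != $subwiki->wikiid` is deliberate tolerance for string ids coming from the DB; `!==` would wrongly reject equal values of different type. The function body continues past this hunk.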
@@ -767,7 +781,7 @@ function wiki_user_can_view($subwiki) {
// Each person owns a wiki.
if ($wiki->wikimode == 'collaborative' || $wiki->wikimode == 'individual') {
// Only members of subwiki group could view that wiki
- if (groups_is_member($subwiki->groupid)) {
+ if (in_array($subwiki->groupid, $modinfo->get_groups($cm->groupingid))) {
// Only view capability needed
return has_capability('mod/wiki:viewpage', $context);
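Review bot: The comment `// Only members of subwiki group could view that wiki` no longer describes the check precisely: membership now comes from `$modinfo->get_groups($cm->groupingid)`, so — if that reading of `get_groups()` is right — a user who belongs to the group but whose group lies outside the activity's grouping is refused where `groups_is_member()` would have admitted them. Say so in place: `// Only members of the subwiki group, as seen through the activity's grouping, may view it.` Leave `in_array()` non-strict here, since group ids may arrive as strings from the DB. The enclosing function starts before this hunk.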
@@ -68,8 +68,9 @@
require_login($course, false, $cm);
-$context = context_module::instance($cm->id);
-require_capability('mod/wiki:editpage', $context);
+if (!wiki_user_can_edit($subwiki)) {
+ print_error('cannoteditpage', 'wiki');
+}
$wikipage = new page_wiki_lock($wiki, $subwiki, $cm);
$wikipage->set_page($page);
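Review bot: `$context` is deleted along with the `require_capability()` it served, so any later use of `$context` in lock.php (outside this hunk) now hits an undefined variable; grep the rest of the file before relying on the removal. As with edit.php, `wiki_user_can_edit($subwiki)` is trusted to cover the `mod/wiki:editpage` capability and module visibility that the removed line enforced; a comment naming that expectation, `// wiki_user_can_edit() replaces the former mod/wiki:editpage check.`, would help the next reader.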
@@ -54,8 +54,10 @@
}
require_login($course, true, $cm);
-$context = context_module::instance($cm->id);
-require_capability('mod/wiki:viewpage', $context);
+
+if (!wiki_user_can_view($subwiki, $wiki)) {
+ print_error('cannotviewpage', 'wiki');
+}
$wikipage = new page_wiki_map($wiki, $subwiki, $cm);
add_to_log($course->id, "wiki", "map", "map.php?pageid=".$pageid, $pageid, $cm->id);
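Review bot: The removed `$context = context_module::instance($cm->id);` may be referenced further down map.php, beyond this hunk; if so it is now undefined and should be re-added after the new check rather than dropped. The replacement `wiki_user_can_view($subwiki, $wiki)` is stricter than the old capability test because it also enforces group access and `$cm->uservisible`, which is the intent of the commit.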
@@ -64,12 +64,13 @@
require_login($course, true, $cm);
-$context = context_module::instance($cm->id);
-require_capability('mod/wiki:overridelock', $context);
+require_sesskey();
-if (!confirm_sesskey()) {
- print_error(get_string('invalidsesskey', 'wiki'));
+if (!wiki_user_can_view($subwiki, $wiki)) {
+ print_error('cannotviewpage', 'wiki');
}
+$context = context_module::instance($cm->id);
+require_capability('mod/wiki:overridelock', $context);
$wikipage = new page_wiki_overridelocks($wiki, $subwiki, $cm);
$wikipage->set_page($page);
@@ -53,8 +53,9 @@
require_login($course, true, $cm);
-$context = context_module::instance($cm->id);
-require_capability('mod/wiki:viewpage', $context);
+if (!wiki_user_can_view($subwiki, $wiki)) {
+ print_error('cannotviewpage', 'wiki');
+}
$wikipage = new page_wiki_prettyview($wiki, $subwiki, $cm);
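Review bot: Same concern as the other view pages in this commit: the deleted `$context` assignment was the only one visible here, so check that prettyview.php does not read `$context` later (outside the hunk) before accepting the removal; re-adding `$context = context_module::instance($cm->id);` after the new check is harmless if it does.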
@@ -60,6 +60,10 @@
require_login($course, true, $cm);
+if (!wiki_user_can_view($subwiki)) {
+ print_error('cannotviewpage', 'wiki');
+}
+
if ($confirm) {
if (!confirm_sesskey()) {
print_error(get_string('invalidsesskey', 'wiki'));
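Review bot: `wiki_user_can_view($subwiki)` is the only call site in this commit that omits the `$wiki` argument, so it re-fetches the wiki record the other pages pass in; if `$wiki` is already loaded earlier in this file (outside the hunk), write `wiki_user_can_view($subwiki, $wiki)` for consistency and one fewer query. This is a confirm-and-act page (the sesskey-protected `$confirm` branch follows), so a view check alone may be too weak — confirm the page class enforces an edit or manage capability before the action runs.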
@@ -45,12 +45,16 @@
$gid = 0;
}
if (!$subwiki = wiki_get_subwiki_by_group($cm->instance, $gid)) {
- return false;
+ print_error('incorrectsubwikiid', 'wiki');
}
if (!$wiki = wiki_get_wiki($subwiki->wikiid)) {
print_error('incorrectwikiid', 'wiki');
}
+if (!wiki_user_can_view($subwiki, $wiki)) {
+ print_error('cannotviewfiles', 'wiki');
+}
+
$wikipage = new page_wiki_search($wiki, $subwiki, $cm);
$wikipage->set_search_string($search, $searchcontent);
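Review bot: The new check reports `cannotviewfiles` on a search page; every other non-files page in this commit uses `cannotviewpage`, and this page has nothing to do with files, so use `print_error('cannotviewpage', 'wiki');` here. Replacing the bare top-level `return false` with `print_error('incorrectsubwikiid', 'wiki')` is correct — the old `return` produced an empty page with no error.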
@@ -271,8 +271,9 @@
print_error('incorrectparameters');
}
-$context = context_module::instance($cm->id);
-require_capability('mod/wiki:viewpage', $context);
+if (!wiki_user_can_view($subwiki, $wiki)) {
+ print_error('cannotviewpage', 'wiki');
+}
// Update 'viewed' state if required by completion system
require_once($CFG->libdir . '/completionlib.php');
@@ -297,6 +298,7 @@
$wikipage->set_gid($currentgroup);
$wikipage->set_page($page);
+$context = context_module::instance($cm->id);
if($pageid) {
add_to_log($course->id, 'wiki', 'view', "view.php?pageid=".$pageid, $pageid, $cm->id);
} else if($id) {
@@ -60,6 +60,10 @@
require_login($course, true, $cm);
+if (!wiki_user_can_view($subwiki, $wiki)) {
+ print_error('cannotviewpage', 'wiki');
+}
+
$wikipage = new page_wiki_viewversion($wiki, $subwiki, $cm);
$wikipage->set_page($page);
