
MDL-37244 Assignment: Submission comments plugin does not implement c…

…omments callbacks.

This allows anyone to view or modify anyone else's submission comments.
damyon authored and danpoltawski committed Dec 20, 2012
1 parent 9860957 commit e00b5c454c1036654b8d030c41345b6cd0d867e2
Showing with 66 additions and 0 deletions.
  1. +66 −0 mod/assign/submission/comments/lib.php
@@ -31,6 +31,39 @@
* @return bool
*/
function assignsubmission_comments_comment_validate(stdClass $options) {
global $USER, $CFG, $DB;
if ($options->commentarea != 'submission_comments' &&
$options->commentarea != 'submission_comments_upgrade') {
throw new comment_exception('invalidcommentarea');
}
if (!$submission = $DB->get_record('assign_submission', array('id'=>$options->itemid))) {
throw new comment_exception('invalidcommentitemid');
}
$context = $options->context;
require_once($CFG->dirroot . '/mod/assign/locallib.php');
$assignment = new assign($context, null, null);
if ($assignment->get_instance()->id != $submission->assignment) {
throw new comment_exception('invalidcontext');
}
if (!has_capability('mod/assign:grade', $context)) {
if (!has_capability('mod/assign:submit', $context)) {
throw new comment_exception('nopermissiontocomment');
} else if ($assignment->get_instance()->teamsubmission) {
$group = $assignment->get_submission_group($USER->id);
$groupid = 0;
if ($group) {
$groupid = $group->id;
}
if ($groupid != $submission->groupid) {
throw new comment_exception('nopermissiontocomment');
}
} else if ($submission->userid != $USER->id) {
throw new comment_exception('nopermissiontocomment');
}
}
return true;
}
@@ -42,6 +75,39 @@ function assignsubmission_comments_comment_validate(stdClass $options) {
* @return array
*/
function assignsubmission_comments_comment_permissions(stdClass $options) {
global $USER, $CFG, $DB;
if ($options->commentarea != 'submission_comments' &&
$options->commentarea != 'submission_comments_upgrade') {
throw new comment_exception('invalidcommentarea');
}
if (!$submission = $DB->get_record('assign_submission', array('id'=>$options->itemid))) {
throw new comment_exception('invalidcommentitemid');
}
$context = $options->context;
require_once($CFG->dirroot . '/mod/assign/locallib.php');
$assignment = new assign($context, null, null);
if ($assignment->get_instance()->id != $submission->assignment) {
throw new comment_exception('invalidcontext');
}
if (!has_capability('mod/assign:grade', $context)) {
if (!has_capability('mod/assign:submit', $context)) {
return array('post' => false, 'view' => false);
} else if ($assignment->get_instance()->teamsubmission) {
$group = $assignment->get_submission_group($USER->id);
$groupid = 0;
if ($group) {
$groupid = $group->id;
}
if ($groupid != $submission->groupid) {
return array('post' => false, 'view' => false);
}
} else if ($submission->userid != $USER->id) {
return array('post' => false, 'view' => false);
}
}
return array('post' => true, 'view' => true);
}
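Review bot: In the team-submission branch (`else if ($assignment->get_instance()->teamsubmission)`, present in both `assignsubmission_comments_comment_validate` and `assignsubmission_comments_comment_permissions`) access is decided on `groupid` alone and `$submission->userid` is never consulted. A user for whom `get_submission_group()` returns nothing is assigned `$groupid = 0`, so the check passes for every row of this assignment whose `groupid` is 0; if per-user rows are stored that way (not visible in this diff, to be confirmed in locallib.php), for example rows left over from before team mode was enabled, their comments would remain viewable and postable by students who are in no group. Assuming group rows carry `userid` 0, the guard could be tightened to `if ($groupid != $submission->groupid || $submission->userid != 0) {`. The ownership logic is also copied verbatim between the two functions, so any correction has to be made twice; a single private helper returning a bool, which one caller turns into an exception and the other into the permissions array, would keep the two from drifting apart.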
