mirror of
https://github.com/moodle/moodle.git
synced 2025-08-05 00:46:50 +02:00
MDL-32239 question bank: wrong cap checks editing/viewing quesitions
None of these problems affect the default roles. They only occur when the permissions have been edited to allow restricted subsets of the question capabilities. In some cases, things that the restriced subset of capabilities should have allowed were blocked by errors. In other cases, users were allowed to do more than they should bave been due to failures to check the right capabilities in the right places. For full details, see the bug report. Two of the bugs were previously reported separately as MDL-26395 and MDL-27232.
This commit is contained in:
Tim Hunt
parent
58db57ad53
commit
29e247e44e
3 changed files with 26 additions and 18 deletions
|
|
@ -126,6 +126,7 @@ if ($id) {
|
|||
$question = new stdClass();
|
||||
$question->category = $categoryid;
|
||||
$question->qtype = $qtype;
|
||||
$question->createdby = $USER->id;
|
||||
|
||||
// Check that users are allowed to create this question type at the moment.
|
||||
if (!question_bank::qtype_enabled($qtype)) {
|
||||
|
|
@ -157,7 +158,6 @@ $categorycontext = get_context_instance_by_id($category->contextid);
|
|||
$addpermission = has_capability('moodle/question:add', $categorycontext);
|
||||
|
||||
if ($id) {
|
||||
$canview = question_has_capability_on($question, 'view');
|
||||
if ($movecontext){
|
||||
$question->formoptions->canedit = false;
|
||||
$question->formoptions->canmove = (question_has_capability_on($question, 'move') && $contexts->have_cap('moodle/question:add'));
|
||||
|
|
@ -165,26 +165,28 @@ if ($id) {
|
|||
$question->formoptions->repeatelements = false;
|
||||
$question->formoptions->movecontext = true;
|
||||
$formeditable = true;
|
||||
question_require_capability_on($question, 'view');
|
||||
question_require_capability_on($question, 'move');
|
||||
} else {
|
||||
$question->formoptions->canedit = question_has_capability_on($question, 'edit');
|
||||
$question->formoptions->canmove = (question_has_capability_on($question, 'move') && $addpermission);
|
||||
$question->formoptions->cansaveasnew = (($canview ||question_has_capability_on($question, 'edit')) && $addpermission);
|
||||
$question->formoptions->repeatelements = ($question->formoptions->canedit || $question->formoptions->cansaveasnew);
|
||||
$question->formoptions->canmove = $addpermission && question_has_capability_on($question, 'move');
|
||||
$question->formoptions->cansaveasnew = $addpermission &&
|
||||
(question_has_capability_on($question, 'view') || $question->formoptions->canedit);
|
||||
$question->formoptions->repeatelements = $question->formoptions->canedit || $question->formoptions->cansaveasnew;
|
||||
$formeditable = $question->formoptions->canedit || $question->formoptions->cansaveasnew || $question->formoptions->canmove;
|
||||
$question->formoptions->movecontext = false;
|
||||
if (!$formeditable){
|
||||
if (!$formeditable) {
|
||||
question_require_capability_on($question, 'view');
|
||||
}
|
||||
}
|
||||
|
||||
} else { // creating a new question
|
||||
require_capability('moodle/question:add', $categorycontext);
|
||||
$formeditable = true;
|
||||
$question->formoptions->canedit = question_has_capability_on($question, 'edit');
|
||||
$question->formoptions->canmove = (question_has_capability_on($question, 'move') && $addpermission);
|
||||
$question->formoptions->cansaveasnew = false;
|
||||
$question->formoptions->repeatelements = true;
|
||||
$question->formoptions->movecontext = false;
|
||||
$formeditable = true;
|
||||
require_capability('moodle/question:add', $categorycontext);
|
||||
}
|
||||
|
||||
// Validate the question type.
|
||||
|
|
@ -245,7 +247,7 @@ if ($mform->is_cancelled()) {
|
|||
|
||||
/// If we are moving a question, check we have permission to move it from
|
||||
/// whence it came. (Where we are moving to is validated by the form.)
|
||||
list($newcatid) = explode(',', $fromform->category);
|
||||
list($newcatid, $newcontextid) = explode(',', $fromform->category);
|
||||
if (!empty($question->id) && $newcatid != $question->category) {
|
||||
question_require_capability_on($question, 'move');
|
||||
}
|
||||
|
|
@ -261,6 +263,14 @@ if ($mform->is_cancelled()) {
|
|||
|
||||
} else {
|
||||
// We are acutally saving the question.
|
||||
if (!empty($question->id)) {
|
||||
question_require_capability_on($question, 'edit');
|
||||
} else {
|
||||
require_capability('moodle/question:add', get_context_instance_by_id($newcontextid));
|
||||
if (!empty($fromform->makecopy) && !$question->formoptions->cansaveasnew) {
|
||||
print_error('nopermissions', '', '', 'edit');
|
||||
}
|
||||
}
|
||||
$question = $qtypeobj->save_question($question, $fromform);
|
||||
if (!empty($CFG->usetags) && isset($fromform->tags)) {
|
||||
// A wizardpage from multipe pages questiontype like calculated may not
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue