moodle/moodle
3
0
Fork 0
mirror of https://github.com/moodle/moodle.git synced 2025-08-08 02:16:41 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

MDL-37710 Assign: Fix pluginfile permission checks for student viewing their own team submission.

Browse source 
This change adds a function to the assign class to allow the permissions for a group submission
to be checked and updates all the submission plugins to call it.
This commit is contained in:
Damyon Wiese 2013-01-29 16:07:08 +08:00
parent cbb26eb0ec
commit 3e1b63f1c8
4 changed files with 62 additions and 29 deletions
Download patch file Download diff file Expand all files Collapse all files

24
mod/assign/locallib.php
View file

@ -2784,6 +2784,30 @@ class assign {
return false; return false;
} }
/**
* Perform an access check to see if the current $USER can view this group submission.
*
* @param int $groupid
* @return bool
*/
public function can_view_group_submission($groupid) {
global $USER;
if (!is_enrolled($this->get_course_context(), $USER->id)) {
return false;
}
if (has_capability('mod/assign:grade', $this->context)) {
return true;
}
$members = $this->get_submission_group_members($groupid, true);
foreach ($members as $member) {
if ($member->id == $USER->id) {
return true;
}
}
return false;
}
/** /**
* Perform an access check to see if the current $USER can view this users submission. * Perform an access check to see if the current $USER can view this users submission.
* *

18
mod/assign/submission/comments/lib.php
View file

@ -92,22 +92,16 @@ function assignsubmission_comments_comment_permissions(stdClass $options) {
if ($assignment->get_instance()->id != $submission->assignment) { if ($assignment->get_instance()->id != $submission->assignment) {
throw new comment_exception('invalidcontext'); throw new comment_exception('invalidcontext');
} }
if (!has_capability('mod/assign:grade', $context)) {
if (!has_capability('mod/assign:submit', $context)) { if ($assignment->get_instance()->teamsubmission &&
return array('post' => false, 'view' => false); !$assignment->can_view_group_submission($submission->groupid)) {
} else if ($assignment->get_instance()->teamsubmission) {
$group = $assignment->get_submission_group($USER->id);
$groupid = 0;
if ($group) {
$groupid = $group->id;
}
if ($groupid != $submission->groupid) {
return array('post' => false, 'view' => false); return array('post' => false, 'view' => false);
} }
} else if ($submission->userid != $USER->id) {
if (!$assignment->get_instance()->teamsubmission &&
!$assignment->can_view_submission($submission->userid)) {
return array('post' => false, 'view' => false); return array('post' => false, 'view' => false);
} }
}
return array('post' => true, 'view' => true); return array('post' => true, 'view' => true);
} }

20
mod/assign/submission/file/lib.php
View file

@ -40,7 +40,7 @@ function assignsubmission_file_pluginfile($course,
$filearea, $filearea,
$args, $args,
$forcedownload) { $forcedownload) {
global $USER, $DB; global $DB, $CFG;
if ($context->contextlevel != CONTEXT_MODULE) { if ($context->contextlevel != CONTEXT_MODULE) {
return false; return false;
@ -50,20 +50,26 @@ function assignsubmission_file_pluginfile($course,
$itemid = (int)array_shift($args); $itemid = (int)array_shift($args);
$record = $DB->get_record('assign_submission', $record = $DB->get_record('assign_submission',
array('id'=>$itemid), array('id'=>$itemid),
'userid, assignment', 'userid, assignment, groupid',
MUST_EXIST); MUST_EXIST);
$userid = $record->userid; $userid = $record->userid;
$groupid = $record->groupid;
if (!$assign = $DB->get_record('assign', array('id'=>$cm->instance))) { require_once($CFG->dirroot . '/mod/assign/locallib.php');
$assign = new assign($context, $cm, $course);
if ($assign->get_instance()->id != $record->assignment) {
return false; return false;
} }
if ($assign->id != $record->assignment) { if ($assign->get_instance()->teamsubmission &&
!$assign->can_view_group_submission($groupid)) {
return false; return false;
} }
// Check if this is the current users submission or the user has grading permission. if (!$assign->get_instance()->teamsubmission &&
if ($USER->id != $userid and !has_capability('mod/assign:grade', $context)) { !$assign->can_view_submission($userid)) {
return false; return false;
} }
@ -72,7 +78,7 @@ function assignsubmission_file_pluginfile($course,
$fullpath = "/{$context->id}/assignsubmission_file/$filearea/$itemid/$relativepath"; $fullpath = "/{$context->id}/assignsubmission_file/$filearea/$itemid/$relativepath";
$fs = get_file_storage(); $fs = get_file_storage();
if (!$file = $fs->get_file_by_hash(sha1($fullpath)) or $file->is_directory()) { if (!($file = $fs->get_file_by_hash(sha1($fullpath))) || $file->is_directory()) {
return false; return false;
} }

23
mod/assign/submission/onlinetext/lib.php
View file

@ -35,7 +35,7 @@ defined('MOODLE_INTERNAL') || die();
* @return bool false if file not found, does not return if found - just send the file * @return bool false if file not found, does not return if found - just send the file
*/ */
function assignsubmission_onlinetext_pluginfile($course, $cm, context $context, $filearea, $args, $forcedownload) { function assignsubmission_onlinetext_pluginfile($course, $cm, context $context, $filearea, $args, $forcedownload) {
global $USER, $DB; global $DB, $CFG;
if ($context->contextlevel != CONTEXT_MODULE) { if ($context->contextlevel != CONTEXT_MODULE) {
return false; return false;
@ -43,19 +43,28 @@ function assignsubmission_onlinetext_pluginfile($course, $cm, context $context,
require_login($course, false, $cm); require_login($course, false, $cm);
$itemid = (int)array_shift($args); $itemid = (int)array_shift($args);
$record = $DB->get_record('assign_submission', array('id'=>$itemid), 'userid, assignment', MUST_EXIST); $record = $DB->get_record('assign_submission',
array('id'=>$itemid),
'userid, assignment, groupid',
MUST_EXIST);
$userid = $record->userid; $userid = $record->userid;
$groupid = $record->groupid;
if (!$assign = $DB->get_record('assign', array('id'=>$cm->instance))) { require_once($CFG->dirroot . '/mod/assign/locallib.php');
$assign = new assign($context, $cm, $course);
if ($assign->get_instance()->id != $record->assignment) {
return false; return false;
} }
if ($assign->id != $record->assignment) { if ($assign->get_instance()->teamsubmission &&
!$assign->can_view_group_submission($groupid)) {
return false; return false;
} }
// Check is users submission or has grading permission. if (!$assign->get_instance()->teamsubmission &&
if ($USER->id != $userid and !has_capability('mod/assign:grade', $context)) { !$assign->can_view_submission($userid)) {
return false; return false;
} }
@ -64,7 +73,7 @@ function assignsubmission_onlinetext_pluginfile($course, $cm, context $context,
$fullpath = "/{$context->id}/assignsubmission_onlinetext/$filearea/$itemid/$relativepath"; $fullpath = "/{$context->id}/assignsubmission_onlinetext/$filearea/$itemid/$relativepath";
$fs = get_file_storage(); $fs = get_file_storage();
if (!$file = $fs->get_file_by_hash(sha1($fullpath)) or $file->is_directory()) { if (!($file = $fs->get_file_by_hash(sha1($fullpath))) || $file->is_directory()) {
return false; return false;
} }