From fd8043b2deee16a913ef12485b8df37db2f14ff3 Mon Sep 17 00:00:00 2001
From: Issam Taboubi
Date: Wed, 5 Oct 2016 14:34:35 -0400
Subject: [PATCH] MDL-56285 competency: fix move competencies capabilities

In learning plan templates, cannot move competencies around even if capability templatemanage is given to the role because of bad context check
---
 competency/classes/api.php | 9 +++--
 competency/tests/api_test.php | 65 +++++++++++++++++++++++++++++++++++
 2 files changed, 71 insertions(+), 3 deletions(-)
diff --git a/competency/classes/api.php b/competency/classes/api.php
index 043111e5bd9..a7f8b888c79 100644
--- a/competency/classes/api.php
+++ b/competency/classes/api.php
@@ -2196,10 +2196,13 @@ class api {
 */
 public static function reorder_template_competency($templateid, $competencyidfrom, $competencyidto) {
 static::require_enabled();
- // First we do a permissions check.
- $context = context_system::instance();
+ $template = new template($templateid);
- require_capability('moodle/competency:templatemanage', $context);
+ // First we do a permissions check.
+ if (!$template->can_manage()) {
+ throw new required_capability_exception($template->get_context(), 'moodle/competency:templatemanage',
+ 'nopermissions', '');
+ }
 $down = true;
 $matches = template_competency::get_records(array('templateid' => $templateid, 'competencyid' => $competencyidfrom));
diff --git a/competency/tests/api_test.php b/competency/tests/api_test.php
index cb815aaa0e6..d55446bee4c 100644
--- a/competency/tests/api_test.php
+++ b/competency/tests/api_test.php
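Review bot: In `reorder_template_competency` (competency/classes/api.php), `new template($templateid)` now runs before any authorization, so the comment `// First we do a permissions check.` is no longer accurate, and a caller without the capability will presumably receive the constructor's error for an unknown id instead of `nopermissions`, which lets existing and missing template ids be told apart. If that difference is acceptable, the comment should say so and explain why the template's own context is used, for example `// Check templatemanage in the template's context; the template is loaded first to know that context.` The function body continues outside the hunk and its docblock is not visible, so whether it already has a `@throws required_capability_exception` line cannot be confirmed from here.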
@@ -1883,6 +1883,71 @@ class core_competency_api_testcase extends advanced_testcase {
 $this->assertInstanceOf('core_competency\\template_cohort', $result);
 }
+ public function test_reorder_template_competencies_permissions() {
+ $this->resetAfterTest(true);
+
+ $dg = $this->getDataGenerator();
+ $lpg = $this->getDataGenerator()->get_plugin_generator('core_competency');
+ $cat = $dg->create_category();
+ $catcontext = context_coursecat::instance($cat->id);
+ $syscontext = context_system::instance();
+
+ $user = $dg->create_user();
+ $role = $dg->create_role();
+ assign_capability('moodle/competency:templatemanage', CAP_ALLOW, $role, $syscontext->id, true);
+ $dg->role_assign($role, $user->id, $syscontext->id);
+
+ // Create a template.
+ $template = $lpg->create_template(array('contextid' => $catcontext->id));
+
+ // Create a competency framework.
+ $framework = $lpg->create_framework(array('contextid' => $catcontext->id));
+
+ // Create competencies.
+ $competency1 = $lpg->create_competency(array('competencyframeworkid' => $framework->get_id()));
+ $competency2 = $lpg->create_competency(array('competencyframeworkid' => $framework->get_id()));
+
+ // Add the competencies.
+ $lpg->create_template_competency(array(
+ 'templateid' => $template->get_id(),
+ 'competencyid' => $competency1->get_id()
+ ));
+ $lpg->create_template_competency(array(
+ 'templateid' => $template->get_id(),
+ 'competencyid' => $competency2->get_id()
+ ));
+ $this->setUser($user);
+ // Can reorder competencies with system context permissions in category context.
+ $result = api::reorder_template_competency($template->get_id(), $competency2->get_id(), $competency1->get_id());
+ $this->assertTrue($result);
+ unassign_capability('moodle/competency:templatemanage', $role, $syscontext->id);
+ accesslib_clear_all_caches_for_unit_testing();
+
+ try {
+ api::reorder_template_competency($template->get_id(), $competency2->get_id(), $competency1->get_id());
+ $this->fail('Exception expected due to not permissions to manage template competencies');
+ } catch (required_capability_exception $e) {
+ $this->assertEquals('nopermissions', $e->errorcode);
+ }
+
+ // Giving permissions in category context.
+ assign_capability('moodle/competency:templatemanage', CAP_ALLOW, $role, $catcontext->id, true);
+ $dg->role_assign($role, $user->id, $catcontext->id);
+ // User with templatemanage capability in category context can reorder competencies in temple.
+ $result = api::reorder_template_competency($template->get_id(), $competency1->get_id(), $competency2->get_id());
+ $this->assertTrue($result);
+ // Removing templatemanage capability in category context.
+ unassign_capability('moodle/competency:templatemanage', $role, $catcontext->id);
+ accesslib_clear_all_caches_for_unit_testing();
+
+ try {
+ api::reorder_template_competency($template->get_id(), $competency2->get_id(), $competency1->get_id());
+ $this->fail('Exception expected due to not permissions to manage template competencies');
+ } catch (required_capability_exception $e) {
+ $this->assertEquals('nopermissions', $e->errorcode);
+ }
+ }
+
 public function test_delete_template() {
 $this->resetAfterTest(true);
 $this->setAdminUser();
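Review bot: The new test never covers a user who holds `moodle/competency:templatemanage` only in a category other than the template's, which is the boundary the context-aware check in `api::reorder_template_competency` is meant to enforce. Both negative cases remove the capability from the role entirely, so a check that accepted the capability from any category context would still pass this test. A further case before the end of the method, granting the capability in a second category and expecting `nopermissions`, would pin that boundary. Separately, the `$this->fail()` messages read "due to not permissions" and one comment says "temple"; these want correcting to "no permission" and "template".

```php
        // … unchanged: system-context and own-category cases …

        // Capability held only in an unrelated category must not allow reordering.
        $othercat = $dg->create_category();
        $othercontext = context_coursecat::instance($othercat->id);
        assign_capability('moodle/competency:templatemanage', CAP_ALLOW, $role, $othercontext->id, true);
        $dg->role_assign($role, $user->id, $othercontext->id);
        accesslib_clear_all_caches_for_unit_testing();

        try {
            api::reorder_template_competency($template->get_id(), $competency2->get_id(), $competency1->get_id());
            $this->fail('Exception expected: capability is held in another category only');
        } catch (required_capability_exception $e) {
            $this->assertEquals('nopermissions', $e->errorcode);
        }
```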