MDL-45760 make sure to check permission before setting header

Marina Glancy 2014-07-04 10:22:03 +08:00 committed by Dan Poltawski
parent 9d8348e13f
commit 74556525de
2 changed files with 15 additions and 14 deletions


@ -15,6 +15,10 @@ $userid = optional_param('user', 0, PARAM_INT);
$filtertype = optional_param('filtertype', '', PARAM_ALPHA);
$filterselect = optional_param('filterselect', 0, PARAM_INT);
if (empty($CFG->enablenotes)) {
print_error('notesdisabled', 'notes');
}
$url = new moodle_url('/notes/index.php');
if ($courseid != SITEID) {
$url->param('course', $courseid);
@ -67,6 +71,7 @@ if ($course->id == SITEID) {
} else {
$coursecontext = context_course::instance($course->id); // Course context
}
require_capability('moodle/notes:view', $coursecontext);
$systemcontext = context_system::instance(); // SYSTEM context
// Trigger event.
@ -78,10 +83,6 @@ $event = \core\event\notes_viewed::create(array(
));
$event->trigger();
if (empty($CFG->enablenotes)) {
print_error('notesdisabled', 'notes');
}
$strnotes = get_string('notes', 'notes');
if ($userid) {
$PAGE->set_context(context_user::instance($user->id));
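Review bot: The new `require_capability('moodle/notes:view', $coursecontext);` in the second hunk has no comment saying why it must sit exactly there, and the ordering is the whole point of this fix: it now runs before the `notes_viewed` event is triggered and before `$PAGE->set_context()` is called in the `$userid` branch, so an unauthorised request no longer gets an event logged or page state set up on its behalf. I would add above it `// Check the capability before any event is triggered or page context/header is set.` so the next refactor does not move it back down. Note also that the `enablenotes` check now runs before the `moodle_url`/course setup in the first hunk (and was removed from after the event in the third), so a disabled-notes request is rejected before any course-specific work; that seems intended but is worth a word in the commit message. The capability is checked against the course context only; if a per-user restriction is expected for the `$userid` branch it is not visible in these hunks. The surrounding script continues outside the hunks.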


@ -104,16 +104,6 @@ if ($course->id == SITEID) {
$systemcontext = context_system::instance();
$personalcontext = context_user::instance($user->id);
$PAGE->set_pagelayout('admin');
$PAGE->set_context($personalcontext);
if ($USER->id != $user->id) {
$PAGE->navigation->extend_for_user($user);
} else {
if ($node = $PAGE->navigation->find('myprofile', navigation_node::TYPE_ROOTNODE)) {
$node->force_open();
}
}
// check access control
if ($user->id == $USER->id) {
//editing own profile - require_login() MUST NOT be used here, it would result in infinite loop!
@ -141,6 +131,16 @@ if ($user->deleted) {
die;
}
$PAGE->set_pagelayout('admin');
$PAGE->set_context($personalcontext);
if ($USER->id != $user->id) {
$PAGE->navigation->extend_for_user($user);
} else {
if ($node = $PAGE->navigation->find('myprofile', navigation_node::TYPE_ROOTNODE)) {
$node->force_open();
}
}
// Process email change cancellation
if ($cancelemailchange) {
cancel_email_update($user->id);
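Review bot: The `$PAGE->set_pagelayout('admin'); $PAGE->set_context($personalcontext);` block plus the navigation setup is moved verbatim from before the "check access control" section to after the `$user->deleted` check, but nothing at its new location explains that the position is load-bearing. I would add above `$PAGE->set_pagelayout('admin');` the comment `// Only set page context and build navigation once access control above has passed; do not move this earlier.` so it is not hoisted again by a later cleanup. The `$systemcontext` and `$personalcontext` instances are still created before access control in the first hunk, which is harmless on its own but could mislead a reader into thinking page setup is safe there too. Both hunks are parts of a larger top-level script whose access-control branches lie outside the visible lines.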