From 74556525de9617c593c3e08269d6d541c6576c90 Mon Sep 17 00:00:00 2001
From: Marina Glancy
Date: Fri, 4 Jul 2014 10:22:03 +0800
Subject: [PATCH] MDL-45760 make sure to check permission before setting header

---
 notes/index.php | 9 +++++----
 user/edit.php | 20 ++++++++++----------
 2 files changed, 15 insertions(+), 14 deletions(-)

diff --git a/notes/index.php b/notes/index.php
index fc94a7882ef..611624df2b6 100644
--- a/notes/index.php
+++ b/notes/index.php
@@ -15,6 +15,10 @@
 $userid = optional_param('user', 0, PARAM_INT);
 $filtertype = optional_param('filtertype', '', PARAM_ALPHA);
 $filterselect = optional_param('filterselect', 0, PARAM_INT);
+if (empty($CFG->enablenotes)) {
+    print_error('notesdisabled', 'notes');
+}
+
 $url = new moodle_url('/notes/index.php');
 if ($courseid != SITEID) {
     $url->param('course', $courseid);
@@ -67,6 +71,7 @@ if ($course->id == SITEID) {
 } else {
     $coursecontext = context_course::instance($course->id); // Course context
 }
+require_capability('moodle/notes:view', $coursecontext);
 $systemcontext = context_system::instance(); // SYSTEM context
 
 // Trigger event.
@@ -78,10 +83,6 @@ $event = \core\event\notes_viewed::create(array(
 ));
 $event->trigger();
 
-if (empty($CFG->enablenotes)) {
-    print_error('notesdisabled', 'notes');
-}
-
 $strnotes = get_string('notes', 'notes');
 if ($userid) {
     $PAGE->set_context(context_user::instance($user->id));
diff --git a/user/edit.php b/user/edit.php
index 7b2dc73c32f..603378befd3 100644
--- a/user/edit.php
+++ b/user/edit.php
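Review bot: The relocated `enablenotes` guard now runs `print_error()` before the page URL is even built (the `$url = new moodle_url(...)` line that follows) and ahead of whatever login and permission checks come later in the file, but nothing in the hunk records that this ordering is deliberate. The same four lines previously lived after the event trigger, so a future tidy-up could easily move them back below the header/event code and reintroduce the problem this commit fixes. A short comment above the check would pin the intent, for example `// Feature-flag check must come before any page setup, permission check or header output.`. Whether `require_login()` sits between this hunk and the next is not visible here; if it does, the only thing an unauthenticated visitor learns from this early exit is the site-wide flag, which is acceptable.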
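Review bot: `require_capability('moodle/notes:view', $coursecontext);` depends on `$coursecontext` being assigned in both branches of the preceding `if ($course->id == SITEID)`, but only the `} else {` branch is visible in this hunk; confirm the SITEID branch also sets it, since an unset or null context here would surface as a coding exception rather than a clean permission denial. Placing the check before the `notes_viewed` event is the right order, as an unauthorised request no longer logs a view. It is worth checking whether a course-level `moodle/notes:view` is sufficient when `$userid` is given, because the page later switches to the target user's context (`$PAGE->set_context(context_user::instance($user->id))` in the following hunk); if personal or site notes need a distinct check it belongs at this point as well. A one-line comment would document the constraint: `// Permission check must precede the event trigger and any header output (MDL-45760).`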
@@ -104,16 +104,6 @@ if ($course->id == SITEID) {
 $systemcontext = context_system::instance();
 $personalcontext = context_user::instance($user->id);
 
-$PAGE->set_pagelayout('admin');
-$PAGE->set_context($personalcontext);
-if ($USER->id != $user->id) {
-    $PAGE->navigation->extend_for_user($user);
-} else {
-    if ($node = $PAGE->navigation->find('myprofile', navigation_node::TYPE_ROOTNODE)) {
-        $node->force_open();
-    }
-}
-
 // check access control
 if ($user->id == $USER->id) {
     //editing own profile - require_login() MUST NOT be used here, it would result in infinite loop!
@@ -141,6 +131,16 @@ if ($user->deleted) {
     die;
 }
 
+$PAGE->set_pagelayout('admin');
+$PAGE->set_context($personalcontext);
+if ($USER->id != $user->id) {
+    $PAGE->navigation->extend_for_user($user);
+} else {
+    if ($node = $PAGE->navigation->find('myprofile', navigation_node::TYPE_ROOTNODE)) {
+        $node->force_open();
+    }
+}
+
 // Process email change cancellation
 if ($cancelemailchange) {
     cancel_email_update($user->id);
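Review bot: The re-inserted page setup in the second hunk carries no explanation of why it must sit below the access-control section, so nothing prevents a later refactor from moving `$PAGE->set_context($personalcontext)` and `$PAGE->navigation->extend_for_user($user)` back above the permission checks, which is exactly the ordering this commit corrects. Add a guard comment above `$PAGE->set_pagelayout('admin');`, for example `// Layout, context and navigation are set only after the access checks above have passed; do not move this earlier (MDL-45760).`. Note that `$personalcontext` itself is still computed before the checks (context line in the first hunk); that renders nothing and is harmless, but the comment should make the boundary explicit. Both hunks are top-level script code rather than the body of a function.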