MDL-62790 course: cap check in core_course_get_categories

2025-08-06 01:16:44 +02:00 · 2018-06-25 14:54:59 +08:00 · 2018-06-25 14:54:59 +08:00 · d80533be40
commit d80533be40
parent 25a592ff5f
2 changed files with 6 additions and 9 deletions
--- a/course/externallib.php
+++ b/course/externallib.php
@ -1600,9 +1600,7 @@ class core_course_external extends external_api {
                            break;

                        case 'visible':
-                            if (has_capability('moodle/category:manage', $context)
-                                or has_capability('moodle/category:viewhiddencategories',
-                                        context_system::instance())) {
+                            if (has_capability('moodle/category:viewhiddencategories', $context)) {
                                $value = clean_param($crit['value'], PARAM_INT);
                                $conditions[$key] = $value;
                                $wheres[] = $key . " = :" . $key;
@ -1712,9 +1710,7 @@ class core_course_external extends external_api {
            if (!isset($excludedcats[$category->id])) {

                // Final check to see if the category is visible to the user.
-                if ($category->visible
-                        or has_capability('moodle/category:viewhiddencategories', context_system::instance())
-                        or has_capability('moodle/category:manage', $context)) {
+                if ($category->visible or has_capability('moodle/category:viewhiddencategories', $context)) {

                    $categoryinfo = array();
                    $categoryinfo['id'] = $category->id;
--- a/course/tests/externallib_test.php
+++ b/course/tests/externallib_test.php
@ -201,6 +201,7 @@ class core_course_externallib_testcase extends externallib_advanced_testcase {
        // Set the required capabilities by the external function.
        $context = context_system::instance();
        $roleid = $this->assignUserCapability('moodle/category:manage', $context->id);
+        $this->assignUserCapability('moodle/category:viewhiddencategories', $context->id, $roleid);

        // Retrieve category1 + sub-categories except not visible ones
        $categories = core_course_external::get_categories(array(
@ -278,10 +279,10 @@ class core_course_externallib_testcase extends externallib_advanced_testcase {

        $this->assertEquals($DB->count_records('course_categories'), count($categories));

-        $this->unassignUserCapability('moodle/category:manage', $context->id, $roleid);
+        $this->unassignUserCapability('moodle/category:viewhiddencategories', $context->id, $roleid);

-        // Ensure maxdepthcategory is 2 and retrieve all categories without category:manage capability. It should retrieve all
-        // visible categories as well.
+        // Ensure maxdepthcategory is 2 and retrieve all categories without category:viewhiddencategories capability.
+        // It should retrieve all visible categories as well.
        set_config('maxcategorydepth', 2);
        $categories = core_course_external::get_categories();