MDL-39990 wiki: more detailed validation of view/edit access

Marina Glancy 2014-02-28 17:32:36 +08:00 committed by Dan Poltawski
parent d5c7462a6a
commit e6499fb8a4
19 changed files with 98 additions and 62 deletions


@ -55,6 +55,9 @@ if (!$wiki = wiki_get_wiki($subwiki->wikiid)) {
require_login($course, true, $cm); require_login($course, true, $cm);
if (!wiki_user_can_view($subwiki, $wiki)) {
print_error('cannotviewpage', 'wiki');
}
$context = context_module::instance($cm->id); $context = context_module::instance($cm->id);
require_capability('mod/wiki:managewiki', $context); require_capability('mod/wiki:managewiki', $context);
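Review bot: The three-line `if (!wiki_user_can_view($subwiki, $wiki)) { print_error('cannotviewpage', 'wiki'); }` block added here is repeated verbatim in the comments, diff, editcomments, filesedit, history, map, prettyview, view and viewversion sections of this commit, and once more with a different string in files and search. A small helper in locallib.php, for example `wiki_require_can_view($subwiki, $wiki, $errorstring = 'cannotviewpage')`, would keep the check and its error string in one place so later call sites cannot drift. This is a style point only; the check itself is correct as written.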


@ -59,6 +59,10 @@ $course = $DB->get_record('course', array('id' => $cm->course), '*', MUST_EXIST)
require_login($course, true, $cm); require_login($course, true, $cm);
if (!wiki_user_can_view($subwiki, $wiki)) {
print_error('cannotviewpage', 'wiki');
}
add_to_log($course->id, 'wiki', 'comments', "comments.php?pageid=".$pageid, $pageid, $cm->id); add_to_log($course->id, 'wiki', 'comments', "comments.php?pageid=".$pageid, $pageid, $cm->id);
/// Print the page header /// Print the page header


@ -77,6 +77,7 @@ class mod_wiki_create_form extends moodleform {
$groupname = $groupinfo[$groupid]; $groupname = $groupinfo[$groupid];
$mform->addElement('static', 'groupdesciption', get_string('group'), $groupname); $mform->addElement('static', 'groupdesciption', get_string('group'), $groupname);
$mform->addElement('hidden', 'groupinfo', $groupid); $mform->addElement('hidden', 'groupinfo', $groupid);
$mform->setType('groupinfo', PARAM_INT);
} }
} }


@ -68,6 +68,10 @@ if ($compare >= $comparewith) {
require_login($course, true, $cm); require_login($course, true, $cm);
if (!wiki_user_can_view($subwiki, $wiki)) {
print_error('cannotviewpage', 'wiki');
}
$wikipage = new page_wiki_diff($wiki, $subwiki, $cm); $wikipage = new page_wiki_diff($wiki, $subwiki, $cm);
$wikipage->set_page($page); $wikipage->set_page($page);


@ -75,7 +75,10 @@ if (!empty($section) && !$sectioncontent = wiki_get_section_page($page, $section
require_login($course, true, $cm); require_login($course, true, $cm);
$context = context_module::instance($cm->id); $context = context_module::instance($cm->id);
require_capability('mod/wiki:editpage', $context);
if (!wiki_user_can_edit($subwiki)) {
print_error('cannoteditpage', 'wiki');
}
if ($option == get_string('save', 'wiki')) { if ($option == get_string('save', 'wiki')) {
if (!confirm_sesskey()) { if (!confirm_sesskey()) {
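Review bot: The explicit `require_capability('mod/wiki:editpage', $context)` is removed here and replaced by `wiki_user_can_edit($subwiki)`, whose body is not part of this diff; the same substitution is made in the lock section. Since this is the write path, it should be confirmed that `wiki_user_can_edit` checks the module's `uservisible` flag and the `mod/wiki:editpage` capability in the same way the new `wiki_user_can_view` does, otherwise this commit silently relaxes the edit check. A one-line comment at the call site would make the dependency visible: `// wiki_user_can_edit() covers module visibility, group membership and mod/wiki:editpage.` The `$context` variable on the line above is still computed and is presumably used further down, outside the hunk.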


@ -54,6 +54,10 @@ if (!$wiki = wiki_get_wiki($subwiki->wikiid)) {
} }
require_login($course, true, $cm); require_login($course, true, $cm);
if (!wiki_user_can_view($subwiki, $wiki)) {
print_error('cannotviewpage', 'wiki');
}
$editcomments = new page_wiki_editcomment($wiki, $subwiki, $cm); $editcomments = new page_wiki_editcomment($wiki, $subwiki, $cm);
$comment = new stdClass(); $comment = new stdClass();
if ($action == 'edit') { if ($action == 'edit') {


@ -78,7 +78,11 @@ $context = context_module::instance($cm->id);
$PAGE->set_url('/mod/wiki/files.php', array('pageid'=>$pageid)); $PAGE->set_url('/mod/wiki/files.php', array('pageid'=>$pageid));
require_login($course, true, $cm); require_login($course, true, $cm);
$PAGE->set_context($context);
if (!wiki_user_can_view($subwiki, $wiki)) {
print_error('cannotviewfiles', 'wiki');
}
$PAGE->set_title(get_string('wikifiles', 'wiki')); $PAGE->set_title(get_string('wikifiles', 'wiki'));
$PAGE->set_heading($course->fullname); $PAGE->set_heading($course->fullname);
$PAGE->navbar->add(format_string(get_string('wikifiles', 'wiki'))); $PAGE->navbar->add(format_string(get_string('wikifiles', 'wiki')));
@ -95,12 +99,8 @@ echo $renderer->tabs($page, $tabitems, $options);
echo $OUTPUT->box_start('generalbox'); echo $OUTPUT->box_start('generalbox');
if (has_capability('mod/wiki:viewpage', $context)) {
echo $renderer->wiki_print_subwiki_selector($PAGE->activityrecord, $subwiki, $page, 'files'); echo $renderer->wiki_print_subwiki_selector($PAGE->activityrecord, $subwiki, $page, 'files');
echo $renderer->wiki_files_tree($context, $subwiki); echo $renderer->wiki_files_tree($context, $subwiki);
} else {
echo $OUTPUT->notification(get_string('cannotviewfiles', 'wiki'));
}
echo $OUTPUT->box_end(); echo $OUTPUT->box_end();
if (has_capability('mod/wiki:managefiles', $context)) { if (has_capability('mod/wiki:managefiles', $context)) {


@ -53,6 +53,10 @@ $course = $DB->get_record('course', array('id' => $cm->course), '*', MUST_EXIST)
$context = context_module::instance($cm->id); $context = context_module::instance($cm->id);
require_login($course, true, $cm); require_login($course, true, $cm);
if (!wiki_user_can_view($subwiki, $wiki)) {
print_error('cannotviewpage', 'wiki');
}
require_capability('mod/wiki:managefiles', $context); require_capability('mod/wiki:managefiles', $context);
if (empty($returnurl)) { if (empty($returnurl)) {


@ -59,8 +59,11 @@ if (!$cm = get_coursemodule_from_instance('wiki', $wiki->id)) {
$course = $DB->get_record('course', array('id' => $cm->course), '*', MUST_EXIST); $course = $DB->get_record('course', array('id' => $cm->course), '*', MUST_EXIST);
require_login($course, true, $cm); require_login($course, true, $cm);
$context = context_module::instance($cm->id);
require_capability('mod/wiki:viewpage', $context); if (!wiki_user_can_view($subwiki, $wiki)) {
print_error('cannotviewpage', 'wiki');
}
add_to_log($course->id, 'wiki', 'history', "history.php?pageid=".$pageid, $pageid, $cm->id); add_to_log($course->id, 'wiki', 'history', "history.php?pageid=".$pageid, $pageid, $cm->id);
/// Print the page header /// Print the page header


@ -280,7 +280,7 @@ function wiki_print_recent_activity($course, $viewfullnames, $timestart) {
global $CFG, $DB, $OUTPUT; global $CFG, $DB, $OUTPUT;
$usernamefields = get_all_user_name_fields(true, 'u'); $usernamefields = get_all_user_name_fields(true, 'u');
$sql = "SELECT p.*, w.id as wikiid, sw.groupid, $usernamefields $sql = "SELECT p.id, p.timemodified, p.subwikiid, sw.wikiid, w.wikimode, sw.userid, sw.groupid, $usernamefields
FROM {wiki_pages} p FROM {wiki_pages} p
JOIN {wiki_subwikis} sw ON sw.id = p.subwikiid JOIN {wiki_subwikis} sw ON sw.id = p.subwikiid
JOIN {wiki} w ON w.id = sw.wikiid JOIN {wiki} w ON w.id = sw.wikiid
@ -290,48 +290,25 @@ function wiki_print_recent_activity($course, $viewfullnames, $timestart) {
if (!$pages = $DB->get_records_sql($sql, array($timestart, $course->id))) { if (!$pages = $DB->get_records_sql($sql, array($timestart, $course->id))) {
return false; return false;
} }
$modinfo = get_fast_modinfo($course); require_once($CFG->dirroot . "/mod/wiki/locallib.php");
$wikis = array(); $wikis = array();
$modinfo = get_fast_modinfo($course); $modinfo = get_fast_modinfo($course);
$subwikivisible = array();
foreach ($pages as $page) { foreach ($pages as $page) {
if (!isset($modinfo->instances['wiki'][$page->wikiid])) { if (!isset($subwikivisible[$page->subwikiid])) {
// not visible $subwiki = (object)array('id' => $page->subwikiid, 'wikiid' => $page->wikiid,
continue; 'groupid' => $page->groupid, 'userid' => $page->userid);
} $wiki = (object)array('id' => $page->wikiid, 'course' => $course->id, 'wikimode' => $page->wikimode);
$cm = $modinfo->instances['wiki'][$page->wikiid]; $subwikivisible[$page->subwikiid] = wiki_user_can_view($subwiki, $wiki);
if (!$cm->uservisible) {
continue;
}
$context = context_module::instance($cm->id);
if (!has_capability('mod/wiki:viewpage', $context)) {
continue;
}
$groupmode = groups_get_activity_groupmode($cm, $course);
if ($groupmode) {
if ($groupmode == SEPARATEGROUPS and !has_capability('mod/wiki:managewiki', $context)) {
// separate mode
if (isguestuser()) {
// shortcut
continue;
}
if (is_null($modinfo->groups)) {
$modinfo->groups = groups_get_user_groups($course->id); // load all my groups and cache it in modinfo
}
if (!in_array($page->groupid, $modinfo->groups[0])) {
continue;
}
}
} }
if ($subwikivisible[$page->subwikiid]) {
$wikis[] = $page; $wikis[] = $page;
} }
}
unset($subwikivisible);
unset($pages); unset($pages);
if (!$wikis) { if (!$wikis) {
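Review bot: The new select list in the first hunk drops `p.*` and exposes `sw.userid` as `userid`, so every `$page` row now carries the subwiki owner rather than the page's own `userid` column, and no longer carries page fields such as the title; the rendering loop after the second hunk is outside this diff, so please confirm it reads only `id`, `timemodified`, `wikiid` and the user name fields. The `$subwiki` and `$wiki` stubs built with `(object)array(...)` in the second hunk supply exactly the fields `wiki_user_can_view` reads (`wikiid`, `groupid`, `userid` and `id`, `course`, `wikimode`), which is fine, but worth a comment such as `// Minimal stubs: wiki_user_can_view() only needs these fields, see its docblock.` Caching the answer per `subwikiid` in `$subwikivisible` is a good change since every page of a subwiki has the same visibility. The enclosing function starts before the first hunk and ends after the second.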


@ -719,13 +719,27 @@ function wiki_parser_get_token($markup, $name) {
/** /**
* Checks if current user can view a subwiki * Checks if current user can view a subwiki
* *
* @param $subwiki * @param stdClass $subwiki usually record from {wiki_subwikis}. Must contain fields 'wikiid', 'groupid', 'userid'.
* If it also contains fields 'course' and 'groupmode' from table {wiki} it will save extra DB query.
* @param stdClass $wiki optional wiki object if known
* @return bool
*/ */
function wiki_user_can_view($subwiki) { function wiki_user_can_view($subwiki, $wiki = null) {
global $USER; global $USER;
if (empty($wiki) || $wiki->id != $subwiki->wikiid) {
$wiki = wiki_get_wiki($subwiki->wikiid); $wiki = wiki_get_wiki($subwiki->wikiid);
$cm = get_coursemodule_from_instance('wiki', $wiki->id); }
$modinfo = get_fast_modinfo($wiki->course);
if (!isset($modinfo->instances['wiki'][$subwiki->wikiid])) {
// Module does not exist.
return false;
}
$cm = $modinfo->instances['wiki'][$subwiki->wikiid];
if (!$cm->uservisible) {
// The whole module is not visible to the current user.
return false;
}
$context = context_module::instance($cm->id); $context = context_module::instance($cm->id);
// Working depending on activity groupmode // Working depending on activity groupmode
@ -767,7 +781,7 @@ function wiki_user_can_view($subwiki) {
// Each person owns a wiki. // Each person owns a wiki.
if ($wiki->wikimode == 'collaborative' || $wiki->wikimode == 'individual') { if ($wiki->wikimode == 'collaborative' || $wiki->wikimode == 'individual') {
// Only members of subwiki group could view that wiki // Only members of subwiki group could view that wiki
if (groups_is_member($subwiki->groupid)) { if (in_array($subwiki->groupid, $modinfo->get_groups($cm->groupingid))) {
// Only view capability needed // Only view capability needed
return has_capability('mod/wiki:viewpage', $context); return has_capability('mod/wiki:viewpage', $context);
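Review bot: The new docblock does not match the code: it says `$subwiki` may carry `course` and `groupmode` to save a query, but the shortcut on the `empty($wiki) || $wiki->id != $subwiki->wikiid` line tests the separate `$wiki` parameter, and the field the body reads is `wikimode`, not `groupmode`. Suggested wording: `@param stdClass $subwiki record from {wiki_subwikis}; must contain 'wikiid', 'groupid' and 'userid'.` followed by `@param stdClass|null $wiki optional {wiki} record with 'id', 'course' and 'wikimode'; when given and its id matches $subwiki->wikiid it saves a DB query.` As before this change, a false return from `wiki_get_wiki` is not handled before `$wiki->course` is read, so a missing wiki surfaces as a notice rather than a clean `return false`. The function continues past the last hunk.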


@ -68,8 +68,9 @@ if (!empty($section) && !$sectioncontent = wiki_get_section_page($page, $section
require_login($course, false, $cm); require_login($course, false, $cm);
$context = context_module::instance($cm->id); if (!wiki_user_can_edit($subwiki)) {
require_capability('mod/wiki:editpage', $context); print_error('cannoteditpage', 'wiki');
}
$wikipage = new page_wiki_lock($wiki, $subwiki, $cm); $wikipage = new page_wiki_lock($wiki, $subwiki, $cm);
$wikipage->set_page($page); $wikipage->set_page($page);


@ -54,8 +54,10 @@ if (!$wiki = wiki_get_wiki($subwiki->wikiid)) {
} }
require_login($course, true, $cm); require_login($course, true, $cm);
$context = context_module::instance($cm->id);
require_capability('mod/wiki:viewpage', $context); if (!wiki_user_can_view($subwiki, $wiki)) {
print_error('cannotviewpage', 'wiki');
}
$wikipage = new page_wiki_map($wiki, $subwiki, $cm); $wikipage = new page_wiki_map($wiki, $subwiki, $cm);
add_to_log($course->id, "wiki", "map", "map.php?pageid=".$pageid, $pageid, $cm->id); add_to_log($course->id, "wiki", "map", "map.php?pageid=".$pageid, $pageid, $cm->id);


@ -64,13 +64,14 @@ if (!empty($section) && !$sectioncontent = wiki_get_section_page($page, $section
require_login($course, true, $cm); require_login($course, true, $cm);
require_sesskey();
if (!wiki_user_can_view($subwiki, $wiki)) {
print_error('cannotviewpage', 'wiki');
}
$context = context_module::instance($cm->id); $context = context_module::instance($cm->id);
require_capability('mod/wiki:overridelock', $context); require_capability('mod/wiki:overridelock', $context);
if (!confirm_sesskey()) {
print_error(get_string('invalidsesskey', 'wiki'));
}
$wikipage = new page_wiki_overridelocks($wiki, $subwiki, $cm); $wikipage = new page_wiki_overridelocks($wiki, $subwiki, $cm);
$wikipage->set_page($page); $wikipage->set_page($page);


@ -53,8 +53,9 @@ if (!$wiki = wiki_get_wiki($subwiki->wikiid)) {
require_login($course, true, $cm); require_login($course, true, $cm);
$context = context_module::instance($cm->id); if (!wiki_user_can_view($subwiki, $wiki)) {
require_capability('mod/wiki:viewpage', $context); print_error('cannotviewpage', 'wiki');
}
$wikipage = new page_wiki_prettyview($wiki, $subwiki, $cm); $wikipage = new page_wiki_prettyview($wiki, $subwiki, $cm);


@ -60,6 +60,10 @@ $course = $DB->get_record('course', array('id' => $cm->course), '*', MUST_EXIST)
require_login($course, true, $cm); require_login($course, true, $cm);
if (!wiki_user_can_view($subwiki)) {
print_error('cannotviewpage', 'wiki');
}
if ($confirm) { if ($confirm) {
if (!confirm_sesskey()) { if (!confirm_sesskey()) {
print_error(get_string('invalidsesskey', 'wiki')); print_error(get_string('invalidsesskey', 'wiki'));
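Review bot: This is the only call site in the commit that calls `wiki_user_can_view($subwiki)` without the second argument, so `wiki_user_can_view` will re-fetch the wiki record with an extra DB query; if `$wiki` is already loaded earlier in this file, as it is in the other sections, the call should read `if (!wiki_user_can_view($subwiki, $wiki)) {` for consistency with them.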


@ -45,12 +45,16 @@ if (!$gid = groups_get_activity_group($cm)) {
$gid = 0; $gid = 0;
} }
if (!$subwiki = wiki_get_subwiki_by_group($cm->instance, $gid)) { if (!$subwiki = wiki_get_subwiki_by_group($cm->instance, $gid)) {
return false; print_error('incorrectsubwikiid', 'wiki');
} }
if (!$wiki = wiki_get_wiki($subwiki->wikiid)) { if (!$wiki = wiki_get_wiki($subwiki->wikiid)) {
print_error('incorrectwikiid', 'wiki'); print_error('incorrectwikiid', 'wiki');
} }
if (!wiki_user_can_view($subwiki, $wiki)) {
print_error('cannotviewfiles', 'wiki');
}
$wikipage = new page_wiki_search($wiki, $subwiki, $cm); $wikipage = new page_wiki_search($wiki, $subwiki, $cm);
$wikipage->set_search_string($search, $searchcontent); $wikipage->set_search_string($search, $searchcontent);
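Review bot: The new view check in this search section reports `'cannotviewfiles'`, while every other page-level check in the commit reports `'cannotviewpage'`; unless the files string is intended here, `print_error('cannotviewpage', 'wiki');` is the consistent choice. Replacing the earlier bare `return false;` with `print_error('incorrectsubwikiid', 'wiki');` is a good change, since returning from top-level script code used to fall through with no output.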


@ -271,8 +271,9 @@ if ($id) {
print_error('incorrectparameters'); print_error('incorrectparameters');
} }
$context = context_module::instance($cm->id); if (!wiki_user_can_view($subwiki, $wiki)) {
require_capability('mod/wiki:viewpage', $context); print_error('cannotviewpage', 'wiki');
}
// Update 'viewed' state if required by completion system // Update 'viewed' state if required by completion system
require_once($CFG->libdir . '/completionlib.php'); require_once($CFG->libdir . '/completionlib.php');
@ -288,6 +289,7 @@ $wikipage = new page_wiki_view($wiki, $subwiki, $cm);
$wikipage->set_gid($currentgroup); $wikipage->set_gid($currentgroup);
$wikipage->set_page($page); $wikipage->set_page($page);
$context = context_module::instance($cm->id);
if($pageid) { if($pageid) {
add_to_log($course->id, 'wiki', 'view', "view.php?pageid=".$pageid, $pageid, $cm->id); add_to_log($course->id, 'wiki', 'view', "view.php?pageid=".$pageid, $pageid, $cm->id);
} else if($id) { } else if($id) {
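Review bot: `$context = context_module::instance($cm->id);` is removed in the first hunk and re-created in the second, after the completion block and the `page_wiki_view` construction; anything between those two points that reads `$context` (the completion code between the hunks is not visible here) would now hit an undefined variable. Keeping the original definition in place and simply inserting the `wiki_user_can_view` check after it avoids that risk and the duplicated line.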


@ -60,6 +60,10 @@ $course = $DB->get_record('course', array('id' => $cm->course), '*', MUST_EXIST)
require_login($course, true, $cm); require_login($course, true, $cm);
if (!wiki_user_can_view($subwiki, $wiki)) {
print_error('cannotviewpage', 'wiki');
}
$wikipage = new page_wiki_viewversion($wiki, $subwiki, $cm); $wikipage = new page_wiki_viewversion($wiki, $subwiki, $cm);
$wikipage->set_page($page); $wikipage->set_page($page);