mirror_php/moodle
1
0
Fork 0
mirror of https://github.com/moodle/moodle.git synced 2025-01-18 22:08:20 +01:00
Code Issues Projects Releases Wiki Activity

MDL-56565 navigation: fix for cap checks in nav and context header

Browse Source 
Fix to:
- Make sure we properly check both user and course contexts in
the load_for_user function in navigation lib and user the
user_can_view_profile function for same-course access checks.
- Use user_can_view_profile in the renderer's context_header to
properly decide whether a user can view another user's picture
and messaging options in the page header.
This commit is contained in:
Jake Dallimore 2017-03-09 15:50:24 +08:00 committed by Mr. Jenkins (CiBoT)
parent 02e5a9d766
commit 012555492e
2 changed files with 20 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
lib/navigationlib.php
View File

@ -2273,12 +2273,27 @@ class global_navigation extends navigation_node {
} }
// Add a branch for the current user. // Add a branch for the current user.
// Only reveal user details if $user is the current user, or a user to which the current user has access. // Only reveal user details if $user is the current user, or a user to which the current user has access.
if ($USER->id != $user->id && !has_capability('moodle/user:viewdetails', $coursecontext)) { $viewprofile = true;
$usernode = $usersnode->add(get_string('user')); if (!$iscurrentuser) {
} else { require_once($CFG->dirroot . '/user/lib.php');
if ($this->page->context->contextlevel == CONTEXT_USER && !has_capability('moodle/user:viewdetails', $usercontext) ) {
$viewprofile = false;
} else if ($this->page->context->contextlevel != CONTEXT_USER && !user_can_view_profile($user, $course, $usercontext)) {
$viewprofile = false;
}
if (!$viewprofile) {
$viewprofile = user_can_view_profile($user, null, $usercontext);
}
}
// Now, conditionally add the user node.
if ($viewprofile) {
$canseefullname = has_capability('moodle/site:viewfullnames', $coursecontext); $canseefullname = has_capability('moodle/site:viewfullnames', $coursecontext);
$usernode = $usersnode->add(fullname($user, $canseefullname), $userviewurl, self::TYPE_USER, null, 'user' . $user->id); $usernode = $usersnode->add(fullname($user, $canseefullname), $userviewurl, self::TYPE_USER, null, 'user' . $user->id);
} else {
$usernode = $usersnode->add(get_string('user'));
} }
if ($this->page->context->contextlevel == CONTEXT_USER && $user->id == $this->page->context->instanceid) { if ($this->page->context->contextlevel == CONTEXT_USER && $user->id == $this->page->context->instanceid) {
$usernode->make_active(); $usernode->make_active();
} }

3
lib/outputrenderers.php
View File

@ -4075,6 +4075,7 @@ EOD;
public function context_header($headerinfo = null, $headinglevel = 1) { public function context_header($headerinfo = null, $headinglevel = 1) {
global $DB, $USER, $CFG; global $DB, $USER, $CFG;
require_once($CFG->dirroot . '/user/lib.php');
$context = $this->page->context; $context = $this->page->context;
$heading = null; $heading = null;
$imagedata = null; $imagedata = null;
@ -4100,7 +4101,7 @@ EOD;
// Only provide user information if the user is the current user, or a user which the current user can view. // Only provide user information if the user is the current user, or a user which the current user can view.
$canviewdetails = false; $canviewdetails = false;
if ($user->id == $USER->id || has_capability('moodle/user:viewdetails', $this->page->context)) { if ($user->id == $USER->id || user_can_view_profile($user)) {
$canviewdetails = true; $canviewdetails = true;
} }