MDL-56565 core: fix user details disclosure in page context header

Fixes a bug in the context_header function in which user details were
displayed regardless of the current user's capabilities.
Jake Dallimore 2017-01-09 12:09:21 +08:00 committed by Mr. Jenkins (CiBoT)
parent 2fe7f706d7
commit 08692e9736


@ -4076,15 +4076,14 @@ EOD;
public function context_header($headerinfo = null, $headinglevel = 1) {
global $DB, $USER, $CFG;
$context = $this->page->context;
// Make sure to use the heading if it has been set.
if (isset($headerinfo['heading'])) {
$heading = $headerinfo['heading'];
} else {
$heading = null;
}
$heading = null;
$imagedata = null;
$subheader = null;
$userbuttons = null;
// Make sure to use the heading if it has been set.
if (isset($headerinfo['heading'])) {
$heading = $headerinfo['heading'];
}
// The user context currently has images and buttons. Other contexts may follow.
if (isset($headerinfo['user']) || $context->contextlevel == CONTEXT_USER) {
if (isset($headerinfo['user'])) {
@ -4093,47 +4092,60 @@ EOD;
// Look up the user information if it is not supplied.
$user = $DB->get_record('user', array('id' => $context->instanceid));
}
// If the user context is set, then use that for capability checks.
if (isset($headerinfo['usercontext'])) {
$context = $headerinfo['usercontext'];
}
// Use the user's full name if the heading isn't set.
if (!isset($heading)) {
$heading = fullname($user);
// Only provide user information if the user is the current user, or a user which the current user can view.
$canviewdetails = false;
if ($user->id == $USER->id || has_capability('moodle/user:viewdetails', $this->page->context)) {
$canviewdetails = true;
}
$imagedata = $this->user_picture($user, array('size' => 100));
// Check to see if we should be displaying a message button.
if (!empty($CFG->messaging) && $USER->id != $user->id && has_capability('moodle/site:sendmessage', $context)) {
$iscontact = !empty(message_get_contact($user->id));
$contacttitle = $iscontact ? 'removefromyourcontacts' : 'addtoyourcontacts';
$contacturlaction = $iscontact ? 'removecontact' : 'addcontact';
$contactimage = $iscontact ? 'removecontact' : 'addcontact';
$userbuttons = array(
'messages' => array(
'buttontype' => 'message',
'title' => get_string('message', 'message'),
'url' => new moodle_url('/message/index.php', array('id' => $user->id)),
'image' => 'message',
'linkattributes' => array('role' => 'button'),
'page' => $this->page
),
'togglecontact' => array(
'buttontype' => 'togglecontact',
'title' => get_string($contacttitle, 'message'),
'url' => new moodle_url('/message/index.php', array(
'user1' => $USER->id,
'user2' => $user->id,
$contacturlaction => $user->id,
'sesskey' => sesskey())
),
'image' => $contactimage,
'linkattributes' => \core_message\helper::togglecontact_link_params($user, $iscontact),
'page' => $this->page
),
);
if ($canviewdetails) {
// Use the user's full name if the heading isn't set.
if (!isset($heading)) {
$heading = fullname($user);
}
$this->page->requires->string_for_js('changesmadereallygoaway', 'moodle');
$imagedata = $this->user_picture($user, array('size' => 100));
// Check to see if we should be displaying a message button.
if (!empty($CFG->messaging) && $USER->id != $user->id && has_capability('moodle/site:sendmessage', $context)) {
$iscontact = !empty(message_get_contact($user->id));
$contacttitle = $iscontact ? 'removefromyourcontacts' : 'addtoyourcontacts';
$contacturlaction = $iscontact ? 'removecontact' : 'addcontact';
$contactimage = $iscontact ? 'removecontact' : 'addcontact';
$userbuttons = array(
'messages' => array(
'buttontype' => 'message',
'title' => get_string('message', 'message'),
'url' => new moodle_url('/message/index.php', array('id' => $user->id)),
'image' => 'message',
'linkattributes' => array('role' => 'button'),
'page' => $this->page
),
'togglecontact' => array(
'buttontype' => 'togglecontact',
'title' => get_string($contacttitle, 'message'),
'url' => new moodle_url('/message/index.php', array(
'user1' => $USER->id,
'user2' => $user->id,
$contacturlaction => $user->id,
'sesskey' => sesskey())
),
'image' => $contactimage,
'linkattributes' => \core_message\helper::togglecontact_link_params($user, $iscontact),
'page' => $this->page
),
);
$this->page->requires->string_for_js('changesmadereallygoaway', 'moodle');
}
} else {
$heading = null;
}
}