From 0a3bdfaf79031e7f4afe4488b57804cc8a105fea Mon Sep 17 00:00:00 2001 From: skodak Date: Thu, 27 Sep 2007 06:51:54 +0000 Subject: [PATCH] MDL-11451 grade publishing security/privacy improved - new capabilities needed for publishing, by default allowed only for admins; added warning to publishing option --- grade/export/ods/db/access.php | 10 ++++++++++ grade/export/ods/dump.php | 6 ++++++ grade/export/ods/index.php | 4 ++++ grade/export/ods/version.php | 2 +- grade/export/txt/db/access.php | 10 ++++++++++ grade/export/txt/dump.php | 6 ++++++ grade/export/txt/index.php | 4 ++++ grade/export/txt/version.php | 2 +- grade/export/xls/db/access.php | 10 ++++++++++ grade/export/xls/dump.php | 6 ++++++ grade/export/xls/index.php | 4 ++++ grade/export/xls/version.php | 2 +- grade/export/xml/db/access.php | 10 ++++++++++ grade/export/xml/dump.php | 6 ++++++ grade/export/xml/index.php | 4 ++++ grade/export/xml/version.php | 2 +- grade/import/xml/db/access.php | 8 ++++++++ grade/import/xml/fetch.php | 6 ++++++ grade/import/xml/index.php | 4 ++++ grade/import/xml/version.php | 2 +- lang/en_utf8/gradeexport_csv.php | 1 + lang/en_utf8/gradeexport_ods.php | 1 + lang/en_utf8/gradeexport_txt.php | 1 + lang/en_utf8/gradeexport_xls.php | 1 + lang/en_utf8/gradeexport_xml.php | 1 + lang/en_utf8/gradeimport_xml.php | 1 + lang/en_utf8/grades.php | 2 +- 27 files changed, 110 insertions(+), 6 deletions(-) diff --git a/grade/export/ods/db/access.php b/grade/export/ods/db/access.php index b7b6c2df093..8c2b7712b01 100644 --- a/grade/export/ods/db/access.php +++ b/grade/export/ods/db/access.php @@ -11,7 +11,17 @@ $gradeexport_ods_capabilities = array( 'editingteacher' => CAP_ALLOW, 'admin' => CAP_ALLOW ) + ), + + 'gradeexport/ods:publish' => array( + 'riskbitmask' => RISK_PERSONAL, + 'captype' => 'read', + 'contextlevel' => CONTEXT_COURSE, + 'legacy' => array( + 'admin' => CAP_ALLOW + ) ) + ); ?> 
diff --git a/grade/export/ods/dump.php b/grade/export/ods/dump.php index fb7c17ece84..f1dd09b8122 100644 --- a/grade/export/ods/dump.php +++ b/grade/export/ods/dump.php @@ -4,6 +4,9 @@ $nomoodlecookie = true; // session not used here require '../../../config.php'; $id = required_param('id', PARAM_INT); // course id +if (!$course = get_record('course', 'id', $id)) { + print_error('nocourseid'); +} require_user_key_login('grade/export', $id); // we want different keys for each course @@ -11,6 +14,9 @@ if (empty($CFG->gradepublishing)) { error('Grade publishing disabled'); } +$context = get_context_instance(CONTEXT_COURSE, $id); +require_capability('gradeexport/ods:pusblish', $context); + // use the same page parameters as export.php and append &key=sdhakjsahdksahdkjsahksadjksahdkjsadhksa require 'export.php'; diff --git a/grade/export/ods/index.php b/grade/export/ods/index.php index c3d01ccba99..36015d13c4e 100755 --- a/grade/export/ods/index.php +++ b/grade/export/ods/index.php @@ -47,6 +47,10 @@ $navigation = grade_build_nav(__FILE__, $actionstr, array('courseid' => $course- print_header($course->shortname.': '.get_string('grades'), $course->fullname, $navigation); print_grade_plugin_selector($id, 'export', 'ods'); +if (!empty($CFG->gradepublishing)) { + $CFG->gradepublishing = has_capability('gradeexport/ods:publish', $context); +} + $mform = new grade_export_form(null, array('publishing' => true)); // process post information diff --git a/grade/export/ods/version.php b/grade/export/ods/version.php index 55d7451372e..c68c6e13e40 100644 --- a/grade/export/ods/version.php +++ b/grade/export/ods/version.php @@ -1,6 +1,6 @@ version = 2007072500; +$plugin->version = 2007092701; $plugin->requires = 2007072402; ?> diff --git a/grade/export/txt/db/access.php b/grade/export/txt/db/access.php index 243bd9b0270..5141e1aaa0f 100644 --- a/grade/export/txt/db/access.php +++ b/grade/export/txt/db/access.php 
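Review bot: The capability name in the second dump.php hunk is misspelled — `require_capability('gradeexport/ods:pusblish', $context);` — while db/access.php in this same commit declares `gradeexport/ods:publish`, so the gate is checked against a capability that is never defined or assigned. The line should read `require_capability('gradeexport/ods:publish', $context);`. How has_capability() treats an unknown capability name is not visible here: if it fails closed, every non-admin key holder is locked out of an option index.php just offered them; if it does not, the new check is ineffective, so either way the string must match access.php. The placement after require_user_key_login() and the gradepublishing kill switch is otherwise right.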
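Review bot: Overwriting the site-wide `$CFG->gradepublishing` with a per-user has_capability() result in index.php is a fragile way to hide the publishing option: everything later in the request that reads `$CFG->gradepublishing` (the form constructed on the next line, and presumably the export code it leads to) now sees a per-user answer instead of the admin setting, and a reader of that code cannot tell. Prefer a local, e.g. `$publishing = !empty($CFG->gradepublishing) && has_capability('gradeexport/ods:publish', $context);` passed as `array('publishing' => $publishing)`, which likely needs grade_export_form to honour the flag — that class is outside this hunk. Whether `$context` here is the course context depends on lines above the hunk.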
@@ -11,7 +11,17 @@ $gradeexport_txt_capabilities = array( 'editingteacher' => CAP_ALLOW, 'admin' => CAP_ALLOW ) + ), + + 'gradeexport/txt:publish' => array( + 'riskbitmask' => RISK_PERSONAL, + 'captype' => 'read', + 'contextlevel' => CONTEXT_COURSE, + 'legacy' => array( + 'admin' => CAP_ALLOW + ) ) + ); ?> diff --git a/grade/export/txt/dump.php b/grade/export/txt/dump.php index fb7c17ece84..dd6be185f23 100644 --- a/grade/export/txt/dump.php +++ b/grade/export/txt/dump.php @@ -4,6 +4,9 @@ $nomoodlecookie = true; // session not used here require '../../../config.php'; $id = required_param('id', PARAM_INT); // course id +if (!$course = get_record('course', 'id', $id)) { + print_error('nocourseid'); +} require_user_key_login('grade/export', $id); // we want different keys for each course @@ -11,6 +14,9 @@ if (empty($CFG->gradepublishing)) { error('Grade publishing disabled'); } +$context = get_context_instance(CONTEXT_COURSE, $id); +require_capability('gradeexport/txt:pusblish', $context); + // use the same page parameters as export.php and append &key=sdhakjsahdksahdkjsahksadjksahdkjsadhksa require 'export.php'; diff --git a/grade/export/txt/index.php b/grade/export/txt/index.php index 56e287cdad2..0f537d8dc82 100755 --- a/grade/export/txt/index.php +++ b/grade/export/txt/index.php @@ -47,6 +47,10 @@ $navigation = grade_build_nav(__FILE__, $actionstr, array('courseid' => $course- print_header($course->shortname.': '.get_string('grades'), $course->fullname, $navigation); print_grade_plugin_selector($id, 'export', 'txt'); +if (!empty($CFG->gradepublishing)) { + $CFG->gradepublishing = has_capability('gradeexport/txt:publish', $context); +} + $mform = new grade_export_form(null, array('includeseparator'=>true, 'publishing' => true)); // process post information diff --git a/grade/export/txt/version.php b/grade/export/txt/version.php index 55d7451372e..c8a85f377d9 100755 --- a/grade/export/txt/version.php +++ b/grade/export/txt/version.php 
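Review bot: The txt dump.php hunk checks `'gradeexport/txt:pusblish'`, which does not match the `gradeexport/txt:publish` capability declared in the txt access.php hunk above it, so the new authorization gate is evaluated against an undefined name. Change it to `require_capability('gradeexport/txt:publish', $context);`. Whether an undefined capability denies or is ignored is not visible here, but in neither case does the check enforce what the access.php definition intends.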
@@ -1,6 +1,6 @@ version = 2007072500; +$plugin->version = 2007092700; $plugin->requires = 2007072402; ?> diff --git a/grade/export/xls/db/access.php b/grade/export/xls/db/access.php index 6ea4d57c135..eabce41c29a 100644 --- a/grade/export/xls/db/access.php +++ b/grade/export/xls/db/access.php @@ -11,7 +11,17 @@ $gradeexport_xls_capabilities = array( 'editingteacher' => CAP_ALLOW, 'admin' => CAP_ALLOW ) + ), + + 'gradeexport/xls:publish' => array( + 'riskbitmask' => RISK_PERSONAL, + 'captype' => 'read', + 'contextlevel' => CONTEXT_COURSE, + 'legacy' => array( + 'admin' => CAP_ALLOW + ) ) + ); ?> diff --git a/grade/export/xls/dump.php b/grade/export/xls/dump.php index fb7c17ece84..d2985d74214 100644 --- a/grade/export/xls/dump.php +++ b/grade/export/xls/dump.php @@ -4,6 +4,9 @@ $nomoodlecookie = true; // session not used here require '../../../config.php'; $id = required_param('id', PARAM_INT); // course id +if (!$course = get_record('course', 'id', $id)) { + print_error('nocourseid'); +} require_user_key_login('grade/export', $id); // we want different keys for each course @@ -11,6 +14,9 @@ if (empty($CFG->gradepublishing)) { error('Grade publishing disabled'); } +$context = get_context_instance(CONTEXT_COURSE, $id); +require_capability('gradeexport/xls:pusblish', $context); + // use the same page parameters as export.php and append &key=sdhakjsahdksahdkjsahksadjksahdkjsadhksa require 'export.php'; diff --git a/grade/export/xls/index.php b/grade/export/xls/index.php index edf8e1b7043..5c3803d3a9b 100755 --- a/grade/export/xls/index.php +++ b/grade/export/xls/index.php 
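Review bot: The xls dump.php hunk has the same misspelled capability, `'gradeexport/xls:pusblish'`, while xls/db/access.php in this commit defines `gradeexport/xls:publish`; the check should be `require_capability('gradeexport/xls:publish', $context);`. Since the same typo appears in every dump.php touched here, it looks copy-propagated, so a grep for `:pusblish` across grade/ before merging would be cheap insurance.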
@@ -47,6 +47,10 @@ $navigation = grade_build_nav(__FILE__, $actionstr, array('courseid' => $course- print_header($course->shortname.': '.get_string('grades'), $course->fullname, $navigation); print_grade_plugin_selector($id, 'export', 'xls'); +if (!empty($CFG->gradepublishing)) { + $CFG->gradepublishing = has_capability('gradeexport/xls:publish', $context); +} + $mform = new grade_export_form(null, array('publishing' => true)); // process post information diff --git a/grade/export/xls/version.php b/grade/export/xls/version.php index 55d7451372e..c8a85f377d9 100644 --- a/grade/export/xls/version.php +++ b/grade/export/xls/version.php @@ -1,6 +1,6 @@ version = 2007072500; +$plugin->version = 2007092700; $plugin->requires = 2007072402; ?> diff --git a/grade/export/xml/db/access.php b/grade/export/xml/db/access.php index 51233ab985f..e95ce44b794 100644 --- a/grade/export/xml/db/access.php +++ b/grade/export/xml/db/access.php @@ -11,7 +11,17 @@ $gradeexport_xml_capabilities = array( 'editingteacher' => CAP_ALLOW, 'admin' => CAP_ALLOW ) + ), + + 'gradeexport/xml:publish' => array( + 'riskbitmask' => RISK_PERSONAL, + 'captype' => 'read', + 'contextlevel' => CONTEXT_COURSE, + 'legacy' => array( + 'admin' => CAP_ALLOW + ) ) + ); ?> diff --git a/grade/export/xml/dump.php b/grade/export/xml/dump.php index fb7c17ece84..198260a86e7 100644 --- a/grade/export/xml/dump.php +++ b/grade/export/xml/dump.php @@ -4,6 +4,9 @@ $nomoodlecookie = true; // session not used here require '../../../config.php'; $id = required_param('id', PARAM_INT); // course id +if (!$course = get_record('course', 'id', $id)) { + print_error('nocourseid'); +} require_user_key_login('grade/export', $id); // we want different keys for each course 
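Review bot: In the first xml/dump.php hunk the course record is loaded before require_user_key_login(), so an unauthenticated caller gets a distinct `nocourseid` error for ids that do not exist and a key error for ids that do — a small course-existence oracle on a page that deliberately runs without a session. `$course` is not used before the key check in this hunk, so moving the `get_record('course', 'id', $id)` block to just after `require_user_key_login('grade/export', $id);` closes it at no cost. This is minor, since course existence is often discoverable elsewhere, but it costs nothing to order the checks key-first.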
@@ -11,6 +14,9 @@ if (empty($CFG->gradepublishing)) { error('Grade publishing disabled'); } +$context = get_context_instance(CONTEXT_COURSE, $id); +require_capability('gradeexport/xml:pusblish', $context); + // use the same page parameters as export.php and append &key=sdhakjsahdksahdkjsahksadjksahdkjsadhksa require 'export.php'; diff --git a/grade/export/xml/index.php b/grade/export/xml/index.php index 245601fbb01..483e64ad50d 100755 --- a/grade/export/xml/index.php +++ b/grade/export/xml/index.php @@ -47,6 +47,10 @@ $navigation = grade_build_nav(__FILE__, $actionstr, array('courseid' => $course- print_header($course->shortname.': '.get_string('grades'), $course->fullname, $navigation); print_grade_plugin_selector($id, 'export', 'xml'); +if (!empty($CFG->gradepublishing)) { + $CFG->gradepublishing = has_capability('gradeexport/xml:publish', $context); +} + $mform = new grade_export_form(null, array('idnumberrequired'=>true, 'publishing' => true)); // process post information diff --git a/grade/export/xml/version.php b/grade/export/xml/version.php index 55d7451372e..c8a85f377d9 100644 --- a/grade/export/xml/version.php +++ b/grade/export/xml/version.php @@ -1,6 +1,6 @@ version = 2007072500; +$plugin->version = 2007092700; $plugin->requires = 2007072402; ?> diff --git a/grade/import/xml/db/access.php b/grade/import/xml/db/access.php index c221c464523..b4558d678cb 100644 --- a/grade/import/xml/db/access.php +++ b/grade/import/xml/db/access.php @@ -9,6 +9,14 @@ $gradeimport_xml_capabilities = array( 'editingteacher' => CAP_ALLOW, 'admin' => CAP_ALLOW ) + ), + + 'gradeimport/xml:publish' => array( + 'captype' => 'write', + 'contextlevel' => CONTEXT_COURSE, + 'legacy' => array( + 'admin' => CAP_ALLOW + ) ) ); diff --git a/grade/import/xml/fetch.php b/grade/import/xml/fetch.php index 37a69bc5332..b04e27f23c7 100644 --- a/grade/import/xml/fetch.php +++ b/grade/import/xml/fetch.php 
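Review bot: The xml dump.php hunk checks `'gradeexport/xml:pusblish'` rather than the `gradeexport/xml:publish` capability that xml/db/access.php defines, so the gate does not test the capability administrators actually assign; change it to `require_capability('gradeexport/xml:publish', $context);`. Whether an unknown capability name is denied or ignored by has_capability() is not visible in this diff, but both outcomes defeat the intent of the commit.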
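Review bot: `gradeimport/xml:publish` in grade/import/xml/db/access.php is declared without a `riskbitmask`, whereas the four export publish capabilities added in this commit carry RISK_PERSONAL. Holding this capability presumably lets a key holder feed grades into the course from a URL with no session (fetch.php, next hunk), so the risk indicator an admin sees when delegating it should not be blank; adding `'riskbitmask' => RISK_PERSONAL,` before `'captype' => 'write',` at least keeps the warning consistent with the export side, if no more specific risk constant applies.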
@@ -4,6 +4,9 @@ $nomoodlecookie = true; // session not used here require '../../../config.php'; $id = required_param('id', PARAM_INT); // course id +if (!$course = get_record('course', 'id', $id)) { + print_error('nocourseid'); +} require_user_key_login('grade/import', $id); // we want different keys for each course @@ -11,6 +14,9 @@ if (empty($CFG->gradepublishing)) { error('Grade publishing disabled'); } +$context = get_context_instance(CONTEXT_COURSE, $id); +require_capability('gradeimport/xml:pusblish', $context); + // use the same page parameters as import.php and append &key=sdhakjsahdksahdkjsahksadjksahdkjsadhksa require 'import.php'; diff --git a/grade/import/xml/index.php b/grade/import/xml/index.php index 912eedfd8eb..1e4ea1e40dd 100755 --- a/grade/import/xml/index.php +++ b/grade/import/xml/index.php @@ -43,6 +43,10 @@ $strgrades = get_string('grades', 'grades'); $actionstr = get_string('modulename', 'gradeimport_xml'); $navigation = grade_build_nav(__FILE__, $actionstr, array('courseid' => $course->id)); +if (!empty($CFG->gradepublishing)) { + $CFG->gradepublishing = has_capability('gradeimport/xml:publish', $context); +} + $mform = new grade_import_form(); if ($data = $mform->get_data()) { diff --git a/grade/import/xml/version.php b/grade/import/xml/version.php index d616882fb9b..2aebb9ce746 100644 --- a/grade/import/xml/version.php +++ b/grade/import/xml/version.php @@ -1,6 +1,6 @@ version = 2007092600; +$plugin->version = 2007092700; $plugin->requires = 2007092002; ?> diff --git a/lang/en_utf8/gradeexport_csv.php b/lang/en_utf8/gradeexport_csv.php index 216a15a0b81..3ccf9a43ffb 100644 --- a/lang/en_utf8/gradeexport_csv.php +++ b/lang/en_utf8/gradeexport_csv.php @@ -2,5 +2,6 @@ $string['modulename'] = 'CSV file'; $string['cvs:view'] = 'Use CSV grade export'; +$string['cvs:publish'] = 'Publish CSV grade export'; ?> diff --git a/lang/en_utf8/gradeexport_ods.php b/lang/en_utf8/gradeexport_ods.php index 90eee3b7820..b002037434c 100644 
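Review bot: The import fetch.php hunk checks `'gradeimport/xml:pusblish'`, which does not match the `gradeimport/xml:publish` capability defined in grade/import/xml/db/access.php in this commit; it should be `require_capability('gradeimport/xml:publish', $context);`. This one matters most of the five, because fetch.php is the write path (it includes import.php after the check), so a check that never resolves to the intended capability either blocks legitimate key holders or, depending on how has_capability() treats undefined names, leaves the import reachable by any key holder.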
--- a/lang/en_utf8/gradeexport_ods.php +++ b/lang/en_utf8/gradeexport_ods.php @@ -2,5 +2,6 @@ $string['modulename'] = 'OpenOffice spreadsheet'; $string['ods:view'] = 'Use Openoffice grade export'; +$string['ods:publish'] = 'Publish ODS grade export'; ?> diff --git a/lang/en_utf8/gradeexport_txt.php b/lang/en_utf8/gradeexport_txt.php index 242e2da8159..45cd6dabff5 100644 --- a/lang/en_utf8/gradeexport_txt.php +++ b/lang/en_utf8/gradeexport_txt.php @@ -2,5 +2,6 @@ $string['modulename'] = 'Plain text file'; $string['txt:view'] = 'Use text grade export'; +$string['txt:publish'] = 'Publish TXT grade export'; ?> diff --git a/lang/en_utf8/gradeexport_xls.php b/lang/en_utf8/gradeexport_xls.php index 74d94749e09..3a65e05fbc3 100644 --- a/lang/en_utf8/gradeexport_xls.php +++ b/lang/en_utf8/gradeexport_xls.php @@ -2,5 +2,6 @@ $string['modulename'] = 'Excel spreadsheet'; $string['xls:view'] = 'Use Excel grade export'; +$string['xls:publish'] = 'Publish XLS grade export'; ?> diff --git a/lang/en_utf8/gradeexport_xml.php b/lang/en_utf8/gradeexport_xml.php index 534da619864..6d85861222e 100644 --- a/lang/en_utf8/gradeexport_xml.php +++ b/lang/en_utf8/gradeexport_xml.php @@ -2,5 +2,6 @@ $string['modulename'] = 'XML file'; $string['xml:view'] = 'Use XML grade export'; +$string['xml:publish'] = 'Publish XML grade export'; ?> diff --git a/lang/en_utf8/gradeimport_xml.php b/lang/en_utf8/gradeimport_xml.php index 6b76b910eb9..1cd932f1f0a 100644 --- a/lang/en_utf8/gradeimport_xml.php +++ b/lang/en_utf8/gradeimport_xml.php @@ -6,5 +6,6 @@ $string['errincorrectidnumber'] = 'Error - incorrect idnumber'; $string['fileurl'] = 'Remote file URL'; $string['modulename'] = 'XML file'; $string['xml:view'] = 'Import grades from XML'; +$string['xml:publish'] = 'Publish import grades from XML'; ?> diff --git a/lang/en_utf8/grades.php b/lang/en_utf8/grades.php index 6f053664ce3..93caa384fbe 100644 --- a/lang/en_utf8/grades.php +++ b/lang/en_utf8/grades.php 
@@ -71,7 +71,7 @@ $string['configgradeboundary'] = 'A percentage boundary over which grades will b $string['configgradedisplaytype'] = 'Grades can be shown as real grades, as percentages (in reference to the minimum and maximum grades) or as letters (A, B, C etc..)'; $string['configgradeletter'] = 'A letter or other symbol used to represent a range of grades.'; $string['configgradeletterdefault'] = 'A letter or other symbol used to represent a range of grades. Leave this field empty to use the site default (currently $a).'; -$string['configgradepublishing'] = 'Enable publishing in exports and imports: Exported grades can be accessed by accessing a URL, without having to log on to a Moodle site. Grades can be imported by accessing such a URL (which means that a moodle site can import grades published by another site).'; +$string['configgradepublishing'] = 'Enable publishing in exports and imports: Exported grades can be accessed by accessing a URL, without having to log on to a Moodle site. Grades can be imported by accessing such a URL (which means that a moodle site can import grades published by another site). By default only administrators may use this feature, please educate users before adding required capabilities to other roles (dangers of bookmark sharing and download accelerators, IP restrictions, etc.).'; $string['configmeanselection'] = 'Select which types of grades will be included in the column averages. Cells with no grade can be ignored, or counted as 0 (default setting).'; $string['configquickfeedback'] = 'Quick Feedback adds a text input element in each grade cell on the grader report, allowing you to edit many grades at once. You can then click the Update button to perform all these changes at once, instead of one at a time.'; $string['configquickgrading'] = 'Quick Grading adds a text input element in each grade cell on the grader report, allowing you to edit the feedback for many grades at once. 
You can then click the Update button to perform all these changes at once, instead of one at a time.';