MDL-52811 course: prevent setting of 'lang' without permission

2025-04-21 00:12:56 +02:00 · 2017-12-22 09:49:37 +00:00 · 2017-12-22 09:49:37 +00:00 · 1433a07881
commit 1433a07881
parent ecce451878
4 changed files with 36 additions and 4 deletions
--- a/admin/tool/uploadcourse/classes/course.php
+++ b/admin/tool/uploadcourse/classes/course.php
@ -592,6 +592,23 @@ class tool_uploadcourse_course {
            $coursedata['enddate'] = strtotime($coursedata['enddate']);
        }

+        // If lang is specified, check the user is allowed to set that field.
+        if (!empty($coursedata['lang'])) {
+            if ($exists) {
+                $courseid = $DB->get_field('course', 'id', ['shortname' => $this->shortname]);
+                if (!has_capability('moodle/course:setforcedlanguage', context_course::instance($courseid))) {
+                    $this->error('cannotforcelang', new lang_string('cannotforcelang', 'tool_uploadcourse'));
+                    return false;
+                }
+            } else {
+                $catcontext = context_coursecat::instance($coursedata['category']);
+                if (!guess_if_creator_will_have_course_capability('moodle/course:setforcedlanguage', $catcontext)) {
+                    $this->error('cannotforcelang', new lang_string('cannotforcelang', 'tool_uploadcourse'));
+                    return false;
+                }
+            }
+        }
+
        // Ultimate check mode vs. existence.
        switch ($mode) {
            case tool_uploadcourse_processor::MODE_CREATE_NEW:
--- a/admin/tool/uploadcourse/lang/en/tool_uploadcourse.php
+++ b/admin/tool/uploadcourse/lang/en/tool_uploadcourse.php
@ -30,6 +30,7 @@ $string['allowresets'] = 'Allow resets';
 $string['allowresets_help'] = 'Whether the reset field is accepted or not.';
 $string['cachedef_helper'] = 'Helper caching';
 $string['cannotdeletecoursenotexist'] = 'Cannot delete a course that does not exist';
+$string['cannotforcelang'] = 'No permission to force language for this course';
 $string['cannotgenerateshortnameupdatemode'] = 'Cannot generate a shortname when updates are allowed';
 $string['cannotreadbackupfile'] = 'Cannot read the backup file';
 $string['cannotrenamecoursenotexist'] = 'Cannot rename a course that does not exist';
--- a/backup/moodle2/restore_stepslib.php
+++ b/backup/moodle2/restore_stepslib.php
@ -1827,6 +1827,7 @@ class restore_course_structure_step extends restore_structure_step {
        // When restoring to a new course we can set all the things except for the ID number.
        $canchangeidnumber = $isnewcourse || has_capability('moodle/course:changeidnumber', $context, $userid);
        $canchangesummary = $isnewcourse || has_capability('moodle/course:changesummary', $context, $userid);
+        $canforcelanguage = has_capability('moodle/course:setforcedlanguage', $context);

        $data = (object)$data;
        $data->id = $this->get_courseid();
@ -1851,6 +1852,11 @@ class restore_course_structure_step extends restore_structure_step {
            unset($data->summaryformat);
        }

+        // Unset lang if user can't change it.
+        if (!$canforcelanguage) {
+            unset($data->lang);
+        }
+
        // Only allow the idnumber to be set if the user has permission and the idnumber is not already in use by
        // another course on this site.
        if (!empty($data->idnumber) && $canchangeidnumber && $this->task->is_samesite()
--- a/course/externallib.php
+++ b/course/externallib.php
@ -713,8 +713,13 @@ class core_course_external extends external_api {
            require_capability('moodle/course:create', $context);

            // Make sure lang is valid
-            if (array_key_exists('lang', $course) and empty($availablelangs[$course['lang']])) {
-                throw new moodle_exception('errorinvalidparam', 'webservice', '', 'lang');
+            if (array_key_exists('lang', $course)) {
+                if (empty($availablelangs[$course['lang']])) {
+                    throw new moodle_exception('errorinvalidparam', 'webservice', '', 'lang');
+                }
+                if (!has_capability('moodle/course:setforcedlanguage', $context)) {
+                    unset($course['lang']);
+                }
            }

            // Make sure theme is valid
@ -911,8 +916,11 @@ class core_course_external extends external_api {
                }

                // Make sure lang is valid.
-                if (array_key_exists('lang', $course) && empty($availablelangs[$course['lang']])) {
-                    throw new moodle_exception('errorinvalidparam', 'webservice', '', 'lang');
+                if (array_key_exists('lang', $course) && ($oldcourse->lang != $course['lang'])) {
+                    require_capability('moodle/course:setforcedlanguage', $context);
+                    if (empty($availablelangs[$course['lang']])) {
+                        throw new moodle_exception('errorinvalidparam', 'webservice', '', 'lang');
+                    }
                }

                // Make sure theme is valid.