From 1ba1235eb1341068eb9449112ea2602963755d4f Mon Sep 17 00:00:00 2001
From: Shamim Rezaie
Date: Sun, 16 Jun 2019 16:39:38 +1000
Subject: [PATCH] MDL-34411 mod_quiz: Check if the teacher can access the override

---
 mod/quiz/overridedelete.php | 10 ++++++++++
 mod/quiz/overrideedit.php | 10 ++++++++++
 2 files changed, 20 insertions(+)

diff --git a/mod/quiz/overridedelete.php b/mod/quiz/overridedelete.php
index 5e88eeb50d6..c4b35c4bcb3 100644
--- a/mod/quiz/overridedelete.php
+++ b/mod/quiz/overridedelete.php
@@ -49,6 +49,16 @@ require_login($course, false, $cm);
 // Check the user has the required capabilities to modify an override.
 require_capability('mod/quiz:manageoverrides', $context);
+if ($override->groupid) {
+ if (!groups_group_visible($override->groupid, $course, $cm)) {
+ print_error('invalidoverrideid', 'quiz');
+ }
+} else {
+ if (!groups_user_groups_visible($course, $override->userid, $cm)) {
+ print_error('invalidoverrideid', 'quiz');
+ }
+}
+
 $url = new moodle_url('/mod/quiz/overridedelete.php', array('id'=>$override->id));
 $confirmurl = new moodle_url($url, array('id'=>$override->id, 'confirm'=>1));
 $cancelurl = new moodle_url('/mod/quiz/overrides.php', array('cmid'=>$cm->id));
diff --git a/mod/quiz/overrideedit.php b/mod/quiz/overrideedit.php
index ef1f416e7b4..e3c01eb9e18 100644
--- a/mod/quiz/overrideedit.php
+++ b/mod/quiz/overrideedit.php
@@ -76,6 +76,16 @@ require_capability('mod/quiz:manageoverrides', $context);
 if ($overrideid) {
 // Editing an override.
 $data = clone $override;
+
+ if ($override->groupid) {
+ if (!groups_group_visible($override->groupid, $course, $cm)) {
+ print_error('invalidoverrideid', 'quiz');
+ }
+ } else {
+ if (!groups_user_groups_visible($course, $override->userid, $cm)) {
+ print_error('invalidoverrideid', 'quiz');
+ }
+ }
 } else {
 // Creating a new override.
 $data = new stdClass();
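Review bot: The visibility block added after `require_capability('mod/quiz:manageoverrides', $context);` in overridedelete.php has no comment saying why a user who holds the capability can still be refused, and the same ten lines are repeated verbatim in overrideedit.php. I would put `// Also require that the override's group or user is visible to the current user.` above `if ($override->groupid) {` and move the check into one shared function, so that the two pages cannot drift apart when one is later changed. Reusing `invalidoverrideid` for the refusal appears deliberate, since the response then looks the same as for a missing override; the comment should say so. The confirm handling that follows is outside the hunk.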
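Review bot: In overrideedit.php the visibility check sits only inside the `if ($overrideid)` branch, so it covers the override loaded from storage but not the `groupid`/`userid` that the form submits later, either for a new override or for an edited one whose target was changed. The save path is outside this hunk, so this may already be handled there, presumably by the form's validation. If it is not, the same `groups_group_visible()` / `groups_user_groups_visible()` test should be applied to the submitted values before the record is written. The `if`/`else` continues past the end of the hunk.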