diff --git a/blog/blogpage.php b/blog/blogpage.php
index e2cddaeed2f..78013076f2d 100644
--- a/blog/blogpage.php
+++ b/blog/blogpage.php
@@ -9,7 +9,6 @@ define('PAGE_BLOG_VIEW', 'blog-view');
 class page_blog extends page_base {
 var $editing = false;
- var $bloginfo = NULL;
 var $courserecord = NULL;
 var $courseid = NULL;
@@ -49,7 +48,7 @@ class page_blog extends page_base {
 }
 // I need to determine how best to utilize this function. Most init
 // is already done before we get here in blogFilter and blogInfo
- //$this->bloginfo =& new BlogInfo($this->id);
+
 if ($this->courseid == 0 || $this->courseid == 1 || !is_numeric($this->courseid) ) {
 $this->courseid = '';
 $courserecord = NULL;
@@ -64,8 +63,6 @@ class page_blog extends page_base {
 // For this test page, only admins are going to be allowed editing (for simplicity).
 function user_allowed_editing() {
 if (isloggedin() && !isguest()) {
-
- //if (isadmin() || ((isset($this->bloginfo) && blog_user_has_rights($this->bloginfo))) || ($this->courseid != '' && isteacher($this->courseid)) ) {
 return true;
 }
 return false;
@@ -76,7 +73,6 @@ class page_blog extends page_base {
 function user_is_editing() {
 if (isloggedin() && !isguest()) {
- //if (isadmin() || ((isset($this->bloginfo) && blog_user_has_rights($this->bloginfo))) || ($this->courseid != '' && isteacher($this->courseid)) ) {
 global $SESSION;
 if (empty($SESSION->blog_editing_enabled)) {
 $SESSION->blog_editing_enabled = false;
@@ -168,7 +164,7 @@ class page_blog extends page_base {
 global $SESSION, $CFG, $USER;
 $editformstring = '';
- if (blog_isLoggedin()) {
+ if (isloggedin() && !isguest()) {
 if (!empty($SESSION->blog_editing_enabled) && ($SESSION->blog_editing_enabled)) {
 $editingString = get_string('turneditingoff');
 } else {
diff --git a/blog/edit.php b/blog/edit.php
index 2ad0277e6ad..9f408038581 100755
--- a/blog/edit.php
+++ b/blog/edit.php
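Review bot: The comment `// For this test page, only admins are going to be allowed editing (for simplicity).` above user_allowed_editing no longer matches the code in the -64 hunk: once the commented-out admin/teacher condition is deleted, the method returns true for every logged-in non-guest user, and user_is_editing and the -168 hunk now grant editing mode on the same predicate. Replace the stale comment with one that states the actual rule, e.g. `// Any logged-in, non-guest user may toggle editing mode on this page; whether a given entry may be edited is decided per entry by blog_user_can_edit_post() in blog/lib.php.` (that helper is introduced by this same commit). If the per-page predicate is meant to stay this broad, it is worth keeping it in one place rather than repeating `isloggedin() && !isguest()` three times in the class.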
@@ -23,39 +23,31 @@ if (isguest()) { } $userid = optional_param('userid', 0, PARAM_INT); -$editid = optional_param('editid', 0, PARAM_INT); + +// make sure that the person trying to edit have access right +if ($editid = optional_param('editid', 0, PARAM_INT)) { + + $blogEntry = get_record('post', 'id', $editid); + + if (!blog_user_can_edit_post($blogEntry)) { + error( get_string('notallowedtoedit', 'blog'), $CFG->wwwroot .'/login/index.php'); + } + +} //check to see if there is a requested blog to edit -if (!empty($userid) && $userid != 0) { - if (blog_isLoggedIn() && $userid == $USER->id ) { - ; // Daryl Hawes note: is this a placeholder for missing functionality? - } -} else if ( blog_isLoggedIn() ) { +if (isloggedin() && !isguest()) { //the user is logged in and have not specified a blog - so they will be editing their own //$tempBlogInfo = blog_user_bloginfo(); - $userid = $USER->id;//$tempBlogInfo->userid; + $userid = $USER->id; //$tempBlogInfo->userid; //unset($tempBlogInfo); //free memory from temp object - bloginfo will be created again in the included header } else { error(get_string('noblogspecified', 'blog') .'' .get_string('viewentries', 'blog') .''); } $pageNavigation = 'edit'; - include($CFG->dirroot .'/blog/header.php'); -//check if user is in blog's acl -if ( !blog_user_has_rights($editid) ) { - if ($editid != '') { - $blogEntry = get_record('post','id',$editid); - if (! (isteacher($blogEntry->$entryCourseId)) ) { -// error( get_string('notallowedtoedit'.' You do not teach in this course.', 'blog'), $CFG->wwwroot .'/login/index.php'); - error( get_string('notallowedtoedit', 'blog'), $CFG->wwwroot .'/login/index.php'); - } - } else { - error( get_string('notallowedtoedit', 'blog'), $CFG->wwwroot .'/login/index.php'); - } -} - //////////// SECURITY AND SETUP COMPLETE - NOW PAGE LOGIC /////////////////// if (isset($act) && ($act == 'del') && confirm_sesskey()) 
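Review bot: The new access check passes `$blogEntry` straight from `get_record('post', 'id', $editid)` into `blog_user_can_edit_post()` without confirming a post was found; for an unknown `editid` the record is false, `$blogEntry->userid` evaluates to null, and the decision reduces to `null == $USER->id`, which is true for a visitor with no id, and this check runs before the `isloggedin() && !isguest()` test further down. Guard the lookup so a missing post is refused explicitly rather than by accident: `if (!$blogEntry || !blog_user_can_edit_post($blogEntry)) {`. The `if (isguest())` block that this hunk closes begins outside it.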
@@ -64,16 +56,17 @@ if (isset($act) && ($act == 'del') && confirm_sesskey()) if (optional_param('confirm',0,PARAM_INT)) { do_delete($postid); } else { + /// prints blog entry and what confirmation form echo '
'; echo ''; echo ''; echo ''; echo ''; + print_string('blogdeleteconfirm', 'blog'); - - $post = get_record('post', 'id', $postid); - blog_print_entry($post); + blog_print_entry($blogEntry); + echo '
'; echo ' '; echo ' '; @@ -172,9 +165,9 @@ function do_delete($postid) { // make sure this user is authorized to delete this entry. // cannot use $post->pid because it may not have been initialized yet. Also the pid may be in get format rather than post. // check ownership - $post = get_record('post','id',$postid); + $blogEntry = get_record('post','id',$postid); - if (($USER->id == $post->userid) || (blog_is_blog_admin($post->userid)) || (isadmin())) { + if (blog_user_can_edit($blogEntry)) { if (delete_records('post','id',$postid)) { //echo "bloginfo_arg:"; //debug diff --git a/blog/lib.php b/blog/lib.php index be366625cc9..73ecef35251 100755 --- a/blog/lib.php +++ b/blog/lib.php 
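Review bot: `blog_print_entry($blogEntry)` in the delete-confirmation branch depends on `$blogEntry`, which the new code at the top of edit.php assigns only when an `editid` parameter is present, while this branch is keyed on `$postid` and is reached via `act=del`; a delete request without `editid` prints an undefined variable, and one carrying a different `editid` previews a post other than the one being deleted. Keep the lookup local to the branch, as the removed lines did: `$blogEntry = get_record('post', 'id', $postid);` immediately before the `blog_print_entry` call. Where `$postid` is assigned is outside the hunk.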
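Review bot: `if (blog_user_can_edit($blogEntry)) {` in do_delete calls a function that does not match the one this commit adds to blog/lib.php, `blog_user_can_edit_post`; unless `blog_user_can_edit` is defined somewhere outside this diff, every delete ends in an undefined-function fatal instead of an authorization decision. The lookup on the line above can also return false for a bogus postid, so change the condition to `if ($blogEntry && blog_user_can_edit_post($blogEntry)) {` so that a missing record is refused rather than dereferenced. do_delete's body continues past the hunk, so whether `$USER` is declared global there is not visible here.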
@@ -32,59 +32,6 @@ $SESSION->blog_editing_enabled = false; } - /** - * blog_user_has_rights - returns true if user is the blog's owner or a moodle admin. - * - * @param BlogInfo blogInfo - a BlogInfo object passed by reference. This object represents the blog being accessed. - * @param int uid - numeric user id of the user whose rights are being tested against this blogInfo. If no uid is specified then the uid of the currently logged in user will be used. - */ - function blog_user_has_rights($entryID, $uid='') { - global $USER; - - if ($uid == '') { - if ( isset($USER) && isset($USER->id) ) { - $uid = $USER->id; - } - } - if ($uid == '') { - //if uid is still empty then the user is not logged in - return false; - } - if (blog_is_blog_admin($uid) || isadmin()) { - return true; - } - $blogEntry = get_record('post','id',$entryID); - - return ($blogEntry->userid == $uid); - - } - - /** - * Determines whether a user is an admin for a blog - * @param int $blog_userid The id of the blog being checked - */ - function blog_is_blog_admin($blog_userid) { - global $USER; - - //moodle admins are admins - if (isadmin()) { - return true; - } - if ( empty($USER) || !isset($USER->id) ) { - return false; - } - if ( empty($blog_userid)) { - return true; - } - - // Return true if the user is an admin for this blog - if ($blog_userid == $USER->id) { - return true; - } else { - return false; - } - } - /** * Adaptation of isediting in moodlelib.php for blog module * @return bool 
@@ -101,9 +48,10 @@ * This function is in lib and not in BlogInfo because entries being searched * might be found in any number of blogs rather than just one. * - * $@param BlogFilter blogFilter - a BlogFilter object containing the settings for finding appropriate entries for display + * $@param ... */ function blog_print_html_formatted_entries($userid, $postid, $limit, $start, $filtertype, $filterselect, $tagid, $tag, $filtertype, $filterselect) { + global $CFG, $USER; $blogpage = optional_param('blogpage', 0, PARAM_INT); @@ -115,14 +63,11 @@ $morelink = '
  '; // show personal or general heading block as applicable echo '
'; - //show blog title - blog tagline + print "
"; //don't print title. blog_get_title_text(); $blogEntries = fetch_entries($userid, $postid, $limit, $start, $filtertype, $filterselect, $tagid, $tag, $sort='lastmodified DESC', $limit=true); - //$blogFilter->get_filtered_entries(); - // show page next/previous links if applicable - print_paging_bar(get_viewable_entry_count($userid, $postid, $limit, $start,$filtertype, $filterselect, $tagid, $tag, $sort='lastmodified DESC'), $blogpage, $bloglimit, get_baseurl($filtertype, $filterselect), 'blogpage'); if ($CFG->enablerssfeeds) { @@ -151,7 +96,6 @@ } print $morelink.'
'."\n"; - return; } @@ -190,9 +134,12 @@ $template['publishstate'] = $blogEntry->publishstate; /// preventing user to browse blogs that they aren't supposed to see + /// This might not be too good since there are multiple calls per page + + /* if (!blog_user_can_view_user_post($template['userid'])) { error ('you can not view this post'); - } + }*/ $stredit = get_string('edit'); $strdelete = get_string('delete'); @@ -266,6 +213,7 @@ * choose_from_menu function. */ function blog_applicable_publish_states($courseid='') { + global $CFG; // everyone gets draft access @@ -276,18 +224,34 @@ return $options; } + // user can edit if he's an admin, or blog owner + function blog_user_can_edit_post($blogEntry) { + + global $CFG, $USER; + + return (isadmin() || ($blogEntry->userid == $USER->id)); + + } /// Checks to see if a user can view the blogs of another user. /// He can do so, if he is admin, in any same non-spg course, /// or spg group, but same group member - function blog_user_can_view_user_post($targetuserid) { + function blog_user_can_view_user_post($targetuserid, $blogEntry=null) { - global $CFG; + global $CFG, $USER; $canview = 0; //bad start if (isadmin()) { return true; } + + if ($USER->id == $targetuserid) { + return true; + } + + if ($blogEntry and $blogEntry->publishstate == 'draft') { // can not view draft + return false; + } $usercourses = get_my_courses($targetuserid); foreach ($usercourses as $usercourse) { @@ -328,51 +292,7 @@ return stripslashes_safe($body); } - - /// moved from BlogEntry class - function get_publish_to_menu($blogEntry, $return=true, $includehelp=true) { - $menu = ''; - if (user_can_change_publish_state($blogEntry) && blog_isediting() ) { - $menu .= '
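Review bot: Wrapping the `blog_user_can_view_user_post($template['userid'])` call in `/* ... */` removes the only per-entry visibility enforcement visible in this rendering path, and the comment only says it "might not be too good" because of multiple calls per page. If the cost is the concern, the restriction belongs in the query behind `fetch_entries` (or a once-per-request cache of the per-user result), not switched off; unless `fetch_entries` already filters by publishstate and course membership, which is not visible in this diff, drafts and entries from courses the viewer is not in will be printed. Either restore the check or delete the dead block and leave a comment naming where visibility is enforced instead, e.g. `// viewer visibility is enforced when entries are fetched; see fetch_entries()`, adjusted to wherever that actually happens.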
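Review bot: `blog_user_can_edit_post` dereferences `$blogEntry->userid` without checking that a record was passed and compares it to `$USER->id` with `==`, so when a caller's `get_record` returned false and the current visitor has no id, both sides are null and the function returns true; edit.php in this commit calls it before its login check. Suggested body: `return isadmin() || (!empty($USER->id) && !empty($blogEntry->userid) && $blogEntry->userid == $USER->id);`. The new `$USER->id == $targetuserid` early return in blog_user_can_view_user_post has the same loose-comparison shape, and its draft check only runs when `$blogEntry` is supplied, so existing callers that pass only a user id never get the draft restriction; the `$CFG` global declared there is not used by the added lines.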
'. get_string('publishto', 'blog').': '; - $options = blog_applicable_publish_states(); - $menu .= choose_from_menu($options, $blogEntry->userid .'-'. $blogEntry->id, $blogEntry->publishstate, '', '', '0', true); - $menu .= "\n".'
'."\n"; - /// batch publish might not be needed - if ($includehelp) { - $menu .= helpbutton('batch_publish', get_string('batchpublish', 'blog'), 'blog', true, false, '', true); - } - } - - if ($return) { - return $menu; - } - print $menu; - } - - - /** - * This function will determine if the user is logged in and - * able to make changes to the publish state of this entry - * - * @return bool True if user is allowed to change publish state - */ - function user_can_change_publish_state($blogEntry) { - // figure out who the currently logged in user is. - // to change any publish state one must be logged in - global $USER; - if ( !isset($USER) || empty($USER) || !isset($USER->id) ) { - // only site members are allowed to edit entries - return 'Only site members are allowed to edit entries'; - } else { - $uid = $USER->id; - } - if ( ($uid == $blogEntry->userid) || (blog_is_blog_admin($blogEntry->userid)) || (isadmin())) { - return true; - } - return false; - } - -/// Filter Class functions +/// Main filter function function fetch_entries($userid, $postid='', $fetchlimit=10, $fetchstart='', $filtertype='', $filterselect='', $tagid='', $tag ='', $sort='lastmodified DESC', $limit=true) { @@ -522,7 +442,6 @@ $orderby = ' ORDER BY '. $sort .' '; //echo 'Debug: BlogFilter fetch_entries() sql="'. $SQL . $orderby . $limit .'"
'. $this->categoryid; //debug - $records = get_records_sql($SQL . $orderby . $limit); // print_object($records); //debug @@ -537,6 +456,8 @@ /** * get the count of viewable entries, easiest way is to count fetch_entries * this is used for print_paging_bar + * this is not ideal, but because of the UNION in the sql in fetch_entries, + * it is hard to use count_records_sql */ function get_viewable_entry_count($userid, $postid='', $fetchlimit=10, $fetchstart='', $filtertype='', $filterselect='', $tagid='', $tag ='', $sort='lastmodified DESC') { @@ -544,7 +465,7 @@ return count($blogEntries); } - /// Find the base url from $_GET variables + /// Find the base url from $_GET variables, for print_paging_bar function get_baseurl($filtertype, $filterselect) { $getcopy = $_GET;