From 2c8695502788fd623c4077d9d4fb5d9a70dafe29 Mon Sep 17 00:00:00 2001
From: Frederic Massart
Date: Tue, 21 Aug 2012 17:40:03 +0800
Subject: [PATCH] MDL-34945 Repository: Creating an instance requires the user to have the permission to view it
---
 repository/lib.php | 6 ++++++
 repository/manage_instances.php | 16 ++++++++++------
 2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/repository/lib.php b/repository/lib.php
index e8a60f4b72e..c5a93f58e95 100644
--- a/repository/lib.php
+++ b/repository/lib.php
@@ -1490,6 +1490,12 @@ abstract class repository {
 $types = repository::get_editable_types($context);
 foreach ($types as $type) {
 if (!empty($type) && $type->get_visible()) {
+ // If the user does not have the permission to view the repository, it won't be displayed in
+ // the list of instances. Hiding the link to create new instances will prevent the
+ // user from creating them without being able to find them afterwards, which looks like a bug.
+ if (!has_capability('repository/'.$type->get_typename().':view', $context)) {
+ continue;
+ }
 $instanceoptionnames = repository::static_function($type->get_typename(), 'get_instance_option_names');
 if (!empty($instanceoptionnames)) {
 $baseurl->param('new', $type->get_typename());
diff --git a/repository/manage_instances.php b/repository/manage_instances.php
index a6b1363798d..5d7f76c61d7 100644
--- a/repository/manage_instances.php
+++ b/repository/manage_instances.php
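Review bot: The comment on the added `has_capability()` check in the `foreach` gives only the usability reason for skipping a type and does not say that this `continue` is display-only. A later reader could take it for the access control, so the comment should point at the place that actually refuses the request, e.g. `// Display only: the permission itself is enforced in repository/manage_instances.php.` The capability name `'repository/'.$type->get_typename().':view'` is also assembled by hand here and again in manage_instances.php; a small shared helper would keep the link filter and the enforcement from drifting apart. The enclosing method starts and ends outside the hunk.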
@@ -106,12 +106,16 @@ if (!empty($new)){
 $type = repository::get_type_by_id($instance->options['typeid']);
 }
-if (isset($type) && !$type->get_visible()) {
- print_error('typenotvisible', 'repository', $baseurl);
-}
-
-if (isset($type) && !$type->get_contextvisibility($context)) {
- print_error('usercontextrepositorydisabled', 'repository', $baseurl);
+if (isset($type)) {
+ if (!$type->get_visible()) {
+ print_error('typenotvisible', 'repository', $baseurl);
+ }
+ // Prevents the user from creating/editing an instance if the repository is not visible in
+ // this context OR if the user does not have the capability to view this repository in this context.
+ $canviewrepository = has_capability('repository/'.$type->get_typename().':view', $context);
+ if (!$type->get_contextvisibility($context) || !$canviewrepository) {
+ print_error('usercontextrepositorydisabled', 'repository', $baseurl);
+ }
 }
 /// Create navigation links
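Review bot: The new condition folds a missing `repository/<type>:view` capability into the same `print_error('usercontextrepositorydisabled', ...)` used for a repository that is disabled in the context, so a permission denial is reported as a configuration state and the failing capability is never named. Keeping the two cases apart makes denials easier to diagnose and audit: leave the `get_contextvisibility()` test on its own and follow it with `require_capability('repository/'.$type->get_typename().':view', $context);`, which raises the standard permission error. The whole block still runs only when `$type` was assigned by the if/else chain that begins above the hunk and is only partly visible here, so any request that never resolves a type is covered by neither check.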