MDL-40854 fix mod/...:view capabilities

Prior to the fix, if you did not have a capability like mod/page:view, then you woulds still see the link to the Page activity in the course section, but when you clicked on it, you would run into a require_capability error. It is a principle that we never show users a link to a page they are not allowed to access, therefore, when users do not have mod/...:view, they should not see the link on the course page. This patch implements this in the cm_info class, in a similar way to how access restrictions by groups works. It does not assume that the mod/...:view capability exists. If the capability does not exist, then users are not prevented from seeing the link.
2025-04-21 16:32:18 +02:00 · 2013-07-24 19:14:15 +01:00 · 2013-07-24 19:14:15 +01:00 · 9e1fe42150
commit 9e1fe42150
parent bdd045c5ec
2 changed files with 21 additions and 2 deletions
--- a/grade/report/user/lib.php
+++ b/grade/report/user/lib.php
@ -365,7 +365,8 @@ class grade_report_user extends grade_report {
                    $cm = $instances[$grade_object->iteminstance];
                    if (!$cm->uservisible) {
                        // Further checks are required to determine whether the activity is entirely hidden or just greyed out.
-                        if ($cm->is_user_access_restricted_by_group() || $cm->is_user_access_restricted_by_conditional_access()) {
+                        if ($cm->is_user_access_restricted_by_group() || $cm->is_user_access_restricted_by_conditional_access() ||
+                                $cm->is_user_access_restricted_by_capability()) {
                            $hide = true;
                        }
                    }
--- a/lib/modinfolib.php
+++ b/lib/modinfolib.php
@ -1203,7 +1203,8 @@ class cm_info extends stdClass {
        }

        // Check group membership.
-        if ($this->is_user_access_restricted_by_group()) {
+        if ($this->is_user_access_restricted_by_group() ||
+                $this->is_user_access_restricted_by_capability()) {

             $this->uservisible = false;
            // Ensure activity is completely hidden from the user.
@ -1234,6 +1235,23 @@ class cm_info extends stdClass {
        return false;
    }

+    /**
+     * Checks whether mod/...:view capability restricts the current user's access.
+     *
+     * @return bool True if the user access is restricted.
+     */
+    public function is_user_access_restricted_by_capability() {
+        $capability = 'mod/' . $this->modname . ':view';
+        $capabilityinfo = get_capability_info($capability);
+        if (!$capabilityinfo) {
+            // Capability does not exist, no one is prevented from seeing the activity.
+            return false;
+        }
+
+        // You are blocked if you don't have the capability.
+        return !has_capability($capability, context_module::instance($this->id));
+    }
+
    /**
     * Checks whether the module's conditional access settings mean that the user cannot see the activity at all
     *