MDL-37244 Assignment: Submission comments plugin does not implement comments callbacks.

This allows anyone to view or modify anyone elses submission comments.
2025-05-13 03:36:09 +02:00 · 2012-12-20 15:19:14 +08:00 · 2012-12-20 15:19:14 +08:00 · e00b5c454c
commit e00b5c454c
parent 986095771b
1 changed files with 66 additions and 0 deletions
--- a/mod/assign/submission/comments/lib.php
+++ b/mod/assign/submission/comments/lib.php
@ -31,6 +31,39 @@ defined('MOODLE_INTERNAL') || die();
 * @return bool
 */
 function assignsubmission_comments_comment_validate(stdClass $options) {
+    global $USER, $CFG, $DB;
+
+    if ($options->commentarea != 'submission_comments' &&
+            $options->commentarea != 'submission_comments_upgrade') {
+        throw new comment_exception('invalidcommentarea');
+    }
+    if (!$submission = $DB->get_record('assign_submission', array('id'=>$options->itemid))) {
+        throw new comment_exception('invalidcommentitemid');
+    }
+    $context = $options->context;
+
+    require_once($CFG->dirroot . '/mod/assign/locallib.php');
+    $assignment = new assign($context, null, null);
+
+    if ($assignment->get_instance()->id != $submission->assignment) {
+        throw new comment_exception('invalidcontext');
+    }
+    if (!has_capability('mod/assign:grade', $context)) {
+        if (!has_capability('mod/assign:submit', $context)) {
+            throw new comment_exception('nopermissiontocomment');
+        } else if ($assignment->get_instance()->teamsubmission) {
+            $group = $assignment->get_submission_group($USER->id);
+            $groupid = 0;
+            if ($group) {
+                $groupid = $group->id;
+            }
+            if ($groupid != $submission->groupid) {
+                throw new comment_exception('nopermissiontocomment');
+            }
+        } else if ($submission->userid != $USER->id) {
+            throw new comment_exception('nopermissiontocomment');
+        }
+    }

    return true;
 }
@ -42,6 +75,39 @@ function assignsubmission_comments_comment_validate(stdClass $options) {
 * @return array
 */
 function assignsubmission_comments_comment_permissions(stdClass $options) {
+    global $USER, $CFG, $DB;
+
+    if ($options->commentarea != 'submission_comments' &&
+            $options->commentarea != 'submission_comments_upgrade') {
+        throw new comment_exception('invalidcommentarea');
+    }
+    if (!$submission = $DB->get_record('assign_submission', array('id'=>$options->itemid))) {
+        throw new comment_exception('invalidcommentitemid');
+    }
+    $context = $options->context;
+
+    require_once($CFG->dirroot . '/mod/assign/locallib.php');
+    $assignment = new assign($context, null, null);
+
+    if ($assignment->get_instance()->id != $submission->assignment) {
+        throw new comment_exception('invalidcontext');
+    }
+    if (!has_capability('mod/assign:grade', $context)) {
+        if (!has_capability('mod/assign:submit', $context)) {
+            return array('post' => false, 'view' => false);
+        } else if ($assignment->get_instance()->teamsubmission) {
+            $group = $assignment->get_submission_group($USER->id);
+            $groupid = 0;
+            if ($group) {
+                $groupid = $group->id;
+            }
+            if ($groupid != $submission->groupid) {
+                return array('post' => false, 'view' => false);
+            }
+        } else if ($submission->userid != $USER->id) {
+            return array('post' => false, 'view' => false);
+        }
+    }

    return array('post' => true, 'view' => true);
 }