MDL-84303 qbanks: fix permission checks accessing shared banks

Tim Hunt 2025-04-07 12:50:50 +01:00
parent 019e480c35
commit e76afc9907
5 changed files with 12 additions and 8 deletions


@ -316,12 +316,11 @@ class custom_view extends \core_question\local\bank\view {
* @return void
*/
public function display(): void {
$editcontexts = $this->contexts->having_one_edit_tab_cap('questions');
echo \html_writer::start_div('questionbankwindow boxwidthwide boxaligncenter', [
'data-component' => 'core_question',
'data-callback' => 'display_question_bank',
'data-contextid' => $editcontexts[array_key_last($editcontexts)]->id,
'data-contextid' => $this->contexts->lowest()->id,
]);
// Show the 'switch question bank' button.
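Review bot: `'data-contextid' => $this->contexts->lowest()->id` publishes the lowest context regardless of whether the user holds an edit capability there, whereas the replaced line keyed on the last entry of `having_one_edit_tab_cap('questions')`; that is acceptable only because the fragment callback changed in this same commit (`mod_quiz_output_fragment_quiz_question_bank`) enforces `mod/quiz:manage` plus a use* capability server-side before rendering, and a comment saying so, e.g. `// Capabilities are enforced in the fragment callback, not by this attribute.`, would stop the attribute being read as an authorisation signal. If the `$editcontexts = ...` assignment at the top of the hunk survives the change, it is now unused and should be dropped. The rendered hunk shows fewer lines than its `-316,12 +316,11` header counts, so part of it is not visible here, and display() continues beyond the hunk.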


@ -2344,7 +2344,9 @@ function mod_quiz_output_fragment_quiz_question_bank($args): string {
build_required_parameters_for_custom_view($params, $extraparams);
$course = get_course($cm->course);
require_capability('mod/quiz:manage', $contexts->lowest());
if (!has_capability('moodle/question:useall', $contexts->lowest())) {
require_capability('moodle/question:usemine', $contexts->lowest());
}
// Custom View.
$questionbank = new $viewclass($contexts, $thispageurl, $course, $cm, $pagevars, $extraparams);
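Review bot: The added three-line check after `require_capability('mod/quiz:manage', ...)` hand-rolls an any-of capability test that Moodle already provides; `require_any_capability(['moodle/question:useall', 'moodle/question:usemine'], $contexts->lowest());` expresses the same rule in one line and names both capabilities in the resulting exception. It also keeps this callback visibly in step with the `havingcap: ['moodle/question:useall', 'moodle/question:usemine']` list that search_shared_banks gains in this commit, so the two cannot drift apart silently. The enclosing function starts and ends outside the hunk.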


@ -8,6 +8,9 @@ Feature: Switching question bank when adding questions to a quiz
Given the following "users" exist:
| username |
| teacher |
And the following "role capability" exists:
| role | teacher |
| moodle/question:useall | allow |
And the following "courses" exist:
| fullname | shortname |
| Course 1 | C1 |
@ -16,7 +19,7 @@ Feature: Switching question bank when adding questions to a quiz
And the following "course enrolments" exist:
| user | course | role |
| teacher | C1 | editingteacher |
| teacher | C2 | editingteacher |
| teacher | C2 | teacher |
And the following "activities" exist:
| activity | name | intro | course | idnumber |
| quiz | Quiz 1 | Quiz 1 for testing the Add menu | C1 | quiz1 |
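Review bot: The background now grants `moodle/question:useall` to the `teacher` role and enrols the user as a non-editing `teacher` in C2, so the scenarios run only with the broader capability; the `moodle/question:usemine` fallback that the quiz fragment callback gains in this commit is not exercised by this setup, unless a scenario later in the feature (outside this hunk) covers it. A scenario that swaps the row to `| moodle/question:usemine | allow |` would pin the behaviour this fix relies on. The Background block continues outside the hunk.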


@ -76,7 +76,7 @@ class search_shared_banks extends external_api {
$sharedbanks = question_bank_helper::get_activity_instances_with_shareable_questions(
notincourseids: [$courseid],
havingcap: ['moodle/question:managecategory'],
havingcap: ['moodle/question:useall', 'moodle/question:usemine'],
filtercontext: $modulecontext,
search: $search,
limit: self::MAX_RESULTS + 1, // Return up to 1 extra result, so we know there are more.
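Review bot: The new `havingcap: ['moodle/question:useall', 'moodle/question:usemine']` argument reads as if both capabilities were required, while the helper's docblock reworded in this same commit describes `$havingcap` as any-of; a one-line comment above the argument such as `// Any one of these capabilities is enough to list the bank (havingcap is any-of).` would keep a later reader from tightening it by mistake. Replacing `moodle/question:managecategory` with the use* capabilities also widens which banks this search returns, which is the intent for picking questions but is worth stating next to the call. The enclosing call and method continue outside the hunk.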


@ -130,7 +130,7 @@ class question_bank_helper {
*
* @param array $incourseids array of course ids where you want instances included. Leave empty if you want from all courses.
* @param array $notincourseids array of course ids where you do not want instances included.
* @param array $havingcap current user must have these capabilities on each bank context.
* @param array $havingcap current user must have at least one of these capabilities on each bank context.
* @param bool $getcategories optionally return the categories belonging to these banks.
* @param int $currentbankid optionally include the bank id you want included as the first result from the method return.
* it will only be included if the other parameters allow it.
@ -167,7 +167,7 @@ class question_bank_helper {
*
* @param array $incourseids array of course ids where you want instances included. Leave empty if you want from all courses.
* @param array $notincourseids array of course ids where you do not want instances included.
* @param array $havingcap current user must have these capabilities on each bank context.
* @param array $havingcap current user must have at least one of these capabilities on each bank context.
* @param bool $getcategories optionally return the categories belonging to these banks.
* @param int $currentbankid optionally include the bank id you want included as the first result from the method return.
* it will only be included if the other parameters allow it.
@ -204,7 +204,7 @@ class question_bank_helper {
* @param bool $getcategories optionally return the categories belonging to these banks.
* @param int $currentbankid optionally include the bank id you want included as the first result from the method return.
* it will only be included if the other parameters allow it.
* @param array $havingcap current user must have these capabilities on each bank context.
* @param array $havingcap current user must have at least one of these capabilities on each bank context.
* @param ?context $filtercontext Optional context to use for all string filtering, useful for performance when calling with
* parameters that will get banks across multiple contexts.
* @param string $search Optional term to search question bank instances by name
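Review bot: The reworded `@param array $havingcap` lines (in this hunk and in the two following ones at `-167` and `-204`) now state any-of semantics but still type the parameter as a bare `array`; `@param string[] $havingcap current user must have at least one of these capabilities on each bank context.` gives static analysis the element type at no cost. It would also help to say what an empty array means (no capability filtering, or no banks matched), since that is not visible from the docblock; I cannot see the implementation from these hunks, so the wording should follow whatever it actually does. Each of these docblocks belongs to a method whose signature lies outside the hunk.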