MDL-49246 gradebook: add capability checks on key manager pages.

2025-03-14 12:40:01 +01:00 · 2015-02-23 16:18:46 +08:00 · 2015-02-23 16:18:46 +08:00 · ead4d41e39
commit ead4d41e39
parent dba564c7db
5 changed files with 37 additions and 3 deletions
--- a/grade/export/key.php
+++ b/grade/export/key.php
@ -25,6 +25,7 @@

 require_once('../../config.php');
 require_once('key_form.php');
+require_once($CFG->dirroot.'/grade/lib.php');

 /// get url variables
 $courseid = optional_param('courseid', 0, PARAM_INT);
@ -62,6 +63,12 @@ require_login($course);
 $context = context_course::instance($course->id);
 require_capability('moodle/grade:export', $context);

+// Check if the user has at least one grade publishing capability.
+$plugins = grade_helper::get_plugins_export($course->id);
+if (!isset($plugins['keymanager'])) {
+    print_error('nopermissions');
+}
+
 // extra security check
 if (!empty($key->userid) and $USER->id != $key->userid) {
    print_error('notownerofkey');
--- a/grade/export/keymanager.php
+++ b/grade/export/keymanager.php
@ -39,6 +39,12 @@ $context = context_course::instance($id);

 require_capability('moodle/grade:export', $context);

+// Check if the user has at least one grade publishing capability.
+$plugins = grade_helper::get_plugins_export($course->id);
+if (!isset($plugins['keymanager'])) {
+    print_error('nopermissions');
+}
+
 print_grade_page_head($course->id, 'export', 'keymanager', get_string('keymanager', 'grades'));

 $stredit   = get_string('edit');
--- a/grade/import/key.php
+++ b/grade/import/key.php
@ -25,6 +25,7 @@

 require_once('../../config.php');
 require_once('key_form.php');
+require_once($CFG->dirroot.'/grade/lib.php');

 /// get url variables
 $courseid = optional_param('courseid', 0, PARAM_INT);
@ -62,6 +63,12 @@ require_login($course);
 $context = context_course::instance($course->id);
 require_capability('moodle/grade:import', $context);

+// Check if the user has at least one grade publishing capability.
+$plugins = grade_helper::get_plugins_import($course->id);
+if (!isset($plugins['keymanager'])) {
+    print_error('nopermissions');
+}
+
 // extra security check
 if (!empty($key->userid) and $USER->id != $key->userid) {
    print_error('notownerofkey');
--- a/grade/import/keymanager.php
+++ b/grade/import/keymanager.php
@ -39,6 +39,12 @@ $context = context_course::instance($id);

 require_capability('moodle/grade:import', $context);

+// Check if the user has at least one grade publishing capability.
+$plugins = grade_helper::get_plugins_import($course->id);
+if (!isset($plugins['keymanager'])) {
+    print_error('nopermissions');
+}
+
 print_grade_page_head($course->id, 'import', 'keymanager', get_string('keymanager', 'grades'));

 $stredit   = get_string('edit');
--- a/grade/lib.php
+++ b/grade/lib.php
@ -2847,8 +2847,9 @@ abstract class grade_helper {
                $importplugins[$plugin] = new grade_plugin_info($plugin, $url, $pluginstr);
            }

-
-            if ($CFG->gradepublishing) {
+            // Show key manager if grade publishing is enabled and the user has xml publishing capability.
+            // XML is the only grade import plugin that has publishing feature.
+            if ($CFG->gradepublishing && has_capability('gradeimport/xml:publish', $context)) {
                $url = new moodle_url('/grade/import/keymanager.php', array('id'=>$courseid));
                $importplugins['keymanager'] = new grade_plugin_info('keymanager', $url, get_string('keymanager', 'grades'));
            }
@ -2875,17 +2876,24 @@ abstract class grade_helper {
        }
        $context = context_course::instance($courseid);
        $exportplugins = array();
+        $canpublishgrades = 0;
        if (has_capability('moodle/grade:export', $context)) {
            foreach (core_component::get_plugin_list('gradeexport') as $plugin => $plugindir) {
                if (!has_capability('gradeexport/'.$plugin.':view', $context)) {
                    continue;
                }
+                // All the grade export plugins has grade publishing capabilities.
+                if (has_capability('gradeexport/'.$plugin.':publish', $context)) {
+                    $canpublishgrades++;
+                }
+
                $pluginstr = get_string('pluginname', 'gradeexport_'.$plugin);
                $url = new moodle_url('/grade/export/'.$plugin.'/index.php', array('id'=>$courseid));
                $exportplugins[$plugin] = new grade_plugin_info($plugin, $url, $pluginstr);
            }

-            if ($CFG->gradepublishing) {
+            // Show key manager if grade publishing is enabled and the user has at least one grade publishing capability.
+            if ($CFG->gradepublishing && $canpublishgrades != 0) {
                $url = new moodle_url('/grade/export/keymanager.php', array('id'=>$courseid));
                $exportplugins['keymanager'] = new grade_plugin_info('keymanager', $url, get_string('keymanager', 'grades'));
            }