From 0e8f56103c3f0372177170d237e1c556dc387a84 Mon Sep 17 00:00:00 2001
From: Frederic Massart <fred@moodle.com>
Date: Mon, 29 Jul 2013 11:42:04 +0800
Subject: [PATCH 1/2] MDL-40737 tool_uploadcourse: Prevent update of frontpage

---
 admin/tool/uploadcourse/classes/course.php    | 15 ++++++-
 .../lang/en/tool_uploadcourse.php             |  1 +
 admin/tool/uploadcourse/tests/course_test.php | 43 +++++++++++++++++++
 3 files changed, 58 insertions(+), 1 deletion(-)

diff --git a/admin/tool/uploadcourse/classes/course.php b/admin/tool/uploadcourse/classes/course.php
index faa404d347f..782e1e843b6 100644
--- a/admin/tool/uploadcourse/classes/course.php
+++ b/admin/tool/uploadcourse/classes/course.php
@@ -399,7 +399,7 @@ class tool_uploadcourse_course {
      * @return bool false is any error occured.
      */
     public function prepare() {
-        global $DB;
+        global $DB, $SITE;
         $this->prepared = true;
 
         // Validate the shortname.
@@ -432,6 +432,12 @@ class tool_uploadcourse_course {
                 $this->error('courseexistsanduploadnotallowed',
                     new lang_string('courseexistsanduploadnotallowed', 'tool_uploadcourse'));
                 return false;
+            } else if ($this->can_update()) {
+                // We can never allow for any front page changes!
+                if ($this->shortname == $SITE->shortname) {
+                    $this->error('cannotupdatefrontpage', new lang_string('cannotupdatefrontpage', 'tool_uploadcourse'));
+                    return false;
+                }
             }
         } else {
             if (!$this->can_create()) {
@@ -608,6 +614,13 @@ class tool_uploadcourse_course {
         if ($exists) {
             $missingonly = ($updatemode === tool_uploadcourse_processor::UPDATE_MISSING_WITH_DATA_OR_DEFAUTLS);
             $coursedata = $this->get_final_update_data($coursedata, $usedefaults, $missingonly);
+
+            // Make sure we are not trying to mess with the front page, though we should never get here!
+            if ($coursedata['id'] == $SITE->id) {
+                $this->error('cannotupdatefrontpage', new lang_string('cannotupdatefrontpage', 'tool_uploadcourse'));
+                return false;
+            }
+
             $this->do = self::DO_UPDATE;
         } else {
             $coursedata = $this->get_final_create_data($coursedata);
diff --git a/admin/tool/uploadcourse/lang/en/tool_uploadcourse.php b/admin/tool/uploadcourse/lang/en/tool_uploadcourse.php
index 83138d36a49..3be7ec4eff7 100644
--- a/admin/tool/uploadcourse/lang/en/tool_uploadcourse.php
+++ b/admin/tool/uploadcourse/lang/en/tool_uploadcourse.php
@@ -32,6 +32,7 @@ $string['cannotreadbackupfile'] = 'Cannot read the backup file';
 $string['cannotrenamecoursenotexist'] = 'Cannot rename a course that does not exist';
 $string['cannotrenameidnumberconflict'] = 'Cannot rename the course, the ID number conflicts with an existing course';
 $string['cannotrenameshortnamealreadyinuse'] = 'Cannot rename the course, the shortname is already used';
+$string['cannotupdatefrontpage'] = 'It is forbidden to modify the front page';
 $string['canonlyrenameinupdatemode'] = 'Can only rename a course when update is allowed';
 $string['canonlyresetcourseinupdatemode'] = 'Can only reset a course in update mode';
 $string['couldnotresolvecatgorybyid'] = 'Could not resolve category by ID';
diff --git a/admin/tool/uploadcourse/tests/course_test.php b/admin/tool/uploadcourse/tests/course_test.php
index f04a2eae104..8f047c20709 100644
--- a/admin/tool/uploadcourse/tests/course_test.php
+++ b/admin/tool/uploadcourse/tests/course_test.php
@@ -920,4 +920,47 @@ class tool_uploadcourse_course_testcase extends advanced_testcase {
         $this->assertArrayHasKey('courseshortnameincremented', $co->get_statuses());
     }
 
+    public function test_mess_with_frontpage() {
+        global $SITE;
+        $this->resetAfterTest(true);
+
+        // Updating the front page.
+        $mode = tool_uploadcourse_processor::MODE_UPDATE_ONLY;
+        $updatemode = tool_uploadcourse_processor::UPDATE_ALL_WITH_DATA_ONLY;
+        $data = array('shortname' => $SITE->shortname, 'idnumber' => 'NewIDN');
+        $importoptions = array();
+        $co = new tool_uploadcourse_course($mode, $updatemode, $data, array(), $importoptions);
+        $this->assertFalse($co->prepare());
+        $this->assertArrayHasKey('cannotupdatefrontpage', $co->get_errors());
+
+        // Updating the front page.
+        $mode = tool_uploadcourse_processor::MODE_CREATE_OR_UPDATE;
+        $updatemode = tool_uploadcourse_processor::UPDATE_ALL_WITH_DATA_ONLY;
+        $data = array('shortname' => $SITE->shortname, 'idnumber' => 'NewIDN');
+        $importoptions = array();
+        $co = new tool_uploadcourse_course($mode, $updatemode, $data, array(), $importoptions);
+        $this->assertFalse($co->prepare());
+        $this->assertArrayHasKey('cannotupdatefrontpage', $co->get_errors());
+
+        // Generating a shortname should not be allowed in update mode, and so we cannot update the front page.
+        $mode = tool_uploadcourse_processor::MODE_CREATE_OR_UPDATE;
+        $updatemode = tool_uploadcourse_processor::UPDATE_ALL_WITH_DATA_ONLY;
+        $data = array('idnumber' => 'NewIDN', 'fullname' => 'FN', 'category' => 1);
+        $importoptions = array('shortnametemplate' => $SITE->shortname);
+        $co = new tool_uploadcourse_course($mode, $updatemode, $data, array(), $importoptions);
+        $this->assertFalse($co->prepare());
+        $this->assertArrayHasKey('cannotgenerateshortnameupdatemode', $co->get_errors());
+
+        // Renaming to the front page should not be allowed.
+        $c1 = $this->getDataGenerator()->create_course();
+        $mode = tool_uploadcourse_processor::MODE_CREATE_OR_UPDATE;
+        $updatemode = tool_uploadcourse_processor::UPDATE_ALL_WITH_DATA_ONLY;
+        $data = array('shortname' => $c1->shortname, 'fullname' => 'FN', 'idnumber' => 'NewIDN', 'rename' => $SITE->shortname);
+        $importoptions = array('canrename' => true);
+        $co = new tool_uploadcourse_course($mode, $updatemode, $data, array(), $importoptions);
+        $this->assertFalse($co->prepare());
+        $this->assertArrayHasKey('cannotrenameshortnamealreadyinuse', $co->get_errors());
+
+    }
+
 }

From 42f4ba9b65fdeb2254ad94e8043665a1c783869f Mon Sep 17 00:00:00 2001
From: Frederic Massart <fred@moodle.com>
Date: Mon, 5 Aug 2013 15:32:43 +0800
Subject: [PATCH 2/2] MDL-40737 tool_uploadcourse: Prove that category equals
 to 0 is handled

---
 admin/tool/uploadcourse/tests/course_test.php | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/admin/tool/uploadcourse/tests/course_test.php b/admin/tool/uploadcourse/tests/course_test.php
index 8f047c20709..ee979b42ea8 100644
--- a/admin/tool/uploadcourse/tests/course_test.php
+++ b/admin/tool/uploadcourse/tests/course_test.php
@@ -768,6 +768,7 @@ class tool_uploadcourse_course_testcase extends advanced_testcase {
     }
 
     public function test_create_bad_category() {
+        global $DB;
         $this->resetAfterTest(true);
 
         // Ensure fails when category cannot be resolved upon creation.
@@ -778,6 +779,14 @@ class tool_uploadcourse_course_testcase extends advanced_testcase {
         $this->assertFalse($co->prepare());
         $this->assertArrayHasKey('couldnotresolvecatgorybyid', $co->get_errors());
 
+        // Ensure fails when category is 0 on create.
+        $mode = tool_uploadcourse_processor::MODE_CREATE_NEW;
+        $updatemode = tool_uploadcourse_processor::UPDATE_ALL_WITH_DATA_ONLY;
+        $data = array('shortname' => 'c1', 'summary' => 'summary', 'fullname' => 'FN', 'category' => '0');
+        $co = new tool_uploadcourse_course($mode, $updatemode, $data);
+        $this->assertFalse($co->prepare());
+        $this->assertArrayHasKey('missingmandatoryfields', $co->get_errors());
+
         // Ensure fails when category cannot be resolved upon update.
         $c1 = $this->getDataGenerator()->create_course();
         $mode = tool_uploadcourse_processor::MODE_UPDATE_ONLY;
@@ -786,6 +795,31 @@ class tool_uploadcourse_course_testcase extends advanced_testcase {
         $co = new tool_uploadcourse_course($mode, $updatemode, $data);
         $this->assertFalse($co->prepare());
         $this->assertArrayHasKey('couldnotresolvecatgorybyid', $co->get_errors());
+
+        // Ensure does not update the category when it is 0.
+        $c1 = $this->getDataGenerator()->create_course();
+        $mode = tool_uploadcourse_processor::MODE_UPDATE_ONLY;
+        $updatemode = tool_uploadcourse_processor::UPDATE_ALL_WITH_DATA_ONLY;
+        $data = array('shortname' => $c1->shortname, 'category' => '0');
+        $co = new tool_uploadcourse_course($mode, $updatemode, $data);
+        $this->assertTrue($co->prepare());
+        $this->assertEmpty($co->get_errors());
+        $this->assertEmpty($co->get_statuses());
+        $co->proceed();
+        $this->assertEquals($c1->category, $DB->get_field('course', 'category', array('id' => $c1->id)));
+
+        // Ensure does not update the category when it is set to 0 in the defaults.
+        $c1 = $this->getDataGenerator()->create_course();
+        $mode = tool_uploadcourse_processor::MODE_UPDATE_ONLY;
+        $updatemode = tool_uploadcourse_processor::UPDATE_ALL_WITH_DATA_OR_DEFAUTLS;
+        $data = array('shortname' => $c1->shortname);
+        $defaults = array('category' => '0');
+        $co = new tool_uploadcourse_course($mode, $updatemode, $data, $defaults);
+        $this->assertTrue($co->prepare());
+        $this->assertEmpty($co->get_errors());
+        $this->assertEmpty($co->get_statuses());
+        $co->proceed();
+        $this->assertEquals($c1->category, $DB->get_field('course', 'category', array('id' => $c1->id)));
     }
 
     public function test_enrolment_data() {