Commit 144f7f1e authored by Richard Mansfield's avatar Richard Mansfield

Check permissions on editing group views

parent 33c99283
......@@ -46,6 +46,7 @@ $string['ownerformatdescription'] = 'How do you want people who look at your Vie
// my views
$string['artefacts'] = 'Artefacts';
$string['myviews'] = 'My Views';
$string['groupviews'] = 'Group Views';
$string['groupviewsfor'] = 'Group Views for %s';
$string['reallyaddaccesstoemptyview'] = 'Your View contains no artefacts. Do you really want to give these users access to the View?';
$string['viewdeleted'] = 'View deleted';
......
......@@ -234,6 +234,37 @@ function group_user_access($groupid, $userid=null) {
return get_field('group_member', 'role', 'group', $groupid, 'member', $userid);
}
function group_user_can_edit_views($groupid, $userid=null) {
$groupid = (int)$groupid;
if ($groupid == 0) {
throw new InvalidArgumentException("group_user_access: group argument appears to be invalid: $groupid");
}
if (is_null($userid)) {
global $USER;
$userid = (int)$USER->get('id');
}
else {
$userid = (int)$userid;
}
if ($userid == 0) {
throw new InvalidArgumentException("group_user_access: user argument appears to be invalid: $userid");
}
return get_field_sql('
SELECT
r.edit_views
FROM
{group_member} m
INNER JOIN {group} g ON (m.group = g.id AND g.deleted = 0)
INNER JOIN {grouptype_roles} r ON (g.grouptype = r.grouptype AND m.role = r.role)
WHERE
m.group = ?
AND m.member = ?', array($groupid, $userid));
}
/**
* function to add a member to a group
* doesn't do any jointype checking, that should be handled by the caller
......
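Review bot: Both InvalidArgumentException messages in the new group_user_can_edit_views still read `group_user_access:`, so a thrown error points whoever reads the log at the wrong function; they should be `"group_user_can_edit_views: group argument appears to be invalid: $groupid"` and `"group_user_can_edit_views: user argument appears to be invalid: $userid"`. The function also carries no docblock, unlike the neighbouring helpers; a short one should say it returns the `edit_views` flag of the grouptype role held by the user's membership in a non-deleted group, with `$userid` defaulting to the logged-in `$USER`, and that callers treat a falsy return as "not permitted" — the value for a non-member depends on what get_field_sql returns when no row matches, which is not visible here and should be confirmed in that docblock. The parameterised query and the `(int)` casts with zero checks are the right shape for an authorization helper.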
......@@ -2,9 +2,11 @@
{include file="sidebar.tpl"}
{include file="columnleftstart.tpl"}
{if (!$groupid || $caneditgroupview)}
<span class="addicon fr">
<a href="{$WWWROOT}view/edit.php{if $group}?group={$group}{/if}">{str tag="createview" section="view"}</a>
<a href="{$WWWROOT}view/edit.php{if $groupid}?group={$groupid}{/if}">{str tag="createview" section="view"}</a>
</span>
{/if}
<h2>{$heading}</h2>
{if $groupid}{include file="group/tabstart.tpl" current="views"}{/if}
......
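Review bot: The new `{if}` condition tests `$caneditgroupview`, but view/groupviews.php assigns the variable as `caneditgroupviews` (its second hunk), so the name never matches and the create-view link stays hidden on every group page regardless of the user's permission. One side has to change; the smaller edit is in the template: `{if (!$groupid || $caneditgroupviews)}`. Since this gate only controls link visibility and the edit pages still run group_user_can_edit_views() server-side, the mismatch is a usability defect rather than a security hole, but it defeats the purpose of the assign.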
......@@ -47,7 +47,7 @@ else {
define('TITLE', get_string('editaccessforview', 'view', $view->get('title')));
}
if ($group && !group_user_access($group)) {
if ($group && !group_user_can_edit_views($group)) {
throw new AccessDeniedException();
}
......
......@@ -51,7 +51,7 @@ else {
define('TITLE', get_string('editblocksforview', 'view', $view->get('title')));
}
if ($group && !group_user_access($group)) {
if ($group && !group_user_can_edit_views($group)) {
throw new AccessDeniedException();
}
......
......@@ -57,7 +57,7 @@ else {
$group = $view->get('group');
}
if ($group && !group_user_access($group)) {
if ($group && !group_user_can_edit_views($group)) {
throw new AccessDeniedException();
}
......
......@@ -33,6 +33,7 @@ define('SECTION_PAGE', 'groupviews');
require(dirname(dirname(__FILE__)) . '/init.php');
require_once(get_config('docroot') . 'lib/view.php');
require_once(get_config('docroot') . 'lib/group.php');
require_once('pieforms/pieform.php');
define('TITLE', get_string('groupviews', 'view'));
......@@ -58,6 +59,7 @@ $pagination = build_pagination(array(
$smarty = smarty();
$smarty->assign('groupid', $group);
$smarty->assign('views', $data->data);
$smarty->assign('caneditgroupviews', group_user_can_edit_views($group));
$smarty->assign('pagination', $pagination['html']);
$smarty->assign('heading', get_string('groupviewsfor', 'view', get_field('group', 'name', 'id', $group)));
$smarty->display('view/index.tpl');
......