Add group view setting to prevent editing by non-admins (bug #631189)

Admins can set the 'locked' property on a group view, and this will
stop non-admin members from editing the view, regardless of the view
editing permissions given to roles within the group.

Change-Id: I56c113a9d4e8fcab5463fa1c54bf456f7fc2364b
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>

htdocs/auth/user.php

@@ -959,10 +959,10 @@ class User {
         $group = $v->get('group');
         if ($group) {
             $this->reset_grouproles();
-            if ($v->get('type') == 'grouphomepage' && $this->grouproles[$group] != 'admin') {
+            if (!isset($this->grouproles[$group])) {
                 return false;
             }
-            if (!isset($this->grouproles[$group])) {
+            if (($v->get('type') == 'grouphomepage' || $v->get('locked')) && $this->grouproles[$group] != 'admin') {
                 return false;
             }
             require_once('group.php');

htdocs/lang/en.utf8/view.php

@@ -47,6 +47,8 @@ $string['unrecogniseddateformat'] = 'Unrecognised date format';
 $string['allowcommentsonview']    = 'If checked, users will be allowed to leave comments.';
 $string['ownerformat']            = 'Name display format';
 $string['ownerformatdescription'] = 'How do you want people who look at your page to see your name?';
+$string['Locked']                 = 'Locked';
+$string['lockedgroupviewdesc']    = 'If you lock this page, only group admins will be able to edit it.';
 $string['profileviewtitle']       = 'Profile page';
 $string['dashboardviewtitle']     = 'Dashboard page';
 $string['grouphomepageviewtitle'] = 'Group Homepage';

htdocs/lib/db/install.xml

@@ -671,6 +671,7 @@
                 <FIELD NAME="allowcomments" TYPE="int" LENGTH="1" NOTNULL="true" DEFAULT="1"  />
                 <FIELD NAME="approvecomments" TYPE="int" LENGTH="1" NOTNULL="true" DEFAULT="0"  />
                 <FIELD NAME="accessconf" TYPE="char" LENGTH="40" NOTNULL="false"/>
+                <FIELD NAME="locked" TYPE="int" LENGTH="1" DEFAULT="0" NOTNULL="true" />
             </FIELDS>
             <KEYS>
                 <KEY NAME="primary" TYPE="primary" FIELDS="id" />

htdocs/lib/db/upgrade.php

@@ -2702,5 +2702,14 @@ function xmldb_core_upgrade($oldversion=0) {
         change_field_type($table, $field, true, true);
     }
 
+    if ($oldversion < 2011091200) {
+        // Locked group views (only editable by group admins)
+        $table = new XMLDBTable('view');
+        $field = new XMLDBField('locked');
+        $field->setAttributes(XMLDB_TYPE_INTEGER, 1, null, XMLDB_NOTNULL, null, null, null, 0);
+        add_field($table, $field);
+        set_field('view', 'locked', 1, 'type', 'grouphomepage');
+    }
+
     return $status;
 }

htdocs/lib/version.php

@@ -28,7 +28,7 @@
 defined('INTERNAL') || die();
 
 $config = new StdClass;
-$config->version = 2011090900;
+$config->version = 2011091200;
 $config->release = '1.5.0dev';
 $config->minupgradefrom = 2008040200;
 $config->minupgraderelease = '1.0.0 (release tag 1.0.0_RELEASE)';

htdocs/lib/view.php

@@ -70,6 +70,7 @@ class View {
     private $approvecomments;
     private $collection;
     private $accessconf;
+    private $locked;
 
     /**
      * Valid view layouts. These are read at install time and inserted into
@@ -2450,7 +2451,7 @@ class View {
         $userid = (!$groupid && !$institution) ? $USER->get('id') : null;
 
         $select = '
-            SELECT v.id,v.title,v.description,v.type,v.mtime';
+            SELECT v.id,v.title,v.description,v.type,v.mtime,v.locked';
         $from = '
             FROM {view} v';
         $where = '
@@ -2500,6 +2501,7 @@ class View {
                 $data[$i]['type'] = $viewdata[$i]->type;
                 $data[$i]['title'] = $viewdata[$i]->title;
                 $data[$i]['mtime'] = $viewdata[$i]->mtime;
+                $data[$i]['locked'] = $viewdata[$i]->locked;
                 $data[$i]['removable'] = self::can_remove_viewtype($viewdata[$i]->type);
                 $data[$i]['description'] = $viewdata[$i]->description;
                 if (!empty($viewdata[$i]->submitgroupid)) {
@@ -3719,6 +3721,7 @@ class View {
      * @return array, array
      */
     function get_views_and_collections($owner=null, $group=null, $institution=null, $matchconfig=null, $includeprofile=true) {
+        $excludelocked = $group && group_user_access($group) != 'admin';
         $ownersql = self::owner_sql((object) array('owner' => $owner, 'group' => $group, 'institution' => $institution));
         $sql = "
             SELECT v.id AS vid, v.type AS vtype, v.title AS vname, v.accessconf,
@@ -3729,6 +3732,7 @@ class View {
                 LEFT JOIN {collection} c ON cv.collection = c.id
             WHERE v.$ownersql AND v.type IN ('portfolio'";
         $sql .= $includeprofile ? ", 'profile') " : ') ';
+        $sql .= $excludelocked ? 'AND v.locked != 1 ' : '';
         $sql .= 'ORDER BY c.name, v.title';
         $records = get_records_sql_array($sql, array());
 

htdocs/theme/raw/templates/view/index.tpl

@@ -46,10 +46,10 @@
 {/if}
                         </td>
                         <td class="right buttonscell btns2">
-{if !$view.submittedto}
+{if !$view.submittedto && (!$view.locked || $editlocked)}
                                 <a href="{$WWWROOT}view/blocks.php?id={$view.id}" title="{str tag ="editcontentandlayout" section="view"}"><img src="{theme_url filename='images/edit.gif'}" alt="{str tag=edit}"></a>
 {/if}
-{if !$view.submittedto && $view.removable}
+{if !$view.submittedto && $view.removable && (!$view.locked || $editlocked)}
                                 <a href="{$WWWROOT}view/delete.php?id={$view.id}" title="{str tag=deletethisview section=view}"><img src="{theme_url filename='images/icon_close.gif'}" alt="{str tag=delete}"></a>
 {/if}
                         </td>{* rbuttons *}

htdocs/view/edit.php

@@ -125,6 +125,19 @@ $editview = array(
     ),
 );
 
+if ($group) {
+    $grouproles = $USER->get('grouproles');
+    if ($grouproles[$group] == 'admin') {
+        $editview['elements']['locked'] = array(
+            'type'         => 'checkbox',
+            'title'        => get_string('Locked', 'view'),
+            'description'  => get_string('lockedgroupviewdesc', 'view'),
+            'defaultvalue' => $view->get('locked'),
+            'disabled'     => $view->get('type') == 'grouphomepage', // This page unreachable for grouphomepage anyway
+        );
+    }
+}
+
 if (!($group || $institution)) {
     $default = $view->get('ownerformat');
     if (!$default) {
@@ -154,6 +167,9 @@ function editview_submit(Pieform $form, $values) {
     $view->set('title', $values['title']);
     $view->set('description', $values['description']);
     $view->set('tags', $values['tags']);
+    if (isset($values['locked'])) {
+        $view->set('locked', (int)$values['locked']);
+    }
     if (isset($values['ownerformat']) && $view->get('owner')) {
         $view->set('ownerformat', $values['ownerformat']);
     }

htdocs/view/groupviews.php

@@ -46,7 +46,8 @@ if (!is_logged_in() && !$group->public) {
 
 define('TITLE', $group->name . ' - ' . get_string('groupviews', 'view'));
 
-$can_edit = group_user_can_edit_views($group);
+$role = group_user_access($group->id);
+$can_edit = $role && group_role_can_edit_views($group, $role);
 
 // If the user can edit group views, show a page similar to the my views
 // page, otherwise just show a list of the views owned by this group that
@@ -85,6 +86,7 @@ list($searchform, $data, $pagination) = View::views_by_owner($group->id);
 $createviewform = pieform(create_view_form($group->id));
 
 $smarty = smarty();
+$smarty->assign('editlocked', $role == 'admin');
 $smarty->assign('views', $data->data);
 $smarty->assign('pagination', $pagination['html']);
 $smarty->assign('searchform', $searchform);