Commit 1e4f1c55 authored by Richard Mansfield

Add group view setting to prevent editing by non-admins (bug #631189)

Admins can set the 'locked' property on a group view, and this will
stop non-admin members from editing the view, regardless of the view
editing permissions given to roles within the group.

Change-Id: I56c113a9d4e8fcab5463fa1c54bf456f7fc2364b
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>
parent 76516823
......@@ -959,10 +959,10 @@ class User {
$group = $v->get('group');
if ($group) {
$this->reset_grouproles();
if ($v->get('type') == 'grouphomepage' && $this->grouproles[$group] != 'admin') {
if (!isset($this->grouproles[$group])) {
return false;
}
if (!isset($this->grouproles[$group])) {
if (($v->get('type') == 'grouphomepage' || $v->get('locked')) && $this->grouproles[$group] != 'admin') {
return false;
}
require_once('group.php');
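Review bot: The role test in the new condition uses a loose comparison, `$this->grouproles[$group] != 'admin'`, and this is the check that decides whether a locked view may be edited; `!== 'admin'` would keep the result independent of PHP's type juggling if a role ever arrives as a non-string value. The same loose test appears in the other sections of this commit (`group_user_access($group) != 'admin'`, `$grouproles[$group] == 'admin'`, `$role == 'admin'`). The +/- markers are lost on this page, so I am reading the `isset()` guard as having moved ahead of the role test, which is the right order. A one-line comment such as `// Locked views and the group homepage are admin-only, whatever edit permission the role has` would help, since the enclosing method starts and ends outside the hunk.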
......
......@@ -47,6 +47,8 @@ $string['unrecogniseddateformat'] = 'Unrecognised date format';
$string['allowcommentsonview'] = 'If checked, users will be allowed to leave comments.';
$string['ownerformat'] = 'Name display format';
$string['ownerformatdescription'] = 'How do you want people who look at your page to see your name?';
$string['Locked'] = 'Locked';
$string['lockedgroupviewdesc'] = 'If you lock this page, only group admins will be able to edit it.';
$string['profileviewtitle'] = 'Profile page';
$string['dashboardviewtitle'] = 'Dashboard page';
$string['grouphomepageviewtitle'] = 'Group Homepage';
......
......@@ -671,6 +671,7 @@
<FIELD NAME="allowcomments" TYPE="int" LENGTH="1" NOTNULL="true" DEFAULT="1" />
<FIELD NAME="approvecomments" TYPE="int" LENGTH="1" NOTNULL="true" DEFAULT="0" />
<FIELD NAME="accessconf" TYPE="char" LENGTH="40" NOTNULL="false"/>
<FIELD NAME="locked" TYPE="int" LENGTH="1" DEFAULT="0" NOTNULL="true" />
</FIELDS>
<KEYS>
<KEY NAME="primary" TYPE="primary" FIELDS="id" />
......
......@@ -2702,5 +2702,14 @@ function xmldb_core_upgrade($oldversion=0) {
change_field_type($table, $field, true, true);
}
if ($oldversion < 2011091200) {
// Locked group views (only editable by group admins)
$table = new XMLDBTable('view');
$field = new XMLDBField('locked');
$field->setAttributes(XMLDB_TYPE_INTEGER, 1, null, XMLDB_NOTNULL, null, null, null, 0);
add_field($table, $field);
set_field('view', 'locked', 1, 'type', 'grouphomepage');
}
return $status;
}
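Review bot: `set_field('view', 'locked', 1, 'type', 'grouphomepage')` marks only the group homepages that exist at upgrade time, and nothing visible in this commit sets `locked` on homepages created afterwards, so the column can drift from the type-based rule in the access check. The access check still tests the type, so this looks like a display inconsistency rather than a bypass, but a comment saying which of the two is authoritative would help. The return values of `add_field()` and `set_field()` are also not folded into `$status`; unless these helpers throw on failure, a failed column add would not change what the function returns. `xmldb_core_upgrade()` starts outside the hunk.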
......@@ -28,7 +28,7 @@
defined('INTERNAL') || die();
$config = new StdClass;
$config->version = 2011090900;
$config->version = 2011091200;
$config->release = '1.5.0dev';
$config->minupgradefrom = 2008040200;
$config->minupgraderelease = '1.0.0 (release tag 1.0.0_RELEASE)';
......
......@@ -70,6 +70,7 @@ class View {
private $approvecomments;
private $collection;
private $accessconf;
private $locked;
/**
* Valid view layouts. These are read at install time and inserted into
......@@ -2450,7 +2451,7 @@ class View {
$userid = (!$groupid && !$institution) ? $USER->get('id') : null;
$select = '
SELECT v.id,v.title,v.description,v.type,v.mtime';
SELECT v.id,v.title,v.description,v.type,v.mtime,v.locked';
$from = '
FROM {view} v';
$where = '
......@@ -2500,6 +2501,7 @@ class View {
$data[$i]['type'] = $viewdata[$i]->type;
$data[$i]['title'] = $viewdata[$i]->title;
$data[$i]['mtime'] = $viewdata[$i]->mtime;
$data[$i]['locked'] = $viewdata[$i]->locked;
$data[$i]['removable'] = self::can_remove_viewtype($viewdata[$i]->type);
$data[$i]['description'] = $viewdata[$i]->description;
if (!empty($viewdata[$i]->submitgroupid)) {
......@@ -3719,6 +3721,7 @@ class View {
* @return array, array
*/
function get_views_and_collections($owner=null, $group=null, $institution=null, $matchconfig=null, $includeprofile=true) {
$excludelocked = $group && group_user_access($group) != 'admin';
$ownersql = self::owner_sql((object) array('owner' => $owner, 'group' => $group, 'institution' => $institution));
$sql = "
SELECT v.id AS vid, v.type AS vtype, v.title AS vname, v.accessconf,
......@@ -3729,6 +3732,7 @@ class View {
LEFT JOIN {collection} c ON cv.collection = c.id
WHERE v.$ownersql AND v.type IN ('portfolio'";
$sql .= $includeprofile ? ", 'profile') " : ') ';
$sql .= $excludelocked ? 'AND v.locked != 1 ' : '';
$sql .= 'ORDER BY c.name, v.title';
$records = get_records_sql_array($sql, array());
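Review bot: The docblock of `get_views_and_collections()` should state that locked group views are left out for callers who are not admins of `$group`, because the new `$excludelocked` filter changes the result without anything in the signature showing it. Suggested line: `Locked group views are omitted unless the current user is an admin of $group.` The filter is evaluated for the logged-in user, since `group_user_access($group)` is called without a user argument, so a caller acting on behalf of another user would get the session user's list; presumably intended, but worth stating. This is a listing filter only, and the edit restriction itself rests on the access check in the User class. The function body continues outside the hunk.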
......
......@@ -46,10 +46,10 @@
{/if}
</td>
<td class="right buttonscell btns2">
{if !$view.submittedto}
{if !$view.submittedto && (!$view.locked || $editlocked)}
<a href="{$WWWROOT}view/blocks.php?id={$view.id}" title="{str tag ="editcontentandlayout" section="view"}"><img src="{theme_url filename='images/edit.gif'}" alt="{str tag=edit}"></a>
{/if}
{if !$view.submittedto && $view.removable}
{if !$view.submittedto && $view.removable && (!$view.locked || $editlocked)}
<a href="{$WWWROOT}view/delete.php?id={$view.id}" title="{str tag=deletethisview section=view}"><img src="{theme_url filename='images/icon_close.gif'}" alt="{str tag=delete}"></a>
{/if}
</td>{* rbuttons *}
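Review bot: The added `(!$view.locked || $editlocked)` conditions only hide the edit and delete links, so `view/blocks.php` and `view/delete.php` each have to refuse a locked view for non-admins on the server side. The edit path appears to be covered by the access check changed in the User class, but no change to the delete handler is visible in this commit; please confirm it goes through the same check. `$editlocked` is assigned only on the group views page here, so if another page includes this template it will be unset there and locked views would lose their links even for admins.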
......
......@@ -125,6 +125,19 @@ $editview = array(
),
);
if ($group) {
$grouproles = $USER->get('grouproles');
if ($grouproles[$group] == 'admin') {
$editview['elements']['locked'] = array(
'type' => 'checkbox',
'title' => get_string('Locked', 'view'),
'description' => get_string('lockedgroupviewdesc', 'view'),
'defaultvalue' => $view->get('locked'),
'disabled' => $view->get('type') == 'grouphomepage', // This page unreachable for grouphomepage anyway
);
}
}
if (!($group || $institution)) {
$default = $view->get('ownerformat');
if (!$default) {
......@@ -154,6 +167,9 @@ function editview_submit(Pieform $form, $values) {
$view->set('title', $values['title']);
$view->set('description', $values['description']);
$view->set('tags', $values['tags']);
if (isset($values['locked'])) {
$view->set('locked', (int)$values['locked']);
}
if (isset($values['ownerformat']) && $view->get('owner')) {
$view->set('ownerformat', $values['ownerformat']);
}
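Review bot: `editview_submit()` stores `locked` whenever the key is present in `$values`, and the only thing stopping a non-admin from setting it is that the checkbox is not added to their form. That holds if Pieform discards fields the form did not declare, which is not visible here; repeating the role test in the handler would make the rule explicit, e.g. `if (isset($values['locked']) && group_user_access($view->get('group')) === 'admin') {`. In the form-building hunk, `$grouproles[$group] == 'admin'` reads an index that may be unset for a non-member, the same pattern the User class hunk guards with `isset()`. Both the form array and the submit handler continue outside the hunks.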
......
......@@ -46,7 +46,8 @@ if (!is_logged_in() && !$group->public) {
define('TITLE', $group->name . ' - ' . get_string('groupviews', 'view'));
$can_edit = group_user_can_edit_views($group);
$role = group_user_access($group->id);
$can_edit = $role && group_role_can_edit_views($group, $role);
// If the user can edit group views, show a page similar to the my views
// page, otherwise just show a list of the views owned by this group that
......@@ -85,6 +86,7 @@ list($searchform, $data, $pagination) = View::views_by_owner($group->id);
$createviewform = pieform(create_view_form($group->id));
$smarty = smarty();
$smarty->assign('editlocked', $role == 'admin');
$smarty->assign('views', $data->data);
$smarty->assign('pagination', $pagination['html']);
$smarty->assign('searchform', $searchform);
......