Check if the block instance belongs to the view Bug#1233500

When editing a page, check the ownership of blocks before 1. update the configuration data 2. delete/move them Change-Id: I0eab3d99ffe908db3b7c2e852dfdaabeafce1497 Signed-off-by: Son Nguyen <son.nguyen@catalyst.net.nz>

Check if the block instance belongs to the view Bug#1233500
When editing a page, check the ownership of blocks before 1. update the configuration data 2. delete/move them Change-Id: I0eab3d99ffe908db3b7c2e852dfdaabeafce1497 Signed-off-by: Son Nguyen <son.nguyen@catalyst.net.nz>
1fb737b9 · Son Nguyen · f5cebdef · 1fb737b9 · 1fb737b9 · 1fb737b9
Commit 1fb737b9 authored Oct 02, 2013 by Son Nguyen
Hide whitespace changes
Inline Side-by-side

Showing with 17 additions and 0 deletions

htdocs/lang/en.utf8/view.php htdocs/lang/en.utf8/view.php +1 -0

htdocs/lib/view.php htdocs/lib/view.php +12 -0

htdocs/view/blocks.php htdocs/view/blocks.php +4 -0

No files found.
--- a/htdocs/lang/en.utf8/view.php
+++ b/htdocs/lang/en.utf8/view.php
@@ -200,6 +200,7 @@ $string['canteditdontown'] = 'You cannot edit this page because you do not own i
 $string['canteditsubmitted'] = 'You cannot edit this page because it has been submitted for assessment to "%s". You will have to wait until a tutor releases the page.';
 $string['Submitted'] = 'Submitted';
 $string['submittedforassessment'] = 'Submitted for assessment';
+$string['blocknotinview'] = 'The block with ID "%d" is not in the page.';

 $string['viewcreatedsuccessfully'] = 'Page created successfully';
 $string['viewaccesseditedsuccessfully'] = 'Page access saved successfully';

--- a/htdocs/lib/view.php
+++ b/htdocs/lib/view.php
@@ -1680,6 +1680,10 @@ class View {
        }
        require_once(get_config('docroot') . 'blocktype/lib.php');
        $bi = new BlockInstance($values['id']); // get it so we can reshuffle stuff
+        // Check if the block_instance belongs to this view
+        if ($bi->get('view') != $this->get('id')) {
+            throw new AccessDeniedException(get_string('blocknotinview', 'view', $bi->get('id')));
+        }
        db_begin();
        $bi->delete();
        $this->shuffle_column($bi->get('column'), null, $bi->get('order'));
@@ -1704,6 +1708,10 @@ class View {
        }
        require_once(get_config('docroot') . 'blocktype/lib.php');
        $bi = new BlockInstance($values['id']);
+        // Check if the block_instance belongs to this view
+        if ($bi->get('view') != $this->get('id')) {
+            throw new AccessDeniedException(get_string('blocknotinview', 'view', $bi->get('id')));
+        }
        db_begin();
        // moving within the same column
        if ($bi->get('column') == $values['column']) {
@@ -1843,6 +1851,10 @@ class View {
    public function configureblockinstance($values) {
        require_once(get_config('docroot') . 'blocktype/lib.php');
        $bi = new BlockInstance($values['id']);
+        // Check if the block_instance belongs to this view
+        if ($bi->get('view') != $this->get('id')) {
+            throw new AccessDeniedException(get_string('blocknotinview', 'view', $bi->get('id')));
+        }
        return $bi->render_editing(true);
    }


--- a/htdocs/view/blocks.php
+++ b/htdocs/view/blocks.php
@@ -84,6 +84,10 @@ if ($blockid = param_integer('blockconfig', 0)) {
    if (!isset($_POST['cancel_action_configureblockinstance_id_' . $blockid]) || !param_integer('removeoncancel', 0) || param_integer('pieform_jssubmission', 0)) {
        require_once(get_config('docroot') . 'blocktype/lib.php');
        $bi = new BlockInstance($blockid);
+        // Check if the block_instance belongs to this view
+        if ($bi->get('view') != $view->get('id')) {
+            throw new AccessDeniedException(get_string('blocknotinview', 'view', $bi->get('id')));
+        }
        $bi->build_configure_form();
    }
 }