Commit a37dd7e8 authored by Richard Mansfield

Check user has edit permission on parent folder when uploading files

parent 4a2d44bd
......@@ -50,32 +50,36 @@ $data->title = $title;
$data->description = $description;
$data->tags = $tags;
$data->owner = null;
if ($institution) {
$data->institution = $institution;
} else if ($group) {
require_once(get_config('docroot') . 'artefact/lib.php');
require_once(get_config('libroot') . 'group.php');
if ($parentfolder && !$USER->can_edit_artefact(artefact_instance_from_id($parentfolder))) {
$result->error = 'local';
$result->message = get_string('cannoteditfolder', 'artefact.file');
} else if (!$parentfolder) {
$role = group_user_access($group);
if (!$role) {
$result->error = 'local';
$result->message = get_string('usernotingroup', 'mahara');
}
// Use default grouptype artefact permissions to check if the
// user can upload a file to the group's root directory
$permissions = group_get_default_artefact_permissions($group);
if (!$permissions[$role]->edit) {
$result->error = 'local';
$result->message = get_string('cannoteditfolder', 'artefact.file');
require_once(get_config('docroot') . 'artefact/lib.php');
if ($parentfolder && !$USER->can_edit_artefact(artefact_instance_from_id($parentfolder))) {
$result->error = 'local';
$result->message = get_string('cannoteditfolder', 'artefact.file');
}
else {
if ($institution) {
$data->institution = $institution;
} else if ($group) {
require_once(get_config('libroot') . 'group.php');
if (!$parentfolder) {
$role = group_user_access($group);
if (!$role) {
$result->error = 'local';
$result->message = get_string('usernotingroup', 'mahara');
}
// Use default grouptype artefact permissions to check if the
// user can upload a file to the group's root directory
$permissions = group_get_default_artefact_permissions($group);
if (!$permissions[$role]->edit) {
$result->error = 'local';
$result->message = get_string('cannoteditfolder', 'artefact.file');
}
}
$data->group = $group;
$data->rolepermissions = (array) json_decode(param_variable('permissions'));
} else {
$data->owner = $USER->get('id');
}
$data->group = $group;
$data->rolepermissions = (array) json_decode(param_variable('permissions'));
} else {
$data->owner = $USER->get('id');
}
$data->container = 0;
$data->locked = 0;
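Review bot: The hoisted check authorises the upload against `$parentfolder` alone, and nothing in this hunk confirms that the folder belongs to the `$group` or `$institution` that is then copied into `$data`, so the two request values are never tied together here. Unless that is validated outside the hunk, load the folder once with `$folder = artefact_instance_from_id($parentfolder);` and reject the request when `$folder->get('group')` or `$folder->get('institution')` differs from the submitted value, before the owner branch runs. In the root-folder branch a missing `$role` still falls through to `$permissions[$role]->edit`, which indexes the permissions array with a false key and overwrites the `usernotingroup` message; chaining the second test as `else if (!$permissions[$role]->edit)` avoids both. The `$institution` branch has no root-folder permission check visible at all when `$parentfolder` is empty. Whether a set `$result->error` actually stops the upload is decided outside the hunk, so the code that follows should be confirmed to return before `$data` is saved.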
......