Commit a65e40c4 authored by Richard Mansfield's avatar Richard Mansfield

Stop users from editing note text in the wrong context (bug #736665)



When a user is allowed to put (for example) a group textbox inside
a personal view, they should not be able to edit the contents of
that textbox inside their personal view, because it's not clear
enough that they may be about to modify a note with a different
owner.  This is especially dangerous when a group textbox has been
added to the individual views of different group members, and any
one member is able to modify the group textbox through their own
view.

When saving an html artefact from a textbox block configuration
form, this patch adds a check to ensure that the view owner is the
same as the artefact owner.  If not, an error is not thrown, but
the artefact description is not updated either.  A later commit
will ensure that users are made aware which html artefacts are
editable, and which are read-only before the configuration form is
submitted.

This change also allows users to include html artefacts in a
textbox even when they only have 'republish' permission on the
artefact.

Change-Id: I3ec49f59b04679853ecd57e300e72f23f6ff9c9d
Signed-off-by: default avatarRichard Mansfield <richard.mansfield@catalyst.net.nz>
parent 9503d300
......@@ -217,12 +217,12 @@ EOF;
public static function instance_config_save($values, $instance) {
global $USER;
$data = array();
$view = $instance->get_view();
foreach (array('owner', 'group', 'institution') as $f) {
$data[$f] = $view->get($f);
}
if (empty($values['artefactid'])) {
$view = $instance->get_view();
foreach (array('owner', 'group', 'institution') as $f) {
$data[$f] = $view->get($f);
}
// The artefact title will be the same as the block title when the
// artefact is first created, or, if there's no block title, generate
// 'Note (1)', 'Note (2)', etc. After that, the artefact title can't
......@@ -236,17 +236,30 @@ EOF;
else {
$title = $values['title'];
}
$artefact = new ArtefactTypeHtml(0, $data);
$artefact->set('title', $title);
$artefact->set('description', $values['text']);
}
else {
$artefact = new ArtefactTypeHtml((int)$values['artefactid']);
$artefact = new ArtefactTypeHtml((int)$values['artefactid'], $data);
if (!$USER->can_edit_artefact($artefact)) {
throw new AccessDeniedException(get_string('accessdenied', 'error'));
}
if (!$USER->can_publish_artefact($artefact)) {
throw new AccessDeniedException(get_string('nopublishpermissiononartefact', 'mahara', hsc($artefact->get('title'))));
}
if (isset($title)) {
$artefact->set('title', $title);
// Stop users from editing html artefacts whose owner is not the same as the
// view owner, even if they would normally be allowed to edit the artefact.
// It's too confusing. Html artefacts with other owners *can* be included in
// the view read-only, provided the artefact has the correct republish
// permission.
if ($artefact->get('owner') === $data['owner']
&& $artefact->get('group') === $data['group']
&& $artefact->get('institution') === $data['institution']
&& $USER->can_edit_artefact($artefact)) {
$artefact->set('description', $values['text']);
}
}
$artefact->set('description', $values['text']);
$artefact->commit();
$values['artefactid'] = $artefact->get('id');
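Review bot: The `can_publish_artefact` failure path puts the artefact's title into the exception text (`hsc($artefact->get('title'))` with `nopublishpermissiononartefact`), so a caller who has just failed the permission check is shown the title of the note identified by `$values['artefactid']`. If that id is taken from the submitted block configuration, as the `(int)` cast suggests, the message reveals titles of notes the user has no rights on; a generic denial avoids that, e.g. `throw new AccessDeniedException(get_string('accessdenied', 'error'));`, the form used by the other check shown in this hunk. Separately, the owner/group/institution comparison only protects anything if the artefact's fields are loaded from storage rather than taken from `$data`. The page shows both a one-argument and a two-argument `new ArtefactTypeHtml(...)` line without markers, so confirm that the one-argument form is the one kept. The body of `instance_config_save` continues past the end of this hunk.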
......
......@@ -639,6 +639,7 @@ $string['Permissions'] = 'Permissions';
$string['republish'] = 'Publish';
$string['view'] = 'Page';
$string['artefactnotpublishable'] = 'Artefact %s is not publishable in page %s';
$string['nopublishpermissiononartefact'] = 'You don\'t have permission to publish %s';
$string['belongingto'] = 'Belonging to';
$string['allusers'] = 'All users';
......