Commit cf735e83 authored by Cecilia Vela Gurovic's avatar Cecilia Vela Gurovic

Bug 1666685: hide buttons from users with no access to group journal

When a member/tutor doesn't have access to edit or create
in the group, the buttons to edit, publish, create entry,
create journal, and delete are hidden.

Also, when a group edit/create access permission is
changed, we update the role permissions for each
blog and blogpost artefact in the group.

behatnotneeded

Change-Id: Ic06fbc7112f14a6038cdb0bb3beb8f93aed6f633
parent 759c87f8
......@@ -69,7 +69,7 @@ if ($institution = param_alphanum('institution', null)) {
}
else if ($groupid = param_alphanum('group', null)) {
$blogs->group = $groupid;
$group = get_group_by_id($groupid);
$group = get_group_by_id($groupid, false, true, true);
define('TITLE', $group->name);
}
else {
......@@ -101,6 +101,7 @@ $smarty = smarty(array('paginator'));
$smarty->assign('blogs', $blogs);
$smarty->assign('institutionname', $institutionname);
$smarty->assign('group', $groupid);
$smarty->assign('canedit', (!empty($group) ? $group->canedit : true));
$js = '';
if ($blogs->pagination_js) {
$js .= 'jQuery(function() {' . $blogs->pagination_js . '});';
......
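Review bot: The `canedit` value assigned to Smarty in the second hunk only decides whether the buttons are rendered; the URLs behind them, such as `artefact/blog/post.php` and the delete form, stay reachable without the buttons. The `artefact_access_role` updates elsewhere in this commit suggest the handlers are meant to enforce the role server-side, but none of those handlers appear in the diff, so that should be confirmed before this change is relied on for access control. I would add a comment above the assignment, `// Display hint only; edit, publish and delete requests must be authorised by the handlers themselves.`, and a short comment saying what the three boolean arguments to `get_group_by_id()` request, since `$group->canedit` depends on them. The same applies to the identical assignment in the later file section (hunk at -212).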
......@@ -380,6 +380,7 @@ class ArtefactTypeBlog extends ArtefactType {
$sql .= ' AND b.group = ?';
$values = array($group);
$count = (int)get_field('artefact', 'COUNT(*)', 'group', $group, 'artefacttype', 'blog');
$groupdata = get_group_by_id($group, false, true, true);
}
else {
$sql .= ' AND b.owner = ?';
......@@ -394,6 +395,7 @@ class ArtefactTypeBlog extends ArtefactType {
if (!$r->locked) {
$r->deleteform = ArtefactTypeBlog::delete_form($r->id, $r->title);
}
$r->canedit = (!empty($groupdata) ? $groupdata->canedit : true);
}
return array($count, $result);
......@@ -982,7 +984,7 @@ class ArtefactTypeBlogPost extends ArtefactType {
SELECT
a.id, a.title, a.description, a.author, a.authorname, ' .
db_format_tsfield('a.ctime', 'ctime') . ', ' . db_format_tsfield('a.mtime', 'mtime') . ',
a.locked, bp.published, a.allowcomments ' . $from . '
a.locked, bp.published, a.allowcomments, a.group ' . $from . '
ORDER BY bp.published ASC, a.ctime DESC, a.id DESC',
array($id),
$offset, $limit
......@@ -1046,6 +1048,11 @@ class ArtefactTypeBlogPost extends ArtefactType {
safe_require('artefact', 'file');
$post->description = ArtefactTypeFolder::append_view_url($post->description, $viewoptions['viewid']);
}
if (isset($post->group)) {
$group = get_group_by_id($post->group, false, true, true);
}
$post->canedit = (isset($group) ? $group->canedit : true);
}
$results['data'] = array_values($data);
......
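Review bot: In the last hunk `$group` is assigned only when `$post->group` is set and is never reset, so in what appears to be the per-post loop a post without a group would inherit the previous iteration's group (or any `$group` defined earlier in the method, which is outside the hunk) and receive that group's `canedit`. It also performs one `get_group_by_id()` lookup per post, although the query appears to select the posts of a single journal. Resetting per post avoids the stale value: `$group = isset($post->group) ? get_group_by_id($post->group, false, true, true) : null;` followed by `$post->canedit = $group ? $group->canedit : true;`; resolving the group once before the loop would be better still. The enclosing method starts and ends outside the hunk.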
......@@ -51,7 +51,7 @@ if ($institution = param_alphanum('institution', null)) {
}
}
else if ($groupid = param_alphanum('group', null)) {
$group = get_group_by_id($groupid);
$group = get_group_by_id($groupid, false, true, true);
$title = get_string('groupblogs', 'artefact.blog', $group->name);
}
else if ($id) {
......@@ -59,7 +59,7 @@ else if ($id) {
$institution = $institutionname = $blogobj->get('institution');
$groupid = $blogobj->get('group');
if ($groupid) {
$group = get_group_by_id($groupid);
$group = get_group_by_id($groupid, false, true, true);
}
$title = get_string('viewbloggroup', 'artefact.blog', $blogobj->get('title'));
if ($institution && $institution != 'mahara') {
......@@ -212,6 +212,8 @@ else if (!$USER->get_account_preference('multipleblogs')) {
}
}
$smarty->assign('canedit', (!empty($group) ? $group->canedit : true));
$smarty->assign('blog', $blog);
$smarty->assign('posts', $posts);
$smarty->display('artefact:blog:view.tpl');
......
......@@ -589,6 +589,8 @@ function group_update($new, $create=false) {
// Institution cannot be updated (yet)
unset($new->institution);
$update_blog_access = ($new->editroles != $old->editroles);
foreach (array('id', 'grouptype', 'public', 'request', 'submittableto', 'allowarchives', 'editroles',
'hidden', 'hidemembers', 'hidemembersfrommembers', 'groupparticipationreports') as $f) {
if (!isset($new->$f)) {
......@@ -688,6 +690,38 @@ function group_update($new, $create=false) {
array_merge(array($new->id), $allowedroles)
);
// When the group type changes, make sure the access for tutors
// to the group artefacts are updated
if ($old->grouptype != $new->grouptype) {
if ($new->grouptype == 'course') {
$ids = get_records_select_array('artefact',
'"group" = ' . $new->id . ' AND artefacttype IN (\'blog\', \'blogpost\')',
null, '', 'id');
$access = ($old->editroles == 'all' || $old->editroles == 'notmember');
db_begin();
foreach ($ids as $i => $artefact) {log_debug($artefact->id);
insert_record('artefact_access_role', (object) array(
'artefact' => $artefact->id,
'role' => 'tutor',
'can_view' => 1,
'can_edit' => (int) $access,
'can_republish' => (int) $access,
));
}
db_commit();
}
else { //grouptype = standard
$query = 'DELETE FROM {artefact_access_role}
WHERE role = \'tutor\'
AND artefact IN (
SELECT a.id FROM {artefact} a
WHERE a.group = ?
AND a.artefacttype IN (\'blog\', \'blogpost\')
)';
execute_sql($query, array($new->id));
}
}
// When a group changes from public -> private or vice versa, set the
// appropriate access permissions on the group homepage view.
if ($old->public != $new->public) {
......@@ -710,6 +744,35 @@ function group_update($new, $create=false) {
}
}
// When the create/edit permissions change, update permissions on journal and posts
if ($update_blog_access) {
$edit_access = array();
if ($old->editroles == 'all') {
$edit_access['member'] = 0;
}
else if ($old->editroles == 'admin') {
$edit_access['tutor'] = 1;
}
if ($new->editroles == 'all') {
$edit_access['member'] = 1;
}
else if ($new->editroles == 'admin') {
$edit_access['tutor'] = 0;
}
foreach ($edit_access as $role => $value) {
$query = 'UPDATE {artefact_access_role}
SET can_edit = ?, can_republish = ?
WHERE role = \'' . $role . '\'
AND artefact IN (
SELECT a.id FROM {artefact} a
WHERE a.group = ?
AND a.artefacttype IN (\'blog\', \'blogpost\')
)';
execute_sql($query, array($value, $value, $new->id));
}
}
db_commit();
return $diff;
......
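Review bot: In the `grouptype` branch of the second hunk the artefact lookup builds its WHERE clause by concatenating `$new->id`, while the DELETE and UPDATE statements added by the same commit bind it with `?`; bind it here as well: `get_records_select_array('artefact', '"group" = ? AND artefacttype IN (\'blog\', \'blogpost\')', array($new->id), '', 'id');`. The `foreach` over `$ids` still carries a leftover `log_debug($artefact->id);` and, assuming the helper returns false for an empty result, will be handed a non-array when the group has no journals, so wrap it in `if ($ids)`. In the last hunk `$role` is interpolated into the UPDATE; its values are the literal keys 'member' and 'tutor', so it is not attacker-controlled, but binding it as a third `?` keeps the statement consistent with the rest. group_update starts and ends outside these hunks.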
......@@ -22,12 +22,14 @@
</a>
</div>
{if $blog->canedit}
<div class="panel-footer has-form">
<a href="{$WWWROOT}artefact/blog/post.php?blog={$blog->id}" class="btn btn-default btn-sm">
<span class="icon icon-plus icon-lg left" role="presentation" aria-hidden="true"></span>
<span class="sr-only">{str tag=addpostspecific arg1=$blog->title section=artefact.blog |escape:html|safe}</span>
{str tag=addpost section=artefact.blog}
</a>
<div class="btn-group pull-right">
{if $blog->locked}
<span class="text-small">{str tag=submittedforassessment section=view}</span>
......@@ -37,8 +39,9 @@
<span class="sr-only">{str tag=editspecific arg1=$blog->title}</span>
</a>
{$blog->deleteform|safe}
{/if}
</div>
{/if}
</div>
{/if}
</div>
{/foreach}
{include file="header.tpl"}
{if !$group || $canedit}
<div class="btn-top-right btn-group btn-group-top">
<a class="btn btn-default settings" href="{$WWWROOT}artefact/blog/new/index.php{if $institutionname}?institution={$institutionname}{/if}{if $group}?group={$group}{/if}">
<span class="icon icon-lg icon-plus left" role="presentation" aria-hidden="true"></span>
{str section="artefact.blog" tag="addblog"}
</a>
</div>
{/if}
{if !$blogs->data}
<p class="no-results">{str tag=youhavenoblogs section=artefact.blog}</p>
{else}
......
......@@ -14,7 +14,7 @@
{/if}
</span>
{if !$post->locked}
{if !$post->locked && $post->canedit}
<span id="changepoststatus{$post->id}" class="changepoststatus text-inline">
{$post->changepoststatus|safe}
</span>
......@@ -25,7 +25,7 @@
<span class="icon icon-lock left" role="presentation" aria-hidden="true"></span>
{str tag=submittedforassessment section=view}
</span>
{else}
{elseif $post->canedit}
<div class="btn-group postcontrols">
<form name="edit_{$post->id}" action="{$WWWROOT}artefact/blog/post.php" class="form-as-button pull-left">
<input type="hidden" name="id" value="{$post->id}">
......
{include file="header.tpl"}
{if $canedit}
<div class="btn-top-right btn-group btn-group-top">
<a class="btn btn-default addpost" href="{$WWWROOT}artefact/blog/post.php?blog={$blog->get('id')}">
<span class="icon icon-lg icon-plus left" role="presentation" aria-hidden="true"></span>
......@@ -11,6 +12,7 @@
</a>
{/if}
</div>
{/if}
<div id="myblogs" class="myblogs view-container">
<p id="blogdescription">
{clean_html($blog->get('description'))|safe}
......
......@@ -58,7 +58,6 @@ if (!$can_edit) {
'count' => $data->count,
'limit' => $limit,
'offset' => $offset,
'orderby' => $orderby,
'group' => $group->id,
'databutton' => 'showmorebtn',
'jsonscript' => 'json/viewlist.php',
......