Commit f0a03781 authored by Richard Mansfield's avatar Richard Mansfield
Browse files

Permission checking for moving/deleting group artefacts

parent dc4f8c97
......@@ -36,10 +36,11 @@ $fileid = param_integer('id');
require_once(get_config('docroot') . 'artefact/lib.php');
$artefact = artefact_instance_from_id($fileid);
if (!$USER->can_edit_artefact($artefact)) {
json_reply('local', get_string('nodeletepermission', 'mahara'));
}
$artefact->delete();
global $USER;
json_reply(false, array('message' => get_string('filethingdeleted', 'artefact.file',
get_string($artefact->get('artefacttype'),
'artefact.file')),
......
......@@ -37,10 +37,7 @@ $newparentid = param_integer('newparent'); // Folder to move it to
require_once(get_config('docroot') . 'artefact/lib.php');
$artefact = artefact_instance_from_id($artefactid);
global $USER;
$userid = $USER->get('id');
if ($userid != $artefact->get('owner') && !$USER->can_edit_institution($artefact->get('institution'))) {
if (!$USER->can_edit_artefact($artefact)) {
json_reply(true, get_string('movefailednotowner', 'artefact.file'));
}
if (!in_array($artefact->get('artefacttype'), PluginArtefactFile::get_artefact_types())) {
......@@ -55,7 +52,11 @@ if ($newparentid > 0) {
json_reply(false, get_string('filealreadyindestination', 'artefact.file'));
}
$newparent = artefact_instance_from_id($newparentid);
if ($userid != $newparent->get('owner') && !$USER->can_edit_institution($newparent->get('institution'))) {
if (!$USER->can_edit_artefact($newparent)) {
json_reply(true, get_string('movefailednotowner', 'artefact.file'));
}
$group = $artefact->get('group');
if ($group && $group !== $newparent->get('group')) {
json_reply(true, get_string('movefailednotowner', 'artefact.file'));
}
if ($newparent->get('artefacttype') != 'folder') {
......
......@@ -403,6 +403,8 @@ abstract class ArtefactType {
delete_records('view_artefact', 'artefact', $this->id);
delete_records('artefact_feedback', 'artefact', $this->id);
delete_records('artefact_tag', 'artefact', $this->id);
delete_records('artefact_access_role', 'artefact', $this->id);
delete_records('artefact_access_usr', 'artefact', $this->id);
// Delete the record itself.
delete_records('artefact', 'id', $this->id);
......
......@@ -478,6 +478,7 @@ $string['Artefact'] = 'Artefact';
$string['Artefacts'] = 'Artefacts';
$string['artefactnotfound'] = 'Artefact with id %s not found';
$string['artefactnotrendered'] = 'Artefact not rendered';
$string['nodeletepermission'] = 'You do not have permission to delete this artefact';
$string['noeditpermission'] = 'You do not have permission to edit this artefact';
$string['Permissions'] = 'Permissions';
$string['republish'] = 'Publish';
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment