Permission checking for moving/deleting group artefacts

f0a03781 · Richard Mansfield · dc4f8c97 · f0a03781 · f0a03781 · f0a03781
Commit f0a03781 authored Jun 26, 2008 by Richard Mansfield
--- a/htdocs/artefact/file/delete.json.php
+++ b/htdocs/artefact/file/delete.json.php
@@ -36,10 +36,11 @@ $fileid = param_integer('id');
 require_once(get_config('docroot') . 'artefact/lib.php');

 $artefact = artefact_instance_from_id($fileid);
+if (!$USER->can_edit_artefact($artefact)) {
+    json_reply('local', get_string('nodeletepermission', 'mahara'));
+}
 $artefact->delete();

-global $USER;
-
 json_reply(false, array('message' => get_string('filethingdeleted', 'artefact.file', 
                                                get_string($artefact->get('artefacttype'),
                                                           'artefact.file')),

--- a/htdocs/artefact/file/move.json.php
+++ b/htdocs/artefact/file/move.json.php
@@ -37,10 +37,7 @@ $newparentid = param_integer('newparent');   // Folder to move it to
 require_once(get_config('docroot') . 'artefact/lib.php');
 $artefact = artefact_instance_from_id($artefactid);

-global $USER;
-$userid = $USER->get('id');
-
-if ($userid != $artefact->get('owner') && !$USER->can_edit_institution($artefact->get('institution'))) {
+if (!$USER->can_edit_artefact($artefact)) {
    json_reply(true, get_string('movefailednotowner', 'artefact.file'));
 }
 if (!in_array($artefact->get('artefacttype'), PluginArtefactFile::get_artefact_types())) {
@@ -55,7 +52,11 @@ if ($newparentid > 0) {
        json_reply(false, get_string('filealreadyindestination', 'artefact.file'));
    }
    $newparent = artefact_instance_from_id($newparentid);
-    if ($userid != $newparent->get('owner') && !$USER->can_edit_institution($newparent->get('institution'))) {
+    if (!$USER->can_edit_artefact($newparent)) {
+        json_reply(true, get_string('movefailednotowner', 'artefact.file'));
+    }
+    $group = $artefact->get('group');
+    if ($group && $group !== $newparent->get('group')) {
        json_reply(true, get_string('movefailednotowner', 'artefact.file'));
    }
    if ($newparent->get('artefacttype') != 'folder') {

--- a/htdocs/artefact/lib.php
+++ b/htdocs/artefact/lib.php
@@ -403,6 +403,8 @@ abstract class ArtefactType {
        delete_records('view_artefact', 'artefact', $this->id);
        delete_records('artefact_feedback', 'artefact', $this->id);
        delete_records('artefact_tag', 'artefact', $this->id);
+        delete_records('artefact_access_role', 'artefact', $this->id);
+        delete_records('artefact_access_usr', 'artefact', $this->id);
      
        // Delete the record itself.
        delete_records('artefact', 'id', $this->id);

--- a/htdocs/lang/en.utf8/mahara.php
+++ b/htdocs/lang/en.utf8/mahara.php
@@ -478,6 +478,7 @@ $string['Artefact'] = 'Artefact';
 $string['Artefacts'] = 'Artefacts';
 $string['artefactnotfound'] = 'Artefact with id %s not found';
 $string['artefactnotrendered'] = 'Artefact not rendered';
+$string['nodeletepermission'] = 'You do not have permission to delete this artefact';
 $string['noeditpermission'] = 'You do not have permission to edit this artefact';
 $string['Permissions'] = 'Permissions';
 $string['republish'] = 'Publish';