From fae51910bf8d7e859f9dae807b9ca54089c5109e Mon Sep 17 00:00:00 2001 From: Adrian Greeve Date: Tue, 13 Nov 2012 09:42:45 +0800 Subject: [PATCH] MDL-31750 - course: Creating a consistent api for checking permissions for moving courses to different categories. --- course/category.php | 16 ++++++------- course/edit.php | 3 +++ course/edit_form.php | 4 ++-- course/lib.php | 53 ++++++++++++++++++++++++++++++++++++++++++++ lang/en/error.php | 1 + 5 files changed, 66 insertions(+), 11 deletions(-) diff --git a/course/category.php b/course/category.php index e363e4139fd..37b50a59b91 100644 --- a/course/category.php +++ b/course/category.php @@ -101,13 +101,8 @@ if ($editingon && $sesskeyprovided) { // Move a specified course to a new category if (!empty($moveto) and $data = data_submitted()) { - // Some courses are being moved - // user must have category update in both cats to perform this - require_capability('moodle/category:manage', $context); - require_capability('moodle/category:manage', context_coursecat::instance($moveto)); - - if (!$destcategory = $DB->get_record('course_categories', array('id' => $data->moveto))) { - print_error('cannotfindcategory', '', '', $data->moveto); + if (!$destcategory = $DB->get_record('course_categories', array('id' => $moveto))) { + print_error('cannotfindcategory', '', '', $moveto); } $courses = array(); @@ -126,7 +121,10 @@ if ($editingon && $sesskeyprovided) { } } } - move_courses($courses, $data->moveto); + if (!can_move_courses_to_category($courses, $moveto, $category->id)) { + print_error('cannotmovecoursetocategory'); + } + move_courses($courses, $moveto); } // Hide or show a course 
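Review bot: In the second course/category.php hunk, `can_move_courses_to_category($courses, $moveto, $category->id)` passes the page's category as the source, so the `moodle/category:manage` check runs against `$category` and not against the category each course is actually in. Whether every id in `$courses` is confirmed to belong to `$category` depends on the collection loop, which lies outside the hunk. If it is not, a submitted course id from another category would be authorised against the wrong source category. Either verify membership while building `$courses`, or have the helper compare the supplied source with the course's stored category before trusting it.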
@@ -435,7 +433,7 @@ if (!$courses) {
 if ($abletomovecourses) {
 $movetocategories = array();
 $notused = array();
- make_categories_list($movetocategories, $notused, 'moodle/category:manage');
+ make_categories_list($movetocategories, $notused, array('moodle/course:create', 'moodle/course:delete', 'moodle/category:manage'));
 $movetocategories[$category->id] = get_string('moveselectedcoursesto');
 echo '';
 echo html_writer::label(get_string('moveselectedcoursesto'), 'movetoid', false, array('class' => 'accesshide'));
diff --git a/course/edit.php b/course/edit.php
index 8fbb3a9f9bf..cc717aceb09 100644
--- a/course/edit.php
+++ b/course/edit.php
@@ -129,6 +129,9 @@ if ($editform->is_cancelled()) {
 }
 }
 } else {
+ if (!can_move_courses_to_category($course->id, $data->category)) {
+ print_error('cannotmovecoursetocategory');
+ }
 // Save any changes to the files used in the editor
 update_course($data, $editoroptions);
 }
diff --git a/course/edit_form.php b/course/edit_form.php
index 70b709a9978..d3bd38b0726 100644
--- a/course/edit_form.php
+++ b/course/edit_form.php
@@ -50,7 +50,7 @@ class course_edit_form extends moodleform {
 if (has_capability('moodle/course:create', $categorycontext)) {
 $displaylist = array();
 $parentlist = array();
- make_categories_list($displaylist, $parentlist, 'moodle/course:create');
+ make_categories_list($displaylist, $parentlist, array('moodle/course:create', 'moodle/course:delete', 'moodle/category:manage'));
 $mform->addElement('select', 'category', get_string('category'), $displaylist);
 $mform->addHelpButton('category', 'category');
 $mform->setDefault('category', $category->id);
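Review bot: The capability array on the added `make_categories_list()` line is repeated verbatim in both course/edit_form.php hunks, and it is not the rule that `can_move_courses_to_category()` enforces. The helper checks `moodle/course:create` and `moodle/course:delete` on the course being moved and only `moodle/category:manage` on the destination category. The select list and the server-side check can therefore disagree about which destinations are allowed. Defining the list once next to the helper in course/lib.php, with a comment such as `// Must match the destination checks in can_move_courses_to_category().`, would keep the three call sites aligned.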
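Review bot: The added check in the `else` branch runs on every save of an existing course, not only when the category changes. A user who edits other settings and leaves the category alone would then need `moodle/category:manage` on the current category plus `moodle/course:create` and `moodle/course:delete` on the course, or the save ends in `cannotmovecoursetocategory`. `$data->category` is also read without confirming the form supplied it. Guarding the call, for example `if (isset($data->category) && $data->category != $course->category && !can_move_courses_to_category($course->id, $data->category)) {`, limits the check to real moves, assuming `$course->category` holds the stored value at this point. The enclosing block starts outside the hunk.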
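Review bot: The guard on the first context line of this course/edit_form.php hunk still tests only `moodle/course:create`, while the changed `make_categories_list()` call now filters on three capabilities. A user who passes the guard can therefore get a list that omits `$category` (presumably the call keeps only categories where every listed capability is held; confirm). `setDefault('category', $category->id)` two lines below would then name a value that is absent from the select. If this branch is the new-course path, which the hunk does not show, requiring `moodle/course:delete` and `moodle/category:manage` just to choose a category for a new course looks stricter than intended, and keeping `'moodle/course:create'` here may be the right filter.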
@@ -63,7 +63,7 @@ class course_edit_form extends moodleform {
 if (has_capability('moodle/course:changecategory', $coursecontext)) {
 $displaylist = array();
 $parentlist = array();
- make_categories_list($displaylist, $parentlist, 'moodle/course:create');
+ make_categories_list($displaylist, $parentlist, array('moodle/course:create', 'moodle/course:delete', 'moodle/category:manage'));
 if (!isset($displaylist[$course->category])) {
 //always keep current
 $displaylist[$course->category] = format_string($DB->get_field('course_categories', 'name', array('id'=>$course->category)));
diff --git a/course/lib.php b/course/lib.php
index a772578334c..00d794f4777 100644
--- a/course/lib.php
+++ b/course/lib.php
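Review bot: The `//always keep current` fallback below the changed line now carries more weight, because the stricter three-capability filter will drop the course's own category more often and the fallback will put it back. That entry is then submitted unchanged on every save, so the server-side check must accept an unchanged category even when the user holds none of the move capabilities there. A comment on the fallback such as `// Current category is listed even without move rights; the server must allow it when unchanged.` would record that dependency. The `if` block continues outside the hunk.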
@@ -4526,3 +4526,56 @@ function include_course_ajax($course, $usedmodules = array(), $enabledmodules =
 function course_get_url($courseorid, $section = null, $options = array()) {
 return course_get_format($courseorid)->get_view_url($section, $options);
 }
+
+/**
+ * Determine whether a user can move a course to a different category.
+ *
+ * @param int|array $courseid The course ID (int) or course IDs (array) that are being moved.
+ * @param int $moveto The category ID of where we are moving the course to.
+ * @param int $movefrom The current category ID. If not provided will be looked up.
+ * @return bool True if the user can move the course. False if the user can't move the course.
+ */
+function can_move_courses_to_category($courseid, $moveto, $movefrom = null) {
+ global $DB;
+
+ $tocontext = context_coursecat::instance($moveto);
+
+ if (!has_capability('moodle/category:manage', $tocontext)) {
+ return false;
+ }
+
+ if (is_array($courseid)) {
+ foreach ($courseid as $id) {
+ if (!$movefrom) {
+ $movefrom = $DB->get_field('course', 'category', array('id' => $id));
+ }
+
+ $fromcontext = context_coursecat::instance($movefrom);
+ if (!has_capability('moodle/category:manage', $fromcontext)) {
+ return false;
+ }
+
+ $coursecontext = context_course::instance($id);
+ $capabilities = array('moodle/course:delete', 'moodle/course:create');
+ if (!has_all_capabilities($capabilities, $coursecontext)) {
+ return false;
+ }
+ }
+ } else {
+ if (!$movefrom) {
+ $movefrom = $DB->get_field('course', 'category', array('id' => $courseid));
+ }
+
+ $fromcontext = context_coursecat::instance($movefrom);
+ if (!has_capability('moodle/category:manage', $fromcontext)) {
+ return false;
+ }
+
+ $coursecontext = context_course::instance($courseid);
+ $capabilities = array('moodle/course:delete', 'moodle/course:create');
+ if (!has_all_capabilities($capabilities, $coursecontext)) {
+ return false;
+ }
+ }
+ return true;
+}
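Review bot: In the array branch of `can_move_courses_to_category()`, `$movefrom` is looked up only while it is empty, so every course after the first is checked against the first course's category. A caller-supplied `$movefrom` is likewise never compared with the category the course is really in, which means the source-side `moodle/category:manage` check can run against a category the course does not belong to. The result of `$DB->get_field()` is also passed straight into `context_coursecat::instance()` without checking that a category was found for the id. I would resolve the category per course, reject a `$movefrom` that does not match, and fold the two duplicated branches into one loop, as sketched below. The docblock's `@param int $movefrom` would also read more accurately as `int|null`.

```php
function can_move_courses_to_category($courseid, $moveto, $movefrom = null) {
    global $DB;

    // … unchanged: moodle/category:manage check on the destination category …

    // Treat a single id as a one-element list so both cases share one code path.
    $courseids = is_array($courseid) ? $courseid : array($courseid);
    $capabilities = array('moodle/course:delete', 'moodle/course:create');

    foreach ($courseids as $id) {
        // Resolve the source category for each course; never carry it over between iterations.
        $currentcategory = $DB->get_field('course', 'category', array('id' => $id));
        if ($currentcategory === false) {
            // Unknown course id.
            return false;
        }
        if ($movefrom && $movefrom != $currentcategory) {
            // The caller's source category does not match where the course is stored.
            return false;
        }

        if (!has_capability('moodle/category:manage', context_coursecat::instance($currentcategory))) {
            return false;
        }
        if (!has_all_capabilities($capabilities, context_course::instance($id))) {
            return false;
        }
    }
    return true;
}
```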
diff --git a/lang/en/error.php b/lang/en/error.php
index bf9e294fe07..10bc020150f 100644
--- a/lang/en/error.php
+++ b/lang/en/error.php
@@ -105,6 +105,7 @@ $string['cannotmigratedatacomments'] = 'Cannot migrate data module comments';
 $string['cannotmodulename'] = 'Cannot get the module name in build navigation';
 $string['cannotmoduletype'] = 'Cannot get the module type in build navigation';
 $string['cannotmoverolewithid'] = 'Cannot move role with ID {$a}';
+$string['cannotmovecoursetocategory'] = 'You can not move this course to the category specified';
 $string['cannotopencsv'] = 'Cannot open CSV file';
 $string['cannotopenfile'] = 'Cannot open file ({$a})';
 $string['cannotopenforwrit'] = 'Cannot open for writing: {$a}';
-- 
2.43.0