MDL-59195 assignsubmission_comments: fix permission checks
[moodle.git] / mod / assign / submission / comments / lib.php
1 <?php
2 // This file is part of Moodle - http://moodle.org/
3 //
4 // Moodle is free software: you can redistribute it and/or modify
5 // it under the terms of the GNU General Public License as published by
6 // the Free Software Foundation, either version 3 of the License, or
7 // (at your option) any later version.
8 //
9 // Moodle is distributed in the hope that it will be useful,
10 // but WITHOUT ANY WARRANTY; without even the implied warranty of
11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12 // GNU General Public License for more details.
13 //
14 // You should have received a copy of the GNU General Public License
15 // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
17 /**
18  * This file contains the moodle hooks for the submission comments plugin
19  *
20  * @package   assignsubmission_comments
21  * @copyright 2012 NetSpot {@link http://www.netspot.com.au}
22  * @license   http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
23  */
// Stop immediately unless MOODLE_INTERNAL is already defined, so the callbacks below are only
// loaded by code that has defined that constant and never by requesting this file on its own.
if (!defined('MOODLE_INTERNAL')) {
    die();
}
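/**
 * Data validation callback, required by the Moodle AJAX comment API.
 *
 * A request is accepted only when all three of the following hold:
 *  - the comment area is one of the two areas handled by this plugin;
 *  - the item id resolves to a row in assign_submission;
 *  - that submission belongs to the assignment built from the supplied context.
 *
 * This function itself makes no capability or ownership check; it only ties the item id to the
 * context. The view/post decision is made in assignsubmission_comments_comment_permissions().
 *
 * @param stdClass $options Reads ->commentarea, ->itemid and ->context.
 * @return bool Always true; every failure is reported by exception.
 * @throws comment_exception With 'invalidcommentarea', 'invalidcommentitemid' or 'invalidcontext'.
 */
function assignsubmission_comments_comment_validate(stdClass $options) {
    global $CFG, $DB;

    // Strict allow-list match. With a loose != some non-string values (boolean true, for example)
    // compare equal to these names and would slip past the area check.
    $allowedareas = array('submission_comments', 'submission_comments_upgrade');
    if (!in_array($options->commentarea, $allowedareas, true)) {
        throw new comment_exception('invalidcommentarea');
    }

    $submission = $DB->get_record('assign_submission', array('id' => $options->itemid));
    if (!$submission) {
        throw new comment_exception('invalidcommentitemid');
    }

    require_once($CFG->dirroot . '/mod/assign/locallib.php');
    $assignment = new assign($options->context, null, null);

    // Reject a submission id that belongs to a different assignment than the one behind the context.
    // Kept as a loose comparison: the two ids may differ in type (int vs numeric string) - confirm
    // before tightening.
    if ($assignment->get_instance()->id != $submission->assignment) {
        throw new comment_exception('invalidcontext');
    }

    return true;
}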
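/**
 * Permission control callback, required by the Moodle AJAX comment API.
 *
 * Runs the same area / item id / context consistency checks as the validation callback, then
 * decides access from whether the current user may view the submission: the group submission
 * when the assignment uses team submissions, the individual submission otherwise.
 *
 * The two flags are always equal. Whoever may view the submission may also post comments on it,
 * and nobody else may do either.
 *
 * @param stdClass $options Reads ->commentarea, ->itemid and ->context.
 * @return array Keys 'post' and 'view', both true or both false.
 * @throws comment_exception With 'invalidcommentarea', 'invalidcommentitemid' or 'invalidcontext'.
 */
function assignsubmission_comments_comment_permissions(stdClass $options) {
    global $CFG, $DB;

    // Strict allow-list match. With a loose != some non-string values (boolean true, for example)
    // compare equal to these names and would slip past the area check.
    $allowedareas = array('submission_comments', 'submission_comments_upgrade');
    if (!in_array($options->commentarea, $allowedareas, true)) {
        throw new comment_exception('invalidcommentarea');
    }

    $submission = $DB->get_record('assign_submission', array('id' => $options->itemid));
    if (!$submission) {
        throw new comment_exception('invalidcommentitemid');
    }

    require_once($CFG->dirroot . '/mod/assign/locallib.php');
    $assignment = new assign($options->context, null, null);
    $instance = $assignment->get_instance();

    // Reject a submission id that belongs to a different assignment than the one behind the context.
    // Kept as a loose comparison: the two ids may differ in type (int vs numeric string) - confirm
    // before tightening.
    if ($instance->id != $submission->assignment) {
        throw new comment_exception('invalidcontext');
    }

    // Exactly one of the two visibility checks applies, chosen by the assignment's team setting.
    if ($instance->teamsubmission) {
        $canview = $assignment->can_view_group_submission($submission->groupid);
    } else {
        $canview = $assignment->can_view_submission($submission->userid);
    }

    // Normalise to a real boolean so the returned flags are literal true/false, as before.
    $canview = (bool) $canview;

    return array('post' => $canview, 'view' => $canview);
}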
/**
 * Callback called by comment::get_comments() and comment::add(); the place where blind marking is enforced.
 *
 * After the area / item id / context consistency checks, and only when the assignment uses blind
 * marking and there are comments to show, each comment falls into exactly one of three cases:
 *  1. The viewer holds mod/assign:viewblinddetails and did not write the comment: the full name is
 *     replaced by a string built from the participant id and the real full name. Avatar and profile
 *     URL are left as they are.
 *  2. The viewer wrote the comment, owns the submission, or may edit the group submission: nothing
 *     is changed.
 *  3. Anyone else: full name and avatar are replaced by blind-marking placeholders built on the
 *     guest user record, and the profile URL is cleared.
 *
 * NOTE(review): only fullname, avatar and profileurl are rewritten. $comment->userid and any other
 * field on the comment object pass through unchanged, so confirm that whatever renders or
 * serialises these objects does not expose them.
 *
 * @param array $comments Comment objects; modified in place and returned.
 * @param stdClass $options Reads ->commentarea, ->itemid, ->context, ->cm and ->courseid.
 * @return array The comments that were passed in.
 * @throws comment_exception With 'invalidcommentarea', 'invalidcommentitemid' or 'invalidcontext'.
 */
function assignsubmission_comments_comment_display($comments, $options) {
    global $CFG, $DB, $USER;

    $isknownarea = $options->commentarea == 'submission_comments' ||
        $options->commentarea == 'submission_comments_upgrade';
    if (!$isknownarea) {
        throw new comment_exception('invalidcommentarea');
    }

    $submission = $DB->get_record('assign_submission', array('id' => $options->itemid));
    if (!$submission) {
        throw new comment_exception('invalidcommentitemid');
    }

    $context = $options->context;
    $coursemodule = $options->cm;
    $courseid = $options->courseid;

    require_once($CFG->dirroot . '/mod/assign/locallib.php');
    $assignment = new assign($context, $coursemodule, $courseid);

    // The submission must belong to the assignment behind the supplied context.
    if ($assignment->get_instance()->id != $submission->assignment) {
        throw new comment_exception('invalidcontext');
    }

    // Without blind marking, or with nothing to show, the comments go back untouched.
    if (!$assignment->is_blind_marking() || empty($comments)) {
        return $comments;
    }

    // Placeholder name and avatar per commenter, built once and reused for later comments.
    $placeholders = array();
    $guest = guest_user();

    // Check group users first.
    $viewerinteam = false;
    if ($assignment->get_instance()->teamsubmission && has_capability('mod/assign:submit', $context)) {
        $assignment->set_course(get_course($courseid));
        $viewerinteam = $assignment->can_edit_group_submission($submission->groupid);
    }

    foreach ($comments as $comment) {
        // Case 1: privileged viewer looking at somebody else's comment.
        if (has_capability('mod/assign:viewblinddetails', $context) && $USER->id != $comment->userid) {
            $participantid = $assignment->get_uniqueid_for_user($comment->userid);
            $details = new stdClass();
            $details->participantnumber = $participantid;
            $details->participantfullname = $comment->fullname;
            $comment->fullname = get_string('blindmarkingviewfullname', 'assignsubmission_comments', $details);
            continue;
        }

        // Case 2: own comment, own submission, or member of the submitting team - leave as is.
        if ($USER->id == $comment->userid || $submission->userid == $USER->id || $viewerinteam) {
            continue;
        }

        // Case 3: anonymize. Build the placeholder for this commenter on first use.
        if (empty($placeholders[$comment->userid])) {
            $participantid = $assignment->get_uniqueid_for_user($comment->userid);

            // Stand-in user record: the name is the blind-marking label, the identity fields come from the guest user.
            $standin = new stdClass();
            $standin->firstname = get_string('blindmarkingname', 'assignsubmission_comments', $participantid);
            $standin->lastname = '';
            $standin->firstnamephonetic = '';
            $standin->lastnamephonetic = '';
            $standin->middlename = '';
            $standin->alternatename = '';
            $standin->picture = 0;
            $standin->id = $guest->id;
            $standin->email = $guest->email;
            $standin->imagealt = $guest->imagealt;

            $placeholders[$comment->userid] = new stdClass();
            $placeholders[$comment->userid]->fullname = fullname($standin);
            $placeholders[$comment->userid]->avatar = $assignment->get_renderer()->user_picture(
                $standin,
                array('size' => 18, 'link' => false)
            );
        }

        $comment->fullname = $placeholders[$comment->userid]->fullname;
        $comment->avatar = $placeholders[$comment->userid]->avatar;
        $comment->profileurl = null;
    }

    return $comments;
}
180 /**
181  * Callback to force the userid for all comments to be the userid of the submission and NOT the global $USER->id. This
182  * is required by the upgrade code. Note the comment area is used to identify upgrades.
183  *
184  * @param stdClass $comment
185  * @param stdClass $param
186  */
187 function assignsubmission_comments_comment_add(stdClass $comment, stdClass $param) {
189     global $DB;
190     if ($comment->commentarea == 'submission_comments_upgrade') {
191         $submissionid = $comment->itemid;
192         $submission = $DB->get_record('assign_submission', array('id' => $submissionid));
194         $comment->userid = $submission->userid;
195         $comment->commentarea = 'submission_comments';
196     }