MDL-53210 mod_feedback: fixes in check feedback access

1. show only uservisible feedbacks in block_feedback
2. nicer error message when user opens feedback on frontpage instead of from the mapped course
3. corrected cap check in view.php page before displaying link to complete.php

diff --git a/mod/feedback/lang/en/feedback.php b/mod/feedback/lang/en/feedback.php
index c24e4c5..c05b93a 100644 (file)
--- a/mod/feedback/lang/en/feedback.php
+++ b/mod/feedback/lang/en/feedback.php
@@ -38,6 +38,7 @@ $string['autonumbering_help'] = 'Enables or disables automated numbers for each
 $string['average'] = 'Average';
 $string['bold'] = 'Bold';
 $string['cancel_moving'] = 'Cancel moving';
+$string['cannotaccess'] = 'You can only access this feedback from a course';
 $string['cannotmapfeedback'] = 'Database problem, unable to map feedback to course';
 $string['cannotsavetempl'] = 'saving templates is not allowed';
 $string['cannotunmap'] = 'Database problem, unable to unmap';

diff --git a/mod/feedback/lib.php b/mod/feedback/lib.php
index 1b68cd5..ea98a20 100644 (file)
--- a/mod/feedback/lib.php
+++ b/mod/feedback/lib.php
@@ -2815,7 +2815,11 @@ function feedback_get_feedbacks_from_sitecourse_map($courseid) {
         }
     }
 
-    return array_merge($feedbacks1, $feedbacks2);
+    $feedbacks = array_merge($feedbacks1, $feedbacks2);
+    $modinfo = get_fast_modinfo(SITEID);
+    return array_filter($feedbacks, function($f) use ($modinfo) {
+        return ($cm = $modinfo->get_cm($f->cmid)) && $cm->uservisible;
+    });
 
 }
 

diff --git a/mod/feedback/view.php b/mod/feedback/view.php
index 83dec27..52a5df7 100644 (file)
--- a/mod/feedback/view.php
+++ b/mod/feedback/view.php
@@ -49,11 +49,11 @@ if (has_capability('mod/feedback:complete', $context)) {
     $feedback_complete_cap = true;
 }
 
-if (isset($CFG->feedback_allowfullanonymous)
-            AND $CFG->feedback_allowfullanonymous
+if (!empty($CFG->feedback_allowfullanonymous)
             AND $course->id == SITEID
-            AND (!$courseid OR $courseid == SITEID)
-            AND $feedback->anonymous == FEEDBACK_ANONYMOUS_YES ) {
+            AND $feedback->anonymous == FEEDBACK_ANONYMOUS_YES
+            AND (!isloggedin() OR isguestuser())) {
+    // Guests are allowed to complete fully anonymous feedback without having 'mod/feedback:complete' capability.
     $feedback_complete_cap = true;
 }
 
@@ -62,16 +62,6 @@ if ($course->id == SITEID AND !$courseid) {
     $courseid = SITEID;
 }
 
-//check whether the feedback is mapped to the given courseid
-if ($course->id == SITEID AND !has_capability('mod/feedback:edititems', $context)) {
-    if ($DB->get_records('feedback_sitecourse_map', array('feedbackid'=>$feedback->id))) {
-        $params = array('feedbackid'=>$feedback->id, 'courseid'=>$courseid);
-        if (!$DB->get_record('feedback_sitecourse_map', $params)) {
-            print_error('invalidcoursemodule');
-        }
-    }
-}
-
 if ($feedback->anonymous != FEEDBACK_ANONYMOUS_YES) {
     if ($course->id == SITEID) {
         require_login($course, true);
@@ -86,6 +76,32 @@ if ($feedback->anonymous != FEEDBACK_ANONYMOUS_YES) {
     }
 }
 
+if ($course->id == SITEID) {
+    $PAGE->set_context($context);
+    $PAGE->set_cm($cm, $course);
+    $PAGE->set_pagelayout('incourse');
+}
+$PAGE->set_url('/mod/feedback/view.php', array('id'=>$cm->id, 'do_show'=>'view'));
+$PAGE->set_title($feedback->name);
+$PAGE->set_heading($course->fullname);
+
+// Check whether the feedback is mapped to the given courseid.
+if ($course->id == SITEID AND !has_capability('mod/feedback:edititems', $context)) {
+    if ($DB->get_records('feedback_sitecourse_map', array('feedbackid' => $feedback->id))) {
+        $params = array('feedbackid' => $feedback->id, 'courseid' => $courseid);
+        if (!$DB->get_record('feedback_sitecourse_map', $params)) {
+            if ($courseid == SITEID) {
+                echo $OUTPUT->header();
+                echo $OUTPUT->notification(get_string('cannotaccess', 'mod_feedback'));
+                echo $OUTPUT->footer();
+                exit;
+            } else {
+                print_error('invalidcoursemodule');
+            }
+        }
+    }
+}
+
 //check whether the given courseid exists
 if ($courseid AND $courseid != SITEID) {
     if ($course2 = $DB->get_record('course', array('id'=>$courseid))) {
@@ -113,15 +129,6 @@ $event->trigger();
 /// Print the page header
 $strfeedbacks = get_string("modulenameplural", "feedback");
 $strfeedback  = get_string("modulename", "feedback");
-
-if ($course->id == SITEID) {
-    $PAGE->set_context($context);
-    $PAGE->set_cm($cm, $course); // set's up global $COURSE
-    $PAGE->set_pagelayout('incourse');
-}
-$PAGE->set_url('/mod/feedback/view.php', array('id'=>$cm->id, 'do_show'=>'view'));
-$PAGE->set_title($feedback->name);
-$PAGE->set_heading($course->fullname);
 echo $OUTPUT->header();
 
 //ishidden check.