MDL-53566 core: Allow admins more control over locking
authorAndrew Nicols <andrew@nicols.co.uk>
Tue, 13 Nov 2018 01:14:34 +0000 (09:14 +0800)
committerAndrew Nicols <andrew@nicols.co.uk>
Tue, 13 Nov 2018 13:17:40 +0000 (21:17 +0800)
This change allows sites to configure locking such that it does not
apply to administrators at all.

admin/settings/development.php
lang/en/admin.php
lib/accesslib.php
lib/tests/accesslib_has_capability_test.php
version.php

index 54fe94b..61d82c3 100644 (file)
@@ -19,6 +19,13 @@ if ($hassiteconfig) { // speedup for non-admins, add all caps used on this page
     $temp->add(new admin_setting_configcheckbox('contextlocking', new lang_string('contextlocking', 'core_admin'),
         new lang_string('contextlocking_desc', 'core_admin'), 0));
 
+    $temp->add(new admin_setting_configcheckbox(
+            'contextlockappliestoadmin',
+            new lang_string('contextlockappliestoadmin', 'core_admin'),
+            new lang_string('contextlockappliestoadmin_desc', 'core_admin'),
+            1
+        ));
+
     $temp->add(new admin_setting_configcheckbox('forceclean', new lang_string('forceclean', 'core_admin'),
         new lang_string('forceclean_desc', 'core_admin'), 0));
 
index 4160854..6219a09 100644 (file)
@@ -385,6 +385,8 @@ $string['confirmdeletecomments'] = 'You are about to delete comments, are you su
 $string['confirmed'] = 'Confirmed';
 $string['contextlocking'] = 'Context locking';
 $string['contextlocking_desc'] = 'This setting allows you to lock categories, courses, activites, and blocks within the site by removing all write-access to those locations.';
+$string['contextlockappliestoadmin'] = 'Context locking applies to administrators';
+$string['contextlockappliestoadmin_desc'] = 'This setting allows administrators to make changes in any context which is locked.';
 $string['cookiehttponly'] = 'Only http cookies';
 $string['cookiesecure'] = 'Secure cookies only';
 $string['country'] = 'Default country';
index c95bdc5..9d6dc4f 100644 (file)
@@ -480,8 +480,16 @@ function has_capability($capability, context $context, $user = null, $doanything
 
     // Check whether context locking is enabled.
     if (!empty($CFG->contextlocking)) {
-        if ($capinfo->captype === 'write' && $context->locked && $capinfo->name !== 'moodle/site:managecontextlocks') {
-            return false;
+        if ($capinfo->captype === 'write' && $context->locked) {
+            // Context locking applies to any write capability in a locked context.
+            // It does not apply to moodle/site:managecontextlocks - this is to allow context locking to be unlocked.
+            if ($capinfo->name !== 'moodle/site:managecontextlocks') {
+                // It applies to all users who are not site admins.
+                // It also applies to site admins when contextlockappliestoadmin is set.
+                if (!is_siteadmin($userid) || !empty($CFG->contextlockappliestoadmin)) {
+                    return false;
+                }
+            }
         }
     }
 
index ccf6d44..905932a 100644 (file)
@@ -198,6 +198,168 @@ class accesslib_has_capability_testcase extends \advanced_testcase {
         }
     }
 
+    /**
+     * Unit tests to check the operation of locked contexts.
+     *
+     * Note: We only check the admin user here.
+     * If the admin cannot do it, then no-one can.
+     *
+     * @dataProvider locked_context_provider
+     * @param   string[]    $lockedcontexts The list of contexts, by name, to mark as locked
+     * @param   string[]    $blocked The list of contexts which will be 'blocked' by has_capability
+     */
+    public function test_locked_contexts_for_admin_with_config($lockedcontexts, $blocked) {
+        global $DB;
+
+        $this->resetAfterTest();
+        set_config('contextlocking', 1);
+        set_config('contextlockappliestoadmin', 0);
+
+        $generator = $this->getDataGenerator();
+        $otheruser = $generator->create_user();
+
+        // / (system)
+        // /Cat1
+        // /Cat1/Block
+        // /Cat1/Course1
+        // /Cat1/Course1/Block
+        // /Cat1/Course2
+        // /Cat1/Course2/Block
+        // /Cat1/Cat1a
+        // /Cat1/Cat1a/Block
+        // /Cat1/Cat1a/Course1
+        // /Cat1/Cat1a/Course1/Block
+        // /Cat1/Cat1a/Course2
+        // /Cat1/Cat1a/Course2/Block
+        // /Cat1/Cat1b
+        // /Cat1/Cat1b/Block
+        // /Cat1/Cat1b/Course1
+        // /Cat1/Cat1b/Course1/Block
+        // /Cat1/Cat1b/Course2
+        // /Cat1/Cat1b/Course2/Block
+        // /Cat2
+        // /Cat2/Block
+        // /Cat2/Course1
+        // /Cat2/Course1/Block
+        // /Cat2/Course2
+        // /Cat2/Course2/Block
+        // /Cat2/Cat2a
+        // /Cat2/Cat2a/Block
+        // /Cat2/Cat2a/Course1
+        // /Cat2/Cat2a/Course1/Block
+        // /Cat2/Cat2a/Course2
+        // /Cat2/Cat2a/Course2/Block
+        // /Cat2/Cat2b
+        // /Cat2/Cat2b/Block
+        // /Cat2/Cat2b/Course1
+        // /Cat2/Cat2b/Course1/Block
+        // /Cat2/Cat2b/Course2
+        // /Cat2/Cat2b/Course2/Block
+
+        $adminuser = \core_user::get_user_by_username('admin');
+        $contexts = (object) [
+            'system' => \context_system::instance(),
+            'adminuser' => \context_user::instance($adminuser->id),
+        ];
+
+        $cat1 = $generator->create_category();
+        $cat1a = $generator->create_category(['parent' => $cat1->id]);
+        $cat1b = $generator->create_category(['parent' => $cat1->id]);
+
+        $contexts->cat1 = \context_coursecat::instance($cat1->id);
+        $contexts->cat1a = \context_coursecat::instance($cat1a->id);
+        $contexts->cat1b = \context_coursecat::instance($cat1b->id);
+
+        $cat1course1 = $generator->create_course(['category' => $cat1->id]);
+        $cat1course2 = $generator->create_course(['category' => $cat1->id]);
+        $cat1acourse1 = $generator->create_course(['category' => $cat1a->id]);
+        $cat1acourse2 = $generator->create_course(['category' => $cat1a->id]);
+        $cat1bcourse1 = $generator->create_course(['category' => $cat1b->id]);
+        $cat1bcourse2 = $generator->create_course(['category' => $cat1b->id]);
+
+        $contexts->cat1course1 = \context_course::instance($cat1course1->id);
+        $contexts->cat1acourse1 = \context_course::instance($cat1acourse1->id);
+        $contexts->cat1bcourse1 = \context_course::instance($cat1bcourse1->id);
+        $contexts->cat1course2 = \context_course::instance($cat1course2->id);
+        $contexts->cat1acourse2 = \context_course::instance($cat1acourse2->id);
+        $contexts->cat1bcourse2 = \context_course::instance($cat1bcourse2->id);
+
+        $cat1block = $generator->create_block('online_users', ['parentcontextid' => $contexts->cat1->id]);
+        $cat1ablock = $generator->create_block('online_users', ['parentcontextid' => $contexts->cat1a->id]);
+        $cat1bblock = $generator->create_block('online_users', ['parentcontextid' => $contexts->cat1b->id]);
+        $cat1course1block = $generator->create_block('online_users', ['parentcontextid' => $contexts->cat1course1->id]);
+        $cat1course2block = $generator->create_block('online_users', ['parentcontextid' => $contexts->cat1course2->id]);
+        $cat1acourse1block = $generator->create_block('online_users', ['parentcontextid' => $contexts->cat1acourse1->id]);
+        $cat1acourse2block = $generator->create_block('online_users', ['parentcontextid' => $contexts->cat1acourse2->id]);
+        $cat1bcourse1block = $generator->create_block('online_users', ['parentcontextid' => $contexts->cat1bcourse1->id]);
+        $cat1bcourse2block = $generator->create_block('online_users', ['parentcontextid' => $contexts->cat1bcourse2->id]);
+
+        $contexts->cat1block = \context_block::instance($cat1block->id);
+        $contexts->cat1ablock = \context_block::instance($cat1ablock->id);
+        $contexts->cat1bblock = \context_block::instance($cat1bblock->id);
+        $contexts->cat1course1block = \context_block::instance($cat1course1block->id);
+        $contexts->cat1course2block = \context_block::instance($cat1course2block->id);
+        $contexts->cat1acourse1block = \context_block::instance($cat1acourse1block->id);
+        $contexts->cat1acourse2block = \context_block::instance($cat1acourse2block->id);
+        $contexts->cat1bcourse1block = \context_block::instance($cat1bcourse1block->id);
+        $contexts->cat1bcourse2block = \context_block::instance($cat1bcourse2block->id);
+
+        $writecapability = 'moodle/block:edit';
+        $readcapability = 'moodle/block:view';
+        $managecapability = 'moodle/site:managecontextlocks';
+
+        $this->setAdminUser();
+        $totest = (array) $contexts;
+        foreach ($totest as $context) {
+            $this->assertTrue(has_capability($writecapability, $context));
+            $this->assertTrue(has_capability($readcapability, $context));
+            $this->assertTrue(has_capability($managecapability, $context));
+        }
+
+        // Lock the specified contexts.
+        foreach ($lockedcontexts as $contextname => $value) {
+            $contexts->$contextname->set_locked($value);
+        }
+
+        // All read capabilities should remain.
+        foreach ((array) $contexts as $context) {
+            $this->assertTrue(has_capability($readcapability, $context));
+            $this->assertTrue(has_capability($managecapability, $context));
+        }
+
+        // Check writes.
+        foreach ((array) $contexts as $contextname => $context) {
+            $this->assertTrue(has_capability($writecapability, $context));
+        }
+
+        $this->setUser($otheruser);
+        // Check writes.
+        foreach ((array) $contexts as $contextname => $context) {
+            $this->assertFalse(has_capability($writecapability, $context));
+        }
+
+        // Disable the contextlocking experimental feature.
+        set_config('contextlocking', 0);
+
+        $this->setAdminUser();
+        // All read capabilities should remain.
+        foreach ((array) $contexts as $context) {
+            $this->assertTrue(has_capability($readcapability, $context));
+            $this->assertTrue(has_capability($managecapability, $context));
+        }
+
+        // All write capabilities should now be present again.
+        foreach ((array) $contexts as $contextname => $context) {
+            $this->assertTrue(has_capability($writecapability, $context));
+        }
+
+        $this->setUser($otheruser);
+        // Check writes.
+        foreach ((array) $contexts as $contextname => $context) {
+            $this->assertFalse(has_capability($writecapability, $context));
+        }
+    }
+
     /**
      * Data provider for testing that has_capability() deals with locked contexts.
      *
index a1b2728..c7d1815 100644 (file)
@@ -29,7 +29,7 @@
 
 defined('MOODLE_INTERNAL') || die();
 
-$version  = 2018111300.00;              // YYYYMMDD      = weekly release date of this DEV branch.
+$version  = 2018111301.00;              // YYYYMMDD      = weekly release date of this DEV branch.
                                         //         RR    = release increments - 00 in DEV branches.
                                         //           .XX = incremental changes.