MDL-46218 reshuffled access checks in blog and notes

diff --git a/blog/edit.php b/blog/edit.php
index fadc8ad..ebf4c96 100644 (file)
--- a/blog/edit.php
+++ b/blog/edit.php
@@ -31,8 +31,12 @@ include_once('locallib.php');
 $action   = required_param('action', PARAM_ALPHA);
 $id       = optional_param('entryid', 0, PARAM_INT);
 $confirm  = optional_param('confirm', 0, PARAM_BOOL);
-$modid    = optional_param('modid', 0, PARAM_INT); // To associate the entry with a module instance
-$courseid = optional_param('courseid', 0, PARAM_INT); // To associate the entry with a course
+$modid = optional_param('modid', 0, PARAM_INT); // To associate the entry with a module instance.
+$courseid = optional_param('courseid', 0, PARAM_INT); // To associate the entry with a course.
+
+if ($action == 'edit') {
+    $id = required_param('entryid', PARAM_INT);
+}
 
 $PAGE->set_url('/blog/edit.php', array('action' => $action, 'entryid' => $id, 'confirm' => $confirm, 'modid' => $modid, 'courseid' => $courseid));
 
@@ -41,6 +45,20 @@ if (!empty($id) && $action == 'add') {
     $id = null;
 }
 
+// Blogs are always in system context.
+$sitecontext = context_system::instance();
+$PAGE->set_context($sitecontext);
+
+require_login($courseid);
+
+if (empty($CFG->enableblogs)) {
+    print_error('blogdisable', 'blog');
+}
+
+if (isguestuser()) {
+    print_error('noguestentry', 'blog');
+}
+
 $returnurl = new moodle_url('/blog/index.php');
 
 if (!empty($courseid) && empty($modid)) {
@@ -54,27 +72,8 @@ if (!empty($modid)) {
     $returnurl->param('courseid', $courseid);
 }
 
-// Blogs are always in system context.
-$sitecontext = context_system::instance();
-$PAGE->set_context($sitecontext);
-
-
 $blogheaders = blog_get_headers();
 
-require_login($courseid);
-
-if ($action == 'edit') {
-    $id = required_param('entryid', PARAM_INT);
-}
-
-if (empty($CFG->enableblogs)) {
-    print_error('blogdisable', 'blog');
-}
-
-if (isguestuser()) {
-    print_error('noguestentry', 'blog');
-}
-
 if (!has_capability('moodle/blog:create', $sitecontext) && !has_capability('moodle/blog:manageentries', $sitecontext)) {
     print_error('cannoteditentryorblog');
 }

diff --git a/blog/index.php b/blog/index.php
index efa99ea..4bdfd35 100644 (file)
--- a/blog/index.php
+++ b/blog/index.php
@@ -34,10 +34,6 @@ foreach ($url_params as $var => $val) {
 }
 $PAGE->set_url('/blog/index.php', $url_params);
 
-if (empty($CFG->enableblogs)) {
-    print_error('blogdisable', 'blog');
-}
-
 //correct tagid if a text tag is provided as a param
 if (!empty($tag)) {
     if ($tagrec = $DB->get_record('tag', array('name' => $tag))) {
@@ -47,15 +43,6 @@ if (!empty($tag)) {
     }
 }
 
-// add courseid if modid or groupid is specified: This is used for navigation and title
-if (!empty($modid) && empty($courseid)) {
-    $courseid = $DB->get_field('course_modules', 'course', array('id'=>$modid));
-}
-
-if (!empty($groupid) && empty($courseid)) {
-    $courseid = $DB->get_field('groups', 'courseid', array('id'=>$groupid));
-}
-
 $sitecontext = context_system::instance();
 // Blogs are always in system context.
 $PAGE->set_context($sitecontext);
@@ -84,6 +71,19 @@ if ($CFG->bloglevel == BLOG_GLOBAL_LEVEL) {
     print_error('blogdisable', 'blog');
 }
 
+if (empty($CFG->enableblogs)) {
+    print_error('blogdisable', 'blog');
+}
+
+// Add courseid if modid or groupid is specified: This is used for navigation and title.
+if (!empty($modid) && empty($courseid)) {
+    $courseid = $DB->get_field('course_modules', 'course', array('id' => $modid));
+}
+
+if (!empty($groupid) && empty($courseid)) {
+    $courseid = $DB->get_field('groups', 'courseid', array('id' => $groupid));
+}
+
 
 if (!$userid && has_capability('moodle/blog:view', $sitecontext) && $CFG->bloglevel > BLOG_USER_LEVEL) {
     if ($entryid) {

diff --git a/notes/delete.php b/notes/delete.php
index 21b0f99..573d068 100644 (file)
--- a/notes/delete.php
+++ b/notes/delete.php
@@ -18,14 +18,17 @@ if (!$course = $DB->get_record('course', array('id'=>$note->courseid))) {
     print_error('invalidcourseid');
 }
 
-// locate user information
-    if (!$user = $DB->get_record('user', array('id'=>$note->userid))) {
-        print_error('invaliduserid');
-    }
-
 // require login to access notes
 require_login($course);
 
+if (empty($CFG->enablenotes)) {
+    print_error('notesdisabled', 'notes');
+}
+
+if (!$user = $DB->get_record('user', array('id' => $note->userid))) {
+    print_error('invaliduserid');
+}
+
 // locate context information
 $context = context_course::instance($course->id);
 
@@ -34,10 +37,6 @@ if (!has_capability('moodle/notes:manage', $context)) {
     print_error('nopermissiontodelete', 'notes');
 }
 
-if (empty($CFG->enablenotes)) {
-    print_error('notesdisabled', 'notes');
-}
-
 if (data_submitted() && confirm_sesskey()) {
 //if data was submitted and is valid, then delete note
     $returnurl = $CFG->wwwroot . '/notes/index.php?course=' . $course->id . '&user=' . $note->userid;

diff --git a/notes/edit.php b/notes/edit.php
index 32d3c02..be9ed29 100644 (file)
--- a/notes/edit.php
+++ b/notes/edit.php
@@ -41,20 +41,19 @@ if (!$course = $DB->get_record('course', array('id'=>$note->courseid))) {
     print_error('invalidcourseid');
 }
 
-/// locate user information
-if (!$user = $DB->get_record('user', array('id'=>$note->userid))) {
-    print_error('invaliduserid');
-}
-
 /// require login to access notes
 require_login($course);
 
+if (empty($CFG->enablenotes)) {
+    print_error('notesdisabled', 'notes');
+}
+
 /// locate context information
 $context = context_course::instance($course->id);
 require_capability('moodle/notes:manage', $context);
 
-if (empty($CFG->enablenotes)) {
-    print_error('notesdisabled', 'notes');
+if (!$user = $DB->get_record('user', array('id' => $note->userid))) {
+    print_error('invaliduserid');
 }
 
 /// create form