From 737aefb454fca0544df35db3871ce08c2938e847 Mon Sep 17 00:00:00 2001
From: Mark Nelson
Date: Tue, 20 Nov 2012 12:17:21 +0800
Subject: [PATCH] MDL-30377 forum: do not allow users to view not yet started or expired discussions
---
 mod/forum/discuss.php | 13 +-----
 mod/forum/lang/en/forum.php | 2 +-
 mod/forum/lib.php | 86 ++++++++++++++++++++++++++++---------
 3 files changed, 69 insertions(+), 32 deletions(-)
diff --git a/mod/forum/discuss.php b/mod/forum/discuss.php
index 774e7b0fe55..f86b5219eb2 100644
--- a/mod/forum/discuss.php
+++ b/mod/forum/discuss.php
@@ -59,14 +59,6 @@
 rss_add_http_header($modcontext, 'mod_forum', $forum, $rsstitle);
 }
- if ($forum->type == 'news') {
- if (!($USER->id == $discussion->userid || (($discussion->timestart == 0 || $discussion->timestart <= time()) && ($discussion->timeend == 0 || $discussion->timeend > time())))) {
- print_error('invaliddiscussionid', 'forum', "$CFG->wwwroot/mod/forum/view.php?f=$forum->id");
- }
- }
-
 /// move discussion if requested
 if ($move > 0 and confirm_sesskey()) {
 $return = $CFG->wwwroot.'/mod/forum/discuss.php?d='.$discussion->id;
@@ -135,9 +127,8 @@
 print_error("notexists", 'forum', "$CFG->wwwroot/mod/forum/view.php?f=$forum->id");
 }
-
- if (!forum_user_can_view_post($post, $course, $cm, $forum, $discussion)) {
- print_error('nopermissiontoview', 'forum', "$CFG->wwwroot/mod/forum/view.php?id=$forum->id");
+ if (!forum_user_can_see_post($forum, $discussion, $post, null, $cm)) {
+ print_error('noviewdiscussionspermission', 'forum', "$CFG->wwwroot/mod/forum/view.php?id=$forum->id");
 }
 if ($mark == 'read' or $mark == 'unread') {
diff --git a/mod/forum/lang/en/forum.php b/mod/forum/lang/en/forum.php
index 3f995da0350..8fad2a7dae9 100644
--- a/mod/forum/lang/en/forum.php
+++ b/mod/forum/lang/en/forum.php
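Review bot: The rewritten `print_error` line keeps the fallback link `view.php?id=$forum->id`, while the context line two lines above uses `view.php?f=$forum->id` for the same forum; in mod/forum/view.php `id` is the course-module id and `f` the forum id, so this link sends the user to the wrong module. Since the line is being rewritten anyway, use `"$CFG->wwwroot/mod/forum/view.php?f=$forum->id"` (or `?id=$cm->id`, which is in scope here). Note also that the news-forum block removed in the previous hunk let the discussion author (`$USER->id == $discussion->userid`) open their own not-yet-started discussion, whereas the replacement `forum_user_can_see_post()` call gates that purely on the timed-discussion capability check introduced in lib.php, so an author without that capability loses access to their own post; if that is intended it should be stated in the commit message.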
@@ -159,7 +159,7 @@ $string['forum:addquestion'] = 'Add question';
 $string['forum:allowforcesubscribe'] = 'Allow force subscribe';
 $string['forumauthorhidden'] = 'Author (hidden)';
 $string['forumblockingalmosttoomanyposts'] = 'You are approaching the posting threshold. You have posted {$a->numposts} times in the last {$a->blockperiod} and the limit is {$a->blockafter} posts.';
-$string['forumbodyhidden'] = 'This post cannot be viewed by you, probably because you have not posted in the discussion or the maximum editing time hasn\'t passed yet.';
+$string['forumbodyhidden'] = 'This post cannot be viewed by you, probably because you have not posted in the discussion, the maximum editing time hasn\'t passed yet, the discussion has not started or the discussion has expired.';
 $string['forum:createattachment'] = 'Create attachments';
 $string['forum:deleteanypost'] = 'Delete any posts (anytime)';
 $string['forum:deleteownpost'] = 'Delete own posts (within deadline)';
diff --git a/mod/forum/lib.php b/mod/forum/lib.php
index 822e177e450..42a15351c37 100644
--- a/mod/forum/lib.php
+++ b/mod/forum/lib.php
@@ -5213,45 +5213,70 @@ function forum_user_can_post($forum, $discussion, $user=NULL, $cm=NULL, $course= } } - /** - * checks to see if a user can view a particular post + * Checks to see if a user can view a particular post. + * + * @deprecated since Moodle 2.4 use forum_user_can_see_post() instead * - * @global object - * @global object - * @uses CONTEXT_MODULE - * @uses SEPARATEGROUPS * @param object $post * @param object $course * @param object $cm * @param object $forum * @param object $discussion * @param object $user + * @return boolean */ -function forum_user_can_view_post($post, $course, $cm, $forum, $discussion, $user=NULL){ +function forum_user_can_view_post($post, $course, $cm, $forum, $discussion, $user=null){ + debugging('forum_user_can_view_post() is deprecated. Please use forum_user_can_see_post() instead.', DEBUG_DEVELOPER); + return forum_user_can_see_post($forum, $discussion, $post, $user, $cm); +} - global $CFG, $USER; +/** +* Check to ensure a user can view a timed discussion. +* +* @param object $discussion +* @param object $user +* @param object $context +* @return boolean returns true if they can view post, false otherwise +*/ +function forum_user_can_see_timed_discussion($discussion, $user, $context) { + global $CFG; - if (!$user){ - $user = $USER; + // Check that the user can view a discussion that is normally hidden due to access times. + if (!empty($CFG->forum_enabletimedposts)) { + $time = time(); + if (($discussion->timestart != 0 && $discussion->timestart > $time) + || ($discussion->timeend != 0 && $discussion->timeend < $time)) { + if (!has_capability('mod/forum:viewhiddentimedposts', $context, $user->id)) { + return false; + } + } } - $modcontext = context_module::instance($cm->id); - if (!has_capability('mod/forum:viewdiscussion', $modcontext)) { - return false; - } + return true; +} -// If it's a grouped discussion, make sure the user is a member +/** +* Check to ensure a user can view a group discussion. 
+* +* @param object $discussion +* @param object $cm +* @param object $context +* @return boolean returns true if they can view post, false otherwise +*/ +function forum_user_can_see_group_discussion($discussion, $cm, $context) { + + // If it's a grouped discussion, make sure the user is a member. if ($discussion->groupid > 0) { $groupmode = groups_get_activity_groupmode($cm); if ($groupmode == SEPARATEGROUPS) { - return groups_is_member($discussion->groupid) || has_capability('moodle/site:accessallgroups', $modcontext); + return groups_is_member($discussion->groupid) || has_capability('moodle/site:accessallgroups', $context); } } + return true; } - /** * @global object * @global object @@ -5282,11 +5307,22 @@ function forum_user_can_see_discussion($forum, $discussion, $context, $user=NULL return false; } } + if (!$cm = get_coursemodule_from_instance('forum', $forum->id, $forum->course)) { + print_error('invalidcoursemodule'); + } if (!has_capability('mod/forum:viewdiscussion', $context)) { return false; } + if (!forum_user_can_see_timed_discussion($discussion, $user, $context)) { + return false; + } + + if (!forum_user_can_see_group_discussion($discussion, $cm, $context)) { + return false; + } + if ($forum->type == 'qanda' && !forum_user_has_posted($forum->id, $discussion->id, $user->id) && !has_capability('mod/forum:viewqandawithoutposting', $context)) { @@ -5295,7 +5331,6 @@ function forum_user_can_see_discussion($forum, $discussion, $context, $user=NULL return true; } - /** * @global object * @global object @@ -5309,6 +5344,9 @@ function forum_user_can_see_discussion($forum, $discussion, $context, $user=NULL function forum_user_can_see_post($forum, $discussion, $post, $user=NULL, $cm=NULL) { global $CFG, $USER, $DB; + // Context used throughout function. + $modcontext = context_module::instance($cm->id); + // retrieve objects (yuk) if (is_numeric($forum)) { debugging('missing full forum', DEBUG_DEVELOPER); 
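Review bot: `forum_user_can_see_group_discussion()` evaluates membership for the current user only — `groups_is_member($discussion->groupid)` and `has_capability('moodle/site:accessallgroups', $context)` both default to `$USER` — whereas its sibling `forum_user_can_see_timed_discussion()` takes `$user` and passes `$user->id`. Both callers added later in this patch (`forum_user_can_see_discussion()` at @@ -5282 and `forum_user_can_see_post()` at @@ -5359) already hold a `$user` that may differ from `$USER`, so in that case the group check authorises the wrong principal. Give the helper the same shape as its sibling: `function forum_user_can_see_group_discussion($discussion, $cm, $context, $user = null)` with `return groups_is_member($discussion->groupid, $user ? $user->id : null) || has_capability('moodle/site:accessallgroups', $context, $user);`, and pass `$user` from both callers. Separately, the two new docblocks put `*` at column 0 (`+*`) instead of the ` * ` alignment used by the deprecated block directly above them in this hunk.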
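Review bot: `forum_user_can_see_discussion()` now issues `get_coursemodule_from_instance()` on every call and aborts the request with `print_error('invalidcoursemodule')` from inside a boolean predicate, although the `$context` it already receives is the module context and the cm is needed only for `groups_get_activity_groupmode($cm)` in the group helper. If this function is called once per row when listing discussions (not visible in this hunk), that is an extra query per discussion. Prefer the cached `get_fast_modinfo($forum->course)` lookup or an optional `$cm = null` parameter resolved the same way, and `return false;` on a missing module rather than `print_error`, so callers keep control of the failure path. The rest of the function lies outside this hunk.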
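Review bot: `$modcontext = context_module::instance($cm->id);` is placed before the `// retrieve objects (yuk)` block even though `$cm` defaults to `NULL` in the signature, so any caller that omits `$cm` (discuss.php is updated to pass it, but the parameter stays optional) now dereferences null before the block that presumably resolves a missing `$cm`. Move the assignment below that block — e.g. immediately before the `$canviewdiscussion = ...` line this patch changes to use it at @@ -5344 — or compute it only after `$cm` has been looked up. The remainder of forum_user_can_see_post() continues outside this hunk.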
@@ -5329,6 +5367,7 @@ function forum_user_can_see_post($forum, $discussion, $post, $user=NULL, $cm=NUL return false; } } + if (!isset($post->id) && isset($post->parent)) { $post->id = $post->parent; } @@ -5344,7 +5383,7 @@ function forum_user_can_see_post($forum, $discussion, $post, $user=NULL, $cm=NUL $user = $USER; } - $canviewdiscussion = !empty($cm->cache->caps['mod/forum:viewdiscussion']) || has_capability('mod/forum:viewdiscussion', context_module::instance($cm->id), $user->id); + $canviewdiscussion = !empty($cm->cache->caps['mod/forum:viewdiscussion']) || has_capability('mod/forum:viewdiscussion', $modcontext, $user->id); if (!$canviewdiscussion && !has_all_capabilities(array('moodle/user:viewdetails', 'moodle/user:readuserposts'), context_user::instance($post->userid))) { return false; } @@ -5359,9 +5398,16 @@ function forum_user_can_see_post($forum, $discussion, $post, $user=NULL, $cm=NUL } } + if (!forum_user_can_see_timed_discussion($discussion, $user, $modcontext)) { + return false; + } + + if (!forum_user_can_see_group_discussion($discussion, $cm, $modcontext)) { + return false; + } + if ($forum->type == 'qanda') { $firstpost = forum_get_firstpost_from_discussion($discussion->id); - $modcontext = context_module::instance($cm->id); $userfirstpost = forum_get_user_posted_time($discussion->id, $user->id); return (($userfirstpost !== false && (time() - $userfirstpost >= $CFG->maxeditingtime)) || -- 2.43.0