From 915f801546a5c3618feab897072c985abfce57df Mon Sep 17 00:00:00 2001
From: Marina Glancy <marina@moodle.com>
Date: Thu, 29 Jun 2017 15:00:31 +0800
Subject: [PATCH] MDL-59409 admin: check access to every setting in category

---
 admin/category.php |  2 +-
 lib/adminlib.php   | 12 ++++++++----
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/admin/category.php b/admin/category.php
index cb83e0d09b0..0a803940335 100644
--- a/admin/category.php
+++ b/admin/category.php
@@ -89,7 +89,7 @@ if ($PAGE->user_allowed_editing()) {
 $savebutton = false;
 $outputhtml = '';
 foreach ($settingspage->children as $childpage) {
-    if ($childpage->is_hidden()) {
+    if ($childpage->is_hidden() || !$childpage->check_access()) {
         continue;
     }
     if ($childpage instanceof admin_externalpage) {
diff --git a/lib/adminlib.php b/lib/adminlib.php
index 7fc7d302fca..53866698d66 100644
--- a/lib/adminlib.php
+++ b/lib/adminlib.php
@@ -8122,21 +8122,25 @@ function admin_find_write_settings($node, $data) {
     }
 
     if ($node instanceof admin_category) {
-        $entries = array_keys($node->children);
-        foreach ($entries as $entry) {
-            $return = array_merge($return, admin_find_write_settings($node->children[$entry], $data));
+        if ($node->check_access()) {
+            $entries = array_keys($node->children);
+            foreach ($entries as $entry) {
+                $return = array_merge($return, admin_find_write_settings($node->children[$entry], $data));
+            }
         }
 
     } else if ($node instanceof admin_settingpage) {
+        if ($node->check_access()) {
             foreach ($node->settings as $setting) {
                 $fullname = $setting->get_full_name();
                 if (array_key_exists($fullname, $data)) {
                     $return[$fullname] = $setting;
                 }
             }
-
         }
 
+    }
+
     return $return;
 }
 
-- 
2.43.0