From 2b6702ee310ee31d901d1bdc3194c2838197e197 Mon Sep 17 00:00:00 2001
From: Neill Magill
Date: Fri, 15 Mar 2024 08:24:11 +0000
Subject: [PATCH] Improvement/59 Make board work with context freezing (#61)
* Issue 59: Separate post and view capabilities This is so that when a context is frozen users will still be able to see the contents of the board, but not be able to edit anything.
* Issue 59: Only delete comments when new ones can be posted This is to stop users being able to delete comments in a frozen context
* #59 Version bump
---
 classes/board.php | 18 +++++++++++++-----
 classes/comment.php | 4 ++--
 db/access.php | 14 +++++++++++++-
 external.php | 2 +-
 lang/en/board.php | 3 ++-
 version.php | 2 +-
 6 files changed, 32 insertions(+), 11 deletions(-)
diff --git a/classes/board.php b/classes/board.php
index 1b8b068..100797f 100644
--- a/classes/board.php
+++ b/classes/board.php
@@ -610,7 +610,7 @@ public static function require_capability_for_note($id) {
 $context = static::context_for_column($note->columnid);
 if ($context) {
- require_capability('mod/board:view', $context);
+ require_capability('mod/board:post', $context);
 if ($USER->id != $note->userid) {
 require_capability('mod/board:manageboard', $context);
@@ -751,7 +751,7 @@ public static function board_add_note(int $columnid, int $ownerid, string $headi
 $context = static::context_for_column($columnid);
 if ($context) {
- require_capability('mod/board:view', $context);
+ require_capability('mod/board:post', $context);
 }
 $heading = empty($heading) ? null : mb_substr($heading, 0, static::LENGTH_HEADING);
@@ -1189,7 +1189,7 @@ public static function board_can_rate_note(int $noteid): array {
 }
 $context = static::context_for_board($board->id);
- if (!has_capability('mod/board:view', $context)) {
+ if (!has_capability('mod/board:post', $context)) {
 return $result;
 }
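Review bot: In `board_add_note` the new `mod/board:post` check only runs inside `if ($context) { … }`, so a column whose context does not resolve skips the capability check and execution carries on to the `$heading` handling. The same guard shape wraps the check in `require_capability_for_note` in the first hunk. Now that `post` is the gate that keeps a frozen context read-only, both paths should fail closed, for example `if (!$context) { throw new \moodle_exception('invalidcontext'); }` ahead of the `require_capability` call. Both function bodies continue outside the hunks, so what `context_for_column` returns for a missing column should be confirmed.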
@@ -1339,10 +1339,17 @@ public static function board_is_editor($boardid) {
 * a particular board.
 *
 * @param int $boardid
- * @return void
+ * @return boolean
 */
 public static function board_users_can_edit($boardid) {
 global $DB;
+
+ $context = static::context_for_board($boardid);
+ if (!has_capability('mod/board:post', $context)) {
+ // The user is not allowed to post via capabilities.
+ return false;
+ }
+
 return $DB->get_field('board', 'userscanedit', ['id' => $boardid], IGNORE_MISSING);
 }
@@ -1510,7 +1517,8 @@ public static function can_view_user($boardid, $userid): bool {
 public static function can_post(int $boardid, int $userid, int $ownerid): bool {
 global $USER;
- if ($userid == $ownerid) {
+ $context = static::context_for_board($boardid);
+ if ($userid == $ownerid && has_capability('mod/board:post', $context)) {
 return true;
 }
 $board = static::get_board($boardid);
diff --git a/classes/comment.php b/classes/comment.php
index 32d214d..a855e5e 100644
--- a/classes/comment.php
+++ b/classes/comment.php
@@ -149,11 +149,11 @@ public static function can_create($context) {
 public function can_delete() {
 global $USER;
- if ($this->userid == $USER->id) {
+ $context = $this->get_context();
+ if ($this->userid == $USER->id && has_capability('mod/board:postcomment', $context)) {
 return true;
 }
- $context = $this->get_context();
 if (has_capability('mod/board:deleteallcomments', $context)) {
 return true;
 }
diff --git a/db/access.php b/db/access.php
index d5ed186..51121fc 100755
--- a/db/access.php
+++ b/db/access.php
@@ -26,7 +26,7 @@
 $capabilities = array(
 'mod/board:view' => array(
- 'captype' => 'write',
+ 'captype' => 'read',
 'contextlevel' => CONTEXT_MODULE,
 'archetypes' => array(
 'student' => CAP_ALLOW,
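Review bot: `board_users_can_edit` is now documented as `@return boolean`, but its last line still returns the raw `$DB->get_field(...)` value, which with `IGNORE_MISSING` is the stored column value or `false` rather than a bool. Casting it, `return (bool) $DB->get_field('board', 'userscanedit', ['id' => $boardid], IGNORE_MISSING);`, would make the early `return false` and the normal path agree, and the docblock type is conventionally spelled `bool`. Because the query tolerates a missing board, `context_for_board($boardid)` is now called first for that same id; whether it can hand `has_capability` something that is not a context is not visible in this hunk and should be checked.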
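Review bot: In `can_post` the added `has_capability('mod/board:post', $context)` is evaluated for the logged-in user, while the branch it guards compares the `$userid` argument with `$ownerid`. If a caller ever passes a `$userid` other than the current user, the capability is checked against the wrong account; passing it explicitly, `has_capability('mod/board:post', $context, $userid)`, keeps the two consistent. When the capability is missing the function also no longer stops here but falls through to the `get_board` logic below the hunk, so those later branches need to be confirmed not to return true in a frozen context.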
@@ -35,6 +35,18 @@
 'manager' => CAP_ALLOW,
 )
 ),
+ 'mod/board:post' => array(
+ 'riskbitmask' => RISK_SPAM,
+ 'captype' => 'write',
+ 'contextlevel' => CONTEXT_MODULE,
+ 'archetypes' => array(
+ 'student' => CAP_ALLOW,
+ 'teacher' => CAP_ALLOW,
+ 'editingteacher' => CAP_ALLOW,
+ 'manager' => CAP_ALLOW,
+ ),
+ 'clonepermissionsfrom' => 'mod/board:view',
+ ),
 'mod/board:addinstance' => array(
 'riskbitmask' => RISK_XSS,
diff --git a/external.php b/external.php
index cb20e42..c35cac0 100755
--- a/external.php
+++ b/external.php
@@ -709,7 +709,7 @@ public static function get_comments($noteid) {
 $comment->id = $note->id;
 $comment->noteid = $note->noteid;
 $comment->content = $note->content;
- $comment->candelete = ($note->userid === $USER->id || $candeleteall) ? true : false;
+ $comment->candelete = (($canpost && $note->userid === $USER->id) || $candeleteall) ? true : false;
 $comment->date = userdate($note->timecreated);
 $comments[] = $comment;
 }
diff --git a/lang/en/board.php b/lang/en/board.php
index bf19c6a..6832358 100755
--- a/lang/en/board.php
+++ b/lang/en/board.php
@@ -31,7 +31,8 @@
 $string['board:addinstance'] = 'Add a new board resource';
 $string['board:deleteallcomments'] = 'View and delete all comments on posts';
 $string['board:postcomment'] = 'Create and view comments on posts';
-$string['board:view'] = 'View board content and manage own posts.';
+$string['board:view'] = 'View board content.';
+$string['board:post'] = 'Manage own posts and potentially rate posts.';
 $string['board:manageboard'] = 'Manage columns and manage all posts.';
 $string['pluginadministration'] = 'Board module administration';
 $string['hideheaders'] = 'Hide column headers from students';
diff --git a/version.php b/version.php
index b32238b..3269252 100755
--- a/version.php
+++ b/version.php
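Review bot: `'clonepermissionsfrom' => 'mod/board:view'` copies every existing override of the view capability onto the new write capability at upgrade, so a role that was given view purely for read access ends up holding `mod/board:post` as well. That preserves the old behaviour, where view implied posting, but it also means the split narrows nothing on an existing site until an administrator reviews the role definitions; an upgrade note saying so would help. `RISK_SPAM` is the only risk flagged here while `mod/board:addinstance` just below carries `RISK_XSS`; if note content can include HTML or embedded media, the same flag may be worth considering for `post`.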
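Review bot: `$canpost` is read in the new `candelete` expression but is not assigned anywhere in this hunk, and the diffstat lists external.php as a one-line change (`2 +-`). Unless `get_comments` already defines it above the hunk, it evaluates as null and the owner branch can never be true, so only `$candeleteall` users would be offered the delete control. It should be derived from the same capability that `can_delete()` in classes/comment.php checks, `mod/board:postcomment`, so the flag sent to the client and the server-side decision cannot drift apart. The strict `===` on `$note->userid` also differs from the loose `==` used in `can_delete()`; if the record field is a string and `$USER->id` an int, the flag will be false for the comment's author.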
@@ -25,7 +25,7 @@
 defined('MOODLE_INTERNAL') || die;
 $plugin->component = 'mod_board'; // Full name of the plugin (used for diagnostics).
-$plugin->version = 2022040112; // The current module version Use 2022.04.01 as base for 4.00.
+$plugin->version = 2022040113; // The current module version Use 2022.04.01 as base for 4.00.
 $plugin->requires = 2022041900; // Moodle 4.00 and up.
 $plugin->release = '1.401.03 (Build 2022040112)';
 $plugin->maturity = MATURITY_STABLE;