MDL-6477

Convert lesson to use new roles framework - patch attached

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.7
    • Fix Version/s: 1.7
    • Component/s: Lesson
    • Labels:
      None
    • Affected Branches:
      MOODLE_17_STABLE
    • Fixed Branches:
      MOODLE_17_STABLE
    • Rank:
      28352

      Description

      Could you please review/test the attached patch.

      thanks

        Activity

        Mark Nielsen added a comment -

        I made some changes to the patched code but I don't know how to create a patch from the CVS like the one that you made. Also, when I applied the patch, it placed access.php in mod/lesson instead of mod/lesson/db. I might have done something wrong though.

        Also, while I was reviewing the code, I found a tremendous flaw. The essay editing interface never checks the role of the user. This means that when any user goes into a lesson and adds "&action=essayview" to the URL, then s/he can start grading essay questions. This problem goes all the way back to Moodle 1.5.3.

        I have a patch for fixing the problem. This is what the diff looks like off of MOODLE_16_STABLE:

        Index: view.php
        ===================================================================
        RCS file: /cvsroot/moodle/moodle/mod/lesson/view.php,v
        retrieving revision 1.91.2.5
        diff -u -r1.91.2.5 view.php
        — view.php 10 Aug 2006 15:30:57 -0000 1.91.2.5
        +++ view.php 7 Sep 2006 21:34:29 -0000
        @@ -28,6 +28,17 @@

        require_login($course->id, false, $cm);

        + switch ($action) {
        + case 'essayview':
        + case 'essaygrade':
        + case 'updategrade':
        + case 'emailessay':
        + if (!isteacheredit($course->id))

        { + error('You must be a teacher with editing rights to view this page'); + }

        + break;
        + }
        +
        /// Print the page header

        if ($course->category) {
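
Review bot: the `switch ($action)` guard names only `essayview`, `essaygrade`, `updategrade` and `emailessay`, so it fails open: any grading action that is not in this list, or that is added to view.php later, is still reachable with nothing more than `require_login()`. Consider inverting it so that the actions open to every logged-in user are the ones enumerated and everything else requires `isteacheredit($course->id)`, or put the check inside each essay handler so it cannot be separated from the code it protects. Two smaller points: the `error()` text is a hard-coded English string and would be better taken from the language pack, and since this diff is against MOODLE_16_STABLE while the issue is about the roles conversion, the same guard needs carrying into the roles-based code as a capability check rather than `isteacheredit()`.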

        Let me know if I should commit it or if any other action on my part is necessary.
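
The flaw reported above (an `action` URL parameter that selects a grading handler with no role check) is an instance of fail-open dispatch. The following is an added example, not code from the Moodle project or from the patch: it shows a default-deny action map plus an audit helper that lists handlers with no authorization entry. The four essay action names come from the diff; `navigation`, `newessaytool`, the permission names and both functions are hypothetical.

```php
<?php
// Added example: default-deny authorization for an "action" request parameter.
// Permission names and helper functions are hypothetical, not Moodle APIs.

const ACTION_PERMISSIONS = [
    'navigation'  => 'lesson:view',   // constructed student-facing action
    'essayview'   => 'lesson:grade',
    'essaygrade'  => 'lesson:grade',
    'updategrade' => 'lesson:grade',
    'emailessay'  => 'lesson:grade',
];

/**
 * True only when the action is known AND the caller holds the permission
 * mapped to it. Unknown actions are refused, so a handler added later
 * without a map entry fails closed instead of being reachable by URL.
 */
function authorize_action(string $action, array $callerPermissions): bool
{
    if (!array_key_exists($action, ACTION_PERMISSIONS)) {
        return false;
    }
    return in_array(ACTION_PERMISSIONS[$action], $callerPermissions, true);
}

/** Audit helper: dispatchable actions that have no authorization entry. */
function unmapped_actions(array $dispatchableActions): array
{
    return array_values(array_diff($dispatchableActions, array_keys(ACTION_PERMISSIONS)));
}

// Constructed callers: a student and an editing teacher.
$student = ['lesson:view'];
$teacher = ['lesson:view', 'lesson:grade'];

foreach ([
    ['student', $student, 'navigation'],
    ['student', $student, 'essayview'],    // the URL-tampering case from the report
    ['teacher', $teacher, 'essaygrade'],
    ['teacher', $teacher, 'newessaytool'], // not in the map: refused for everyone
] as [$who, $perms, $action]) {
    printf("%-7s %-12s %s\n", $who, $action,
        authorize_action($action, $perms) ? 'allowed' : 'denied');
}

// Run in CI against the real list of handlers to catch unguarded additions.
echo 'unmapped: ', implode(', ', unmapped_actions(['essayview', 'newessaytool'])), "\n";
```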

        Petr Škoda added a comment -

        Hi!

        Thanks for the review. Please commit all changes into CVS. If you want to make any changes in 1.6.1+ please hurry, the 1.6.2 release is going to be tagged tomorrow morning.

        I do not know what might be the problem with creation of access.php, the correct placement is db. I am using phpeclipse IDE to create the patches, what cvs client and editor are you using?

        Petr Škoda added a comment -

        ... in fact it is today - Friday morning GMT I guess

        Mark Nielsen added a comment -

        > ... in fact it is today - Friday morning GMT I guess

        Just added it to MOODLE_16_STABLE. Am I too late?

        I use the Mac OS X Terminal with command line for CVS and TextMate for my editor.

        Mark Nielsen added a comment -

        Committed the roles code into HEAD.

