# This patch file was generated by NetBeans IDE
# This patch can be applied using context Tools: Apply Diff Patch action on respective folder.
# It uses platform neutral UTF-8 encoding.
# Above lines and this line are ignored by the patching process.
Index: moodle/rating/rate_ajax.php
--- moodle/rating/rate_ajax.php Base (1.8)
+++ moodle/rating/rate_ajax.php Locally Modified (Based On 1.8)
@@ -105,7 +105,6 @@
 //Future possible enhancement: add a setting to turn grade updating off for those who don't want them in gradebook
 //note that this would need to be done in both rate.php and rate_ajax.php
-if(true){
 if ($context->contextlevel==CONTEXT_MODULE) {
 //tell the module that its grades have changed
 if ( $modinstance = $DB->get_record($cm->modname, array('id' => $cm->instance)) ) {
@@ -117,7 +116,6 @@
 }
 }
 }
-}
 //object to return to client as json
 $result = new stdClass;
@@ -157,7 +155,12 @@
 //we could do this check as "if $userid==$rateduserid" but going to the database to determine item owner id seems more secure
 //if we accept the item owner user id from the http request a user could alter the URL and erroneously get access to the rating aggregate
 if (($USER->id==$items[0]->rating->itemuserid && has_capability('moodle/rating:view',$context) && $pluginpermissionsarray['view'])
- || ($USER->id!=$items[0]->rating->itemuserid && has_capability('moodle/rating:viewany',$context) && $pluginpermissionsarray['viewany'])) {
\ No newline at end of file
+ //if no user created the item (the hub did), need to test if it's empty.
+ || (($USER->id!=$items[0]->rating->itemuserid or empty($items[0]->rating->itemuserid))
+ && has_capability('moodle/rating:viewany',$context)
+ //if the context is not CONTEXT_MODULE, $pluginpermissionsarray will be null, so it will never pass here
+ // (see beginning of the code)
+ && (empty($pluginpermissionsarray) or $pluginpermissionsarray['viewany']))) {
\ No newline at end of file
 $result->aggregate = $aggregatetoreturn;
 $result->count = $items[0]->rating->count;
 $result->itemid = $itemid;
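Review bot: The last added clause, `(empty($pluginpermissionsarray) or $pluginpermissionsarray['viewany'])`, fails open: any empty value (null, or an empty array from a module that returned no permissions) skips the plugin-level `viewany` check and leaves `moodle/rating:viewany` as the only gate on the aggregate. The comment above it says a null array "will never pass here", which is the opposite of what `empty()` does, and the owner branch on the preceding line still reads `$pluginpermissionsarray['view']` unguarded, so the two branches now treat a missing array differently. If skipping the plugin check outside module context is intended, key it on the context rather than on emptiness, e.g. `&& ($context->contextlevel != CONTEXT_MODULE or !empty($pluginpermissionsarray['viewany']))`, and reword the comment to say the check is skipped there. How `$pluginpermissionsarray` is populated and the rest of the `if` body lie outside this hunk, so confirm it cannot be empty for a module context that should deny.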