Commit 12c28574 authored by Frederic Massart's avatar Frederic Massart Committed by Andrew Nicols

MDL-51369 backup: Respect capabilities when restoring course info

In short, when a user is creating a new course they can set
the ID number, shortname, fullname and summary. However, when
they merge a backup into a course they need the permissions to do so.
parent fada0691
......@@ -1686,27 +1686,54 @@ class restore_course_structure_step extends restore_structure_step {
*/
public function process_course($data) {
global $CFG, $DB;
$context = context::instance_by_id($this->task->get_contextid());
$userid = $this->task->get_userid();
$target = $this->get_task()->get_target();
$isnewcourse = $target != backup::TARGET_CURRENT_ADDING && $target != backup::TARGET_EXISTING_ADDING;
// When restoring to a new course we can set all the things except for the ID number.
$canchangeidnumber = $isnewcourse || has_capability('moodle/course:changeidnumber', $context, $userid);
$canchangeshortname = $isnewcourse || has_capability('moodle/course:changeshortname', $context, $userid);
$canchangefullname = $isnewcourse || has_capability('moodle/course:changefullname', $context, $userid);
$canchangesummary = $isnewcourse || has_capability('moodle/course:changesummary', $context, $userid);
$data = (object)$data;
$data->id = $this->get_courseid();
$fullname = $this->get_setting_value('course_fullname');
$shortname = $this->get_setting_value('course_shortname');
$startdate = $this->get_setting_value('course_startdate');
// Calculate final course names, to avoid dupes
// Calculate final course names, to avoid dupes.
list($fullname, $shortname) = restore_dbops::calculate_course_names($this->get_courseid(), $fullname, $shortname);
// Need to change some fields before updating the course record
$data->id = $this->get_courseid();
$data->fullname = $fullname;
$data->shortname= $shortname;
if ($canchangefullname) {
$data->fullname = $fullname;
} else {
unset($data->fullname);
}
if ($canchangeshortname) {
$data->shortname = $shortname;
} else {
unset($data->shortname);
}
if (!$canchangesummary) {
unset($data->summary);
unset($data->summaryformat);
}
// Only allow the idnumber to be set if the user has permission and the idnumber is not already in use by
// another course on this site.
$context = context::instance_by_id($this->task->get_contextid());
if (!empty($data->idnumber) && has_capability('moodle/course:changeidnumber', $context, $this->task->get_userid()) &&
$this->task->is_samesite() && !$DB->record_exists('course', array('idnumber' => $data->idnumber))) {
if (!empty($data->idnumber) && $canchangeidnumber && $this->task->is_samesite()
&& !$DB->record_exists('course', array('idnumber' => $data->idnumber))) {
// Do not reset idnumber.
} else if (!$isnewcourse) {
// Prevent override when restoring as merge.
unset($data->idnumber);
} else {
$data->idnumber = '';
}
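Review bot: `$isnewcourse` near the top of process_course() is computed by exclusion (`$target != backup::TARGET_CURRENT_ADDING && $target != backup::TARGET_EXISTING_ADDING`), so every other target value skips all four has_capability() checks, including any target that restores into an existing course after deleting its contents. If only a freshly created course is meant to bypass the checks, a positive test such as `$isnewcourse = $target == backup::TARGET_NEW_COURSE;` fails closed when a new target is introduced; if delete-and-restore is deliberately exempt, the variable name and comment should say so. The comment `// When restoring to a new course we can set all the things except for the ID number.` also disagrees with the next line, where `$canchangeidnumber` is true for a new course without any capability check, whereas the removed condition appears to have checked `moodle/course:changeidnumber` on every restore. The function body continues beyond the hunk, so later uses of `$data` are not visible here.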
......