blocks editing ui: MDL-19398 permissions checks when deleting a block.

ralferlebach · Jul 14, 2009 · 02b126a · 02b126a
1 parent 1936f20
commit 02b126a
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 3 deletions.
diff --git a/lang/en_utf8/moodle.php b/lang/en_utf8/moodle.php
@@ -403,6 +403,7 @@
 $string['defaultcourseteacherdescription'] = 'Teachers can do anything within a course, including changing the activities and grading students.';
 $string['defaultcourseteachers'] = 'Teachers';
 $string['delete'] = 'Delete';
+$string['deleteablock'] = 'Delete a block';
 $string['deleteall'] = 'Delete all';
 $string['deleteallcannotundo'] = 'Delete all - cannot be undone';
 $string['deleteallcomments'] = 'Delete all comments';

diff --git a/lib/blocklib.php b/lib/blocklib.php
@@ -948,8 +948,13 @@ function block_process_url_delete($page) {
 
     confirm_sesskey();
 
-    $instance = $page->blocks->find_instance($blockid);
-    blocks_delete_instance($instance->instance);
+    $block = $page->blocks->find_instance($blockid);
+
+    if (!$block->user_can_edit() || !$page->user_can_edit_blocks() || !$block->user_can_addto($page)) {
+        throw new moodle_exception('nopermissions', '', $page->url->out(), get_string('deleteablock'));
+    }
+
+    blocks_delete_instance($block->instance);
 
     // If the page URL was a guses, it will contain the bui_... param, so we must make sure it is not there.
     $page->ensure_param_not_in_url('bui_deleteid');
@@ -963,7 +968,7 @@ function block_process_url_delete($page) {
  * @return boolean true if anything was done. False if not.
  */
 function block_process_url_show_hide($page) {
-
+    // TODO MDL-19398
 }
 
 ///**