From 02b126af8afc533e8fc78135db3a5d8ba9c58780 Mon Sep 17 00:00:00 2001
From: tjhunt
Date: Tue, 14 Jul 2009 11:16:21 +0000
Subject: [PATCH] blocks editing ui: MDL-19398 permissions checks when deleting a block.

---
 lang/en_utf8/moodle.php | 1 +
 lib/blocklib.php | 11 ++++++++---
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/lang/en_utf8/moodle.php b/lang/en_utf8/moodle.php
index c32233df69349..799660494e038 100644
--- a/lang/en_utf8/moodle.php
+++ b/lang/en_utf8/moodle.php
@@ -403,6 +403,7 @@
 $string['defaultcourseteacherdescription'] = 'Teachers can do anything within a course, including changing the activities and grading students.';
 $string['defaultcourseteachers'] = 'Teachers';
 $string['delete'] = 'Delete';
+$string['deleteablock'] = 'Delete a block';
 $string['deleteall'] = 'Delete all';
 $string['deleteallcannotundo'] = 'Delete all - cannot be undone';
 $string['deleteallcomments'] = 'Delete all comments';
diff --git a/lib/blocklib.php b/lib/blocklib.php
index 17686d36df61c..46baf109482f2 100644
--- a/lib/blocklib.php
+++ b/lib/blocklib.php
@@ -948,8 +948,13 @@ function block_process_url_delete($page) {
 confirm_sesskey();
- $instance = $page->blocks->find_instance($blockid);
- blocks_delete_instance($instance->instance);
+ $block = $page->blocks->find_instance($blockid);
+
+ if (!$block->user_can_edit() || !$page->user_can_edit_blocks() || !$block->user_can_addto($page)) {
+ throw new moodle_exception('nopermissions', '', $page->url->out(), get_string('deleteablock'));
+ }
+
+ blocks_delete_instance($block->instance);
 // If the page URL was a guses, it will contain the bui_... param, so we must make sure it is not there.
 $page->ensure_param_not_in_url('bui_deleteid');
@@ -963,7 +968,7 @@ function block_process_url_delete($page) {
 * @return boolean true if anything was done. False if not.
 */
 function block_process_url_show_hide($page) {
-
+ // TODO MDL-19398
 }
 ///**
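Review bot: In block_process_url_delete the new permission failure is thrown with `$page->url->out()` as its link, while `$page->ensure_param_not_in_url('bui_deleteid')` still runs only after the delete. When the page URL was guessed from the request (the case the existing comment describes), the error page's link may therefore still carry `bui_deleteid` and send the user straight back into the same denial; moving the `ensure_param_not_in_url('bui_deleteid')` call above the `if` would keep the delete parameter out of that link. The result of `find_instance($blockid)` is also dereferenced without a check: if it can return null for an id that is not on the page (its definition is not visible here), `$block->user_can_edit()` becomes a fatal error rather than a clean refusal. A one-line comment saying why `user_can_addto($page)` gates deletion would help the next reader, and the function itself starts and ends outside this hunk.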