MDL-15516 prvent access to deleted profiles and other user areas

ralferlebach · Jul 5, 2008 · f5fc83e · f5fc83e
1 parent d6ace12
commit f5fc83e
Show file tree

Hide file tree

Showing 8 changed files with 60 additions and 4 deletions.
diff --git a/blog/index.php b/blog/index.php
@@ -122,6 +122,13 @@
         if (!$user = $DB->get_record('user', array('id'=>$filterselect))) {
             print_error('invaliduserid');
         }
+        if ($user->deleted) {
+            print_header();
+            print_heading(get_string('userdeleted'));
+            print_footer();
+            die;
+        }
+
         if ($USER->id == $filterselect) {
             if (!has_capability('moodle/blog:create', $sitecontext)
               and !has_capability('moodle/blog:view', $sitecontext)) {

diff --git a/course/user.php b/course/user.php
@@ -21,9 +21,16 @@
         print_error('invaliduserid', 'error');
     }
 
-    //require_login($course);
+    require_login();
     $COURSE = clone($course);
 
+    if ($user->deleted) {
+        print_header();
+        print_heading(get_string('userdeleted'));
+        print_footer();
+        die;
+    }
+
     $coursecontext = get_context_instance(CONTEXT_COURSE, $id);
     $personalcontext = get_context_instance(CONTEXT_USER, $user->id);
 

diff --git a/message/discussion.php b/message/discussion.php
@@ -22,6 +22,13 @@
         print_error('invaliduserid');
     }
 
+    if ($user->deleted) {
+        print_header();
+        print_heading(get_string('userdeleted'));
+        print_footer();
+        die;
+    }
+
 /// Check if frame&jsless mode selected
     if (!get_user_preferences('message_noframesjs', 0) and !$noframesjs) {
 

diff --git a/mod/forum/user.php b/mod/forum/user.php
@@ -33,6 +33,13 @@
         require_course_login($course);
     }
 
+    if ($user->deleted) {
+        print_header();
+        print_heading(get_string('userdeleted'));
+        print_footer($course);
+        die;
+    }
+
     add_to_log($course->id, "forum", "user report",
             "user.php?course=$course->id&amp;id=$user->id&amp;mode=$mode", "$user->id");
 

diff --git a/notes/index.php b/notes/index.php
@@ -37,6 +37,14 @@
         }
         $filtertype = 'user';
         $filterselect = $user->id;
+
+        if ($user->deleted) {
+            print_header();
+            print_heading(get_string('userdeleted'));
+            print_footer();
+            die;
+        }
+
     } else {
         $filtertype = 'course';
         $filterselect = $course->id;

diff --git a/user/edit.php b/user/edit.php
@@ -89,6 +89,13 @@
         }
     }
 
+    if ($user->deleted) {
+        print_header();
+        print_heading(get_string('userdeleted'));
+        print_footer($course);
+        die;
+    }
+
     //load user preferences
     useredit_load_preferences($user);
 

diff --git a/user/editadvanced.php b/user/editadvanced.php
@@ -52,6 +52,13 @@
         print_error('guestnoeditprofileother');
     }
 
+    if ($user->deleted) {
+        print_header();
+        print_heading(get_string('userdeleted'));
+        print_footer($course);
+        die;
+    }
+
     //load user preferences
     useredit_load_preferences($user);
 

diff --git a/user/view.php b/user/view.php
@@ -142,6 +142,10 @@
 
     if ($user->deleted) {
         print_heading(get_string('userdeleted'));
+        if (!has_capability('moodle/user:update', $coursecontext)) {
+            print_footer($course);
+            die;
+        }
     }
 
 /// OK, security out the way, now we are showing the user
@@ -171,7 +175,9 @@
 
     $currenttab = 'profile';
     $showroles = 1;
-    include('tabs.php');
+    if (!$user->deleted) {
+        include('tabs.php');
+    }
 
     if (is_mnet_remote_user($user)) {
         $sql = "
@@ -458,7 +464,7 @@
         }
     }
 
-    if ($USER->id != $user->id  && empty($USER->realuser) && has_capability('moodle/user:loginas', $coursecontext) &&
+    if (!$user->deleted and $USER->id != $user->id  && empty($USER->realuser) && has_capability('moodle/user:loginas', $coursecontext) &&
                                  ! has_capability('moodle/site:doanything', $coursecontext, $user->id, false)) {
         echo '<form action="'.$CFG->wwwroot.'/course/loginas.php" method="get">';
         echo '<div>';
@@ -470,7 +476,7 @@
         echo '</form>';
     }
 
-    if (!empty($CFG->messaging) and !isguest() and has_capability('moodle/site:sendmessage', get_context_instance(CONTEXT_SYSTEM))) {
+    if (!$user->deleted and !empty($CFG->messaging) and !isguest() and has_capability('moodle/site:sendmessage', get_context_instance(CONTEXT_SYSTEM))) {
         if (!empty($USER->id) and ($USER->id == $user->id)) {
             if ($countmessages = $DB->count_records('message', array('useridto'=>$user->id))) {
                 $messagebuttonname = get_string("messages", "message")."($countmessages)";