/**
 * Grant a set of capabilities to an existing role.
 *
 * Usage: add_role_caps( 'contributor', array( 'upload_files' ) );
 *
 * When wpcom_vip_add_role_caps() is defined the call is delegated to it
 * unchanged. Otherwise every capability name becomes a key mapped to true
 * and the resulting map is handed to merge_role_caps().
 *
 * Neither path validates $role or $caps here: whatever names are passed in
 * are granted. Callers should pass fixed, reviewed capability names rather
 * than values derived from request data.
 *
 * @param string $role Role name
 * @param array $caps Capabilities to add to the role (the fallback path casts
 *                    a non-array value to a one-element array)
 */
function add_role_caps($role, $caps) {
    // Prefer the platform helper whenever it is available.
    if (function_exists('wpcom_vip_add_role_caps')) {
        wpcom_vip_add_role_caps($role, $caps);
        return;
    }

    // Fallback: build a capability => true map for merge_role_caps().
    $grants = array();
    foreach ((array) $caps as $capability) {
        $grants[$capability] = true;
    }

    merge_role_caps($role, $grants);
}
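/**
 * Gate a page on the current user being logged in and allowed to see the
 * requested course and, optionally, course module.
 *
 * The checks run in this order, and each one either lets execution continue
 * or hands the request to a redirect/notice/error helper:
 *  - not logged in: remember the wanted URL and the referer in $SESSION and
 *    redirect to the site login, as a guest login when $autologinguest is set,
 *    {@link $CFG}->guestloginbutton and {@link $CFG}->autologinguests are
 *    non-empty, and the course is the site course or allows guests;
 *  - "login as" restricted to one course: reject access to any other course;
 *  - forced password change (only when not acting as another user);
 *  - user account not fully set up: redirect to the profile editor;
 *  - session IP pinning, when $CFG->tracksessionip is set;
 *  - site policy agreement, when $CFG->sitepolicy is set;
 *  - maintenance mode for users without moodle/site:config;
 *  - course visibility, guest policy, course:view capability and hidden
 *    activity checks; anyone left over is sent to the enrolment page.
 *
 * NOTE(review): most denial paths call redirect(), notice(), error() or
 * print_error() with no exit after them. The checks only hold if those
 * helpers end the request; that is not visible in this function, so confirm
 * it before relying on a fall-through being impossible.
 *
 * @uses $CFG
 * @uses $SESSION
 * @uses $USER
 * @uses $FULLME
 * @uses SITEID
 * @uses $COURSE
 * @param mixed $courseorid id of the course or course object
 * @param bool $autologinguest allow the automatic guest login described above
 * @param object $cm course module object
 * @param bool $setwantsurltome Define if we want to set $SESSION->wantsurl, defaults to
 *             true. Used to avoid (=false) some scripts (file.php...) to set that variable,
 *             in order to keep redirects working properly. MDL-14495
 * @return mixed nothing on every allowed path except the "guest with enrolment
 *               key" path, which returns true; callers should not depend on the value
 */
function require_login($courseorid = 0, $autologinguest = true, $cm = null, $setwantsurltome = true) {
    global $CFG, $SESSION, $USER, $COURSE, $FULLME;

    /// setup global $COURSE, themes, language and locale
    course_setup($courseorid);

    /// If the user is not even logged in yet then make sure they are
    if (!isloggedin()) {
        //NOTE: $USER->site check was obsoleted by session test cookie,
        //      $USER->confirmed test is in login/index.php
        if ($setwantsurltome) {
            $SESSION->wantsurl = $FULLME;
        }
        // HTTP_REFERER is a client-supplied header, so $SESSION->fromurl holds
        // untrusted data; whatever later redirects to it or prints it has to
        // validate or escape it.
        if (!empty($_SERVER['HTTP_REFERER'])) {
            $SESSION->fromurl = $_SERVER['HTTP_REFERER'];
        }
        if ($autologinguest and !empty($CFG->guestloginbutton) and !empty($CFG->autologinguests) and ($COURSE->id == SITEID or $COURSE->guest)) {
            $loginguest = '?loginguest=true';
        } else {
            $loginguest = '';
        }
        if (empty($CFG->loginhttps) or $loginguest) { //do not require https for guest logins
            redirect($CFG->wwwroot . '/login/index.php' . $loginguest);
        } else {
            $wwwroot = str_replace('http:', 'https:', $CFG->wwwroot);
            redirect($wwwroot . '/login/index.php');
        }
        exit;
    }

    /// loginas as redirection if needed
    if ($COURSE->id != SITEID and !empty($USER->realuser)) {
        if ($USER->loginascontext->contextlevel == CONTEXT_COURSE) {
            // A course-level "login as" session is confined to that one course.
            if ($USER->loginascontext->instanceid != $COURSE->id) {
                print_error('loginasonecourse', '', $CFG->wwwroot . '/course/view.php?id=' . $USER->loginascontext->instanceid);
            }
        }
    }

    /// check whether the user should be changing password (but only if it is REALLY them)
    $userauth = get_auth_plugin($USER->auth);
    if (get_user_preferences('auth_forcepasswordchange') && empty($USER->realuser)) {
        if ($userauth->can_change_password()) {
            $SESSION->wantsurl = $FULLME;
            if ($userauth->change_password_url()) {
                //use plugin custom url
                redirect($userauth->change_password_url());
            } else {
                //use moodle internal method
                if (empty($CFG->loginhttps)) {
                    redirect($CFG->wwwroot . '/login/change_password.php');
                } else {
                    $wwwroot = str_replace('http:', 'https:', $CFG->wwwroot);
                    redirect($wwwroot . '/login/change_password.php');
                }
            }
        } else {
            error(get_string('nopasswordchangeforced', 'auth'));
        }
    }

    /// Check that the user account is properly set up
    if (user_not_fully_set_up($USER)) {
        $SESSION->wantsurl = $FULLME;
        redirect($CFG->wwwroot . '/user/edit.php?id=' . $USER->id . '&course=' . SITEID);
    }

    /// Make sure current IP matches the one for this session (if required)
    if (!empty($CFG->tracksessionip)) {
        // Strict comparison on purpose: with != PHP compares two numeric-looking
        // strings as numbers, so distinct digests of the form "0e<digits>" would
        // be treated as equal. Presumably $USER->sessionIP is stored as
        // md5(getremoteaddr()) when the session is created - confirm.
        if ($USER->sessionIP !== md5(getremoteaddr())) {
            error(get_string('sessionipnomatch', 'error'));
        }
    }

    /// Make sure the USER has a sesskey set up.  Used for checking script parameters.
    sesskey();

    // Check that the user has agreed to a site policy if there is one
    if (!empty($CFG->sitepolicy)) {
        if (!$USER->policyagreed) {
            $SESSION->wantsurl = $FULLME;
            redirect($CFG->wwwroot . '/user/policy.php');
        }
    }

    /// If the site is currently under maintenance, then print a message
    if (!has_capability('moodle/site:config', get_context_instance(CONTEXT_SYSTEM, SITEID))) {
        if (file_exists($CFG->dataroot . '/' . SITEID . '/maintenance.html')) {
            print_maintenance_message();
            exit;
        }
    }

    if ($COURSE->id == SITEID) {
        /// We can eliminate hidden site activities straight away
        if (!empty($cm) && !$cm->visible and !has_capability('moodle/course:viewhiddenactivities', get_context_instance(CONTEXT_COURSE, $COURSE->id))) {
            redirect($CFG->wwwroot, get_string('activityiscurrentlyhidden'));
        }
        return;

    } else {
        /// Check if the user can be in a particular course
        if (!($context = get_context_instance(CONTEXT_COURSE, $COURSE->id))) {
            print_error('nocontext');
        }

        // Hidden course: only users with a switched role in this context or the
        // viewhiddencourses capability get past this point.
        if (empty($USER->switchrole[$context->id]) && !($COURSE->visible && course_parent_visible($COURSE)) && !has_capability('moodle/course:viewhiddencourses', get_context_instance(CONTEXT_COURSE, $COURSE->id))) {
            print_header_simple();
            notice(get_string('coursehidden'), $CFG->wwwroot . '/');
        }

        /// Non-guests who don't currently have access, check if they can be allowed in as a guest
        if ($USER->username != 'guest' and !has_capability('moodle/course:view', $context)) {
            if ($COURSE->guest == 1) {
                // Temporarily assign them guest role for this context, if it fails later user is asked to enrol
                has_capability('clearcache'); // Must clear cache
                $guestcaps = get_role_context_caps($CFG->guestroleid, $context);
                $USER->capabilities = merge_role_caps($USER->capabilities, $guestcaps);
            }
        }

        /// If the user is a guest then treat them according to the course policy about guests
        if (has_capability('moodle/legacy:guest', $context, NULL, false)) {
            if (has_capability('moodle/site:doanything', get_context_instance(CONTEXT_SYSTEM))) {
                // administrators must be able to access any course - even if somebody gives them guest access
                return;
            }

            switch ($COURSE->guest) { /// Check course policy about guest access

                case 1: /// Guests always allowed
                    if (!has_capability('moodle/course:view', $context)) { // Prohibited by capability
                        print_header_simple();
                        notice(get_string('guestsnotallowed', '', format_string($COURSE->fullname)), "{$CFG->wwwroot}/login/index.php");
                    }
                    if (!empty($cm) and !$cm->visible) { // Not allowed to see module, send to course page
                        redirect($CFG->wwwroot . '/course/view.php?id=' . $cm->course, get_string('activityiscurrentlyhidden'));
                    }

                    return; // User is allowed to see this course

                    break;

                case 2: /// Guests allowed with key
                    // NOTE(review): unlike case 1, this path returns without
                    // looking at $cm->visible, so a guest holding an enrolment
                    // key is not stopped here for a hidden module - confirm
                    // that is intended or enforced elsewhere.
                    if (!empty($USER->enrolkey[$COURSE->id])) { // Set by enrol/manual/enrol.php
                        return true;
                    }
                    // otherwise drop through to logic below (--> enrol.php)
                    break;

                default: /// Guests not allowed
                    print_header_simple('', '', get_string('loggedinasguest'));
                    if (empty($USER->switchrole[$context->id])) { // Normal guest
                        notice(get_string('guestsnotallowed', '', format_string($COURSE->fullname)), "{$CFG->wwwroot}/login/index.php");
                    } else {
                        notify(get_string('guestsnotallowed', '', format_string($COURSE->fullname)));
                        echo '<div class="notifyproblem">' . switchroles_form($COURSE->id) . '</div>';
                        print_footer($COURSE);
                        exit;
                    }
                    break;
            }

        /// For non-guests, check if they have course view access
        } else {
            if (has_capability('moodle/course:view', $context)) {
                if (!empty($USER->realuser)) { // Make sure the REAL person can also access this course
                    if (!has_capability('moodle/course:view', $context, $USER->realuser)) {
                        print_header_simple();
                        notice(get_string('studentnotallowed', '', fullname($USER, true)), $CFG->wwwroot . '/');
                    }
                }

                /// Make sure they can read this activity too, if specified
                if (!empty($cm) and !$cm->visible and !has_capability('moodle/course:viewhiddenactivities', $context)) {
                    redirect($CFG->wwwroot . '/course/view.php?id=' . $cm->course, get_string('activityiscurrentlyhidden'));
                }
                return; // User is allowed to see this course
            }
        }

        /// Currently not enrolled in the course, so see if they want to enrol
        $SESSION->wantsurl = $FULLME;
        redirect($CFG->wwwroot . '/course/enrol.php?id=' . $COURSE->id);
        die;
    }
}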
/**
 * Rebuild the complete capability set of the current user in $USER.
 *
 * This is what gets called from login, for example. Guests get the guest
 * role, users who are not logged in get the not-logged-in role, and everyone
 * else gets their own capabilities, narrowed by an active course-level
 * "login as" session, replaced per context by any switched roles, and
 * finally merged with the default user role.
 */
function load_all_capabilities() {
    global $USER;

    // Default-role caps are kept in a static so repeated calls reuse them
    // (caching - helps user switching in cron).
    static $defcaps = false;

    unset($USER->mycourses); // Reset a cache used by get_my_courses

    if (isguestuser()) {
        load_guest_role(); // All non-guest users get this by default
        return;
    }

    if (!isloggedin()) {
        load_notloggedin_role();
        return;
    }

    if ($defcaps === false) {
        $defcaps = load_defaultuser_role(true);
    }

    load_user_capability();

    // In a "course login as" session keep only the capabilities of the
    // login-as context and its children (it may not always work as expected).
    if (!empty($USER->realuser) and $USER->loginascontext->contextlevel != CONTEXT_SYSTEM) {
        $keptcontexts = get_child_contexts($USER->loginascontext);
        $keptcontexts[] = $USER->loginascontext->id;

        foreach ($USER->capabilities as $conid => $ignored) {
            if (!in_array($conid, $keptcontexts)) {
                unset($USER->capabilities[$conid]);
            }
        }
    }

    // Role switching in courses: drop what the user had in the switched
    // context and below, then merge in the switched role's capabilities.
    if (!empty($USER->switchrole)) {
        foreach ($USER->switchrole as $contextid => $roleid) {
            $switchedcontext = get_context_instance_by_id($contextid);

            foreach (get_child_contexts($switchedcontext) as $childid) {
                unset($USER->capabilities[$childid]);
            }
            unset($USER->capabilities[$contextid]);

            $USER->capabilities = merge_role_caps(
                $USER->capabilities,
                get_role_context_caps($roleid, $switchedcontext)
            );
        }
    }

    // Defaults are merged last, i.e. after the login-as pruning and the role
    // switch above, so they are not subject to either restriction.
    // NOTE(review): confirm that ordering is intended.
    $USER->capabilities = isset($USER->capabilities)
        ? merge_role_caps($USER->capabilities, $defcaps)
        : $defcaps;
}