improved permission check for ownership

Author: Tamara Gunkel

changeowner.php

@@ -46,12 +46,14 @@
 $systemcontext = context_system::instance();
 
 if ($courseid == $SITE->id) {
-    course_require_view_participants($systemcontext);
+    require_capability('block/opencast:viewusers', $systemcontext);
+    $viewfullnames = has_capability('moodle/site:viewfullnames', $systemcontext);
 } else {
     course_require_view_participants($coursecontext);
+    $viewfullnames = has_capability('moodle/site:viewfullnames', $coursecontext);
 }
 
-if (empty(get_config('aclownerrole_' . $ocinstanceid, 'block_opencast'))) {
+if (empty(get_config('block_opencast', 'aclownerrole_' . $ocinstanceid))) {
     redirect($redirecturl, get_string('functionalitydisabled', 'block_opencast'), null,
         \core\output\notification::NOTIFY_ERROR);
 }
@@ -66,6 +68,7 @@
     }
     $title = $series->title;
     $acls = $series->acl;
+    $noowner = !$apibridge->has_owner($series->acl);
 
 } else {
     $video = $apibridge->get_opencast_video($identifier, false, true);
@@ -77,10 +80,20 @@
         $title = $video->video->title;
         $acls = $video->video->acl;
     }
+    $noowner = !$apibridge->has_owner($acls);
+    if ($noowner) {
+        // Check if user owns series.
+        $series = $apibridge->get_series_by_identifier($video->video->is_part_of, true);
+        if (!$series || (!$apibridge->is_owner($acls, $USER->id, $courseid) && $apibridge->has_owner($series->acl))) {
+            $noowner = false;
+        }
+    }
 }
 
 // Verify that current user is the owner or is admin.
-if (!$apibridge->is_owner($acls, $USER->id, $courseid) &&
+$isowner = $apibridge->is_owner($acls, $USER->id, $courseid);
+if (!$isowner &&
+    !$noowner &&
     !has_capability('block/opencast:canchangeownerforallvideos', $systemcontext)) {
     throw new moodle_exception(get_string('userisntowner', 'block_opencast'));
 } else {
@@ -90,12 +103,18 @@
     $PAGE->navbar->add(get_string('pluginname', 'block_opencast'), $redirecturl);
     $PAGE->navbar->add(get_string('changeowner', 'block_opencast'), $baseurl);
 
+    $excludeusers = array();
+    if ($isowner) {
+        $excludeusers = [$USER->id];
+    }
+
     $userselector = new block_opencast_enrolled_user_selector('ownerselect',
-        array('context' => $coursecontext, 'multiselect' => false));
+        array('context' => $coursecontext, 'multiselect' => false, 'exclude' => $excludeusers));
+    $userselector->viewfullnames = $viewfullnames;
 
     $changeownerform = new \block_opencast\local\changeowner_form(null,
         array('courseid' => $courseid, 'title' => $title, 'identifier' => $identifier,
-            'ocinstanceid' => $ocinstanceid, 'userselector' => $userselector, 'isseries' => $isseries));
+            'ocinstanceid' => $ocinstanceid, 'userselector' => $userselector, 'isseries' => $isseries, 'noowner' => $noowner));
 
     if ($changeownerform->is_cancelled()) {
         redirect($redirecturl);

classes/local/apibridge.php

@@ -2103,6 +2103,37 @@ public function is_owner($acls, $userid, $courseid) {
         return in_array($roletosearch, $acls);
     }
 
+    /**
+     * Checks if a given event/series has an owner.
+     * @param string[] $acls ACLs
+     * @return bool
+     */
+    public function has_owner($acls) {
+        $ownerrole = get_config('block_opencast', 'aclownerrole_' . $this->ocinstanceid);
+        $ownerroleregex = false;
+        foreach (self::$userplaceholders as $userplaceholder) {
+            $r = str_replace($userplaceholder, '.*?', $ownerrole);
+            if ($r != $ownerrole) {
+                $ownerroleregex = $r;
+                break;
+            }
+        }
+
+        if (!$ownerroleregex) {
+            return false;
+        }
+
+        $ownerroleregex = '/' . $ownerroleregex . '/';
+
+        foreach (array_column($acls, 'role') as $role) {
+            if (preg_match($ownerroleregex, $role)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
     /**
      * Returns the owner rolename for a given user.
      * @param int $userid

classes/local/changeowner_form.php

@@ -62,11 +62,21 @@ public function definition() {
         $mform->setType('isseries', PARAM_BOOL);
 
         if ($this->_customdata['isseries']) {
-            $notification = $renderer->wizard_intro_notification(
-                get_string('changeownerseries_explanation', 'block_opencast', $this->_customdata['title']));
+            if ($this->_customdata['noowner']) {
+                $notification = $renderer->wizard_intro_notification(
+                    get_string('claimownerseries_explanation', 'block_opencast', $this->_customdata['title']));
+            } else {
+                $notification = $renderer->wizard_intro_notification(
+                    get_string('changeownerseries_explanation', 'block_opencast', $this->_customdata['title']));
+            }
         } else {
-            $notification = $renderer->wizard_intro_notification(
-                get_string('changeowner_explanation', 'block_opencast', $this->_customdata['title']));
+            if ($this->_customdata['noowner']) {
+                $notification = $renderer->wizard_intro_notification(
+                    get_string('claimowner_explanation', 'block_opencast', $this->_customdata['title']));
+            } else {
+                $notification = $renderer->wizard_intro_notification(
+                    get_string('changeowner_explanation', 'block_opencast', $this->_customdata['title']));
+            }
         }
 
         $mform->addElement('html', $notification);

db/access.php

@@ -32,6 +32,14 @@
         ),
         'clonepermissionsfrom' => 'moodle/my:manageblocks'
     ),
+    'block/opencast:viewusers' => array(
+        'captype' => 'read',
+        'riskbitmask' => RISK_PERSONAL,
+        'contextlevel' => CONTEXT_SYSTEM,
+        'archetypes' => array(
+            'manager' => CAP_ALLOW
+        )
+    ),
     'block/opencast:addinstance' => array(
         'riskbitmask' => RISK_SPAM,
         'captype' => 'write',

index.php

@@ -312,18 +312,16 @@
 
 
 foreach ($seriesvideodata as $series => $videodata) {
-    // Get series title from first video.
-    if ($videodata->videos && $videodata->videos[0]) {
-        echo $renderer->render_series_intro($coursecontext, $ocinstanceid, $courseid, $series, $videodata->videos[0]->series);
+    // Try to retrieve name from opencast.
+    $ocseries = $apibridge->get_series_by_identifier($series, true);
+    $isseriesowner = false;
+
+    if ($ocseries) {
+        echo $renderer->render_series_intro($coursecontext, $ocinstanceid, $courseid, $series, $ocseries->title);
+        $isseriesowner = $opencast->is_owner($ocseries->acl, $USER->id, $courseid) || !$opencast->has_owner($ocseries->acl);
     } else {
-        // Try to retrieve name from opencast.
-        $ocseries = $apibridge->get_series_by_identifier($series);
-        if ($ocseries) {
-            echo $renderer->render_series_intro($coursecontext, $ocinstanceid, $courseid, $series, $ocseries->title);
-        } else {
-            // If that fails use id.
-            echo $renderer->render_series_intro($coursecontext, $ocinstanceid, $courseid, $series, $series);
-        }
+        // If that fails use id.
+        echo $renderer->render_series_intro($coursecontext, $ocinstanceid, $courseid, $series, $series);
     }
 
     if ($videodata->error == 0) {
@@ -415,8 +413,10 @@
                 $updatemetadata = $opencast->can_update_event_metadata($video, $courseid);
                 $useeditor = $opencast->can_edit_event_in_editor($video, $courseid);
                 $canchangeowner = ($opencast->is_owner($video->acl, $USER->id, $courseid) ||
+                        ($isseriesowner && !$opencast->has_owner($video->acl)) ||
                         has_capability('block/opencast:canchangeownerforallvideos', context_system::instance())) &&
-                    !empty(get_config('aclownerrole_' . $ocinstanceid, 'block_opencast'));
+                    !empty(get_config('block_opencast', 'aclownerrole_' . $ocinstanceid));
+
                 $actions .= $renderer->render_edit_functions($ocinstanceid, $courseid, $video->identifier, $updatemetadata,
                     $workflowsavailable, $coursecontext, $useeditor, $canchangeowner);
 

lang/en/block_opencast.php

@@ -207,6 +207,8 @@
 $string['changeowner'] = 'Change owner';
 $string['changeowner_explanation'] = 'Currently, you are the owner of the video {$a}.<br>You can transfer the ownership to another person.<br><b>Notice:</b> You might loose the right to access the video.';
 $string['changeownerseries_explanation'] = 'Currently, you are the owner of the series {$a}.<br>You can transfer the ownership to another person.<br><b>Notice:</b> You might loose the right to access the series.';
+$string['claimowner_explanation'] = 'Currently, nobody owns the video {$a}.<br>You can claim the ownership or set another person as owner.<br><b>Notice:</b> You might loose the right to access the video if you do not claim the ownership yourself.';
+$string['claimownerseries_explanation'] = 'Currently, nobody owns the series {$a}.<br>You can claim the ownership or set another person as owner.<br><b>Notice:</b> You might loose the right to access the series if you do not claim the ownership yourself.';
 $string['changevisibility_header'] = 'Change visibility for {$a->title}';
 $string['changevisibility'] = 'Alter visibility';
 $string['connection_failure'] = 'Could not reach Opencast server.';
@@ -529,6 +531,7 @@
 $string['opencast:myaddinstance'] = 'Add a new opencast upload block to Dashboard';
 $string['opencast:unassignevent'] = 'Unassign a video from the course, where the video was uploaded.';
 $string['opencast:viewunpublishedvideos'] = 'View all the videos from opencast server, even when they are not published';
+$string['opencast:viewusers'] = 'View all users so that the series/event owner can be changed in dashboard.';
 $string['opencaststudiointegration'] = 'Opencast studio integration';
 $string['opencastseries'] = 'Opencast Series';
 $string['owner'] = 'Owner';

overview.php

@@ -87,14 +87,17 @@
 $sortcolumns = $table->get_sort_columns();
 
 $activityinstalled = \core_plugin_manager::instance()->get_plugin_info('mod_opencast') != null;
-$showchangeownerlink = course_can_view_participants(context_system::instance()) &&
-    !empty(get_config('aclownerrole_' . $ocinstanceid, 'block_opencast'));
+$showchangeownerlink = has_capability('block/opencast:viewusers', context_system::instance()) &&
+    !empty(get_config('block_opencast', 'aclownerrole_' . $ocinstanceid));
 
 foreach ($myseries as $seriesid) {
     $row = array();
 
+    // Try to retrieve name from opencast.
+    $ocseries = $apibridge->get_series_by_identifier($seriesid, true);
+
     // Check if current user is owner of the series.
-    if (in_array($seriesid, $ownedseries)) {
+    if (in_array($seriesid, $ownedseries) || ($ocseries && !$apibridge->has_owner($ocseries->acl))) {
         if ($showchangeownerlink) {
             $row[] = html_writer::link(new moodle_url('/blocks/opencast/changeowner.php',
                 array('ocinstanceid' => $ocinstanceid, 'identifier' => $seriesid, 'isseries' => true)),
@@ -107,8 +110,6 @@
         $row[] = '';
     }
 
-    // Try to retrieve name from opencast.
-    $ocseries = $apibridge->get_series_by_identifier($seriesid);
     if ($ocseries) {
         $row[] = $ocseries->title;
     } else {

overview_videos.php

@@ -76,6 +76,9 @@
     }
 }
 
+
+$isseriesowner = $ocseries && ($apibridge->is_owner($ocseries->acl, $USER->id, $SITE->id) || !$apibridge->has_owner($ocseries->acl));
+
 $PAGE->navbar->add(get_string('opencastseries', 'block_opencast'),
     new moodle_url('/blocks/opencast/overview.php', array('ocinstanceid' => $ocinstanceid)));
 $PAGE->navbar->add(get_string('pluginname', 'block_opencast'), $baseurl);
@@ -103,11 +106,11 @@
 
 $videos = $apibridge->get_series_videos($series)->videos;
 $activityinstalled = \core_plugin_manager::instance()->get_plugin_info('mod_opencast') != null;
-$showchangeownerlink = course_can_view_participants(context_system::instance()) &&
-    !empty(get_config('aclownerrole_' . $ocinstanceid, 'block_opencast'));
+$showchangeownerlink = has_capability('block/opencast:viewusers', context_system::instance()) &&
+    !empty(get_config('block_opencast', 'aclownerrole_' . $ocinstanceid));
 
 foreach ($renderer->create_overview_videos_rows($videos, $apibridge, $ocinstanceid,
-    $activityinstalled, $showchangeownerlink) as $row) {
+    $activityinstalled, $showchangeownerlink, false, $isseriesowner) as $row) {
     $table->add_data($row);
 }
 

renderer.php

@@ -359,7 +359,7 @@ public function create_overview_videos_table($id, $headers, $columns, $baseurl)
      * @throws moodle_exception
      */
     public function create_overview_videos_rows($videos, $apibridge, $ocinstanceid, $activityinstalled,
-                                                $showchangeownerlink, $isownerverified = false) {
+                                                $showchangeownerlink, $isownerverified = false, $isseriesowner = false) {
         global $USER, $SITE, $DB;
         $rows = array();
 
@@ -372,7 +372,8 @@ public function create_overview_videos_rows($videos, $apibridge, $ocinstanceid,
 
             $row = array();
 
-            if ($isownerverified || $apibridge->is_owner($video->acl, $USER->id, $SITE->id)) {
+            if ($isownerverified || $apibridge->is_owner($video->acl, $USER->id, $SITE->id) ||
+                ($isseriesowner && !$apibridge->has_owner($video->acl))) {
                 if ($showchangeownerlink) {
                     $row[] = html_writer::link(new moodle_url('/blocks/opencast/changeowner.php',
                         array('ocinstanceid' => $ocinstanceid, 'identifier' => $video->identifier, 'isseries' => false)),

version.php

@@ -23,7 +23,7 @@
  */
 defined('MOODLE_INTERNAL') || die();
 
-$plugin->version = 2022022200;
+$plugin->version = 2022022201;
 $plugin->requires = 2017111300;
 $plugin->maturity = MATURITY_STABLE;
 $plugin->release = 'v3.11-r7';