From 0f7fb9874713aed5283a536cf8718acf7d759a66 Mon Sep 17 00:00:00 2001
From: Jun Pataleta
Date: Sat, 12 May 2018 16:58:51 +0800
Subject: [PATCH] MDL-62299 tool_dataprivacy: Show requests correctly in mydatarequests

For DPOs viewing their personal data requests page (mydatarequests.php), show only the requests they made for themselves and for their children.
---
 admin/tool/dataprivacy/classes/api.php | 18 +++++++++--
 admin/tool/dataprivacy/classes/local/helper.php | 38 +++++++++++++++++++++++
 admin/tool/dataprivacy/createdatarequest_form.php | 28 +++++------------
 3 files changed, 61 insertions(+), 23 deletions(-)

diff --git a/admin/tool/dataprivacy/classes/api.php b/admin/tool/dataprivacy/classes/api.php
index 9054612f966..a6d5ab51d3a 100644
--- a/admin/tool/dataprivacy/classes/api.php
+++ b/admin/tool/dataprivacy/classes/api.php
@@ -37,6 +37,7 @@ use moodle_url;
 use required_capability_exception;
 use stdClass;
 use tool_dataprivacy\external\data_request_exporter;
+use tool_dataprivacy\local\helper;
 use tool_dataprivacy\task\initiate_data_request_task;
 use tool_dataprivacy\task\process_data_request_task;
@@ -218,16 +219,29 @@ class api {
 * @throws dml_exception
 */
 public static function get_data_requests($userid = 0) {
- global $USER;
+ global $DB, $USER;
 $results = [];
 $sort = 'status ASC, timemodified ASC';
 if ($userid) {
 // Get the data requests for the user or data requests made by the user.
- $select = "userid = :userid OR requestedby = :requestedby";
+ $select = "(userid = :userid OR requestedby = :requestedby)";
 $params = [
 'userid' => $userid,
 'requestedby' => $userid
 ];
+
+ // Build a list of user IDs that the user is allowed to make data requests for.
+ // Of course, the user should be included in this list.
+ $alloweduserids = [$userid];
+ // Get any users that the user can make data requests for.
+ if ($children = helper::get_children_of_user($userid)) {
+ // Get the list of user IDs of the children and merge to the allowed user IDs.
+ $alloweduserids = array_merge($alloweduserids, array_keys($children));
+ }
+ list($insql, $inparams) = $DB->get_in_or_equal($alloweduserids, SQL_PARAMS_NAMED);
+ $select .= " AND userid $insql";
+ $params = array_merge($params, $inparams);
+
 $results = data_request::get_records_select($select, $params, $sort);
 } else {
 // If the current user is one of the site's Data Protection Officers, then fetch all data requests.
diff --git a/admin/tool/dataprivacy/classes/local/helper.php b/admin/tool/dataprivacy/classes/local/helper.php
index 77664b8c42b..d7c3436c388 100644
--- a/admin/tool/dataprivacy/classes/local/helper.php
+++ b/admin/tool/dataprivacy/classes/local/helper.php
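Review bot: The new `AND userid $insql` filter in `get_data_requests()` is built entirely from the `$userid` argument; `$USER` is declared but not consulted on this path, so the restriction is only as good as the caller's choice of ID. The callers are outside this diff, so this may already be enforced, but the docblock (which starts above the hunk) should state the precondition, e.g. `Callers must verify that the current user is allowed to view the requests of $userid.` The diffstat lists no test file; a unit test with a DPO who has filed requests for unrelated users, asserting that only their own and their children's requests come back, would pin the behaviour this commit is fixing.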
@@ -108,4 +108,42 @@ class helper {
 throw new moodle_exception('errorinvalidrequeststatus', 'tool_dataprivacy');
 }
 }
+
+ /**
+ * Get the users that a user can make data request for.
+ *
+ * E.g. User having a parent role and has the 'tool/dataprivacy:makedatarequestsforchildren' capability.
+ * @param int $userid The user's ID.
+ * @return array
+ */
+ public static function get_children_of_user($userid) {
+ global $DB;
+
+ // Get users that the user has role assignments to.
+ $allusernames = get_all_user_name_fields(true, 'u');
+ $sql = "SELECT u.id, $allusernames
+ FROM {role_assignments} ra, {context} c, {user} u
+ WHERE ra.userid = :userid
+ AND ra.contextid = c.id
+ AND c.instanceid = u.id
+ AND c.contextlevel = :contextlevel";
+ $params = [
+ 'userid' => $userid,
+ 'contextlevel' => CONTEXT_USER
+ ];
+
+ // The final list of users that we will return;
+ $finalresults = [];
+
+ // Our prospective list of users.
+ if ($candidates = $DB->get_records_sql($sql, $params)) {
+ foreach ($candidates as $key => $child) {
+ $childcontext = \context_user::instance($child->id);
+ if (has_capability('tool/dataprivacy:makedatarequestsforchildren', $childcontext, $userid)) {
+ $finalresults[$key] = $child;
+ }
+ }
+ }
+ return $finalresults;
+ }
 }
diff --git a/admin/tool/dataprivacy/createdatarequest_form.php b/admin/tool/dataprivacy/createdatarequest_form.php
index b42aaf3de4a..c02d9d4ffa4 100644
--- a/admin/tool/dataprivacy/createdatarequest_form.php
+++ b/admin/tool/dataprivacy/createdatarequest_form.php
@@ -23,6 +23,7 @@
 */
 use tool_dataprivacy\api;
+use tool_dataprivacy\local\helper;
 defined('MOODLE_INTERNAL') || die();
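Review bot: The query in `get_children_of_user()` selects `u.id` as its first column without `DISTINCT`, so a user who holds two roles in the same child's user context yields two rows with the same key; `get_records_sql()` keys its result by the first column and, to my knowledge, reports such duplicates with a debugging notice when developer debugging is on. `SELECT DISTINCT u.id, $allusernames` avoids that. Because `api::get_data_requests()` now feeds `array_keys()` of this result into an access filter, the `@return array` line should also spell out the contract, e.g. `@return array User records (ID and name fields) keyed by user ID, limited to users for whom $userid holds the capability.`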
@@ -58,27 +59,12 @@ class tool_dataprivacy_data_request_form extends moodleform {
 } else {
 // Get users whom you are being a guardian to if your role has the capability to make data requests for children.
- $allusernames = get_all_user_name_fields(true, 'u');
- $sql = "SELECT u.id, $allusernames
- FROM {role_assignments} ra, {context} c, {user} u
- WHERE ra.userid = :userid
- AND ra.contextid = c.id
- AND c.instanceid = u.id
- AND c.contextlevel = :contextlevel";
- $params = [
- 'userid' => $USER->id,
- 'contextlevel' => CONTEXT_USER
- ];
- $children = $DB->get_records_sql($sql, $params);
-
- if ($children) {
- $useroptions = [];
- $useroptions[$USER->id] = fullname($USER);
- foreach ($children as $child) {
- $childcontext = context_user::instance($child->id);
- if (has_capability('tool/dataprivacy:makedatarequestsforchildren', $childcontext)) {
- $useroptions[$child->id] = fullname($child);
- }
+ if ($children = helper::get_children_of_user($USER->id)) {
+ $useroptions = [
+ $USER->id => fullname($USER)
+ ];
+ foreach ($children as $key => $child) {
+ $useroptions[$key] = fullname($child);
 }
 $mform->addElement('autocomplete', 'userid', get_string('requestfor', 'tool_dataprivacy'), $useroptions);
 $mform->addRule('userid', null, 'required', null, 'client');
-- 
2.11.4.GIT
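Review bot: The option list built from `helper::get_children_of_user($USER->id)` only limits what the form offers, and the one rule visible on `userid` is a client-side `required` check, so nothing in this hunk rejects a posted `userid` that is not in the list. The enclosing method starts and ends outside the hunk, and any `validation()` override is not shown, so this may already be covered elsewhere. If it is not, server-side validation should accept `$data['userid']` only when it equals `$USER->id` or satisfies `array_key_exists($data['userid'], helper::get_children_of_user($USER->id))`. With the lookup now in a shared helper, that check reuses exactly the rule the form displays.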