Student permission oversight

block_quickmail.php

@@ -30,7 +30,9 @@ function get_content() {
         $config = quickmail::load_config($COURSE->id);
         $permission = has_capability('block/quickmail:cansend', $context);
 
-        if ($permission or !empty($config['allowstudents'])) {
+        $can_send = ($permission or !empty($config['allowstudents']));
+
+        if ($can_send) {
             $cparam = array('courseid' => $COURSE->id);
 
             $send_email_str = quickmail::_s('composenew');
@@ -57,10 +59,7 @@ function get_content() {
             );
             $this->content->items[] = $drafts;
             $this->content->icons[] = $OUTPUT->pix_icon('i/settings', $drafts_email_str);
-        }
 
-        // History can't be view by students
-        if ($permission) {
             $history_str = quickmail::_s('history');
             $history = html_writer::link(
                 new moodle_url('/blocks/quickmail/emaillog.php', $cparam),

email.php

@@ -169,11 +169,11 @@
     // Store email; id is needed for file storage
     if (isset($email->send)) {
         $id = $DB->insert_record('block_quickmail_log', $email);
-        $table = 'log'; 
+        $table = 'log';
     } else if (isset($email->draft)) {
         $table = 'drafts';
 
-        if (!empty($typeid)) { 
+        if (!empty($typeid)) {
             $id = $email->id = $typeid;
             $DB->update_record('block_quickmail_drafts', $email);
         } else {
@@ -202,12 +202,12 @@
                 strip_tags($email->message), $email->message, $zip, $zipname);
 
             if(!$success) {
-                $warnings[] = get_string("no_email", 'block_quickmail', $selected[$userid]);
+                $warnings['fail'] = get_string("no_email", 'block_quickmail', $selected[$userid]);
             }
         }
 
         if ($email->receipt) {
-            email_to_user($USER, $USER, $email->subject, 
+            email_to_user($USER, $USER, $email->subject,
                 strip_tags($email->message), $email->message, $zip, $zipname);
         }
 

email_form.php

@@ -65,11 +65,18 @@ public function definition() {
         $draft_link = html_writer::link ($gen_url('drafts'), quickmail::_s('drafts'));
         $links[] =& $mform->createElement('static', 'draft_link', '', $draft_link);
 
-        $context= get_context_instance(CONTEXT_COURSE, $COURSE->id);
+        $context = get_context_instance(CONTEXT_COURSE, $COURSE->id);
 
-        if(has_capability('block/quickmail:cansend', $context)) {
+        $config = quickmail::load_config($COURSE->id);
+
+        $can_send = (
+            has_capability('block/quickmail:cansend', $context) or
+            !empty($config['allowstudents'])
+        );
+
+        if ($can_send) {
             $history_link = html_writer::link($gen_url('log'), quickmail::_s('history'));
-            $links[] =& $mform->createElement('static', 'history_link', '', $history_link); 
+            $links[] =& $mform->createElement('static', 'history_link', '', $history_link);
         }
 
         $mform->addGroup($links, 'links', ' ', array(' | '), false);

emaillog.php

@@ -33,16 +33,20 @@
 
 $config = quickmail::load_config($courseid);
 
-$proper_permission = (
-    has_capability('block/quickmail:cansend', $context) or
-    (!empty($config['allowstudents']) and $type == 'drafts')
-);
+$valid_actions = array('delete', 'confirm');
 
-if (!$proper_permission) {
+$can_send = has_capability('block/quickmail:cansend', $context);
+
+$proper_permission = ($can_send or !empty($config['allowstudents']));
+
+$can_delete = ($can_send or ($proper_permission and $type == 'drafts'));
+
+// Stops students from tempering with history
+if (!$proper_permission or (!$can_delete and in_array($action, $valid_actions))) {
     print_error('no_permission', 'block_quickmail');
 }
 
-if (isset($action) and !in_array($action, array('delete', 'confirm'))) {
+if (isset($action) and !in_array($action, $valid_actions)) {
     print_error('not_valid_action', 'block_quickmail', '', $action);
 }
 
@@ -81,7 +85,7 @@
         $html = quickmail::delete_dialog($courseid, $type, $typeid);
         break;
     default:
-        $html = quickmail::list_entries($courseid, $type, $page, $perpage, $userid, $count);
+        $html = quickmail::list_entries($courseid, $type, $page, $perpage, $userid, $count, $can_delete);
 }
 
 if($canimpersonate and $USER->id != $userid) {

lib.php

@@ -203,7 +203,7 @@ function delete_dialog($courseid, $type, $typeid) {
         return $html;
     }
 
-    function list_entries($courseid, $type, $page, $perpage, $userid, $count) {
+    function list_entries($courseid, $type, $page, $perpage, $userid, $count, $can_delete) {
         global $CFG, $DB, $OUTPUT;
 
         $dbtable = 'block_quickmail_'.$type;
@@ -230,21 +230,28 @@ function list_entries($courseid, $type, $page, $perpage, $userid, $count) {
                 'typeid' => $log->id
             );
 
+            $actions = array();
+
             $open_link = html_writer::link(
                 new moodle_url('/blocks/quickmail/email.php', $params),
                 $OUTPUT->pix_icon('i/search', 'Open Email')
             );
+            $actions[] = $open_link;
 
-            $delete_link = html_writer::link (
-                new moodle_url('/blocks/quickmail/emaillog.php',
-                    $params + array('action' => 'delete')
-                ),
-                $OUTPUT->pix_icon("i/cross_red_big", "Delete Email")
-            );
+            if ($can_delete) {
+                $delete_link = html_writer::link (
+                    new moodle_url('/blocks/quickmail/emaillog.php',
+                        $params + array('action' => 'delete')
+                    ),
+                    $OUTPUT->pix_icon("i/cross_red_big", "Delete Email")
+                );
+
+                $actions[] = $delete_link;
+            }
 
-            $actions = implode(' ', array($open_link, $delete_link));
+            $action_links = implode(' ', $actions);
 
-            $table->data[] = array($date, $subject, $attachments, $actions);
+            $table->data[] = array($date, $subject, $attachments, $action_links);
         }
 
         $paging = $OUTPUT->paging_bar($count, $page, $perpage,