fix: Removed superflous user checks

lbplanner/classes/helpers/user_helper.php

@@ -40,39 +40,6 @@ class user_helper {
      */
     const LB_PLANNER_USER_TABLE = 'local_lbplanner_users';
 
-    /**
-     * Checks if the current user has access to the given user id.
-     *
-     * @param int $userid The id of the user to check access for.
-     *
-     * @return bool True if the current user has access to the given user id, false otherwise.
-     */
-    public static function check_access(int $userid): bool {
-        global $USER;
-
-        if (((int) $USER->id) === $userid) {
-            return true;
-        } else {
-            $context = context_system::instance();
-            return has_capability(CAPABILITY::ADMIN, $context, $USER->id);
-        }
-    }
-
-    /**
-     * Checks if the current user has access to the given user id.
-     * Throws an exception if the current user does not have access.
-     *
-     * @param int $userid The id of the user to check access for.
-     *
-     * @return void
-     * @throws moodle_exception
-     */
-    public static function assert_access(int $userid): void {
-        if (!self::check_access($userid)) {
-            throw new moodle_exception('Access denied');
-        }
-    }
-
     /**
      * Checks if the given user exists in the LB_PLANNER_USER database.
      *

lbplanner/services/modules/get_module.php

@@ -36,29 +36,21 @@ class modules_get_module extends external_api {
     public static function get_module_parameters(): external_function_parameters {
         return new external_function_parameters([
             'moduleid' => new external_value(PARAM_INT, 'The id of the module', VALUE_REQUIRED, null, NULL_NOT_ALLOWED),
-            'userid' => new external_value(PARAM_INT, 'The id of the user', VALUE_REQUIRED, null, NULL_NOT_ALLOWED),
         ]);
     }
 
     /**
      * Returns the data for a module
      *
      * @param int $moduleid The ID of the course
-     * @param int $userid The ID of the user
      * @return array the module
      */
-    public static function get_module(int $moduleid, int $userid): array {
-        global $DB;
+    public static function get_module(int $moduleid): array {
+        global $USER;
 
-        self::validate_parameters(self::get_module_parameters(), ['moduleid' => $moduleid, 'userid' => $userid]);
+        self::validate_parameters(self::get_module_parameters(), ['moduleid' => $moduleid, 'userid' => $USER->id]);
 
-        user_helper::assert_access($userid);
-
-        if (!$DB->record_exists(modules_helper::MDL_ASSIGN_TABLE, ['id' => $moduleid])) {
-            throw new \moodle_exception('Module not found');
-        }
-
-        return modules_helper::get_module($moduleid, $userid);
+        return modules_helper::get_module($moduleid, $USER->id);
     }
 
     /**

lbplanner/services/user/delete_user.php

@@ -38,30 +38,17 @@ class user_delete_user extends external_api {
      * @return external_function_parameters
      */
     public static function delete_user_parameters(): external_function_parameters {
-        global $USER;
-        return new external_function_parameters(
-            ['userid' => new external_value(
-                PARAM_INT,
-                'The id of the user to delete',
-                VALUE_DEFAULT,
-                $USER->id,
-                NULL_NOT_ALLOWED,
-            )]
-        );
+        return new external_function_parameters([]);
     }
 
     /**
      * Removes all user data stored by the lbplanner app
-     * @param int $userid (optional) the id of the user to delete
      * @throws dml_exception
      * @throws moodle_exception
      */
-    public static function delete_user($userid) {
-        global $DB;
-
-        self::validate_parameters(self::delete_user_parameters(), ['userid' => $userid]);
-
-        user_helper::assert_access($userid);
+    public static function delete_user() {
+        global $DB, $USER;
+        $userid = $USER->id;
 
         // Check if User is in user table.
         if (!$DB->record_exists(user_helper::LB_PLANNER_USER_TABLE, ['userid' => $userid])) {

lbplanner/services/user/get_all_users.php

@@ -51,14 +51,10 @@ public static function get_all_users_parameters(): external_function_parameters
      * @throws invalid_parameter_exception
      */
     public static function get_all_users(?string $vintage): array {
-        global $DB, $USER;
+        global $DB;
 
         self::validate_parameters(self::get_all_users_parameters(), ['vintage' => $vintage]);
 
-        // Check if token is allowed to access this function.
-
-        user_helper::assert_access($USER->id);
-
         $users = $DB->get_records(user_helper::LB_PLANNER_USER_TABLE);
 
         $results = [];

lbplanner/services/user/get_user.php

@@ -41,39 +41,23 @@ class user_get_user extends \core_external\external_api {
      * @return external_function_parameters
      */
     public static function get_user_parameters(): external_function_parameters {
-        global $USER;
-        return new external_function_parameters([
-            'userid' => new external_value(
-                PARAM_INT,
-                'The id of the user to get the data for. If not provided it will be inferred via the token',
-                VALUE_DEFAULT,
-                $USER->id,
-                NULL_NOT_ALLOWED,
-            ),
-        ]);
+        return new external_function_parameters([]);
     }
 
     /**
-     * Gives back the data of a user.
-     * Default: The user who calls this function
-     * @param int $userid gives back the data of the given user
+     * Gives back the data of the user calling the function.
      * @throws coding_exception
      * @throws dml_exception
      * @throws moodle_exception
      * @return array The data of the user
      */
-    public static function get_user(int $userid): array {
+    public static function get_user(): array {
         global $USER, $DB;
 
-        self::validate_parameters(self::get_user_parameters(), ['userid' => $userid]);
-
-        // Check if the user is allowed to get the data for this userid.
-        user_helper::assert_access($userid);
-
         // Checks if the user is enrolled in LB Planner.
-        if (!user_helper::check_user_exists($userid)) {
+        if (!user_helper::check_user_exists($USER->id)) {
             // Register user if not found.
-            $lbplanneruser = new user(0, $userid, 'default', 'en', 'none', 1);
+            $lbplanneruser = new user(0, $USER->id, 'default', 'en', 'none', 1);
             $lbpid = $DB->insert_record(user_helper::LB_PLANNER_USER_TABLE, $lbplanneruser->prepare_for_db());
             $lbplanneruser->set_fresh($lbpid);
 
@@ -86,15 +70,15 @@ public static function get_user(int $userid): array {
 
             // Set user as owner of new plan.
             $planaccess = new \stdClass();
-            $planaccess->userid = $userid;
+            $planaccess->userid = $USER->id;
             $planaccess->accesstype = PLAN_ACCESS_TYPE::OWNER;
             $planaccess->planid = $planid;
             $DB->insert_record(plan_helper::ACCESS_TABLE, $planaccess);
 
             // Notify the FE that this user likely hasn't used LBP before.
-            notifications_helper::notify_user($userid, -1, NOTIF_TRIGGER::USER_REGISTERED);
+            notifications_helper::notify_user($USER->id, -1, NOTIF_TRIGGER::USER_REGISTERED);
         } else {
-            $lbplanneruser = user_helper::get_user($userid);
+            $lbplanneruser = user_helper::get_user($USER->id);
         }
 
         return $lbplanneruser->prepare_for_api();

lbplanner/services/user/update_user.php

@@ -77,7 +77,6 @@ public static function update_user($lang, $theme, $colorblindness, $displaytaskc
                 'displaytaskcount' => $displaytaskcount,
             ]
         );
-        user_helper::assert_access($USER->id);
 
         // Look if User-Id is in the DB.
         if (!user_helper::check_user_exists($USER->id)) {