Also, while implementing fixes to Bug 1211758 and Bug 1236636 (where we weren't validating artefact ownership before putting artefacts into blocks), we universally used $USER->can_edit_artefact() to check whether a user had the right to put an artefact into a block. We *should* have been using $USER->can_view_artefact() or $USER->can_publish_artefact() in nearly every one of these cases.
In fact, this has caused a notable regression. Currently, if I set a file to "view" permission only, then as a group member I see the file in the file picker, but receive an error when I try to select it.
This will also be tricky to implement, because knowing whether you need to use $USER->can_view_artefact() or $USER->can_publish_artefact() is dependent upon whether the Page is your own or a Group's.
Also, while implementing fixes to Bug 1211758 and Bug 1236636 (where we weren't validating artefact ownership before putting artefacts into blocks), we universally used $USER-> can_edit_ artefact( ) to check whether a user had the right to put an artefact into a block. We *should* have been using $USER-> can_view_ artefact( ) or $USER-> can_publish_ artefact( ) in nearly every one of these cases.
In fact, this has caused a notable regression. Currently, if I set a file to "view" permission only, then as a group member I see the file in the file picker, but receive an error when I try to select it.
This will also be tricky to implement, because knowing whether you need to use $USER-> can_view_ artefact( ) or $USER-> can_publish_ artefact( ) is dependent upon whether the Page is your own or a Group's.