From 85a12491834f89605832174b0f7d4f78d86df380 Mon Sep 17 00:00:00 2001
From: Richard Mansfield <richard.mansfield@catalyst.net.nz>
Date: Thu, 31 Mar 2011 15:52:02 +1300
Subject: [PATCH]     Fix start/stop date overrides (bug #722475, bug #746182)

    Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>
    (cherry picked from commit 59b718c8e5b9aa881c384ffcac2e6047840c6f42)
---
 htdocs/lib/mahara.php |   17 +++++++++++++++--
 1 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/htdocs/lib/mahara.php b/htdocs/lib/mahara.php
index b983b6b..4292c87 100644
--- a/htdocs/lib/mahara.php
+++ b/htdocs/lib/mahara.php
@@ -1598,12 +1598,22 @@ function can_view_view($view_id, $user_id=null) {
         return false;
     }
 
+    // Overriding start/stop dates are set by the owner to deny access
+    // to users who would otherwise be allowed to see the view.  However,
+    // for some kinds of access (e.g. objectionable content, submitted
+    // views), we have to override the override and let the logged in
+    // user see it anyway.  So we can't return false now, we have to wait
+    // till we find out what kind of view_access record is being used.
+    $overridestart = $view->get('startdate');
+    $overridestop = $view->get('stopdate');
+    $allowedbyoverride = (empty($overridestart) || $overridestart < $dbnow) && (empty($overridestop) || $overridestop > $dbnow);
+
     if ($SESSION->get('mnetuser')) {
         $mnettoken = get_cookie('mviewaccess:'.$view_id);
     }
 
     foreach ($access as &$a) {
-        if ($a->accesstype == 'public') {
+        if ($a->accesstype == 'public' && $allowedbyoverride) {
             if ($publicviews) {
                 return true;
             }
@@ -1611,7 +1621,7 @@ function can_view_view($view_id, $user_id=null) {
                 return true;
             }
         }
-        else if ($a->token) {
+        else if ($a->token && ($allowedbyoverride || !$a->visible)) {
             $usertoken = get_cookie('viewaccess:'.$view_id);
             if ($a->token == $usertoken && $publicviews) {
                 return true;
@@ -1655,6 +1665,9 @@ function can_view_view($view_id, $user_id=null) {
                 }
                 continue;
             }
+            if (!$allowedbyoverride && $a->visible) {
+                continue;
+            }
             // The view must have loggedin access, user access for the user
             // or group/role access for one of the user's groups
             return true;
-- 
1.7.1