From 02e5a9d766da77b8b12b4f7940a5de9128fef2e3 Mon Sep 17 00:00:00 2001
From: Jake Dallimore
Date: Mon, 9 Jan 2017 12:10:49 +0800
Subject: [PATCH] MDL-56565 navigation: fix user details disclosure in nav tree

Fixes a bug in which a user's full name might be disclosed via the nav tree. Nav generation now checks the current user's access to the user before adding the node, else adds a dummy node.
---
 lib/navigationlib.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/lib/navigationlib.php b/lib/navigationlib.php
index 935c5380af5..99c6a30e731 100644
--- a/lib/navigationlib.php
+++ b/lib/navigationlib.php
@@ -2272,8 +2272,13 @@ class global_navigation extends navigation_node {
 return false;
 }
 // Add a branch for the current user.
- $canseefullname = has_capability('moodle/site:viewfullnames', $coursecontext);
- $usernode = $usersnode->add(fullname($user, $canseefullname), $userviewurl, self::TYPE_USER, null, 'user' . $user->id);
+ // Only reveal user details if $user is the current user, or a user to which the current user has access.
+ if ($USER->id != $user->id && !has_capability('moodle/user:viewdetails', $coursecontext)) {
+ $usernode = $usersnode->add(get_string('user'));
+ } else {
+ $canseefullname = has_capability('moodle/site:viewfullnames', $coursecontext);
+ $usernode = $usersnode->add(fullname($user, $canseefullname), $userviewurl, self::TYPE_USER, null, 'user' . $user->id);
+ }
 if ($this->page->context->contextlevel == CONTEXT_USER && $user->id == $this->page->context->instanceid) {
 $usernode->make_active();
 }
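Review bot: The placeholder branch `$usernode = $usersnode->add(get_string('user'));` hides only the label at this one call. The enclosing function starts and ends outside the hunk and carries on with `$usernode`, so any child nodes or URLs attached beneath it later need the same access decision or they may still identify the user. The placeholder is also added without the `self::TYPE_USER` type and the `'user' . $user->id` key that the else branch passes, so lookups by that key would presumably miss it; if that is intended, a comment such as `// Placeholder: no URL, type or key, so nothing on this node identifies $user.` would record it. Holding the decision in one variable, e.g. `$canviewdetails = $USER->id == $user->id || has_capability('moodle/user:viewdetails', $coursecontext);`, would let the rest of the function reuse it instead of repeating the test.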