MDL-56565 navigation: fix user details disclosure in nav tree

Fixes a bug in which a user's full name might be disclosed via the
nav tree. Nav generation now checks the current user's access to the
user before adding the node, else adds a dummy node.
Jake Dallimore 2017-01-09 12:10:49 +08:00 committed by Mr. Jenkins (CiBoT)
parent 08692e9736
commit 02e5a9d766


@ -2272,8 +2272,13 @@ class global_navigation extends navigation_node {
return false;
}
// Add a branch for the current user.
$canseefullname = has_capability('moodle/site:viewfullnames', $coursecontext);
$usernode = $usersnode->add(fullname($user, $canseefullname), $userviewurl, self::TYPE_USER, null, 'user' . $user->id);
// Only reveal user details if $user is the current user, or a user to which the current user has access.
if ($USER->id != $user->id && !has_capability('moodle/user:viewdetails', $coursecontext)) {
$usernode = $usersnode->add(get_string('user'));
} else {
$canseefullname = has_capability('moodle/site:viewfullnames', $coursecontext);
$usernode = $usersnode->add(fullname($user, $canseefullname), $userviewurl, self::TYPE_USER, null, 'user' . $user->id);
}
if ($this->page->context->contextlevel == CONTEXT_USER && $user->id == $this->page->context->instanceid) {
$usernode->make_active();
}
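Review bot: The new guard on the `if ($USER->id != $user->id && ...)` line decides visibility from `moodle/user:viewdetails` in `$coursecontext` alone, which may diverge from the rule the profile page itself applies (for example, access granted at user context). If this branch has `user_can_view_profile()` available from user/lib.php, calling it here, e.g. `if ($USER->id != $user->id && !user_can_view_profile($user)) {`, would keep the nav tree and the profile page on a single access decision. The enclosing method starts and ends outside the hunk, so it is worth confirming that the child nodes later attached to `$usernode` carry no name or other user details when the dummy branch was taken. A short comment on that branch, such as `// Placeholder node: no name, URL or key, so nothing about $user is exposed.`, would record why the node is built without the usual arguments.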