MDL-62299 tool_dataprivacy: Show requests correctly in mydatarequests

For DPOs viewing their personal data requests page (mydatarequests.php),
show only the requests they made for themselves and for their children.

admin/tool/dataprivacy/classes/api.php

@@ -37,6 +37,7 @@ use moodle_url;
 use required_capability_exception;
 use stdClass;
 use tool_dataprivacy\external\data_request_exporter;
+use tool_dataprivacy\local\helper;
 use tool_dataprivacy\task\initiate_data_request_task;
 use tool_dataprivacy\task\process_data_request_task;
 
@@ -218,16 +219,29 @@ class api {
      * @throws dml_exception
      */
     public static function get_data_requests($userid = 0) {
-        global $USER;
+        global $DB, $USER;
         $results = [];
         $sort = 'status ASC, timemodified ASC';
         if ($userid) {
             // Get the data requests for the user or data requests made by the user.
-            $select = "userid = :userid OR requestedby = :requestedby";
+            $select = "(userid = :userid OR requestedby = :requestedby)";
             $params = [
                 'userid' => $userid,
                 'requestedby' => $userid
             ];
+
+            // Build a list of user IDs that the user is allowed to make data requests for.
+            // Of course, the user should be included in this list.
+            $alloweduserids = [$userid];
+            // Get any users that the user can make data requests for.
+            if ($children = helper::get_children_of_user($userid)) {
+                // Get the list of user IDs of the children and merge to the allowed user IDs.
+                $alloweduserids = array_merge($alloweduserids, array_keys($children));
+            }
+            list($insql, $inparams) = $DB->get_in_or_equal($alloweduserids, SQL_PARAMS_NAMED);
+            $select .= " AND userid $insql";
+            $params = array_merge($params, $inparams);
+
             $results = data_request::get_records_select($select, $params, $sort);
         } else {
             // If the current user is one of the site's Data Protection Officers, then fetch all data requests.

admin/tool/dataprivacy/classes/local/helper.php

@@ -108,4 +108,42 @@ class helper {
                 throw new moodle_exception('errorinvalidrequeststatus', 'tool_dataprivacy');
         }
     }
+
+    /**
+     * Get the users that a user can make data request for.
+     *
+     * E.g. User having a parent role and has the 'tool/dataprivacy:makedatarequestsforchildren' capability.
+     * @param int $userid The user's ID.
+     * @return array
+     */
+    public static function get_children_of_user($userid) {
+        global $DB;
+
+        // Get users that the user has role assignments to.
+        $allusernames = get_all_user_name_fields(true, 'u');
+        $sql = "SELECT u.id, $allusernames
+                  FROM {role_assignments} ra, {context} c, {user} u
+                 WHERE ra.userid = :userid
+                       AND ra.contextid = c.id
+                       AND c.instanceid = u.id
+                       AND c.contextlevel = :contextlevel";
+        $params = [
+            'userid' => $userid,
+            'contextlevel' => CONTEXT_USER
+        ];
+
+        // The final list of users that we will return;
+        $finalresults = [];
+
+        // Our prospective list of users.
+        if ($candidates = $DB->get_records_sql($sql, $params)) {
+            foreach ($candidates as $key => $child) {
+                $childcontext = \context_user::instance($child->id);
+                if (has_capability('tool/dataprivacy:makedatarequestsforchildren', $childcontext, $userid)) {
+                    $finalresults[$key] = $child;
+                }
+            }
+        }
+        return $finalresults;
+    }
 }

admin/tool/dataprivacy/createdatarequest_form.php

@@ -23,6 +23,7 @@
  */
 
 use tool_dataprivacy\api;
+use tool_dataprivacy\local\helper;
 
 defined('MOODLE_INTERNAL') || die();
 
@@ -58,27 +59,12 @@ class tool_dataprivacy_data_request_form extends moodleform {
 
         } else {
             // Get users whom you are being a guardian to if your role has the capability to make data requests for children.
-            $allusernames = get_all_user_name_fields(true, 'u');
-            $sql = "SELECT u.id, $allusernames
-                      FROM {role_assignments} ra, {context} c, {user} u
-                     WHERE ra.userid = :userid
-                           AND ra.contextid = c.id
-                           AND c.instanceid = u.id
-                           AND c.contextlevel = :contextlevel";
-            $params = [
-                'userid' => $USER->id,
-                'contextlevel' => CONTEXT_USER
-            ];
-            $children = $DB->get_records_sql($sql, $params);
-
-            if ($children) {
-                $useroptions = [];
-                $useroptions[$USER->id] = fullname($USER);
-                foreach ($children as $child) {
-                    $childcontext = context_user::instance($child->id);
-                    if (has_capability('tool/dataprivacy:makedatarequestsforchildren', $childcontext)) {
-                        $useroptions[$child->id] = fullname($child);
-                    }
+            if ($children = helper::get_children_of_user($USER->id)) {
+                $useroptions = [
+                    $USER->id => fullname($USER)
+                ];
+                foreach ($children as $key => $child) {
+                    $useroptions[$key] = fullname($child);
                 }
                 $mform->addElement('autocomplete', 'userid', get_string('requestfor', 'tool_dataprivacy'), $useroptions);
                 $mform->addRule('userid', null, 'required', null, 'client');