MDL-70320 permission overrides: role names were double-escaped

2025-04-14 04:52:36 +02:00 · 2020-11-24 17:20:12 +00:00 · 2020-11-24 17:20:12 +00:00 · 374d3e7700
commit 374d3e7700
parent c8d33eb9ce
6 changed files with 42 additions and 14 deletions
--- a/admin/tool/behat/tests/behat/edit_permissions.feature
+++ b/admin/tool/behat/tests/behat/edit_permissions.feature
@ -6,14 +6,18 @@ Feature: Edit capabilities

  Background:
    Given the following "users" exist:
-      | username | firstname | lastname | email |
-      | teacher1 | Teacher | 1 | teacher1@example.com |
+      | username | firstname | lastname  |
+      | teacher1 | Teacher   | 1         |
+      | tutor    | Teaching  | Assistant |
+      | student  | Student   | One       |
    And the following "courses" exist:
-      | fullname | shortname | category |
-      | Course 1 | C1 | 0 |
+      | fullname | shortname |
+      | Course 1 | C1        |
    And the following "course enrolments" exist:
-      | user | course | role |
-      | teacher1 | C1 | editingteacher |
+      | user     | course | role           |
+      | teacher1 | C1     | editingteacher |
+      | tutor    | C1     | teacher        |
+      | student  | C1     | student        |

  Scenario: Default system capabilities modification
    Given I log in as "admin"
@ -60,3 +64,25 @@ Feature: Edit capabilities
    Then "mod/forum:deleteanypost" capability has "Prohibit" permission
    And "mod/forum:editanypost" capability has "Prevent" permission
    And "mod/forum:addquestion" capability has "Allow" permission
+
+  @javascript
+  Scenario: Edit permissions escapes role names correctly
+    When I am on the "C1" "Course" page logged in as "admin"
+    And I navigate to "Edit settings" in current page administration
+    And I set the following fields to these values:
+      | Your word for 'Teacher'             | Teacher >= editing  |
+      | Your word for 'Non-editing teacher' | Teacher < "editing" |
+      | Your word for 'Student'             | Studier & 'learner' |
+    And I press "Save and display"
+    And I navigate to course participants
+    Then I should see "Teacher >= editing (Teacher)" in the "Teacher 1" "table_row"
+    And I should see "Teacher < \"editing\" (Non-editing teacher)" in the "Teaching Assistant" "table_row"
+    And I should see "Studier & 'learner' (Student)" in the "Student One" "table_row"
+    And I navigate to "Permissions" in current page administration
+    And I should see "Teacher >= editing" in the "mod/forum:replypost" "table_row"
+    And I should see "Teacher < \"editing\"" in the "mod/forum:replypost" "table_row"
+    And I should see "Studier & 'learner'" in the "mod/forum:replypost" "table_row"
+    And I follow "Prohibit"
+    And "Teacher >= editing" "button" in the "Prohibit role" "dialogue" should be visible
+    And "Teacher < \"editing\"" "button" in the "Prohibit role" "dialogue" should be visible
+    And "Studier & 'learner'" "button" in the "Prohibit role" "dialogue" should be visible
--- a/lib/amd/build/permissionmanager.min.js
+++ b/lib/amd/build/permissionmanager.min.js
@ -1,2 +1,2 @@
-define ("core/permissionmanager",["jquery","core/config","core/notification","core/templates","core/yui"],function(a,b,c,d,e){var f={ADDROLE:"a.allowlink, a.prohibitlink",REMOVEROLE:"a.preventlink, a.unprohibitlink",UNPROHIBIT:"a.unprohibitlink"},g=a.Event("rolesloaded"),h,j,k,l,m=null,n=function loadOverideableRoles(){var d={contextid:h,getroles:1,sesskey:b.sesskey};a.post(k+"roles/ajax.php",d,null,"json").done(function(b){try{l=b;n=function loadOverideableRoles(){a("body").trigger(g)};n()}catch(a){c.exception(a)}}).fail(function(a,b,d){c.exception(d)})},o=function(b,e,f){var g={contextid:h,roleid:e,sesskey:M.cfg.sesskey,action:f,capability:b.data("name")};a.post(k+"roles/ajax.php",g,null,"json").done(function(f){var g=f;try{var h={rolename:l[e],roleid:e,adminurl:k,imageurl:M.util.image_url("t/delete","moodle")};switch(g){case"allow":h.spanclass="allowed";h.linkclass="preventlink";h.action="prevent";h.icon="t/delete";h.iconalt=M.util.get_string("deletexrole","core_role",l[e]);break;case"prohibit":h.spanclass="forbidden";h.linkclass="unprohibitlink";h.action="unprohibit";h.icon="t/delete";h.iconalt=M.util.get_string("deletexrole","core_role",l[e]);break;case"prevent":b.find("a[data-role-id=\""+e+"\"]").first().closest(".allowed").remove();return;case"unprohibit":b.find("a[data-role-id=\""+e+"\"]").first().closest(".forbidden").remove();return;default:return;}d.render("core/permissionmanager_role",h).done(function(c){if("allow"==g){a(c).insertBefore(b.find(".allowmore:first"))}else if("prohibit"==g){a(c).insertBefore(b.find(".prohibitmore:first"));var d=b.find(".allowedroles").first().find("a[data-role-id=\""+e+"\"]");if(d){d.first().closest(".allowed").remove()}}m.hide()}).fail(c.exception)}catch(a){c.exception(a)}}).fail(function(a,b,d){c.exception(d)})},p=function(b){b.preventDefault();var g=a(b.currentTarget);a("body").one("rolesloaded",function(){e.use("moodle-core-notification-dialogue",function(){var b=g.data("action"),h=g.closest("tr.rolecap"),k={cap:h.data("humanname"),context:j},n=M.util.get_string("role"+b+"info","core_role",k);if(null===m){m=new M.core.dialogue({draggable:!0,modal:!0,closeButton:!0,width:"450px"})}m.set("headerContent",M.util.get_string("role"+b+"header","core_role"));var p,e,q=[];switch(b){case"allow":e=h.find(f.REMOVEROLE);break;case"prohibit":e=h.find(f.UNPROHIBIT);break;}for(p in l){var r="",s=e.filter("[data-role-id='"+p+"']").length;if(s){r="disabled"}var t={roleid:p,rolename:l[p],disabled:r};q.push(t)}d.render("core/permissionmanager_panelcontent",{message:n,roles:q}).done(function(c){m.set("bodyContent",c);m.show();a("div.role_buttons").on("click","input",function(c){var d=a(c.currentTarget).data("role-id");o(h,d,b)})}).fail(c.exception)})});n()},q=function(b){b.preventDefault();var d=a(b.currentTarget);a("body").one("rolesloaded",function(){var a=d.data("action"),b=d.data("role-id"),e=d.closest("tr.rolecap"),f={role:l[b],cap:e.data("humanname"),context:j};c.confirm(M.util.get_string("confirmunassigntitle","core_role"),M.util.get_string("confirmrole"+a,"core_role",f),M.util.get_string("confirmunassignyes","core_role"),M.util.get_string("confirmunassignno","core_role"),function(){o(e,b,a)})});n()};return{initialize:function initialize(b){h=b.contextid;j=b.contextname;k=b.adminurl;var c=a("body");c.on("click",f.ADDROLE,p);c.on("click",f.REMOVEROLE,q)}}});
+define ("core/permissionmanager",["jquery","core/config","core/notification","core/templates","core/yui"],function(a,b,c,d,e){var f={ADDROLE:"a.allowlink, a.prohibitlink",REMOVEROLE:"a.preventlink, a.unprohibitlink",UNPROHIBIT:"a.unprohibitlink"},g=a.Event("rolesloaded"),h,j,k,l,m=null,n=function loadOverideableRoles(){var d={contextid:h,getroles:1,sesskey:b.sesskey};a.post(k+"roles/ajax.php",d,null,"json").done(function(b){try{l=b;n=function loadOverideableRoles(){a("body").trigger(g)};n()}catch(a){c.exception(a)}}).fail(function(a,b,d){c.exception(d)})},o=function(b,e,f){var g={contextid:h,roleid:e,sesskey:M.cfg.sesskey,action:f,capability:b.data("name")};a.post(k+"roles/ajax.php",g,null,"json").done(function(f){var g=f;try{var h={rolename:l[e],roleid:e,adminurl:k,imageurl:M.util.image_url("t/delete","moodle")};switch(g){case"allow":h.spanclass="allowed";h.linkclass="preventlink";h.action="prevent";h.icon="t/delete";h.iconalt=M.util.get_string("deletexrole","core_role",l[e]);break;case"prohibit":h.spanclass="forbidden";h.linkclass="unprohibitlink";h.action="unprohibit";h.icon="t/delete";h.iconalt=M.util.get_string("deletexrole","core_role",l[e]);break;case"prevent":b.find("a[data-role-id=\""+e+"\"]").first().closest(".allowed").remove();return;case"unprohibit":b.find("a[data-role-id=\""+e+"\"]").first().closest(".forbidden").remove();return;default:return;}d.render("core/permissionmanager_role",h).done(function(c){if("allow"==g){a(c).insertBefore(b.find(".allowmore:first"))}else if("prohibit"==g){a(c).insertBefore(b.find(".prohibitmore:first"));var d=b.find(".allowedroles").first().find("a[data-role-id=\""+e+"\"]");if(d){d.first().closest(".allowed").remove()}}m.hide()}).fail(c.exception)}catch(a){c.exception(a)}}).fail(function(a,b,d){c.exception(d)})},p=function(b){b.preventDefault();var g=a(b.currentTarget);a("body").one("rolesloaded",function(){e.use("moodle-core-notification-dialogue",function(){var b=g.data("action"),h=g.closest("tr.rolecap"),k={cap:h.data("humanname"),context:j},n=M.util.get_string("role"+b+"info","core_role",k);if(null===m){m=new M.core.dialogue({draggable:!0,modal:!0,closeButton:!0,width:"450px"})}m.set("headerContent",M.util.get_string("role"+b+"header","core_role"));var p,e,q=[];switch(b){case"allow":e=h.find(f.REMOVEROLE);break;case"prohibit":e=h.find(f.UNPROHIBIT);break;}for(p in l){var r="",s=e.filter("[data-role-id='"+p+"']").length;if(s){r="disabled"}var t={roleid:p,rolename:l[p],disabled:r};q.push(t)}d.render("core/permissionmanager_panelcontent",{message:n,roles:q}).done(function(c){m.set("bodyContent",c);m.show();a("div.role_buttons").on("click","button",function(c){var d=a(c.currentTarget).data("role-id");o(h,d,b)})}).fail(c.exception)})});n()},q=function(b){b.preventDefault();var d=a(b.currentTarget);a("body").one("rolesloaded",function(){var a=d.data("action"),b=d.data("role-id"),e=d.closest("tr.rolecap"),f={role:l[b],cap:e.data("humanname"),context:j};c.confirm(M.util.get_string("confirmunassigntitle","core_role"),M.util.get_string("confirmrole"+a,"core_role",f),M.util.get_string("confirmunassignyes","core_role"),M.util.get_string("confirmunassignno","core_role"),function(){o(e,b,a)})});n()};return{initialize:function initialize(b){h=b.contextid;j=b.contextname;k=b.adminurl;var c=a("body");c.on("click",f.ADDROLE,p);c.on("click",f.REMOVEROLE,q)}}});
 //# sourceMappingURL=permissionmanager.min.js.map
--- a/lib/amd/build/permissionmanager.min.js.map
+++ b/lib/amd/build/permissionmanager.min.js.map
--- a/lib/amd/src/permissionmanager.js
+++ b/lib/amd/src/permissionmanager.js
@ -204,7 +204,7 @@ define(['jquery', 'core/config', 'core/notification', 'core/templates', 'core/yu
                .done(function(content) {
                    panel.set('bodyContent', content);
                    panel.show();
-                    $('div.role_buttons').on('click', 'input', function(e) {
+                    $('div.role_buttons').on('click', 'button', function(e) {
                        var roleid = $(e.currentTarget).data('role-id');
                        changePermissions(row, roleid, action);
                    });
--- a/lib/templates/permissionmanager_panelcontent.mustache
+++ b/lib/templates/permissionmanager_panelcontent.mustache
@ -27,17 +27,18 @@

    Context variables required for this template:
    * confirmation Confirmation text
-    * roles array of role details
+    * roles array of role details. Note: in this array, rolename must have been
+          prepared for output with format_string, or more likely one of the role API functions like role_fix_names.

    Example context (json):
    { "message": "Do you really want to remove Non-editing teacher from the list of allowed roles for capability View added and updated modules in recent activity block?",
-      "roles": [{"roleid": 1, "rolename": "manager", "disabled":"disabled"}]}
+      "roles": [{"roleid": 1, "rolename": "Manager", "disabled": "disabled"}]}
 }}
 <div class="popup_content" style="text-align:center;">
    {{message}} <hr/>
    <div class="role_buttons">
        {{#roles}}
-            <input type="button" value="{{rolename}}" class="btn btn-secondary mb-1" data-role-id="{{roleid}}" {{disabled}}/>
+            <button type="button" class="btn btn-secondary mb-1" data-role-id="{{roleid}}" {{disabled}}>{{{rolename}}}</button>
        {{/roles}}
    </div>
 </div>
--- a/lib/templates/permissionmanager_role.mustache
+++ b/lib/templates/permissionmanager_role.mustache
@ -27,7 +27,8 @@
    * action

    Context variables required for this template:
-    * rolename Name of the role rendered
+    * rolename Name of the role rendered - must have been prepared for output with format_string,
+                                           or more likely one of the role API functions like role_fix_names.
    * roleid Id of the role
    * action WEhich action is done on click
    * spanclass class attribute of span
@ -43,7 +44,7 @@
     "linkclass": "preventlink",
     "adminurl" : "http://localhost/moodle/admin/"}
 }}
-<span style="display:inline-block;" class="{{spanclass}}">&nbsp;{{rolename}}&nbsp;
+<span style="display:inline-block;" class="{{spanclass}}">&nbsp;{{{rolename}}}&nbsp;
    <a href="{{adminurl}}roles/permissions.php" class="{{linkclass}}" data-role-id="{{roleid}}" data-action="{{action}}">
        {{#icon}}
            {{#pix}}{{icon}}, core, {{iconalt}}{{/pix}}