mirror_php/moodle
1
0
Fork 0
mirror of https://github.com/moodle/moodle.git synced 2025-01-17 13:38:32 +01:00
Code Issues Projects Releases Wiki Activity

MDL-68676 mod_assign: check accessallgroups in can_edit_submission()

Browse Source 
In can_edit_submission() when the assign group mode is SEPARATEGROUPS
check if the user has the moodle/site:accessallgroups capability before
checking if they are a shared groupmember. Due to the teamsubmission
setting students might not be in a group but can still submit, which
means they are not returned in get_shared_group_members().
This commit is contained in:
Rossco Hellmans 2024-06-18 10:44:40 +10:00
parent fbed8034eb
commit 375c921a69
3 changed files with 39 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
mod/assign/locallib.php
View File

@ -6307,7 +6307,8 @@ class assign {
}
$cm = $this->get_course_module();
if (groups_get_activity_groupmode($cm) == SEPARATEGROUPS) {
if (groups_get_activity_groupmode($cm) == SEPARATEGROUPS &&
!has_capability('moodle/site:accessallgroups', $this->context, $graderid)) {
$sharedgroupmembers = $this->get_shared_group_members($cm, $graderid);
return in_array($userid, $sharedgroupmembers);
}

28
mod/assign/tests/behat/bulk_remove_submissions.feature
View File

@ -13,11 +13,13 @@ Feature: Bulk remove submissions
| teacher1 | Teacher | 1 | teacher1@example.com |
| student1 | Student | 1 | student1@example.com |
| student2 | Student | 2 | student2@example.com |
| student3 | Student | 3 | student3@example.com |
And the following "course enrolments" exist:
| user | course | role |
| teacher1 | C1 | editingteacher |
| student1 | C1 | student |
| student2 | C1 | student |
| student3 | C1 | student |
And the following "groups" exist:
| name | course | idnumber |
| Group 1 | C1 | G1 |
@ -79,8 +81,13 @@ Feature: Bulk remove submissions
Then I should not see "Remove submission" in the "Choose operation" "select"
@javascript @skip_chrome_zerosize
Scenario: Notification should be displayed when non-group users are selected for submission bulk removal
in separate group mode
Scenario: Bulk remove submission when shared group users are added to the bulk
removing submissions process in separate group mode without access all groups capability
Given the following "group members" exist:
| user | group |
| teacher1 | G1 |
| student1 | G1 |
| student2 | G1 |
Given the following "activity" exists:
| activity | assign |
| course | C1 |
@ -93,25 +100,26 @@ Feature: Bulk remove submissions
| assign | user | onlinetext |
| Test assignment name | student1 | I'm the student1 submission |
| Test assignment name | student2 | I'm the student2 submission |
| Test assignment name | student3 | I'm the student3 submission |
And the following "role capability" exists:
| role | editingteacher |
| mod/assign:editothersubmission | allow |
| moodle/site:accessallgroups | prevent |
And I am on the "Test assignment name" Activity page logged in as teacher1
And I follow "View all submissions"
And I should see "I'm the student1 submission"
And I should see "I'm the student2 submission"
And I should not see "I'm the student3 submission"
And I set the field "selectall" to "1"
When I set the field "operation" to "Remove submission"
And I click on "Go" "button" confirming the dialogue
Then I should see "I'm the student1 submission"
And I should see "I'm the student2 submission"
And I should see "The submission of Student 1 cannot be removed"
And I should see "The submission of Student 2 cannot be removed"
Then I should not see "I'm the student1 submission"
Then I should not see "I'm the student2 submission"
@javascript @skip_chrome_zerosize
Scenario: Bulk remove submission when group users are added to the bulk
removing submissions process in separate group mode
Scenario: Bulk remove submission when group users and non-group users are added to the bulk
removing submissions process in separate group mode with access all groups capability
Given the following "group members" exist:
| user | group |
| student1 | G1 |
@ -128,15 +136,19 @@ Feature: Bulk remove submissions
| assign | user | onlinetext |
| Test assignment name | student1 | I'm the student1 submission |
| Test assignment name | student2 | I'm the student2 submission |
| Test assignment name | student3 | I'm the student3 submission |
And the following "role capability" exists:
| role | editingteacher |
| mod/assign:editothersubmission | allow |
| moodle/site:accessallgroups | allow |
And I am on the "Test assignment name" Activity page logged in as teacher1
And I follow "View all submissions"
And I should see "I'm the student1 submission"
And I should see "I'm the student2 submission"
And I should see "I'm the student3 submission"
And I set the field "selectall" to "1"
When I set the field "operation" to "Remove submission"
And I click on "Go" "button" confirming the dialogue
Then I should not see "I'm the student1 submission"
And I should not see "I'm the student2 submission"
And I should not see "I'm the student3 submission"

17
mod/assign/tests/locallib_test.php
View File

@ -3377,6 +3377,7 @@ Anchor link 2:<a title=\"bananas\" href=\"../logo-240x60.gif\">Link text</a>
$student2 = $this->getDataGenerator()->create_and_enrol($course, 'student');
$student3 = $this->getDataGenerator()->create_and_enrol($course, 'student');
$student4 = $this->getDataGenerator()->create_and_enrol($course, 'student');
$student5 = $this->getDataGenerator()->create_and_enrol($course, 'student');
$grouping = $this->getDataGenerator()->create_grouping(array('courseid' => $course->id));
$group1 = $this->getDataGenerator()->create_group(['courseid' => $course->id]);
@ -3394,6 +3395,7 @@ Anchor link 2:<a title=\"bananas\" href=\"../logo-240x60.gif\">Link text</a>
'submissiondrafts' => 1,
'groupingid' => $grouping->id,
'groupmode' => SEPARATEGROUPS,
'preventsubmissionnotingroup' => 0,
]);
// Add the capability to the new \assignment for student 1.
@ -3407,12 +3409,27 @@ Anchor link 2:<a title=\"bananas\" href=\"../logo-240x60.gif\">Link text</a>
$this->assertTrue($assign->can_edit_submission($student2->id, $student1->id));
$this->assertFalse($assign->can_edit_submission($student3->id, $student1->id));
$this->assertFalse($assign->can_edit_submission($student4->id, $student1->id));
$this->assertFalse($assign->can_edit_submission($student5->id, $student1->id));
// Verify other students do not have the ability to edit submissions for other users.
$this->assertTrue($assign->can_edit_submission($student2->id, $student2->id));
$this->assertFalse($assign->can_edit_submission($student1->id, $student2->id));
$this->assertFalse($assign->can_edit_submission($student3->id, $student2->id));
$this->assertFalse($assign->can_edit_submission($student4->id, $student2->id));
$this->assertFalse($assign->can_edit_submission($student5->id, $student2->id));
// Add the required capability to edit other submissions and to view all groups to the teacher.
$roleid = create_role('Dummy role 2', 'dummyrole2', 'dummy role description');
assign_capability('mod/assign:editothersubmission', CAP_ALLOW, $roleid, $assign->get_context()->id);
assign_capability('moodle/site:accessallgroups', CAP_ALLOW, $roleid, $assign->get_context()->id);
role_assign($roleid, $teacher->id, $assign->get_context()->id);
// Verify the teacher has the ability to edit submissions for other users including users not in a group.
$this->assertTrue($assign->can_edit_submission($student1->id, $teacher->id));
$this->assertTrue($assign->can_edit_submission($student2->id, $teacher->id));
$this->assertTrue($assign->can_edit_submission($student3->id, $teacher->id));
$this->assertTrue($assign->can_edit_submission($student4->id, $teacher->id));
$this->assertTrue($assign->can_edit_submission($student5->id, $teacher->id));
}
/**