From 375c921a6951cf77617a09a243923b08b29e6917 Mon Sep 17 00:00:00 2001 From: Rossco Hellmans Date: Tue, 18 Jun 2024 10:44:40 +1000 Subject: [PATCH] MDL-68676 mod_assign: check accessallgroups in can_edit_submission() In can_edit_submission() when the assign group mode is SEPARATEGROUPS check if the user has the moodle/site:accessallgroups capability before checking if they are a shared groupmember. Due to the teamsubmission setting students might not be in a group but can still submit, which means they are not returned in get_shared_group_members(). --- mod/assign/locallib.php | 3 +- .../behat/bulk_remove_submissions.feature | 28 +++++++++++++------ mod/assign/tests/locallib_test.php | 17 +++++++++++ 3 files changed, 39 insertions(+), 9 deletions(-) diff --git a/mod/assign/locallib.php b/mod/assign/locallib.php index c5814eb9732..66f22edfe06 100644 --- a/mod/assign/locallib.php +++ b/mod/assign/locallib.php @@ -6307,7 +6307,8 @@ class assign { } $cm = $this->get_course_module(); - if (groups_get_activity_groupmode($cm) == SEPARATEGROUPS) { + if (groups_get_activity_groupmode($cm) == SEPARATEGROUPS && + !has_capability('moodle/site:accessallgroups', $this->context, $graderid)) { $sharedgroupmembers = $this->get_shared_group_members($cm, $graderid); return in_array($userid, $sharedgroupmembers); } diff --git a/mod/assign/tests/behat/bulk_remove_submissions.feature b/mod/assign/tests/behat/bulk_remove_submissions.feature index 9db6cec3c31..e6d9cfd4f53 100644 --- a/mod/assign/tests/behat/bulk_remove_submissions.feature +++ b/mod/assign/tests/behat/bulk_remove_submissions.feature @@ -13,11 +13,13 @@ Feature: Bulk remove submissions | teacher1 | Teacher | 1 | teacher1@example.com | | student1 | Student | 1 | student1@example.com | | student2 | Student | 2 | student2@example.com | + | student3 | Student | 3 | student3@example.com | And the following "course enrolments" exist: | user | course | role | | teacher1 | C1 | editingteacher | | student1 | C1 | student | | student2 | C1 | student | + | student3 | C1 | student | And the following "groups" exist: | name | course | idnumber | | Group 1 | C1 | G1 | @@ -79,8 +81,13 @@ Feature: Bulk remove submissions Then I should not see "Remove submission" in the "Choose operation" "select" @javascript @skip_chrome_zerosize - Scenario: Notification should be displayed when non-group users are selected for submission bulk removal - in separate group mode + Scenario: Bulk remove submission when shared group users are added to the bulk + removing submissions process in separate group mode without access all groups capability + Given the following "group members" exist: + | user | group | + | teacher1 | G1 | + | student1 | G1 | + | student2 | G1 | Given the following "activity" exists: | activity | assign | | course | C1 | @@ -93,25 +100,26 @@ Feature: Bulk remove submissions | assign | user | onlinetext | | Test assignment name | student1 | I'm the student1 submission | | Test assignment name | student2 | I'm the student2 submission | + | Test assignment name | student3 | I'm the student3 submission | And the following "role capability" exists: | role | editingteacher | | mod/assign:editothersubmission | allow | + | moodle/site:accessallgroups | prevent | And I am on the "Test assignment name" Activity page logged in as teacher1 And I follow "View all submissions" And I should see "I'm the student1 submission" And I should see "I'm the student2 submission" + And I should not see "I'm the student3 submission" And I set the field "selectall" to "1" When I set the field "operation" to "Remove submission" And I click on "Go" "button" confirming the dialogue - Then I should see "I'm the student1 submission" - And I should see "I'm the student2 submission" - And I should see "The submission of Student 1 cannot be removed" - And I should see "The submission of Student 2 cannot be removed" + Then I should not see "I'm the student1 submission" + Then I should not see "I'm the student2 submission" @javascript @skip_chrome_zerosize - Scenario: Bulk remove submission when group users are added to the bulk - removing submissions process in separate group mode + Scenario: Bulk remove submission when group users and non-group users are added to the bulk + removing submissions process in separate group mode with access all groups capability Given the following "group members" exist: | user | group | | student1 | G1 | @@ -128,15 +136,19 @@ Feature: Bulk remove submissions | assign | user | onlinetext | | Test assignment name | student1 | I'm the student1 submission | | Test assignment name | student2 | I'm the student2 submission | + | Test assignment name | student3 | I'm the student3 submission | And the following "role capability" exists: | role | editingteacher | | mod/assign:editothersubmission | allow | + | moodle/site:accessallgroups | allow | And I am on the "Test assignment name" Activity page logged in as teacher1 And I follow "View all submissions" And I should see "I'm the student1 submission" And I should see "I'm the student2 submission" + And I should see "I'm the student3 submission" And I set the field "selectall" to "1" When I set the field "operation" to "Remove submission" And I click on "Go" "button" confirming the dialogue Then I should not see "I'm the student1 submission" And I should not see "I'm the student2 submission" + And I should not see "I'm the student3 submission" diff --git a/mod/assign/tests/locallib_test.php b/mod/assign/tests/locallib_test.php index 85f60b2d189..8a493431323 100644 --- a/mod/assign/tests/locallib_test.php +++ b/mod/assign/tests/locallib_test.php @@ -3377,6 +3377,7 @@ Anchor link 2:Link text $student2 = $this->getDataGenerator()->create_and_enrol($course, 'student'); $student3 = $this->getDataGenerator()->create_and_enrol($course, 'student'); $student4 = $this->getDataGenerator()->create_and_enrol($course, 'student'); + $student5 = $this->getDataGenerator()->create_and_enrol($course, 'student'); $grouping = $this->getDataGenerator()->create_grouping(array('courseid' => $course->id)); $group1 = $this->getDataGenerator()->create_group(['courseid' => $course->id]); @@ -3394,6 +3395,7 @@ Anchor link 2:Link text 'submissiondrafts' => 1, 'groupingid' => $grouping->id, 'groupmode' => SEPARATEGROUPS, + 'preventsubmissionnotingroup' => 0, ]); // Add the capability to the new \assignment for student 1. @@ -3407,12 +3409,27 @@ Anchor link 2:Link text $this->assertTrue($assign->can_edit_submission($student2->id, $student1->id)); $this->assertFalse($assign->can_edit_submission($student3->id, $student1->id)); $this->assertFalse($assign->can_edit_submission($student4->id, $student1->id)); + $this->assertFalse($assign->can_edit_submission($student5->id, $student1->id)); // Verify other students do not have the ability to edit submissions for other users. $this->assertTrue($assign->can_edit_submission($student2->id, $student2->id)); $this->assertFalse($assign->can_edit_submission($student1->id, $student2->id)); $this->assertFalse($assign->can_edit_submission($student3->id, $student2->id)); $this->assertFalse($assign->can_edit_submission($student4->id, $student2->id)); + $this->assertFalse($assign->can_edit_submission($student5->id, $student2->id)); + + // Add the required capability to edit other submissions and to view all groups to the teacher. + $roleid = create_role('Dummy role 2', 'dummyrole2', 'dummy role description'); + assign_capability('mod/assign:editothersubmission', CAP_ALLOW, $roleid, $assign->get_context()->id); + assign_capability('moodle/site:accessallgroups', CAP_ALLOW, $roleid, $assign->get_context()->id); + role_assign($roleid, $teacher->id, $assign->get_context()->id); + + // Verify the teacher has the ability to edit submissions for other users including users not in a group. + $this->assertTrue($assign->can_edit_submission($student1->id, $teacher->id)); + $this->assertTrue($assign->can_edit_submission($student2->id, $teacher->id)); + $this->assertTrue($assign->can_edit_submission($student3->id, $teacher->id)); + $this->assertTrue($assign->can_edit_submission($student4->id, $teacher->id)); + $this->assertTrue($assign->can_edit_submission($student5->id, $teacher->id)); } /**