MDL-79541 core_grades: Hidden user fields check for search.

If some user profile fields are hidden on some grade reports
users without permission were able to see those.

grade/classes/external/get_enrolled_users_for_search_widget.php

@@ -101,6 +101,9 @@ class get_enrolled_users_for_search_widget extends external_api {
 
         $users = [];
 
+        $userfieldsapi = \core_user\fields::for_identity($coursecontext, false)->with_userpic();
+        $extrauserfields = $userfieldsapi->get_required_fields([\core_user\fields::PURPOSE_IDENTITY]);
+
         while ($userdata = $gui->next_user()) {
             $guiuser = $userdata->user;
             $user = new \stdClass();
@@ -110,7 +113,9 @@ class get_enrolled_users_for_search_widget extends external_api {
             $userpicture = new \user_picture($guiuser);
             $userpicture->size = 1;
             $user->profileimage = $userpicture->get_url($PAGE)->out(false);
-            $user->email = $guiuser->email;
+            foreach ($extrauserfields as $field) {
+                $user->$field = $userdata->user->$field ?? null;
+            }
             $user->active = false;
 
             $users[] = $user;

grade/classes/external/get_enrolled_users_for_selector.php

@@ -95,16 +95,23 @@ class get_enrolled_users_for_selector extends external_api {
 
         $users = [];
 
-        while ($userdata = $gui->next_user()) {
-            $user = $userdata->user;
-            $user->fullname = fullname($user);
-            $userpicture = new user_picture($user);
-            $userpicture->size = 1;
-            $user->profileimageurl = $userpicture->get_url($PAGE)->out(false);
-            $userpicture->size = 0; // Size f2.
-            $user->profileimageurlsmall = $userpicture->get_url($PAGE)->out(false);
+        $userfieldsapi = \core_user\fields::for_identity($coursecontext, false)->with_userpic();
+        $extrauserfields = $userfieldsapi->get_required_fields([\core_user\fields::PURPOSE_IDENTITY]);
 
-            $users[] = $user;
+        while ($userdata = $gui->next_user()) {
+            $userforselector = new \stdClass();
+            $userforselector->id = $userdata->user->id;
+            $userforselector->fullname = fullname($userdata->user);
+            $userpicture = new user_picture($userdata->user);
+            $userpicture->size = 1;
+            $userforselector->profileimageurl = $userpicture->get_url($PAGE)->out(false);
+            $userpicture->size = 0; // Size f2.
+            $userforselector->profileimageurlsmall = $userpicture->get_url($PAGE)->out(false);
+            foreach ($extrauserfields as $field) {
+                $userforselector->$field = $userdata->user->$field ?? null;
+            }
+
+            $users[] = $userforselector;
         }
         $gui->close();
 

grade/report/grader/classes/external/get_users_in_report.php

@@ -87,15 +87,23 @@ class get_users_in_report extends external_api {
         );
         $report = new grade_report_grader($courseid, $gpr, $context);
 
+        $userfieldsapi = \core_user\fields::for_identity($context, false)->with_userpic();
+        $extrauserfields = $userfieldsapi->get_required_fields([\core_user\fields::PURPOSE_IDENTITY]);
+
         // For the returned users, Add a couple of extra fields that we need for the search module.
-        $users = array_map(function ($user) use ($PAGE) {
-            $user->fullname = fullname($user);
+        $users = array_map(function ($user) use ($PAGE, $extrauserfields) {
+            $userforselector = new \stdClass();
+            $userforselector->id = $user->id;
+            $userforselector->fullname = fullname($user);
             $userpicture = new user_picture($user);
             $userpicture->size = 1;
-            $user->profileimageurl = $userpicture->get_url($PAGE)->out(false);
+            $userforselector->profileimageurl = $userpicture->get_url($PAGE)->out(false);
             $userpicture->size = 0; // Size f2.
-            $user->profileimageurlsmall = $userpicture->get_url($PAGE)->out(false);
-            return $user;
+            $userforselector->profileimageurlsmall = $userpicture->get_url($PAGE)->out(false);
+            foreach ($extrauserfields as $field) {
+                $userforselector->$field = $user->$field ?? null;
+            }
+            return $userforselector;
         }, $report->load_users(true));
         sort($users);
 

grade/report/user/tests/behat/usersearch.feature

@@ -196,6 +196,26 @@ Feature: Within the User report, a teacher can search for users.
     And "Turtle Manatee" "heading" should exist
     And "Teacher 1" "heading" should not exist
 
+    Scenario: A teacher can only search for fields that he allowed to see
+      Given the following "permission overrides" exist:
+        | capability                         | permission | role             | contextlevel | reference |
+        | moodle/course:viewhiddenuserfields | Prohibit   | editingteacher   | System       |           |
+      And the following config values are set as admin:
+        | hiddenuserfields | email |
+      And I am on the "Course 1" "grades > User report > View" page logged in as "teacher1"
+      When I set the field "Search users" to "User"
+      And "View all results (5)" "option_role" should exist
+      And I confirm "Dummy User" in "user" search within the gradebook widget exists
+      And I confirm "User Example" in "user" search within the gradebook widget exists
+      And I confirm "User Test" in "user" search within the gradebook widget exists
+      # Email is not shown in results.
+      And I confirm "User" in "user" search within the gradebook widget exists
+      And I confirm "example.com" in "user" search within the gradebook widget does not exist
+      # Email is not searchable.
+      And I set the field "Search users" to "student5@example.com"
+      And "View all results (5)" "option_role" should not exist
+      And I confirm "No results for \"student5@example.com\"" in "user" search within the gradebook widget exists
+
   @accessibility
   Scenario: A teacher can set focus and search using the input are with a keyboard
     Given I set the field "Search users" to "ABC"

user/amd/src/comboboxsearch/user.js

@@ -172,7 +172,11 @@ export default class UserSearch extends search_combobox {
                             `<span class="font-weight-bold">${searchTerm.replace(/</g, '&lt;')}</span>`
                         );
 
-                        user.matchingField = `${escapedMatchingField} (${user.email})`;
+                        if (user.email) {
+                            user.matchingField = `${escapedMatchingField} (${user.email})`;
+                        } else {
+                            user.matchingField = escapedMatchingField;
+                        }
                         break;
                     }
                 }