MDL-68652 core_grades: Only return allowed fields.

Grade iterator should check user permissions.
2025-04-16 14:02:32 +02:00 · 2023-12-05 10:50:20 +08:00 · 2023-12-05 10:50:20 +08:00 · 4cb1509e35
commit 4cb1509e35
parent 13c201fbc7
1 changed files with 7 additions and 3 deletions
--- a/grade/lib.php
+++ b/grade/lib.php
@ -183,7 +183,12 @@ class graded_users_iterator {
            }
        }

-        $userfields = 'u.*';
+        $userfieldsapi = \core_user\fields::for_identity($coursecontext, false)->with_userpic();
+        $userfields = $userfieldsapi->get_sql('u', false, '', '', false)->selects;
+
+        // This need to be fixed - webservices in grade/report/user/classes/external/user.php don't check permission properly.
+        $userfields .= ', u.idnumber, u.institution, u.department';
+
        $customfieldssql = '';
        if ($this->allowusercustomfields && !empty($CFG->grade_export_customprofilefields)) {
            $customfieldscount = 0;
@ -217,8 +222,7 @@ class graded_users_iterator {
        $this->users_rs = $DB->get_recordset_sql($users_sql, $params);

        if (!$this->onlyactive) {
-            $context = context_course::instance($this->course->id);
-            $this->suspendedusers = get_suspended_userids($context);
+            $this->suspendedusers = get_suspended_userids($coursecontext);
        } else {
            $this->suspendedusers = array();
        }