MDL-56526 userlib: Do not allow not loggedin users if forceloginforprofile is set
parent
6f5a433c95
commit
58d85af209
12
user/lib.php
12
user/lib.php
@ -1113,14 +1113,20 @@ function user_can_view_profile($user, $course = null, $usercontext = null) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// If any of these four things, return true.
|
||||
// Perform some quick checks and eventually return early.
|
||||
|
||||
// Number 1.
|
||||
if ($USER->id == $user->id) {
|
||||
if (empty($CFG->forceloginforprofiles)) {
|
||||
return true;
|
||||
} else {
|
||||
if (!isloggedin() || isguestuser()) {
|
||||
// User is not logged in and forceloginforprofile is set, we need to return now.
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
// Number 2.
|
||||
if (empty($CFG->forceloginforprofiles)) {
|
||||
if ($USER->id == $user->id) {
|
||||
return true;
|
||||
}
|
||||
|
||||
|
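Review bot: The comment in the new `else` branch names only the not-logged-in case, while the condition `!isloggedin() || isguestuser()` also refuses the guest account, and it does so ahead of the self-view check and whatever capability checks follow. I would say that in the comment, with the setting spelled as it is in the code: `// forceloginforprofiles is set: deny visitors and the guest account before any capability check.` The `else` wrapper is redundant after `return true;`, so the guard can sit flat as `if (!isloggedin() || isguestuser()) { return false; }`. user_can_view_profile starts before and continues after this hunk, so its docblock and remaining checks are not visible here; if the docblock lists the conditions, it should mention this early denial too.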
@ -119,6 +119,7 @@ class user_search_testcase extends advanced_testcase {
|
||||
* @return void
|
||||
*/
|
||||
public function test_users_access() {
|
||||
global $CFG;
|
||||
|
||||
// Returns the instance as long as the area is supported.
|
||||
$searcharea = \core_search\manager::get_search_area($this->userareaid);
|
||||
@ -127,6 +128,8 @@ class user_search_testcase extends advanced_testcase {
|
||||
$user2 = self::getDataGenerator()->create_user();
|
||||
$user3 = self::getDataGenerator()->create_user();
|
||||
$user4 = self::getDataGenerator()->create_user();
|
||||
$user5 = self::getDataGenerator()->create_user();
|
||||
$user5->id = 0; // Visitor (not guest).
|
||||
|
||||
$deleteduser = self::getDataGenerator()->create_user(array('deleted' => 1));
|
||||
$unconfirmeduser = self::getDataGenerator()->create_user(array('confirmed' => 0));
|
||||
@ -182,6 +185,22 @@ class user_search_testcase extends advanced_testcase {
|
||||
$this->assertEquals(\core_search\manager::ACCESS_DENIED, $searcharea->check_access($suspendeduser->id));
|
||||
|
||||
$this->setGuestUser();
|
||||
$this->assertEquals(\core_search\manager::ACCESS_DENIED, $searcharea->check_access($user1->id));
|
||||
$this->assertEquals(\core_search\manager::ACCESS_DENIED, $searcharea->check_access($user2->id));
|
||||
$this->assertEquals(\core_search\manager::ACCESS_DENIED, $searcharea->check_access($user3->id));
|
||||
|
||||
$CFG->forceloginforprofiles = 0;
|
||||
$this->assertEquals(\core_search\manager::ACCESS_GRANTED, $searcharea->check_access($user1->id));
|
||||
$this->assertEquals(\core_search\manager::ACCESS_GRANTED, $searcharea->check_access($user2->id));
|
||||
$this->assertEquals(\core_search\manager::ACCESS_GRANTED, $searcharea->check_access($user3->id));
|
||||
|
||||
$this->setUser($user5);
|
||||
$CFG->forceloginforprofiles = 1;
|
||||
$this->assertEquals(\core_search\manager::ACCESS_DENIED, $searcharea->check_access($user1->id));
|
||||
$this->assertEquals(\core_search\manager::ACCESS_DENIED, $searcharea->check_access($user2->id));
|
||||
$this->assertEquals(\core_search\manager::ACCESS_DENIED, $searcharea->check_access($user3->id));
|
||||
|
||||
$CFG->forceloginforprofiles = 0;
|
||||
$this->assertEquals(\core_search\manager::ACCESS_GRANTED, $searcharea->check_access($user1->id));
|
||||
$this->assertEquals(\core_search\manager::ACCESS_GRANTED, $searcharea->check_access($user2->id));
|
||||
$this->assertEquals(\core_search\manager::ACCESS_GRANTED, $searcharea->check_access($user3->id));
|
||||
|
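Review bot: The first guest block (`$this->setGuestUser();` followed by three `ACCESS_DENIED` assertions) runs before `$CFG->forceloginforprofiles` is assigned anywhere in the visible hunks, so it appears to pass only while the site default for that setting is on. Setting `$CFG->forceloginforprofiles = 1;` right after `setGuestUser()` would pin the precondition in the test, the way the `$user5` block already does. Separately, `$user5->id = 0; // Visitor (not guest).` overwrites the id of a generated user; a short comment saying the object is only passed to `setUser()` to emulate a not-logged-in session would help the next reader. test_users_access begins and ends outside these hunks, so an earlier assignment of the setting cannot be ruled out from here.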
@ -582,19 +582,37 @@ class core_userliblib_testcase extends advanced_testcase {
|
||||
$CFG->forceloginforprofiles = 1;
|
||||
$this->setUser($user8);
|
||||
|
||||
// By default guest has 'moodle/user:viewdetails' cap.
|
||||
$this->assertTrue(user_can_view_profile($user1));
|
||||
$CFG->forceloginforprofiles = 0;
|
||||
$this->assertTrue(user_can_view_profile($user1));
|
||||
|
||||
// Let us remove this cap.
|
||||
$allroles = $DB->get_records_menu('role', array(), 'id', 'archetype, id');
|
||||
assign_capability('moodle/user:viewdetails', CAP_PROHIBIT, $allroles['guest'], context_system::instance()->id, true);
|
||||
reload_all_capabilities();
|
||||
// Let us test with guest user.
|
||||
$this->setGuestUser();
|
||||
$CFG->forceloginforprofiles = 1;
|
||||
$this->assertFalse(user_can_view_profile($user1));
|
||||
foreach ($users as $user) {
|
||||
$this->assertFalse(user_can_view_profile($user));
|
||||
}
|
||||
|
||||
// Even with cap, still guests should not be allowed in.
|
||||
assign_capability('moodle/user:viewdetails', CAP_ALLOW, $allroles['guest'], context_system::instance()->id, true);
|
||||
reload_all_capabilities();
|
||||
foreach ($users as $user) {
|
||||
$this->assertFalse(user_can_view_profile($user));
|
||||
}
|
||||
|
||||
$CFG->forceloginforprofiles = 0;
|
||||
$this->assertTrue(user_can_view_profile($user1));
|
||||
foreach ($users as $user) {
|
||||
$this->assertTrue(user_can_view_profile($user));
|
||||
}
|
||||
|
||||
// Let us test with Visitor user.
|
||||
$this->setUser($user8);
|
||||
$CFG->forceloginforprofiles = 1;
|
||||
foreach ($users as $user) {
|
||||
$this->assertFalse(user_can_view_profile($user));
|
||||
}
|
||||
|
||||
$CFG->forceloginforprofiles = 0;
|
||||
foreach ($users as $user) {
|
||||
$this->assertTrue(user_can_view_profile($user));
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
|
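Review bot: Every `forceloginforprofiles = 0` assertion in this hunk appears to run after the guest role has been given `CAP_ALLOW` again, so the test never shows what user_can_view_profile() returns with the setting off and `moodle/user:viewdetails` prohibited. The `assertFalse` calls made under `CAP_PROHIBIT` also cannot tell the new guard apart from a plain capability denial; only the block after "Even with cap, still guests should not be allowed in." does that. If the early `return true` for an unset setting is intended, I would pin it before the `CAP_ALLOW` reassignment with `$CFG->forceloginforprofiles = 0;`, `$this->assertTrue(user_can_view_profile($user1));`, `$CFG->forceloginforprofiles = 1;`. The rendered page has lost its +/- markers, so which of the paired `$user1` and `foreach ($users as $user)` assertions are on the new side is inferred, and the test method starts outside the hunk.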