MDL-58762 report: Check group permissions in course user reports

Teachers were able to see any student's report even with forced separate
groups and the capability moodle/site:accessallgroups off.
Juan Leyva 2017-05-02 10:04:55 +02:00 committed by David Monllao
parent 423eca98d3
commit 85b531e8be
10 changed files with 68 additions and 48 deletions


@ -80,25 +80,30 @@ function report_completion_can_access_user_report($user, $course) {
}
if ($course->id != SITEID and !$course->enablecompletion) {
return;
return false;
}
$coursecontext = context_course::instance($course->id);
$personalcontext = context_user::instance($user->id);
if (has_capability('report/completion:view', $coursecontext)) {
return true;
}
if (has_capability('moodle/user:viewuseractivitiesreport', $personalcontext)) {
if ($user->id == $USER->id) {
if ($course->showreports and (is_viewing($coursecontext, $USER) or is_enrolled($coursecontext, $USER))) {
return true;
}
} else if (has_capability('moodle/user:viewuseractivitiesreport', $personalcontext)) {
if ($course->showreports and (is_viewing($coursecontext, $user) or is_enrolled($coursecontext, $user))) {
return true;
}
} else if ($user->id == $USER->id) {
if ($course->showreports and (is_viewing($coursecontext, $USER) or is_enrolled($coursecontext, $USER))) {
return true;
}
}
// Check if $USER shares group with $user (in case separated groups are enabled and 'moodle/site:accessallgroups' is disabled).
if (!groups_user_groups_visible($course, $user->id)) {
return false;
}
if (has_capability('report/completion:view', $coursecontext)) {
return true;
}
return false;
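Review bot: The `report/completion:view` branch at the end of the hunk still accepts whatever `$user` the page resolved, without the `is_viewing()`/`is_enrolled()` test that guards the `moodle/user:viewuseractivitiesreport` branch, so whether a capability holder can pull the completion report of someone who is not a course participant now rests entirely on what `groups_user_groups_visible()` returns for a user with no group in that course (not visible here; in a course without separate groups it presumably returns true). If that is not intended, gate the capability branch the same way: `if (has_capability('report/completion:view', $coursecontext) and (is_viewing($coursecontext, $user) or is_enrolled($coursecontext, $user))) {`. The function's signature and its `global $USER` line are above the hunk.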


@ -45,7 +45,7 @@ if ($USER->id != $user->id and has_capability('moodle/user:viewuseractivitiesrep
require_login($course);
}
if (!report_completion_can_access_user_report($user, $course, true)) {
if (!report_completion_can_access_user_report($user, $course)) {
// this should never happen
print_error('nocapability', 'report_completion');
}
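Review bot: The comment `// this should never happen` on the failing branch is now misleading: with the third argument dropped, `report_completion_can_access_user_report()` is the only gate on this page, and a false return is exactly the expected outcome when the viewer shares no group with `$user` under separate groups. Replace it with something like `// Denied: no capability, no enrolment/showreports, or group isolation (see lib.php).` so the next reader does not treat the branch as dead code. The `require_login()` branches that precede this check are above the hunk.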


@ -37,6 +37,7 @@ $string['log:view'] = 'View course logs';
$string['log:viewtoday'] = 'View today\'s logs';
$string['page'] = 'Page {$a}';
$string['logsformat'] = 'Logs format';
$string['nocapability'] = 'Can not access user log report';
$string['nologreaderenabled'] = 'No log reader enabled';
$string['origin'] = 'Source';
$string['other'] = 'Other';


@ -89,6 +89,21 @@ function report_log_can_access_user_report($user, $course) {
$coursecontext = context_course::instance($course->id);
$personalcontext = context_user::instance($user->id);
if ($user->id == $USER->id) {
if ($course->showreports and (is_viewing($coursecontext, $USER) or is_enrolled($coursecontext, $USER))) {
return array(true, true);
}
} else if (has_capability('moodle/user:viewuseractivitiesreport', $personalcontext)) {
if ($course->showreports and (is_viewing($coursecontext, $user) or is_enrolled($coursecontext, $user))) {
return array(true, true);
}
}
// Check if $USER shares group with $user (in case separated groups are enabled and 'moodle/site:accessallgroups' is disabled).
if (!groups_user_groups_visible($course, $user->id)) {
return array(false, false);
}
$today = false;
$all = false;
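Review bot: The block added at the top of the hunk — the own-report / `moodle/user:viewuseractivitiesreport` path followed by the `groups_user_groups_visible()` gate — is the fourth verbatim copy of the same access sequence in this commit (report_completion, report_log, report_outline, report_stats), differing only in the report capability name and the return shape. A shared helper taking the course, the user and the capability name would keep the group check from drifting the next time one copy is fixed, which matters for a check that exists to stop cross-group disclosure. The function docblock and `global $USER` line are above the hunk; the docblock should say that `array(false, false)` now also covers group isolation, not only missing capabilities.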
@ -99,21 +114,6 @@ function report_log_can_access_user_report($user, $course) {
$all = true;
}
if ($today and $all) {
return array(true, true);
}
if (has_capability('moodle/user:viewuseractivitiesreport', $personalcontext)) {
if ($course->showreports and (is_viewing($coursecontext, $user) or is_enrolled($coursecontext, $user))) {
return array(true, true);
}
} else if ($user->id == $USER->id) {
if ($course->showreports and (is_viewing($coursecontext, $USER) or is_enrolled($coursecontext, $USER))) {
return array(true, true);
}
}
return array($all, $today);
}


@ -58,6 +58,10 @@ if ($USER->id != $user->id and has_capability('moodle/user:viewuseractivitiesrep
list($all, $today) = report_log_can_access_user_report($user, $course);
if (!$today && !$all) {
print_error('nocapability', 'report_log');
}
if ($mode === 'today') {
if (!$today) {
require_capability('report/log:viewtoday', $coursecontext);


@ -26,6 +26,7 @@
$string['eventactivityreportviewed'] = 'Activity report viewed';
$string['eventoutlinereportviewed'] = 'Outline report viewed';
$string['neverseen'] = 'Never seen';
$string['nocapability'] = 'Can not access user outline report';
$string['nologreaderenabled'] = 'No log reader enabled';
$string['numviews'] = '{$a->numviews} by {$a->distinctusers} users';
$string['outline:view'] = 'View activity report';


@ -70,19 +70,24 @@ function report_outline_can_access_user_report($user, $course) {
$coursecontext = context_course::instance($course->id);
$personalcontext = context_user::instance($user->id);
if (has_capability('report/outline:view', $coursecontext)) {
return true;
}
if (has_capability('moodle/user:viewuseractivitiesreport', $personalcontext)) {
if ($user->id == $USER->id) {
if ($course->showreports and (is_viewing($coursecontext, $USER) or is_enrolled($coursecontext, $USER))) {
return true;
}
} else if (has_capability('moodle/user:viewuseractivitiesreport', $personalcontext)) {
if ($course->showreports and (is_viewing($coursecontext, $user) or is_enrolled($coursecontext, $user))) {
return true;
}
} else if ($user->id == $USER->id) {
if ($course->showreports and (is_viewing($coursecontext, $USER) or is_enrolled($coursecontext, $USER))) {
return true;
}
}
// Check if $USER shares group with $user (in case separated groups are enabled and 'moodle/site:accessallgroups' is disabled).
if (!groups_user_groups_visible($course, $user->id)) {
return false;
}
if (has_capability('report/outline:view', $coursecontext)) {
return true;
}
return false;
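Review bot: The docblock of `report_outline_can_access_user_report()` (above the hunk) should describe the new ordering, because a false return can now mean group isolation rather than a missing capability: the own-report and personal-context paths are tried first, then `groups_user_groups_visible()` must pass, and only then is `report/outline:view` consulted. A one-sentence addition such as `Returns false when $USER cannot see any of $user's groups (separate groups without moodle/site:accessallgroups), even if $USER holds report/outline:view.` covers it. The inline comment correctly names `moodle/site:accessallgroups`; the commit message's `moodle/course:accessallgroups` does not match it, and the comment is the one to trust.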


@ -55,8 +55,8 @@ if ($USER->id != $user->id and has_capability('moodle/user:viewuseractivitiesrep
}
$PAGE->set_url('/report/outline/user.php', array('id'=>$userid, 'course'=>$courseid, 'mode'=>$mode));
if (!report_outline_can_access_user_report($user, $course, true)) {
require_capability('report/outline:view', $coursecontext);
if (!report_outline_can_access_user_report($user, $course)) {
print_error('nocapability', 'report_outline');
}
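Review bot: Replacing `require_capability('report/outline:view', $coursecontext)` with `print_error('nocapability', 'report_outline')` changes the failure from a `required_capability_exception` that names the missing capability (and that tests commonly expect) to a generic error page, and it does so for every denial reason, including the new group-isolation case. Not naming the capability is arguably the right choice for the group case, since the message should not hint at why another group's member is unreachable, but that should be stated so the loss of the specific exception reads as deliberate: `// Generic denial: do not reveal whether it was a capability, enrolment or group-visibility failure.` `$PAGE->set_url()` is still called before the check, which is harmless because the page exits on denial.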
$stractivityreport = get_string('activityreport');


@ -78,19 +78,23 @@ function report_stats_can_access_user_report($user, $course) {
$coursecontext = context_course::instance($course->id);
$personalcontext = context_user::instance($user->id);
if (has_capability('report/stats:view', $coursecontext)) {
return true;
}
if (has_capability('moodle/user:viewuseractivitiesreport', $personalcontext)) {
if ($course->showreports and (is_viewing($coursecontext, $user) or is_enrolled($coursecontext, $user))) {
return true;
}
} else if ($user->id == $USER->id) {
if ($user->id == $USER->id) {
if ($course->showreports and (is_viewing($coursecontext, $USER) or is_enrolled($coursecontext, $USER))) {
return true;
}
} else if (has_capability('moodle/user:viewuseractivitiesreport', $personalcontext)) {
if ($course->showreports and (is_viewing($coursecontext, $user) or is_enrolled($coursecontext, $user))) {
return true;
}
}
// Check if $USER shares group with $user (in case separated groups are enabled and 'moodle/site:accessallgroups' is disabled).
if (!groups_user_groups_visible($course, $user->id)) {
return false;
}
if (has_capability('report/stats:view', $coursecontext)) {
return true;
}
return false;
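Review bot: When `$user->id == $USER->id` but `$course->showreports` is off (or the viewer is not enrolled), control falls through to `groups_user_groups_visible($course, $user->id)` evaluated on the viewer's own account before the `report/stats:view` check; a user is trivially visible to themself, so the call is at best wasted and at worst depends on how that helper treats a user with no groups (not visible here). Making the intent explicit costs one condition: `if ($user->id != $USER->id and !groups_user_groups_visible($course, $user->id)) {`. The function's signature and `global $USER` line are above the hunk.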


@ -51,7 +51,7 @@ if ($USER->id != $user->id and has_capability('moodle/user:viewuseractivitiesrep
require_login($course);
}
if (!report_stats_can_access_user_report($user, $course, true)) {
if (!report_stats_can_access_user_report($user, $course)) {
// this should never happen
print_error('nocapability', 'report_stats');
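Review bot: The `// this should never happen` comment above `print_error()` is stale after this change: `report_stats_can_access_user_report()` now returns false whenever the viewer shares no group with `$user` under separate groups, so this branch is the normal denial path, not an unreachable safety net. Replace it with `// Denied: no capability, no enrolment/showreports, or group isolation (see lib.php).` The `require_login()` branches preceding the check are above the hunk.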
}