MDL-70822 enrol: respect capability to view other users profile.

When retrieving courses of another user via web services, we should
respect the capability to view that user's profile in a given course.
This commit is contained in:
Paul Holden 2021-02-08 08:23:12 +00:00 committed by Jenkins
parent c9855a8b20
commit a251c260c4
2 changed files with 78 additions and 2 deletions


@ -307,6 +307,7 @@ class core_enrol_external extends external_api {
global $CFG, $USER, $DB;
require_once($CFG->dirroot . '/course/lib.php');
require_once($CFG->dirroot . '/user/lib.php');
require_once($CFG->libdir . '/completionlib.php');
// Do basic automatic PARAM checks on incoming data, using params description
@ -346,8 +347,8 @@ class core_enrol_external extends external_api {
continue;
}
if (!$sameuser and !course_can_view_participants($context)) {
// we need capability to view participants
// If viewing details of another user, then we must be able to view participants as well as profile of that user.
if (!$sameuser && (!course_can_view_participants($context) || !user_can_view_profile($user, $course))) {
continue;
}
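Review bot: The new condition in the second hunk silently skips a course when `user_can_view_profile($user, $course)` is false, but the method's docblock (outside this hunk) still does not say that the returned list is filtered by the caller's ability to see the requested user's profile in each course, so a caller comparing the result with enrol_get_users_courses() output has no documented reason for the gap. Add to the get_users_courses docblock a line such as `Courses where the current user cannot view participants, or cannot view the requested user's profile, are omitted from the result.` `$user` and `$course` are presumably the fetched user record and the loop's course record, but both are assigned outside the hunk, and the enclosing method continues past it. The `require_once` of user/lib.php in the first hunk appears to exist only to make user_can_view_profile() available, so the two hunks must land together.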


@ -610,6 +610,81 @@ class core_enrol_externallib_testcase extends externallib_advanced_testcase {
$this->assertEquals(0, $enrolledincourses[0]['lastaccess']); // I can't see this, hidden by global setting.
}
/**
* Test that get_users_courses respects the capability to view participants when viewing courses of other user
*/
public function test_get_users_courses_can_view_participants(): void {
global $DB;
$this->resetAfterTest();
$course = $this->getDataGenerator()->create_course();
$context = context_course::instance($course->id);
$user1 = $this->getDataGenerator()->create_and_enrol($course, 'student');
$user2 = $this->getDataGenerator()->create_and_enrol($course, 'student');
$this->setUser($user1);
$courses = core_enrol_external::clean_returnvalue(
core_enrol_external::get_users_courses_returns(),
core_enrol_external::get_users_courses($user2->id, false)
);
$this->assertCount(1, $courses);
$this->assertEquals($course->id, reset($courses)['id']);
// Prohibit the capability for viewing course participants.
$studentrole = $DB->get_field('role', 'id', ['shortname' => 'student']);
assign_capability('moodle/course:viewparticipants', CAP_PROHIBIT, $studentrole, $context->id);
$courses = core_enrol_external::clean_returnvalue(
core_enrol_external::get_users_courses_returns(),
core_enrol_external::get_users_courses($user2->id, false)
);
$this->assertEmpty($courses);
}
/*
* Test that get_users_courses respects the capability to view a users profile when viewing courses of other user
*/
public function test_get_users_courses_can_view_profile(): void {
$this->resetAfterTest();
$course = $this->getDataGenerator()->create_course([
'groupmode' => VISIBLEGROUPS,
]);
$user1 = $this->getDataGenerator()->create_and_enrol($course, 'student');
$user2 = $this->getDataGenerator()->create_and_enrol($course, 'student');
// Create separate groups for each of our students.
$group1 = $this->getDataGenerator()->create_group(['courseid' => $course->id]);
groups_add_member($group1, $user1);
$group2 = $this->getDataGenerator()->create_group(['courseid' => $course->id]);
groups_add_member($group2, $user2);
$this->setUser($user1);
$courses = core_enrol_external::clean_returnvalue(
core_enrol_external::get_users_courses_returns(),
core_enrol_external::get_users_courses($user2->id, false)
);
$this->assertCount(1, $courses);
$this->assertEquals($course->id, reset($courses)['id']);
// Change to separate groups mode, so students can't view information about each other in different groups.
$course->groupmode = SEPARATEGROUPS;
update_course($course);
$courses = core_enrol_external::clean_returnvalue(
core_enrol_external::get_users_courses_returns(),
core_enrol_external::get_users_courses($user2->id, false)
);
$this->assertEmpty($courses);
}
/**
* Test get_users_courses with mathjax in the name.
*/
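Review bot: The docblock of test_get_users_courses_can_view_profile opens with `/*` rather than `/**`, so it is a plain comment and not PHPDoc, unlike the sibling test_get_users_courses_can_view_participants above it; change it to `/**`, and the same line should read `a user's profile`. The profile test makes user_can_view_profile() fail indirectly by switching to SEPARATEGROUPS, so a comment stating that the participants capability is untouched and only the profile check is expected to deny would make the intent explicit, e.g. `// Participants capability is still granted; only the profile visibility check should reject the course.`. It would also strengthen the test to assert `course_can_view_participants($context)` remains true after update_course(), so the empty result is attributable to the profile check alone.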