When displaying users at site level:

- teachers can see everyone
  - everyone can see teachers

but everyone else is prevented from seeing users.  This is regardless
of the forceloginforprofiles setting and is designed to stop mass collection
of user names by browsing through all user names.

lang/en/error.php

@@ -14,5 +14,6 @@ $string['restricteduser'] = 'Sorry, but your current account \"$a\" is restricte
 $string['unknowncourse'] = 'Unknown course named \"$a\"';
 $string['usernotaddederror'] = 'User \"$a\" not added - unknown error';
 $string['usernotaddedregistered'] = 'User \"$a\" not added - already registered';
+$string['usernotavailable'] = 'The details of this user are not available to you.';
 
 ?>

user/view.php

@@ -52,6 +52,18 @@
         }
     }
 
+    if (!$course->category) {  // To reduce possibility of "browsing" userbase at site level
+        if (!isteacher() and !isteacher(0, $user->id) ) {  // Teachers can browse and be browsed at site level
+            print_header("$personalprofile: ", "$personalprofile: ",
+                          "<a href=\"index.php?id=$course->id\">$participants</a>",
+                          "", "", true, "&nbsp;", navmenu($course));
+            print_heading(get_string('usernotavailable', 'error'));
+            print_footer($course);
+            die;
+        }
+    }
+
+
     if ($course->category) {
         print_header("$personalprofile: $fullname", "$personalprofile: $fullname",
                      "<a href=\"../course/view.php?id=$course->id\">$course->shortname</a> ->
@@ -63,7 +75,7 @@
     }
 
 
-    if ($course->category and ! isguest() ) {
+    if ($course->category and ! isguest() ) {   // Need to have access to a course to see that info
         if (!isstudent($course->id, $user->id) && !isteacher($course->id, $user->id)) {
             print_heading(get_string("notenrolled", "", $fullname));
             print_footer($course);