Eloy Lafuente (stronk7) 2019-09-17 16:21:41 +02:00
commit facf2f80b0
4 changed files with 75 additions and 9 deletions


@ -774,7 +774,8 @@ class api {
public static function can_create_data_deletion_request_for_self(int $userid = null): bool {
global $USER;
$userid = $userid ?: $USER->id;
return has_capability('tool/dataprivacy:requestdelete', \context_user::instance($userid), $userid);
return has_capability('tool/dataprivacy:requestdelete', \context_user::instance($userid), $userid)
&& !is_primary_admin($userid);
}
/**
@ -803,7 +804,7 @@ class api {
global $USER;
$requesterid = $requesterid ?: $USER->id;
return has_capability('tool/dataprivacy:makedatadeletionrequestsforchildren', \context_user::instance($userid),
$requesterid);
$requesterid) && !is_primary_admin($userid);
}
/**
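Review bot: The primary-admin exclusion is now written out three times — in `can_create_data_deletion_request_for_self`, in `can_create_data_deletion_request_for_children` and again in the ad-hoc task — so the rule has no single owner and the three sites can drift apart on a later change. A small helper in `api`, e.g. `protected static function is_deletion_target_allowed(int $userid): bool { return !is_primary_admin($userid); }`, called from all three places would keep one definition of the policy. The docblocks of both methods start above the hunk and should say that the primary admin is never a valid target, since callers use these methods to decide whether to show the deletion UI at all. The same duplication applies to the second hunk of this file and to the task hunk in the next file.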


@ -127,13 +127,17 @@ class process_data_request_task extends adhoc_task {
$thing = $fs->create_file_from_pathname($filerecord, $exportedcontent);
$completestatus = api::DATAREQUEST_STATUS_DOWNLOAD_READY;
} else if ($request->type == api::DATAREQUEST_TYPE_DELETE) {
// Delete the data.
$manager = new \core_privacy\manager();
$manager->set_observer(new \tool_dataprivacy\manager_observer());
// Delete the data for users other than the primary admin, which is rejected.
if (is_primary_admin($foruser->id)) {
$completestatus = api::DATAREQUEST_STATUS_REJECTED;
} else {
$manager = new \core_privacy\manager();
$manager->set_observer(new \tool_dataprivacy\manager_observer());
$manager->delete_data_for_user($approvedclcollection);
$completestatus = api::DATAREQUEST_STATUS_DELETED;
$deleteuser = !$foruser->deleted;
$manager->delete_data_for_user($approvedclcollection);
$completestatus = api::DATAREQUEST_STATUS_DELETED;
$deleteuser = !$foruser->deleted;
}
}
// When the preparation of the metadata finishes, update the request status to awaiting approval.
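Review bot: The primary-admin rejection is applied only when the ad-hoc task runs, i.e. after the request has already been approved, and nothing on the new side records why the status became `DATAREQUEST_STATUS_REJECTED` — the branch sets `$completestatus` and nothing else. If `api::approve_data_request` is able to refuse a request, performing the check there as well would surface the refusal to the approver immediately instead of having the status flip later with no explanation; if the request record carries a comment or reason field (not visible in this hunk), the task should populate it. The comment on the new branch also reads awkwardly; `// Deletion requests for the primary admin are always rejected; all other users have their data deleted.` states the rule directly. The enclosing method starts and ends outside the hunk.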


@ -303,6 +303,29 @@ class tool_dataprivacy_api_testcase extends advanced_testcase {
$requestid = $datarequest->get('id');
}
/**
* Test that deletion requests for the primary admin are rejected
*/
public function test_reject_data_deletion_request_primary_admin() {
$this->resetAfterTest();
$this->setAdminUser();
$datarequest = api::create_data_request(get_admin()->id, api::DATAREQUEST_TYPE_DELETE);
// Approve the request and execute the ad-hoc process task.
ob_start();
api::approve_data_request($datarequest->get('id'));
$this->runAdhocTasks('\tool_dataprivacy\task\process_data_request_task');
ob_end_clean();
$request = api::get_request($datarequest->get('id'));
$this->assertEquals(api::DATAREQUEST_STATUS_REJECTED, $request->get('status'));
// Confirm they weren't deleted.
$user = core_user::get_user($request->get('userid'));
core_user::require_active_user($user);
}
/**
* Test for api::can_contact_dpo()
*/
@ -2126,6 +2149,33 @@ class tool_dataprivacy_api_testcase extends advanced_testcase {
$this->assertFalse(api::can_create_data_deletion_request_for_self());
}
/**
* Test primary admin cannot create data deletion request for themselves
*/
public function test_can_create_data_deletion_request_for_self_primary_admin() {
$this->resetAfterTest();
$this->setAdminUser();
$this->assertFalse(api::can_create_data_deletion_request_for_self());
}
/**
* Test secondary admin can create data deletion request for themselves
*/
public function test_can_create_data_deletion_request_for_self_secondary_admin() {
$this->resetAfterTest();
$admin1 = $this->getDataGenerator()->create_user();
$admin2 = $this->getDataGenerator()->create_user();
// The primary admin is the one listed first in the 'siteadmins' config.
set_config('siteadmins', implode(',', [$admin1->id, $admin2->id]));
// Set the current user as the second admin (non-primary).
$this->setUser($admin2);
$this->assertTrue(api::can_create_data_deletion_request_for_self());
}
/**
* Test user can create data deletion request for themselves if they have
* "tool/dataprivacy:requestdelete" capability.
@ -2171,7 +2221,8 @@ class tool_dataprivacy_api_testcase extends advanced_testcase {
}
/**
* Check parents can create data deletion request for their children but not others.
* Check parents can create data deletion request for their children (unless the child is the primary admin),
* but not other users.
*
* @throws coding_exception
* @throws dml_exception
@ -2194,5 +2245,9 @@ class tool_dataprivacy_api_testcase extends advanced_testcase {
$this->setUser($parent);
$this->assertTrue(api::can_create_data_deletion_request_for_children($child->id));
$this->assertFalse(api::can_create_data_deletion_request_for_children($otheruser->id));
// Now make child the primary admin, confirm parent can't make deletion request.
set_config('siteadmins', $child->id);
$this->assertFalse(api::can_create_data_deletion_request_for_children($child->id));
}
}
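Review bot: `test_can_create_data_deletion_request_for_self_secondary_admin` passes for `$admin2` only because site admins satisfy `has_capability` without any role assignment, which the test never states; a comment above the assertion, `// Site admins pass the capability check implicitly; only the primary-admin exclusion is under test here.`, would stop a reader from looking for where the capability was granted. In the parent/child test the new `set_config('siteadmins', $child->id)` replaces the entire site-admin list rather than adding to it, which is fine for the test but is worth saying in the comment on the line above it, since it also removes the original admin. Minor style point: the docblock of `test_reject_data_deletion_request_primary_admin` lacks the terminating period the neighbouring docblocks use.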


@ -189,6 +189,12 @@ Feature: Data delete from the privacy API
And I follow "Profile" in the user menu
Then I should not see "Delete my account"
@javascript
Scenario: As a primary admin, the link to create a data deletion request should not be shown.
Given I log in as "admin"
When I follow "Profile" in the user menu
Then I should not see "Delete my account"
@javascript
Scenario: As a Privacy Officer, I cannot Approve to Deny deletion data request without permission.
Given the following "permission overrides" exist:
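Review bot: The new scenario only checks that the "Delete my account" link is hidden for the primary admin, which is a presentation check; the actual enforcement is in the `api` methods and the task, so a companion scenario that reaches the deletion request form directly and expects it to be refused would show the server-side rule is applied rather than only the link. As written, a regression that restores the link but keeps the API check would fail this scenario while the system is still safe, and the reverse regression would not be caught by it at all. The unit tests in the previous file cover the API side, so this is a coverage note rather than a defect.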