Moodle

Payments Button Appears in Profile When It Should Not?

Details

  • Type: Bug Bug
  • Status: Closed Closed
  • Priority: Minor Minor
  • Resolution: Won't Fix
  • Affects Version/s: 1.9.1
  • Fix Version/s: None
  • Component/s: Administration
  • Labels:
    None

Description

I've tried to apply a patch for MDL-13835 to hide the courses someone is enrolled in from other students who have no need to access that information. In testing this, it seems there's not any type of check for when the payment button appears. The payment button appears when you click on another student's profile and while their payments don't appear it would seem there's no need for the payment button to appear at all when clicking on another students profile. I'm also including a link to the forum discussion on this topic.
http://moodle.org/mod/forum/discuss.php?d=97747#p441442

Here's an update from my original post. I obviously didn't understand the default behavior, but I still think this might need to be addressed.

After testing some more in the default install, when clicking on another students profile the payments button seems to reflect the payments of the student who is logged in, not the student whose profile is being clicked on. I didn't catch it before because I typically use the same test amounts when I run payments through under my own name using different user accounts and the one account I hadn't run a payment through yet. I just looked at my 1.6 install and it works exactly the same way. I've never noticed it before because I've never had the ability to change/add user profile fields.

I think if someone uses the original patch from Mike it will do exactly what was intended and that's hide the courses enrolled in from other students. I still don't think the payments button is necessary when looking at someone else's profile and there's no reason for it to appear because it's somewhat of a mixed message. The messages button applies to the student profile your looking at and the payments button right next to it applies to the student logged in, but it appears that's the default behavior.

Todd

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Matt Campbell added a comment -

My answer in the forums was to add a capability check for enrol/authorize:managepayments, which resolves the issue but maybe not in the best way.

According to what Todd is reporting, the Payments button shows up on all profiles in the course, if Authorize.net is used as a payment type for the course. If a user clicks on the button, no matter who's profile it is, they get their own payment history, not the payment history of the user they are clicking on. It looks like /enrol/authorize/locallib.php does a check if the user has the enrol/authorize:managepayments capability, they see the payments for the user they clicked on. If not, they see their own.

I think proper behavior would be to:

If you are looking at your own profile, you will see the Payments button and will be able to see your payments.
If you have the enrol/authorize:managepayments capability, you will see it on all profiles will see that user's payments.
If you do not have the enrol/authorize:managepayments capability and you are looking at another user's profile, you do not see the Payments button.

Show
Matt Campbell added a comment - My answer in the forums was to add a capability check for enrol/authorize:managepayments, which resolves the issue but maybe not in the best way. According to what Todd is reporting, the Payments button shows up on all profiles in the course, if Authorize.net is used as a payment type for the course. If a user clicks on the button, no matter who's profile it is, they get their own payment history, not the payment history of the user they are clicking on. It looks like /enrol/authorize/locallib.php does a check if the user has the enrol/authorize:managepayments capability, they see the payments for the user they clicked on. If not, they see their own. I think proper behavior would be to: If you are looking at your own profile, you will see the Payments button and will be able to see your payments. If you have the enrol/authorize:managepayments capability, you will see it on all profiles will see that user's payments. If you do not have the enrol/authorize:managepayments capability and you are looking at another user's profile, you do not see the Payments button.
Hide
Permalink
Ethem Evlice added a comment -

user/view.php line: 495

Adding isguest()==false to the line, solves this problem...

The new line is:

if (isguest() == false && ($course->enrol == 'authorize' || (empty($course->enrol) && $CFG->enrol == 'authorize'))) {

Your last 3 behaviors as it.

Show
Ethem Evlice added a comment - user/view.php line: 495 Adding isguest()==false to the line, solves this problem... The new line is: if (isguest() == false && ($course->enrol == 'authorize' || (empty($course->enrol) && $CFG->enrol == 'authorize'))) { Your last 3 behaviors as it.
Hide
Permalink
Ethem Evlice added a comment -

/enrol/authorize/locallib.php checks enrol/authorize:managepayments capability correctly.

if an normal user sees, he sees their payment history without payment management.
if an admin user (with enrol/authorize:managepayments capability) sees, he sees user's payment history and can manage payments.
if normal user sees another user's payment it requires enrol/authorize:managepayments capability. So no one can see other payment.

The problem is just appearing 'Payment' button and adding isguest() solves this problem.

Show
Ethem Evlice added a comment - /enrol/authorize/locallib.php checks enrol/authorize:managepayments capability correctly. if an normal user sees, he sees their payment history without payment management. if an admin user (with enrol/authorize:managepayments capability) sees, he sees user's payment history and can manage payments. if normal user sees another user's payment it requires enrol/authorize:managepayments capability. So no one can see other payment. The problem is just appearing 'Payment' button and adding isguest() solves this problem.
Hide
Permalink
Michael de Raadt added a comment -

Thanks for reporting this issue.

We have detected that this issue has been inactive for over a year has been recorded as affecting versions that are no longer supported.

If you believe that this issue is still relevant to current versions (2.1 and beyond), please comment on the issue. Issues left inactive for a further month will be closed.

Michael d;

lqjjLKA0p6

Show
Michael de Raadt added a comment - Thanks for reporting this issue. We have detected that this issue has been inactive for over a year has been recorded as affecting versions that are no longer supported. If you believe that this issue is still relevant to current versions (2.1 and beyond), please comment on the issue. Issues left inactive for a further month will be closed. Michael d; lqjjLKA0p6
Hide
Permalink
Michael de Raadt added a comment -

I'm closing this issue as it appears to have become inactive and is probably not relevant to a current supported version. If you are encountering this problem or one similar, please launch a new issue.

Show
Michael de Raadt added a comment - I'm closing this issue as it appears to have become inactive and is probably not relevant to a current supported version. If you are encountering this problem or one similar, please launch a new issue.

Dates

  • Created:
    Updated:
    Resolved:
Atlassian JIRA (v4.4.3#663-r165197) | Report a problem
Powered by a free Atlassian JIRA open source license for Moodle. Try JIRA - bug tracking software for your team.