Plugins / CONTRIB-5750

Finer-grained access control for "Overview" screen

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.9
    • Fix Version/s: 2.9
    • Component/s: Module: Scheduler
    • Labels:
      None
    • Affected Branches:
      MOODLE_29_STABLE
    • Fixed Branches:
      MOODLE_29_STABLE

      Description

      At the moment, teachers can use the "Overview" tab in Scheduler to see the bookings of other teachers, including those in other schedulers anywhere on the system. More precisely, a user needs the "mod/scheduler:canseeotherteachersbooking" capability in order to use this feature. However, having the capability in one scheduler effectively allows them to see bookings (and grades) in all schedulers, including outside the current course. Depending on the use case, this might be seen as a security problem.

      The proposed resolution is: Add a drop-down box to the Overview screen to select the scope of the overview report (with options "This scheduler", "This course", "Anywhere"). Users could always see their own bookings in any scope. However, for seeing other teachers' bookings they would need the following capabilities:

      • "This scheduler": mod/scheduler:canseeotherteachersbooking at the level of the present scheduler
      • "This course": mod/scheduler:canseeotherteachersbooking at the level of the present course
      • "Anywhere": mod/scheduler:canseeotherteachersbooking at site level

      In typical setups, this would mean that a teacher can see all bookings in the current course, whereas a site admin would see all bookings at site level.

      This setup still doesn't cater for all possibilities that Moodle's role and capability model allows. For example, a capability could be granted at course level but revoked at activity level, or a resource might be hidden. This is far too complex to implement for the present case. However, for sites where this is a concern, maybe there should be a global configuration option to disable the Overview screen.

      (See discussion)
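
      A simplified model of the proposed scope rule, added here as an illustration and not taken from the Scheduler plugin's code. The function names, the tuple representation of contexts and the sample data are assumptions, and capability resolution is reduced to "granted at this context or a parent", ignoring the overrides the description mentions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Booking:
    teacher: str
    scheduler: str
    course: str

# Constructed sample data (not from the issue): scheduler -> course.
COURSE_OF = {"s1": "c1", "s2": "c1", "s3": "c2"}
BOOKINGS = [
    Booking("alice", "s1", "c1"), Booking("bob", "s1", "c1"),
    Booking("bob", "s2", "c1"), Booking("bob", "s3", "c2"),
    Booking("alice", "s3", "c2"),
]
# (user, context) pairs holding mod/scheduler:canseeotherteachersbooking.
GRANTS = {("alice", ("course", "c1")), ("admin", ("system",))}

def required_context(scope, scheduler):
    """Context at which the capability must be held for the chosen scope."""
    if scope == "scheduler":
        return ("module", scheduler)
    if scope == "course":
        return ("course", COURSE_OF[scheduler])
    if scope == "anywhere":
        return ("system",)
    raise ValueError(f"unknown scope: {scope!r}")  # fail closed

def has_cap(user, context):
    """Assumed simplification: a grant at the context or any parent counts."""
    chain = [context]
    if context[0] == "module":
        chain.append(("course", COURSE_OF[context[1]]))
    if context[0] != "system":
        chain.append(("system",))
    return any((user, c) in GRANTS for c in chain)

def overview(viewer, scope, scheduler):
    """Bookings the viewer may see from `scheduler` with the given scope."""
    see_others = has_cap(viewer, required_context(scope, scheduler))
    course = COURSE_OF[scheduler]
    in_scope = {
        "scheduler": lambda b: b.scheduler == scheduler,
        "course": lambda b: b.course == course,
        "anywhere": lambda b: True,
    }[scope]
    # Own bookings are always visible; others' only with the capability.
    return [b for b in BOOKINGS if in_scope(b) and (b.teacher == viewer or see_others)]
```

      With the constructed grants, a teacher holding the capability only in course c1 sees colleagues' bookings in the "scheduler" and "course" scopes, but in the "anywhere" scope gets back only her own bookings.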

            People

            • Votes: 1
            • Watchers: 4

              Dates

              • Created:
                Updated:
                Resolved:
                Fix Release Date:
                11/May/15