Details
-
Type:
Bug
-
Status: Resolved
-
Priority:
Minor
-
Resolution: Fixed
-
Affects Version/s: 3.5.3, 3.6
-
Fix Version/s: None
-
Component/s: Module: Scheduler
-
Labels:None
-
Affected Branches:MOODLE_35_STABLE, MOODLE_36_STABLE
Description
For specific roles, such as non-editing teachers, marking attendance of students is inconsistent. Typically roles with reduced permissions do not have manageallappointments capability. However, it's handled differently among the views:
- the checkbox next to each student is unavailable on 'all appointments' view
- the checkbox is available on a single student view (view.php?what=viewstudent)
It's because it relies on different capabilities. In the first view, it's defined in teacherview.php#L481 (https://github.com/bostelm/moodle-mod_scheduler/blob/5af0d8cba0e429fabd196fdfa58d65d8a09b6323/teacherview.php#L481) and relies on manageallappointments capability.
However, in the second case, it primarily relies on 'manage' capability instead of validating $USER against $slot->teacherid: https://github.com/bostelm/moodle-mod_scheduler/blob/5af0d8cba0e429fabd196fdfa58d65d8a09b6323/viewstudent.php#L15 and the checkbox 'attended' is still visible to those who are missing manageallappointments.
It could be argued what is the desired workflow, but at least it should be consistent.
Screenshots attached. Logged in as non-editing teacher without manageallappointments permission, but with manage permission.
Attachments
Issue Links
- will be (partly) resolved by
-
CONTRIB-6877 Finer-grained access control on the teacher side
-
- Resolved
-