Moodle / MDL-20198

Group not in a Grouping can access Wiki available for Grouping only

    Details

    • Database:
      MySQL
    • Testing Instructions:
      1. Login as admin
      2. site admin setting > misc > experimental > enable grouping
      3. create 3 new users: aa, bb, ab.
      4. select a course and enrolled the above new users
      5. create GroupA and GroupB.
      6. add the following users in groupA: aa and ab
      7. add the following users in groupB: bb and ab
      8. select grouping tab, create 'wikigrouping' and add groupB
      9. create wiki group type activity and set grouping to 'wikigrouping'
      1. login as ab
      2. make some changes to the wiki
      3. select other wiki (top right) to groupB — the wiki should display the updated content.
      4. access the other group through browser url (eg: http://mymoodle.com/mod/wiki/view.php?id=4&groupid=1, assuming that groupid 1 is assigned for groupA). — cannot access error should display.
    • Affected Branches:
      MOODLE_19_STABLE
    • Fixed Branches:
      MOODLE_19_STABLE
    • Pull from Repository:
    • Rank:
      5519

      Description

      The bug is related to using the "Groupings" feature with "Separate groups" settings for a Wiki.

      If a student is in more than one group - for example 'A-group' and 'B-group' - and a 'Wiki-grouping' is created that includes 'B-group' in the 'Wiki-grouping', (but not 'A-group'), the Wiki opens in 'A-group' view for the student. The student then edits and saves information in the Wiki, but the Wiki is not listed in the available "Other Wikis" list, and cannot be viewed by the Teacher. This error only occurs if the student is in another group where the group-name of this other group is alphabetically lower than the group that has been included in the 'Wiki-grouping' (e.g. A-group is lower than B-group). Also when the Teacher initially accesses the Wiki, it opens for a group of the lowest alphabetically named group in the Course, even if that group is not included in the 'Wiki-grouping'.

        Activity

        Dong Kim added a comment -

        Here is a patch we are using in our instance of Moodle. Instead of using the first groupid returned by mygroupid($course->id), we use the first element returned by groups_get_all_groups($course->id, $USER->id, $wiki->groupingid).

        Michael Blake added a comment -

        Can someone please test the attached patch and comment? A MP's client is reporting this problem and would like to have confirmation of the fix. Thanks!

        moodle.com added a comment -

        Bringing this in for a look. Although this is in an unsupported version of the Wiki, it may be a security issue.

        There has been a similar issue resolved recently for the Wiki 2.x.

        Rossiani Wijaya added a comment -

        I'm having difficulty reproducing this error.

        Margot, could you provide some steps to reproduce the bug?

        Thanks
        Rosie

        Margot Schuhmacher added a comment -

        Hi Rosie

        Create GroupA and GroupB. Add students to GroupA and GroupB. Make sure at least one of the students in GroupA is also included in GroupB. Create a Grouping e.g. WikiGrouping. Add GroupB to the WikiGrouping. Create a Wiki and make it only available for Group Members in WikiGrouping. Login as the student that is in GroupA and GroupB. This student adds an entry to the Wiki, and the entry seems to be associated with Wiki for GroupA even though GroupA is not included in the Grouping. The student indicates to their teacher they have updated the Wiki, Teacher initially sees what student entered, then selects GroupB wiki but nothing is there, and they cannot go back to see what the student did. The same behaviour occurs for student if they select their group (GroupB) from 'Other Wikis' - their entry is not there.

        Margot

        Rossiani Wijaya added a comment -

        Hi Margot,

        Thanks for providing steps to reproduce the issue.

        Dong's patch works for student. However as for teacher, accessing the wiki page from main course page will load the first available group within the course (groupA in this case).

        I extended Dong's patch to do the following:

        1. Accessing the wiki page from main course will load the first available group in grouping (for student and teacher).
        2. Limit viewing wiki page only to users (student) that are members of the grouping group. eg: based on Margot's scenario above, if user ab (belonging to groups a and b) tried to access groupA wiki through browser address (http://m19/mod/wiki/view.php?id=7&groupid=1) it will display an error that the page is not accessible.

        submitting this for peer review.
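
        The group selection and access rule described in the comment above, as an added example that is not part of the thread or of the attached patch. It is a stand-alone PHP model rather than Moodle code; the function names, the group ids and the `$seesall` flag (a teacher who may view every group in the grouping) are assumptions.

```php
<?php
// Constructed data mirroring the scenario in this issue (ids are assumptions).
$members      = ['aa' => [1], 'bb' => [2], 'ab' => [1, 2]]; // user => group ids (1 = GroupA, 2 = GroupB)
$wikigrouping = [2];                                        // 'wikigrouping' contains GroupB only

// Pre-fix behaviour: default to the user's first course group, ignoring the grouping.
function default_group_unscoped(array $usergroups): ?int {
    return $usergroups[0] ?? null;
}

// Groups a user may open in this wiki: always limited to the grouping, and
// for students further limited to the groups they belong to.
function allowed_groups(array $usergroups, array $groupinggroups, bool $seesall): array {
    if ($seesall) {
        return array_values($groupinggroups);
    }
    return array_values(array_intersect($usergroups, $groupinggroups));
}

// Resolve which group's wiki to show. $requested is the groupid URL parameter,
// or null when the wiki is opened from the course page.
function resolve_wiki_group(array $usergroups, array $groupinggroups,
                            ?int $requested, bool $seesall = false): int {
    $allowed = allowed_groups($usergroups, $groupinggroups, $seesall);
    if ($requested === null) {
        if (!$allowed) {
            throw new RuntimeException('no accessible group in this grouping');
        }
        return $allowed[0]; // first group inside the grouping, not inside the course
    }
    // The URL parameter is untrusted: membership of the group is not enough,
    // the group must also be part of the wiki's grouping.
    if (!in_array($requested, $allowed, true)) {
        throw new RuntimeException('cannot access this group wiki');
    }
    return $requested;
}

echo 'pre-fix default for ab:  ', default_group_unscoped($members['ab']), "\n";
echo 'post-fix default for ab: ', resolve_wiki_group($members['ab'], $wikigrouping, null), "\n";
echo 'teacher default:         ', resolve_wiki_group([], $wikigrouping, null, true), "\n";
try {
    resolve_wiki_group($members['ab'], $wikigrouping, 1); // view.php?...&groupid=1
} catch (RuntimeException $e) {
    echo 'ab requesting groupid=1: ', $e->getMessage(), "\n";
}
```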

        Rajesh Taneja added a comment -

        Changes look good to me Rossie
        There are a few things you might want to consider:

        1. correct space in if statement
           if($groups && count($groups)>0) 
        2. Extend thanks to Dan, in commit for his patch
        3. Analyze if this is a security issue, if yes then update Security Level, else I am not sure if this will get integrated (only security patches are going in 1.9 and 2.0)
        4. Also, if this is a security issue, then remove public branch and attach fix, as patch.
        Michael de Raadt added a comment -

        I've discussed this with Rosie and I have replicated the problem. I think the proposed fix is appropriate.

        I can't think of any way that there could be information leakage related to this, the data just seems to be going in the wrong place. I could be wrong, but I'm not willing to call this a security issue at this stage.

        Currently we are not fixing 1.9 bugs that are not security issues, but as effort has been invested in this, I think we should incorporate the solution.

        Sam had some concerns about the resulting functionality. I'd like to see that clarified.

        Sam Hemelryk added a comment -

        Hi guys,

        I've been having a look at this now and things appear to be fixed.
        By no means am I an expert on groupings and I profess that I haven't read into this enough to have learnt the ins and outs of them...
        What I do know is that groupings is an experimental feature, wiki has been written in 2.0 because of the numerous problems it had, and 19 is in an extremely stable state.
        Normally I'd say just to leave it. However the work has been done and appears things have only improved and no noticeable changes in functionality so my +1 for these changes.

        Just noting I won't be the integrator for this issue, Eloy is likely the best person to look at this as he's most likely to have an understanding of groupings/wiki.

        Cheers
        Sam

        Rossiani Wijaya added a comment -

        Thanks Sam for reviewing.

        Updating patch to extend credit for Dong.

        Submitting this for integration review.

        Rossiani Wijaya added a comment -

        As suggested by Sam, I added Eloy's name as integrator.

        Eloy Lafuente (stronk7) added a comment -

        Integrated, thanks! I think we can make an exception with this, really.

        Adrian Greeve added a comment -

        Tested in 1.9. You can't access group A. Works as expected.
        Test passed.

        Eloy Lafuente (stronk7) added a comment -

        Whoever decided one week was worth 14 days had really one bad idea. Anyway, the nightmare is over, so thanks for your, once again, amazing contributions. Many, many thanks!

        Now... disconnect, relax and enjoy the next days, yay!

        Closing...ciao


          People

          • Votes: 22
          • Watchers: 10
