Moodle MDL-25651

My private files link in navigation block needs capability check

    Details

    • Difficulty: Easy
    • Affected Branches: MOODLE_20_STABLE
    • Fixed Branches: MOODLE_20_STABLE
    • Rank: 15137

      Description

      There's a TODO in the code for navigationlib.php immediately before the outputting of the "my private files" link which confirms that a capability check is required.

      In a site where the private files repository is disabled, the link is still displayed.

      I think we need a check that the repository is enabled, and a capability check before the link is output in the nav block.

          Activity

          Jenny Gray added a comment -

          I have checked the entire code base, and there's nowhere else that a link to the user's private files is created.

          I was going to make a patch for this, but I think in my novice understanding of GIT, I've actually committed it. I'm REALLY sorry about that.

          NOW:
          $privatefiles = $DB->get_record('repository',array('type' => 'user','visible'=>'1'));
          $context = get_context_instance(CONTEXT_USER, $USER->id);
          if ($iscurrentuser && $privatefiles && has_capability('moodle/user:manageownfiles', $context)) {

          WAS:
          if ($iscurrentuser) {

          I hope you approve??

          Eloy Lafuente (stronk7) added a comment - - edited

          Hi Jenny,

          First of all, don't worry, as I think it's impossible for you (and for everybody else, right now) to commit anything into the main Moodle git repository.

          So, for sure you've committed it, yes, but in your own clone of the main repository. So I'd suggest you do something like:

          git log (to detect the commit you did, and copy its hash)
          git diff xxxxxxxxxxxxx (to get the changes performed by that commit)

          If your clone of the main repository is public (github...) then you can reference it here (commit URL), else you'll need to attach here the results of the "git diff" command above.

          Also, take note: try to keep the "official" branches of your repository (cvshead, MOODLE_19_STABLE...) clean of any change and always work in other branches. Otherwise, if your change finally gets applied to the Moodle main repo, you can run into problems when you update your clone with changes already present there.

          It's a bit different from what we have been using until now, but after playing with it a bit, you'll find it far better (and more powerful than CVS), as you can have any number of local branches for yourself, without interfering with the official ones and so on.

          Hope this helps... I'm adding Sam here to look at your suggested change. In the meantime, just experiment with git and, don't worry, it's impossible to break anything in the main repo.

          Ciao

          PS: Also, I think David Mudrak is working on a multi-level (from noob to ninja) course about git and Moodle. Perhaps you would be interested in playing with it as a tester / reviewer. Could be a good experiment. Feel free to ask him.

          Jenny Gray added a comment -

          Eloy, thanks so much for this.

          I think my basic problem was that I forgot step 1 - create branch to develop fix in. After that I couldn't work out how to create a patch for you.

          Sam Marshall has also written some guidelines for OU developers with the OU repository, which is also moving to git right now. I'm sure I'll get the hang of it soon.

          James Mitchell added a comment -

          This bug is still not fixed in the most recent version.

          Eloy Lafuente (stronk7) added a comment -

          Sending to stable backlog, assigning to Sam and raising to Major. Hopefully this will be selected for fixing in next HQ sprint.

          Thanks for report and pinging (I had lost it)! Ciao

          Jenny Gray added a comment -

          Test steps:

          1. Set up default Moodle install
          2. View admin user profile (/user/profile.php?id=2) and note that the navigation block "My profile" section includes a "My private files" link.
          3. Disable private files repository
          4. View admin user profile again - note that the "My private files" link is no longer displayed.

          Helen Foster added a comment -

          This issue is fixed in the latest 2.0.2+. Thanks everyone
