Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-27177

Allow students to see each other's contact details in full profile without global permission if they are able to see each other's course profile

XMLWordPrintable

    • MySQL
    • MOODLE_20_STABLE, MOODLE_28_STABLE
    • MOODLE_30_STABLE
    • wip-MDL-27177-master
    • Hide

      prerequisites

      • Two courses.
      • Students enrolled in either one or the other of the courses.

      Testing

      1. Log in as a student.
      2. Go to messages in the user menu
      3. Select the course in the contacts select box.
      4. Pick a student and click on their profile picture.
      5. You should now be on their system profile page (user/profile.php).
      6. Now try to view a student who is not in any course that this user is in.
      7. You should have no access to that students profile page.
      8. Remove the capability (moodle/user:viewdetails) from the student role in one of the courses.
      9. The student should now have no access to the system profile page of students in that course.

      Course profile

      1. Log in as a student.
      2. Go to the course profile of a student.
      3. Click on a course profile that this student is not enrolled in.
      4. Make sure that you are taken to a screen that says either to enrol in the course or that you can not enrol yourself in this course.

      Separate group testing

      1. Create a course with Group mode set to "Separate groups" and Force group mode to "Yes".
      2. Enrol some students to the course.
      3. Create two groups.
      4. Create a situation where a student is trying to view the full profile of another student who is only in this course but in the other group.
      5. Ensure that no access is given to the full user profile.

      Unit tests

      1. Run user/tests/userlib_test.php and confirm that there are no failures.

      Behat tests

      1. Run user/tests/behat/view_full_profile.feature and confirm that there are no failures.
      Show
      prerequisites Two courses. Students enrolled in either one or the other of the courses. Testing Log in as a student. Go to messages in the user menu Select the course in the contacts select box. Pick a student and click on their profile picture. You should now be on their system profile page (user/profile.php). Now try to view a student who is not in any course that this user is in. You should have no access to that students profile page. Remove the capability (moodle/user:viewdetails) from the student role in one of the courses. The student should now have no access to the system profile page of students in that course. Course profile Log in as a student. Go to the course profile of a student. Click on a course profile that this student is not enrolled in. Make sure that you are taken to a screen that says either to enrol in the course or that you can not enrol yourself in this course. Separate group testing Create a course with Group mode set to "Separate groups" and Force group mode to "Yes". Enrol some students to the course. Create two groups. Create a situation where a student is trying to view the full profile of another student who is only in this course but in the other group. Ensure that no access is given to the full user profile. Unit tests Run user/tests/userlib_test.php and confirm that there are no failures. Behat tests Run user/tests/behat/view_full_profile.feature and confirm that there are no failures.
    • Team '; drop tables Sprint 7, Team '; drop tables Sprint 9, Team ';drop tables Sprint 10
    • Medium

      Students cannot see each other's full profile of other student profiles. They can see the basic profile, but not the full profile. Here is how things are currently set up:

      • I have a set of students all enrolled in a course. There are no groups set, so in principle, no student is hidden from another.
      • Student permissions are set to Allow for View user profiles > moodle/user:viewdetails
      • In the user's profile, the Allow only other course members to see my email address is set, and yet, no once can see them. I even tried setting it so that everyone could see their email address and still nothing.
      • I have created some custom user profile fields and they are all set to Visible to everyone, and yet, no one can see them.

      That said, all users can see the full profile of Teachers enrolled in the course. I marked their email as private and it stays private.

      I am using Moodle2.0.1 (Build: 20101225) and another user reported the same issue in the discussion topic about this: http://moodle.org/mod/forum/discuss.php?d=171444

            Votes:
            32 Vote for this issue
            Watchers:
            31 Start watching this issue

              Created:
              Updated:
              Resolved:

                Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.