Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-31520

get_users_by_id never returns email, not even to admin user



    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.1.5, 2.2.1, 2.3
    • Fix Version/s: 2.1.7, 2.2.4
    • Component/s: Web Services
    • Labels:


      Hello again, another bug unfortunately

      This function should return the email of the user on some conditions, namely:

      1) if the invoking user was a site admin, or
      2) if the invoking user could check hidden user details (moodle/user:viewhiddendetails , although I'm not 100% certain on this one)

      Neither of the conditions are met, because the underlying function to get user details, namely user_get_user_details() only returns email if those conditions are met:

      1) if the capability 'moodle/course:useremail' is true, which will never be upon this webservice call
      2) if the user has the email visible to everyone
      3) or if the invoking user is in the same course of the requested user and the requested user is allowing email sharing only for members of his courses

      So , the underlying function does not check if the calling user is admin, which I think it's wrong, because the admin should have access to the e-mail of all users, and also the users that have the capability moodle/user:viewhiddendetails should as well, but on this one I am not sure.

      I was developing the implementation for get_users() when I stumbled upon this bug. This might be critical for some integrations I think (at least on mine is), because normally an email is an important key.

      Edit: I forgot to mention that there is only one condition on which the e-mail is returned: when the invoking user is the same as the requested user.


          Issue Links



              • Votes:
                0 Vote for this issue
                2 Start watching this issue


                • Created:
                  Fix Release Date: