Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-33823

The "My Courses" listing is inconsistent (Authenticated user see all courses as his courses), as there is no capability to control course listing for users, and all courses are always public if available to students.

    Details

    • Database:
      Any
    • Testing Instructions:
      Hide

      How to reproduce this error:
      Create one or more Moodle courses.
      Try to make some courses visible to everyone (public) and others not (non-public) from the courses lists.
      Try to enrol someone as a student (normal capabilities) to one non-public course. Then access Moodle as that student to see if he can now see that non-public course. Then enter that course as that student.
      Try to create a role based on Autheticateh users that would see those non-public courses, but with extra courses listing visibility.

      Show
      How to reproduce this error: Create one or more Moodle courses. Try to make some courses visible to everyone (public) and others not (non-public) from the courses lists. Try to enrol someone as a student (normal capabilities) to one non-public course. Then access Moodle as that student to see if he can now see that non-public course. Then enter that course as that student. Try to create a role based on Autheticateh users that would see those non-public courses, but with extra courses listing visibility.
    • Workaround:
      Hide

      Patch included.

      Show
      Patch included.
    • Affected Branches:
      MOODLE_20_STABLE, MOODLE_21_STABLE, MOODLE_22_STABLE

      Description

      I could reproduce this problem under every Moodle 2.x until now.

      PROBLEM:
      There is no way to hide courses from users' courses listing that would not remove their possibility to enter them if they are enrolled there.
      It would be great to enable setting the courses as public/non-public from the course listing perspective. Also, creating a system-wide capability to provide or not the users to view only public courses, or all of them would be a great advance on access control. This could change the courses list and the courses search, returning only 'listable' courses for users, regarding the course setting and the user capability.

      There is also the problem that a user should not be able to search courses in the platform, if he is not strictly able to do so. The print_course_search() method @ '<MOODLE_URL>/course/lib.php' should only return the course search field is the user has the capability to see them.

      I set this as a possible security issue, as there are several Moodle sites where the users must see only the courses which he is enrolled to, or only the courses that as public for listing.

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Votes:
                  3 Vote for this issue
                  Watchers:
                  10 Start watching this issue

                  Dates

                  • Created:
                    Updated: