Moodle
  1. Moodle
  2. MDL-34406

Does messaging need to check a capbility before displaying user full name's?

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 2.2.4, 2.3, 2.4
    • Fix Version/s: 2.2.5, 2.3.2
    • Component/s: Messages
    • Labels:

      Description

      There are a number of places within /message where we call fullname(). Do we need to be doing a capability check? If so, what do we display instead?

        Gliffy Diagrams

          Issue Links

            Activity

            Hide
            Michael de Raadt added a comment -

            The use of fullname() is good. If we are not using fullname(), that's a problem.

            The other possible problem is if the display format of the name is overridden by sending a second argument with true value to fullname(). If this is happening without checking for the capability moodle/site:viewfullnames, then this is a problem.

            I had a quick scan through /message and I found...

            edit.php, line 183

            $userfullname     = fullname($user, true);
            

            There are some capability checks earlier in the file, but they are not for moodle/site:viewfullnames, so I'm not sure if this is sufficient.

            All other calls to fullname() in that directory don't use a second argument.

            Show
            Michael de Raadt added a comment - The use of fullname() is good. If we are not using fullname(), that's a problem. The other possible problem is if the display format of the name is overridden by sending a second argument with true value to fullname(). If this is happening without checking for the capability moodle/site:viewfullnames, then this is a problem. I had a quick scan through /message and I found... edit.php, line 183 $userfullname = fullname($user, true); There are some capability checks earlier in the file, but they are not for moodle/site:viewfullnames, so I'm not sure if this is sufficient. All other calls to fullname() in that directory don't use a second argument.
            Hide
            Michael de Raadt added a comment -

            Interestingly, that variable from edit.php is not used later in the file, so the statement could probably be removed.

            Show
            Michael de Raadt added a comment - Interestingly, that variable from edit.php is not used later in the file, so the statement could probably be removed.
            Hide
            Andrew Davis added a comment - - edited

            I've removed the unnecessary fullname() call. Other than that I think we're using fullname correctly and are not outputting user names without using fullname().

            Putting this up for peer review.

            Show
            Andrew Davis added a comment - - edited I've removed the unnecessary fullname() call. Other than that I think we're using fullname correctly and are not outputting user names without using fullname(). Putting this up for peer review.
            Hide
            Ankit Agarwal added a comment -

            Looks good Andrew.
            +1 for integration.
            Thanks

            Show
            Ankit Agarwal added a comment - Looks good Andrew. +1 for integration. Thanks
            Hide
            Andrew Davis added a comment -

            Adding branches and putting up for integration.

            Show
            Andrew Davis added a comment - Adding branches and putting up for integration.
            Hide
            Eloy Lafuente (stronk7) added a comment -

            The main moodle.git repository has just been updated with latest weekly modifications. You may wish to rebase your PULL branches to simplify history and avoid any possible merge conflicts. This would also make integrator's life easier next week.

            TIA and ciao

            Show
            Eloy Lafuente (stronk7) added a comment - The main moodle.git repository has just been updated with latest weekly modifications. You may wish to rebase your PULL branches to simplify history and avoid any possible merge conflicts. This would also make integrator's life easier next week. TIA and ciao
            Hide
            Eloy Lafuente (stronk7) added a comment -

            (taking rid of the security flag for this)

            Show
            Eloy Lafuente (stronk7) added a comment - (taking rid of the security flag for this)
            Hide
            Eloy Lafuente (stronk7) added a comment -

            Integrated (22, 23 & master), thanks!

            Show
            Eloy Lafuente (stronk7) added a comment - Integrated (22, 23 & master), thanks!
            Hide
            Jason Fowler added a comment -

            works without errors Andrew, thanks

            Show
            Jason Fowler added a comment - works without errors Andrew, thanks
            Hide
            Eloy Lafuente (stronk7) added a comment -

            I'm so proud...of you, many thanks!

            http://youtu.be/n64CdfDRnZY

            Closing as fixed, ciao

            Show
            Eloy Lafuente (stronk7) added a comment - I'm so proud...of you, many thanks! http://youtu.be/n64CdfDRnZY Closing as fixed, ciao

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                0 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: