Moodle
  1. Moodle
  2. MDL-34406

Does messaging need to check a capbility before displaying user full name's?

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 2.2.4, 2.3, 2.4
    • Fix Version/s: 2.2.5, 2.3.2
    • Component/s: Messages
    • Labels:
    • Rank:
      42805

      Description

      There are a number of places within /message where we call fullname(). Do we need to be doing a capability check? If so, what do we display instead?

        Issue Links

          Activity

          Hide
          Michael de Raadt added a comment -

          The use of fullname() is good. If we are not using fullname(), that's a problem.

          The other possible problem is if the display format of the name is overridden by sending a second argument with true value to fullname(). If this is happening without checking for the capability moodle/site:viewfullnames, then this is a problem.

          I had a quick scan through /message and I found...

          edit.php, line 183
          $userfullname     = fullname($user, true);
          

          There are some capability checks earlier in the file, but they are not for moodle/site:viewfullnames, so I'm not sure if this is sufficient.

          All other calls to fullname() in that directory don't use a second argument.

          Show
          Michael de Raadt added a comment - The use of fullname() is good. If we are not using fullname(), that's a problem. The other possible problem is if the display format of the name is overridden by sending a second argument with true value to fullname(). If this is happening without checking for the capability moodle/site:viewfullnames, then this is a problem. I had a quick scan through /message and I found... edit.php, line 183 $userfullname = fullname($user, true ); There are some capability checks earlier in the file, but they are not for moodle/site:viewfullnames, so I'm not sure if this is sufficient. All other calls to fullname() in that directory don't use a second argument.
          Hide
          Michael de Raadt added a comment -

          Interestingly, that variable from edit.php is not used later in the file, so the statement could probably be removed.

          Show
          Michael de Raadt added a comment - Interestingly, that variable from edit.php is not used later in the file, so the statement could probably be removed.
          Hide
          Andrew Davis added a comment - - edited

          I've removed the unnecessary fullname() call. Other than that I think we're using fullname correctly and are not outputting user names without using fullname().

          Putting this up for peer review.

          Show
          Andrew Davis added a comment - - edited I've removed the unnecessary fullname() call. Other than that I think we're using fullname correctly and are not outputting user names without using fullname(). Putting this up for peer review.
          Hide
          Ankit Agarwal added a comment -

          Looks good Andrew.
          +1 for integration.
          Thanks

          Show
          Ankit Agarwal added a comment - Looks good Andrew. +1 for integration. Thanks
          Hide
          Andrew Davis added a comment -

          Adding branches and putting up for integration.

          Show
          Andrew Davis added a comment - Adding branches and putting up for integration.
          Hide
          Eloy Lafuente (stronk7) added a comment -

          The main moodle.git repository has just been updated with latest weekly modifications. You may wish to rebase your PULL branches to simplify history and avoid any possible merge conflicts. This would also make integrator's life easier next week.

          TIA and ciao

          Show
          Eloy Lafuente (stronk7) added a comment - The main moodle.git repository has just been updated with latest weekly modifications. You may wish to rebase your PULL branches to simplify history and avoid any possible merge conflicts. This would also make integrator's life easier next week. TIA and ciao
          Hide
          Eloy Lafuente (stronk7) added a comment -

          (taking rid of the security flag for this)

          Show
          Eloy Lafuente (stronk7) added a comment - (taking rid of the security flag for this)
          Hide
          Eloy Lafuente (stronk7) added a comment -

          Integrated (22, 23 & master), thanks!

          Show
          Eloy Lafuente (stronk7) added a comment - Integrated (22, 23 & master), thanks!
          Hide
          Jason Fowler added a comment -

          works without errors Andrew, thanks

          Show
          Jason Fowler added a comment - works without errors Andrew, thanks
          Hide
          Eloy Lafuente (stronk7) added a comment -

          I'm so proud...of you, many thanks!

          http://youtu.be/n64CdfDRnZY

          Closing as fixed, ciao

          Show
          Eloy Lafuente (stronk7) added a comment - I'm so proud...of you, many thanks! http://youtu.be/n64CdfDRnZY Closing as fixed, ciao

            People

            • Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: