Does messaging need to check a capbility before displaying user full name's?

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.2.4, 2.3, 2.4
Fix Version/s: 2.2.5, 2.3.2
Component/s: Messages
Labels:
- triaged

Database:

Any
Testing Instructions:

Hide

Just check that the messaging preferences screen loads without error.

Show
Just check that the messaging preferences screen loads without error.
Affected Branches:
MOODLE_22_STABLE, MOODLE_23_STABLE, MOODLE_24_STABLE
Fixed Branches:
MOODLE_22_STABLE, MOODLE_23_STABLE
Pull from Repository:
git://github.com/andyjdavis/moodle.git
Pull Master Branch:
~~MDL-34406~~_fullname
Pull Master Diff URL:
https://github.com/andyjdavis/moodle/compare/master...MDL-34406_fullname

Description

There are a number of places within /message where we call fullname(). Do we need to be doing a capability check? If so, what do we display instead?

Issue Links

discovered while testing

MDL-28568 warning needed when sending message to non-contact but have 'do not receive messages from non-contacts' setting on.

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Michael de Raadt added a comment - 20/Jul/12 1:32 PM

The use of fullname() is good. If we are not using fullname(), that's a problem.

The other possible problem is if the display format of the name is overridden by sending a second argument with true value to fullname(). If this is happening without checking for the capability moodle/site:viewfullnames, then this is a problem.

I had a quick scan through /message and I found...

edit.php, line 183

$userfullname     = fullname($user, true);

There are some capability checks earlier in the file, but they are not for moodle/site:viewfullnames, so I'm not sure if this is sufficient.

All other calls to fullname() in that directory don't use a second argument.

Show

Michael de Raadt added a comment - 20/Jul/12 1:32 PM The use of fullname() is good. If we are not using fullname(), that's a problem. The other possible problem is if the display format of the name is overridden by sending a second argument with true value to fullname(). If this is happening without checking for the capability moodle/site:viewfullnames, then this is a problem. I had a quick scan through /message and I found... edit.php, line 183 $userfullname = fullname($user, true ); There are some capability checks earlier in the file, but they are not for moodle/site:viewfullnames, so I'm not sure if this is sufficient. All other calls to fullname() in that directory don't use a second argument.

Hide

Permalink

Michael de Raadt added a comment - 20/Jul/12 1:36 PM

Interestingly, that variable from edit.php is not used later in the file, so the statement could probably be removed.

Show

Michael de Raadt added a comment - 20/Jul/12 1:36 PM Interestingly, that variable from edit.php is not used later in the file, so the statement could probably be removed.

Hide

Permalink

Andrew Davis added a comment - 17/Aug/12 11:31 AM - edited

I've removed the unnecessary fullname() call. Other than that I think we're using fullname correctly and are not outputting user names without using fullname().

Putting this up for peer review.

Show

Andrew Davis added a comment - 17/Aug/12 11:31 AM - edited I've removed the unnecessary fullname() call. Other than that I think we're using fullname correctly and are not outputting user names without using fullname(). Putting this up for peer review.

Hide

Permalink

Ankit Agarwal added a comment - 17/Aug/12 2:37 PM

Looks good Andrew.
+1 for integration.
Thanks

Show

Ankit Agarwal added a comment - 17/Aug/12 2:37 PM Looks good Andrew. +1 for integration. Thanks

Hide

Permalink

Andrew Davis added a comment - 20/Aug/12 10:19 AM

Adding branches and putting up for integration.

Show

Andrew Davis added a comment - 20/Aug/12 10:19 AM Adding branches and putting up for integration.

Hide

Permalink

Eloy Lafuente (stronk7) added a comment - 24/Aug/12 2:12 AM

The main moodle.git repository has just been updated with latest weekly modifications. You may wish to rebase your PULL branches to simplify history and avoid any possible merge conflicts. This would also make integrator's life easier next week.

TIA and ciao

Show

Eloy Lafuente (stronk7) added a comment - 24/Aug/12 2:12 AM The main moodle.git repository has just been updated with latest weekly modifications. You may wish to rebase your PULL branches to simplify history and avoid any possible merge conflicts. This would also make integrator's life easier next week. TIA and ciao

Hide

Permalink

Eloy Lafuente (stronk7) added a comment - 28/Aug/12 2:02 AM

(taking rid of the security flag for this)

Show

Eloy Lafuente (stronk7) added a comment - 28/Aug/12 2:02 AM (taking rid of the security flag for this)

Hide

Permalink

Eloy Lafuente (stronk7) added a comment - 28/Aug/12 2:04 AM

Integrated (22, 23 & master), thanks!

Show

Eloy Lafuente (stronk7) added a comment - 28/Aug/12 2:04 AM Integrated (22, 23 & master), thanks!

Hide

Permalink

Jason Fowler added a comment - 29/Aug/12 10:29 AM

works without errors Andrew, thanks

Show

Jason Fowler added a comment - 29/Aug/12 10:29 AM works without errors Andrew, thanks

Hide

Permalink

Eloy Lafuente (stronk7) added a comment - 31/Aug/12 6:54 PM

I'm so proud...of you, many thanks!

http://youtu.be/n64CdfDRnZY

Closing as fixed, ciao

Show

Eloy Lafuente (stronk7) added a comment - 31/Aug/12 6:54 PM I'm so proud...of you, many thanks! http://youtu.be/n64CdfDRnZY Closing as fixed, ciao

People

Assignee:

Andrew Davis

Reporter:

Andrew Davis

Peer reviewer:

Ankit Agarwal

Integrator:

Eloy Lafuente (stronk7)

Tester:

Jason Fowler

Participants:

Andrew Davis, Ankit Agarwal, Eloy Lafuente (stronk7), Jason Fowler, Michael de Raadt

Vote (0)

Watch (0)

Dates

Created:

19/Jul/12 4:57 PM

Updated:

30/Sep/13 1:02 PM

Resolved:

31/Aug/12 6:54 PM

Agile

View on Board