  1. Moodle
  2. MDL-34530

Students with "managegroupentries" permission are able to create an event for any group, but cannot view it

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.3.1
    • Fix Version/s: 2.3.4
    • Component/s: Calendar
    • Labels:
    • Testing Instructions:

      Requirements:

      To test this you will need admin permission and a test user login with a test role (e.g. teacher) you can edit freely (there are a number of capability checks in this test so best to change role definition rather than having multiple users with different capabilities).

      A course with your test user enrolled and assigned test role
      Ensure 'Force group mode' in course settings is not set
      A number of groups on the course e.g. "Group A" and "Group B"
      Test user should be a member of some (but not all) of those groups e.g. Member of "Group A"

      Common tasks:
      1. Login to system as test user (useful to do this in separate browser to admin user)
      2. Access course.
      3. Access calendar by either selecting "Go to calendar" on the Calendar block or by direct url e.g. /calendar/view.php and then selecting course from Upcoming events dropdown.
      4. Select New event button
      5. Set Type of event to Group

      Testing steps:
      1. Set the test role to have "moodle/calendar:manageentries" and "moodle/site:accessallgroups" capabilities.
      2. Undertake the tasks.
      3. The user should see all groups for the course in the Group event dropdown.
      4. Remove "moodle/site:accessallgroups" capability from the test user's role.
      5. Undertake the tasks again.
      6. The user should see only the groups they are a member of (e.g. "Group A") in the Group event dropdown
      7. Remove "moodle/calendar:manageentries" capability from the test user's role.
      8. Add "moodle/calendar:managegroupentries" capability to the test user's role.
      9. Undertake the tasks again.
      10. The user should see only the groups they are a member of (e.g. "Group A") in the Group event dropdown
      11. Add "moodle/site:accessallgroups" capability to the test user's role.
      12. Undertake the tasks again.
      13. The user should see all groups for the course in the Group event dropdown.
      14. Remove "moodle/calendar:managegroupentries" capability from the test user's role.
      15. Undertake the tasks again.
      16. Group event option should not be available.

    • Affected Branches:
      MOODLE_23_STABLE
    • Fixed Branches:
      MOODLE_23_STABLE
    • Pull Master Branch:
      wip-MDL-34530_MASTER

      Description

      If a student with the above mentioned permission tries to create an event in a course calendar context, he is allowed to create an event for any group. But the event shows up for him in the calendar only if it belongs to his group. So either we shouldn't allow such students to create events for other groups (what about existing ones?) or we should allow such students to view and edit group events. Either way, this needs to be fixed.

      Replication:-

      1. Allow a student permission calendar:managegroupentries
      2. As the same student create a calendar event for a group which the student doesn't belong to.
      3. Try to find that entry in the calendar monthly view.
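The capability matrix from the testing instructions, together with the create/view mismatch described above, can be modelled as a small check. This is an added example, not Moodle's calendar code: the function names are hypothetical, the group data is constructed, and treating "moodle/site:accessallgroups" as also granting visibility of other groups' events is an assumption.

```python
# Added illustration: models the expected behaviour in the testing
# instructions. Not Moodle code; all function names are hypothetical.
MANAGE = "moodle/calendar:manageentries"
MANAGE_GROUP = "moodle/calendar:managegroupentries"
ALL_GROUPS = "moodle/site:accessallgroups"


def selectable_groups(caps, course_groups, member_groups):
    """Groups the Group event dropdown should offer; None = option hidden."""
    if MANAGE not in caps and MANAGE_GROUP not in caps:
        return None                       # step 16: no Group event option
    if ALL_GROUPS in caps:
        return sorted(course_groups)      # steps 3 and 13: all course groups
    return sorted(set(course_groups) & set(member_groups))  # steps 6 and 10


def selectable_groups_as_reported(caps, course_groups, member_groups):
    """Reported behaviour: managegroupentries alone offers every group."""
    if MANAGE_GROUP in caps:
        return sorted(course_groups)
    return selectable_groups(caps, course_groups, member_groups)


def visible_to_creator(caps, group, member_groups):
    """View rule from the description: only the user's own groups are shown.
    Assumption: accessallgroups also makes other groups' events visible."""
    return group in member_groups or ALL_GROUPS in caps


def create_view_mismatches(select_fn, caps, course_groups, member_groups):
    """Groups a user could create an event for but would then not see."""
    offered = select_fn(caps, course_groups, member_groups) or []
    return [g for g in offered
            if not visible_to_creator(caps, g, member_groups)]


# Constructed sample data matching the test setup in the instructions.
COURSE = {"Group A", "Group B"}
MEMBER = {"Group A"}

if __name__ == "__main__":
    for fn in (selectable_groups_as_reported, selectable_groups):
        gaps = create_view_mismatches(fn, {MANAGE_GROUP}, COURSE, MEMBER)
        print(fn.__name__, "-> creatable but not visible:", gaps)
```

An empty mismatch list for every capability combination is the property the testing steps verify by hand: any group offered when creating an event must also be one whose events the creator can see.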

                  Dates

                  • Fix Release Date: 14/Jan/13