Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-35144

course/index.php doesn't check capabilities properly when permitting editing

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.3.1, 2.4.3
    • Fix Version/s: 2.3.7, 2.4.4
    • Component/s: Administration
    • Labels:
    • Testing Instructions:
      Hide

      1. Create a new user
      2. Create a new role with only moodle/category:manage allowed and assignable only at Site
      3. Assign the user to that role at Site context
      4. Log in as that user. They should have the ability to see the edit courses page and they should see it in editing mode.
      5. Repeat for cap moodle/course:create

      Show
      1. Create a new user 2. Create a new role with only moodle/category:manage allowed and assignable only at Site 3. Assign the user to that role at Site context 4. Log in as that user. They should have the ability to see the edit courses page and they should see it in editing mode. 5. Repeat for cap moodle/course:create
    • Affected Branches:
      MOODLE_23_STABLE, MOODLE_24_STABLE
    • Fixed Branches:
      MOODLE_23_STABLE, MOODLE_24_STABLE

      Description

      The only capability that is checked to see if editing is permitted on this page (of anything) is moodle/site:manageblocks. This doesn't matter for much for an admin or Manager who will have that cap but this will make it impossible to switch on editing if a more restrictive role is being set up.

      There are other caps that may permit editing on this page - e.g. moodle/category:manage. This is not checked and will not work.

      The page should really call $PAGE->set_other_editing_capability('capability') to permit reasonably additional caps to allow editing.

        Attachments

          Activity

            People

            Assignee:
            howardsmiller Howard Miller
            Reporter:
            howardsmiller Howard Miller
            Peer reviewer:
            Rajesh Taneja
            Integrator:
            Dan Poltawski
            Tester:
            Damyon Wiese
            Participants:
            Component watchers:
            Andrew Nicols, Dongsheng Cai, Huong Nguyen, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:
              Fix Release Date:
              13/May/13