-
Bug
-
Resolution: Fixed
-
Critical
-
2.2.5
-
MOODLE_22_STABLE
-
MOODLE_23_STABLE, MOODLE_24_STABLE
-
wip-mdl-35780
-
The course participants page (user/index.php) can optionally display a column of student email addresses. Those email addresses show regardless of whether any user has specified, in their profile, that they want to "hide my email address from everyone."
Site admins can add the extra column by changing $CFG->showuseridentity, which can be found the User Policies section of site configuration.
Additionally, it is necessary to grant moodle/site:viewuseridentity to Authenticated Users.
With the site configured as such, imagine two students in the same course:
Joe configures his profile to "hide my email address from everyone."
Mary configures her profile to "allow everyone to see my address" or "allow only other course members to see my address."
When Joe looks at the course participants page, he sees a table of all course members names, email addresses, cities, and countries. That table includes Mary's email address, as it should. If Joe clicks on Mary's course profile, he will see her bio description, and her email address.
When Mary looks at the course participants page, she sees the same table, which includes Joe's email address. It should not. Interestingly, when Mary clicks on Joe's name to see his course profile, Joe's email address is hidden on that page.
I believe this inconsistency should be fixed. It's not a major security issue, but it is a disclosure issue. Joe was given the option of hiding his email address from everyone, and Moodle is failing to honor that request.
I was able to hack up a quick fix to the user/index.php page. My fix blanks out the email address for any user who has elected to "hide from everyone", unless the user viewing the page has the moodle/course:useremail capability (which is granted to instructors by default). Perhaps that is the wrong capability to check.
My rationale here is that instructors need to have student email addresses, and probably have them anyway using other school databases/systems. I believe students will expect that "hide from everyone" does not mean instructors in their own classes will not be able to see their email addresses.
Here is my patch, working against Moodle 2.2.5.
156d155
|
<
|
743c742,750
|
< $data[] = $user->{$field};
|
---
|
>
|
> // show a null value if the field is the email address and the user wants to hide email from everyone
|
> // make an exception for instructors (who have a special capability at the course level that lets them email people)
|
> if (!has_capability('moodle/course:useremail', $coursecontext) && $field==='email' && $user->maildisplay==0) {
|
> $data[] = '';
|
> }
|
> else {
|
> $data[] = $user->{$field};
|
> }
|
755c762
|
<
|
---
|
>
|
I suspect that the issue may surface in other places in Moodle. The internal routine, get_external_fields(), is called a dozen times in various places.
- has been marked as being related by
-
MDL-37479 Deprecate capability course:useremail, as it's not used.
- Closed