Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-35780

Participants page disclosure of email addresses is inconsistent

    XMLWordPrintable

    Details

    • Testing Instructions:
      Hide

      Prerequisite

      1. Three students (S1 & S2 & S3) enroled in same course
      2. set moodle/site:viewuseridentity capability for student role.
      3. enable email in showuseridentity user config (Home ► Site administration ► Users ► Permissions ► User policies)

      Set appropriate email display settings for above students

      1. Log in as S1, and edit profile (Home ► My profile settings ► Edit profile)
      2. Change Email display to Hide My email address from everyone
      3. Log in as S2, and edit profile (Home ► My profile settings ► Edit profile)
      4. Change Email display to Allow everyone to see my email address
      5. Log in as S3, and edit profile (Home ► My profile settings ► Edit profile)
      6. Change Email display to Allow only other course members to see my email address.

      Test 1

      1. Log in as S1 and go to course -> participants page and make sure you can see all emails including S1's.
      2. Click on S1 and you should see S1's email.
      3. Log in as S2 and go to course -> participants page and make sure you can see all emails.
      4. Click on S1 and you should see S1's email.
      5. Log in as S3 and go to course -> participants page and make sure you can see all emails.
      6. As admin/teacher unenrol S3 from course and log in as S2.
      7. Go to course -> participants page and make sure you cannot see S3 student and all other emails.

      Test 2

      1. Remove moodle/site:viewuseridentity capability and
      2. Log in as S1 and go to course -> participants page (Select user details on right) and make sure you can see all emails including S1's.
      3. Click on S1 and you should see S1's email.
      4. Log in as S2 and go to course -> participants page (Select user details on right) and make sure you can see all emails except S1's
      5. Click on S1 and you should not see S1's email.
      6. Log in as S3 and go to course -> participants page and make sure you can see all emails except S1's.
      7. As admin/teacher unenrol S3 from course and log in as S2.
      8. Go to course -> participants page and make sure you cannot see S3 student and all other emails except S1's.

      Test 3

      Repeat test 2 by removing moodle/site:viewuseridentity and adding moodle/course:viewhiddenuserfields

      Show
      Prerequisite Three students (S1 & S2 & S3) enroled in same course set moodle/site:viewuseridentity capability for student role. enable email in showuseridentity user config (Home ► Site administration ► Users ► Permissions ► User policies) Set appropriate email display settings for above students Log in as S1, and edit profile (Home ► My profile settings ► Edit profile) Change Email display to Hide My email address from everyone Log in as S2, and edit profile (Home ► My profile settings ► Edit profile) Change Email display to Allow everyone to see my email address Log in as S3, and edit profile (Home ► My profile settings ► Edit profile) Change Email display to Allow only other course members to see my email address. Test 1 Log in as S1 and go to course -> participants page and make sure you can see all emails including S1's. Click on S1 and you should see S1's email. Log in as S2 and go to course -> participants page and make sure you can see all emails. Click on S1 and you should see S1's email. Log in as S3 and go to course -> participants page and make sure you can see all emails. As admin/teacher unenrol S3 from course and log in as S2. Go to course -> participants page and make sure you cannot see S3 student and all other emails. Test 2 Remove moodle/site:viewuseridentity capability and Log in as S1 and go to course -> participants page (Select user details on right) and make sure you can see all emails including S1's. Click on S1 and you should see S1's email. Log in as S2 and go to course -> participants page (Select user details on right) and make sure you can see all emails except S1's Click on S1 and you should not see S1's email. Log in as S3 and go to course -> participants page and make sure you can see all emails except S1's. As admin/teacher unenrol S3 from course and log in as S2. Go to course -> participants page and make sure you cannot see S3 student and all other emails except S1's. Test 3 Repeat test 2 by removing moodle/site:viewuseridentity and adding moodle/course:viewhiddenuserfields
    • Affected Branches:
      MOODLE_22_STABLE
    • Fixed Branches:
      MOODLE_23_STABLE, MOODLE_24_STABLE
    • Pull Master Branch:
      wip-mdl-35780

      Description

      The course participants page (user/index.php) can optionally display a column of student email addresses. Those email addresses show regardless of whether any user has specified, in their profile, that they want to "hide my email address from everyone."

      Site admins can add the extra column by changing $CFG->showuseridentity, which can be found the User Policies section of site configuration.

      Additionally, it is necessary to grant moodle/site:viewuseridentity to Authenticated Users.

      With the site configured as such, imagine two students in the same course:

      Joe configures his profile to "hide my email address from everyone."
      Mary configures her profile to "allow everyone to see my address" or "allow only other course members to see my address."

      When Joe looks at the course participants page, he sees a table of all course members names, email addresses, cities, and countries. That table includes Mary's email address, as it should. If Joe clicks on Mary's course profile, he will see her bio description, and her email address.

      When Mary looks at the course participants page, she sees the same table, which includes Joe's email address. It should not. Interestingly, when Mary clicks on Joe's name to see his course profile, Joe's email address is hidden on that page.

      I believe this inconsistency should be fixed. It's not a major security issue, but it is a disclosure issue. Joe was given the option of hiding his email address from everyone, and Moodle is failing to honor that request.

      I was able to hack up a quick fix to the user/index.php page. My fix blanks out the email address for any user who has elected to "hide from everyone", unless the user viewing the page has the moodle/course:useremail capability (which is granted to instructors by default). Perhaps that is the wrong capability to check.

      My rationale here is that instructors need to have student email addresses, and probably have them anyway using other school databases/systems. I believe students will expect that "hide from everyone" does not mean instructors in their own classes will not be able to see their email addresses.

      Here is my patch, working against Moodle 2.2.5.

      156d155
      < 
      743c742,750
      <                         $data[] = $user->{$field};
      ---
      > 
      >                       // show a null value if the field is the email address and the user wants to hide email from everyone
      >                       // make an exception for instructors (who have a special capability at the course level that lets them email people)
      >                       if (!has_capability('moodle/course:useremail', $coursecontext) && $field==='email' && $user->maildisplay==0) {
      >                           $data[] = '';
      >                       }
      >                       else {
      >                           $data[] = $user->{$field};
      >                       }
      755c762
      < 
      ---
      > 

      I suspect that the issue may surface in other places in Moodle. The internal routine, get_external_fields(), is called a dozen times in various places.

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                9 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Fix Release Date:
                  11/Mar/13