MDL-37427

Capability 'moodle/user:editmessageprofile' is not effective anymore.


    Details

    • Affected Branches:
      MOODLE_23_STABLE

      Description

      According to the definition at <http://docs.moodle.org/24/en/Capabilities/moodle/user:editmessageprofile>, users holding the 'moodle/user:editmessageprofile' capability are able to set the destination for incoming messages on behalf of other users in Moodle.

      By default, this capability is set to Allow for the Manager role.

      There is also the 'moodle/user:editownmessageprofile' capability, which allows every Moodle user to set the destination for their own incoming messages.


      Updating any normal message provider's capability to 'moodle/user:editmessageprofile' should allow the admin user (being a Manager) to set that message destination for every user on the Moodle platform, when the provider is set as 'MESSAGE_PERMITTED', while forbidding the users themselves from changing it (unless they are also Managers).

      Currently, Moodle does not use the logged-in user's capabilities when loading the 'available configurable message providers'; it uses the capabilities of the user being edited.

      Creating a new message provider requiring the same capability would cause the same error.

      @/message/edit.php
      $userid = optional_param('id', $USER->id, PARAM_INT);    // id of the user being edited (defaults to the logged-in user)
      ...
      if (!$user = $DB->get_record('user', array('id' => $userid))) {
          print_error('invaliduserid');
      }
      ...
      $providers = message_get_providers_for_user($user->id);   // capability check runs for the edited user, not the viewer

      This causes Moodle to evaluate the capabilities for setting the message destinations 'always as the edited user', overruling the capability held by any Manager user (if the edited user is not also a Manager).

      @/lib/messagelib.php
      function message_get_providers_for_user($userid) {
      ...
              if (!empty($provider->capability)) {
                  // $userid is whoever was passed in; in message/edit.php that is the edited user
                  if (!has_capability($provider->capability, $systemcontext, $userid)) {
                      unset($providers[$providerid]);   // Not allowed to see this
                      continue;
                  }
              }

      Changing the line:

      @/message/edit.php
      $providers = message_get_providers_for_user($user->id);
      

      ... to:

      $providers = message_get_providers_for_user($USER->id);
      

      ... would solve this issue.
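      The following is an added, constructed Python model of the provider-filtering loop quoted above; it is not Moodle code. The user ids (2 for the Manager, 3 for the new user), the role-to-capability mapping and the second provider 'unrestricted' are assumptions chosen to mirror the replication steps below, so that the effect of checking the edited user versus the logged-in user can be seen side by side.

```python
# Constructed model of MDL-37427: which principal the capability check is evaluated for.
# Not Moodle code. User ids, role data and provider rows are assumptions for illustration.

# Capabilities granted at system context, per role (assumed, mirroring the report).
MANAGER_CAPS = {"moodle/user:editmessageprofile", "moodle/user:editownmessageprofile"}
AUTHENTICATED_USER_CAPS = {"moodle/user:editownmessageprofile"}

# Constructed user table: userid -> capabilities. Id 2 = Manager/admin, id 3 = new user.
USERS = {
    2: MANAGER_CAPS,
    3: AUTHENTICATED_USER_CAPS,
}

# Constructed 'message_providers' rows after step 2 of the replication steps:
# 'instantmessage' now requires 'moodle/user:editmessageprofile'.
# 'unrestricted' is an assumed provider with an empty capability column, to
# exercise the `!empty($provider->capability)` branch of the quoted loop.
PROVIDERS = {
    "instantmessage": "moodle/user:editmessageprofile",
    "unrestricted": "",
}


def has_capability(capability: str, userid: int) -> bool:
    """Stand-in for has_capability() at system context in this model."""
    return capability in USERS[userid]


def message_get_providers_for_user(userid: int) -> dict:
    """Mirror of the filtering loop quoted from lib/messagelib.php."""
    providers = dict(PROVIDERS)
    for name, capability in PROVIDERS.items():
        if capability:  # only providers that declare a capability are filtered
            if not has_capability(capability, userid):
                del providers[name]  # Not allowed to see this
    return providers


def configurable_providers(edited_userid: int, logged_in_userid: int, fixed: bool) -> list:
    """Providers shown on message/edit.php?id=<edited_userid> to <logged_in_userid>.

    fixed=False reproduces the reported code (check runs for the edited user);
    fixed=True applies the proposed one-line change (check runs for $USER).
    """
    checked_userid = logged_in_userid if fixed else edited_userid
    return sorted(message_get_providers_for_user(checked_userid))


if __name__ == "__main__":
    # Step 4: Manager (id 2) edits the new user (id 3).
    print("reported:", configurable_providers(3, 2, fixed=False))  # instantmessage missing
    print("fixed:   ", configurable_providers(3, 2, fixed=True))   # instantmessage present
    # Step 8: the new user edits their own destinations; hidden either way.
    print("self:    ", configurable_providers(3, 3, fixed=True))
```

      The model reduces the report to the single authorization question it raises: the check must be made for the acting principal ($USER), not for the subject of the edit ($user). With the reported code, a Manager editing user 3 is evaluated with user 3's capabilities and loses the provider; with the change, the Manager keeps it, while a non-Manager editing their own profile still does not see it.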

      Replication steps:

      Under a fresh Moodle 2.3.2 installation:

      1. Create a new user (a normal authenticated user is enough). (Let's say the new user id is '3'.)
      2. Update the database table 'message_providers', setting capability='moodle/user:editmessageprofile' WHERE name LIKE 'instantmessage';
        (This prevents users from setting their own instant message destinations, but keeps this capability for Managers.)
      3. Log in as Manager;
      4. Edit that new user's messaging destinations by accessing the link '<MODDLE_USER>/message/edit.php?id=3';
        The instantmessage destination 'will not be configurable, but it should be'.
      5. Edit the Manager's own messaging destinations by accessing the link '<MODDLE_USER>/message/edit.php?id=2'; (please change the admin user id, if required)
        The instantmessage destination will be configurable.
      6. Log out from Moodle;
      7. Log in as that new user;
      8. Edit that new user's messaging destinations by accessing the link '<MODDLE_USER>/message/edit.php?id=3';
        The instantmessage destination will not be configurable, as it should be. (Sorry, I missed the 'not' while typing, before.)

      From searching the Moodle Tracker, this could affect Moodle since 2.2.

      Thanks.

      Reporter:
      Luis Gustavo Mueller de Alcantara (luis.alcantara)