[MDL-38474] Teachers cannot access Server files (No permission to access) - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Blocker
Resolution: Fixed
Affects Version/s: 2.2.8, 2.3.5, 2.4.2
Fix Version/s: 2.2.9, 2.3.6, 2.4.3
Component/s: Files API, Repositories
Labels:
- partner
- triaged

Testing Instructions:
Hide

Test pre-requisites

Create a 1.9 and add some course files

Use the 1.9 instance and upgrade it to 2.2, then to 2.3, 2.4 and master to test each version against it.

Enable Server files repository

Test steps

Login as a teacher

Add a folder to a course and add files:

Make sure you can browse the Server files repository

Make sure you can browse the Course files repository (legacy from 1.9)

Make sure any other repository does not throw the error 'No permission to access'

Test 2

Repeat MDL-36426 testing instructions (I'm sorry!)

Test 3

Repeat MDL-37852 testing instructions (I'm very sorry!)
Show
Test pre-requisites Create a 1.9 and add some course files Use the 1.9 instance and upgrade it to 2.2, then to 2.3, 2.4 and master to test each version against it. Enable Server files repository Test steps Login as a teacher Add a folder to a course and add files: Make sure you can browse the Server files repository Make sure you can browse the Course files repository (legacy from 1.9) Make sure any other repository does not throw the error 'No permission to access' Test 2 Repeat MDL-36426 testing instructions (I'm sorry!) Test 3 Repeat MDL-37852 testing instructions (I'm very sorry!)
Workaround:
Hide

Navigate to Home ► Site administration ► Users ► Permissions ► Define roles

Create a new role

Call it Server files

Allow the capability repository/local:view

Navigate to Home ► Site administration ► Users ► Permissions ► Assign system roles

Select Server files

Add the users who are teachers in some courses in this list
Show
Navigate to Home ► Site administration ► Users ► Permissions ► Define roles Create a new role Call it Server files Allow the capability repository/local:view Navigate to Home ► Site administration ► Users ► Permissions ► Assign system roles Select Server files Add the users who are teachers in some courses in this list
Affected Branches:
MOODLE_22_STABLE, MOODLE_23_STABLE, MOODLE_24_STABLE
Fixed Branches:
MOODLE_22_STABLE, MOODLE_23_STABLE, MOODLE_24_STABLE
Pull from Repository:
git://github.com/FMCorz/moodle.git
Pull Master Branch:
~~MDL-38474~~-master
Pull Master Diff URL:
https://github.com/FMCorz/moodle/compare/8673a98d1db81b86606ccf67ba9476a12284b780...MDL-38474-master

Description

Teachers (or any other role on a course context), are not able to browse the Server files repository. Error message: "No permission to access this repository"

This is a regression created by MDL-36426 when the security of the repositories have been enhanced.

The problem here being that the Server files repository (repository/local) is defined on a system context, but browse course files. So the logic checks that the user has the capability on a system context, who doesn't (cannot be a teacher on a system level).

A workaround is to create a new role, with the only capability repository/local:view set to allowed, and give that role to teachers but on a system level.

This could apply to coursefiles too

Attachments

Issue Links

Discovered while testing

MDL-38500 Repository names have to be unique (not sure why) but no check on create, only edit.

Closed

has a non-specific relationship to

MDL-38452 Teachers cannot upload files on behalf of the students any more

Closed

MDL-38498 Add units tests for repository check_capability

Closed

Activity

People

Assignee:

Frédéric Massart

Reporter:

Frédéric Massart

Peer reviewer:

Marina Glancy

Integrator:

Damyon Wiese

Participants:

Adrian Greeve, Ankit Agarwal, Damyon Wiese, David Monllaó, Eloy Lafuente (stronk7), Frédéric Massart, Gordon Bridge, Heiko Schach, Jorge Ramos, Marina Glancy, Michael de Raadt

Component watchers:

Matteo Scaramuccia, Andrew Nicols, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze, Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias

Votes:

6 Vote for this issue

Watchers:

14 Start watching this issue

Dates

Created:

14/Mar/13 10:16 AM

Updated:

28/Jul/18 1:16 AM

Resolved:

15/Mar/13 5:45 PM

Fix Release Date:

18/Mar/13