  1. Moodle
  2. MDL-39084

Gradebook - Capability checks are incoherent for the "Course grade settings" section


Details

    • MOODLE_23_STABLE, MOODLE_24_STABLE
    • MOODLE_23_STABLE, MOODLE_24_STABLE
    • git@github.com:StudiUM/moodle.git
    • MDL-39084-master

      1. As an administrator, go to "Site administration > Users > Permissions > Define roles" and uncheck "Update course settings" capability (moodle/course:update) for teacher's role.
      2. As a teacher, go in a course and click on Grades link in Course administration.
      3. TEST : Make sure that you see "Course grade settings" link in the Grade administration and "Settings > Course" in the dropdown list of the page (top left).
      4. TEST : Make sure that you have access to the page when you click on "Course grade settings" link and "Settings > Course" in the dropdown list.


    Description

      It seems there's a problem with capability checks between "Course grade settings" in the navigation (navigation bar and dropdown menu) and in the page.

      Navigation (grade/lib.php) :

          public static function get_info_manage_settings($courseid) {
              ...
              if (has_capability('moodle/course:update', $context)) {
              ...
      

      Page (grade/edit/settings/index.php) :

      ...
      require_capability('moodle/grade:manage', $context);
      ...
      

      Although I'm not sure which capability is the right one, it should be set the same in both places.

      If the capability should be "moodle/course:update" then this bug should be classified as a "minor security issue".
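
The kind of mismatch reported above can be caught mechanically. The following is an added example, not part of the original report or of Moodle's code: it extracts the capability named in the navigation guard and in the page guard and reports any difference. The function names and the link-to-page mapping are assumptions, and the sample sources are constructed from the two fragments quoted in the description.

```python
import re

# Matches has_capability('x', ...) and require_capability('x', ...) calls.
CAP_CALL = re.compile(r"\b(?:has|require)_capability\(\s*['\"]([^'\"]+)['\"]")

# Constructed sample input built from the two fragments quoted in the report.
SOURCES = {
    "grade/lib.php": """
        public static function get_info_manage_settings($courseid) {
            if (has_capability('moodle/course:update', $context)) {
    """,
    "grade/edit/settings/index.php": """
        require_capability('moodle/grade:manage', $context);
    """,
}

# Assumed mapping: file that decides whether the link is shown -> page it opens.
NAV_TO_PAGE = {"grade/lib.php": "grade/edit/settings/index.php"}


def capabilities(source):
    """Return the set of capability names checked in a PHP source string."""
    return set(CAP_CALL.findall(source))


def find_mismatches(sources, nav_to_page):
    """Report link/page pairs whose capability checks differ."""
    findings = []
    for nav, page in nav_to_page.items():
        nav_caps = capabilities(sources[nav])
        page_caps = capabilities(sources[page])
        if nav_caps != page_caps:
            findings.append({
                "nav": nav,
                "page": page,
                "only_in_nav": sorted(nav_caps - page_caps),
                "only_in_page": sorted(page_caps - nav_caps),
                # A page with no check at all relies on the hidden link alone.
                "page_unguarded": not page_caps,
            })
    return findings


if __name__ == "__main__":
    for f in find_mismatches(SOURCES, NAV_TO_PAGE):
        print(f)
```
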


          People

            gaudreaj Jean-Philippe Gaudreau
            gaudreaj Jean-Philippe Gaudreau
            Andrew Davis Andrew Davis
            Damyon Wiese Damyon Wiese
            Rossiani Wijaya Rossiani Wijaya
            Adrian Greeve, Ilya Tregubov, Kevin Percy, Mathew May, Mihail Geshoski, Shamim Rezaie

            Dates

              Created:
              Updated:
              Resolved:
              13/May/13