Moodle / MDL-39084

Gradebook - Capability checks are incoherent for the "Course grade settings" section

    • MOODLE_23_STABLE, MOODLE_24_STABLE
    • MOODLE_23_STABLE, MOODLE_24_STABLE
    • git@github.com:StudiUM/moodle.git
    • MDL-39084-master

      1. As an administrator, go to "Site administration > Users > Permissions > Define roles" and uncheck the "Update course settings" capability (moodle/course:update) for the teacher role.
      2. As a teacher, go into a course and click the Grades link in Course administration.
      3. TEST: Make sure that you see the "Course grade settings" link in the Grade administration and "Settings > Course" in the dropdown list of the page (top left).
      4. TEST: Make sure that you have access to the page when you click the "Course grade settings" link and "Settings > Course" in the dropdown list.

      It seems there's a problem with capability checks between "Course grade settings" in the navigation (navigation bar and dropdown menu) and in the page.

      Navigation (grade/lib.php) :

          public static function get_info_manage_settings($courseid) {
              ...
              if (has_capability('moodle/course:update', $context)) {
              ...
      

      Page (grade/edit/settings/index.php) :

      ...
      require_capability('moodle/grade:manage', $context);
      ...
      

      Although I'm not sure which capability is the right one, it should be set the same in both places.

      If the capability should be "moodle/course:update" then this bug should be classified as a "minor security issue".

            gaudreaj Jean-Philippe Gaudreau
            gaudreaj Jean-Philippe Gaudreau
            Andrew Davis Andrew Davis
            Damyon Wiese Damyon Wiese
            Rossiani Wijaya Rossiani Wijaya
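
The mismatch described in the report, modelled as a stand-alone PHP script (an added example, not part of the original report and not Moodle code). `user_can()` and `user_must()` are simplified stand-ins for `has_capability()` and `require_capability()`; the user names, their capability sets and the `SETTINGS_CAP` constant are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data: capabilities each user holds in the course context.
const USER_CAPS = [
    'teacher_without_course_update' => ['moodle/grade:manage'],
    'editor_without_grade_manage'   => ['moodle/course:update'],
];

// Simplified stand-in for has_capability(): no contexts, no role overrides.
function user_can(string $cap, string $user): bool {
    return in_array($cap, USER_CAPS[$user] ?? [], true);
}

// Simplified stand-in for require_capability(): refuses instead of returning false.
function user_must(string $cap, string $user): void {
    if (!user_can($cap, $user)) {
        throw new RuntimeException("Missing capability: $cap");
    }
}

// Runs a page guard and reports whether the request would have been served.
function page_served(callable $guard, string $user): bool {
    try {
        $guard($user);
        return true;
    } catch (RuntimeException $e) {
        return false;
    }
}

// One capability name read by both the link and the page. The value follows the
// test steps in the report; which capability is correct is the project's decision.
const SETTINGS_CAP = 'moodle/grade:manage';

$variants = [
    // Reported state: navigation and page test different capabilities.
    'reported'   => [fn(string $u): bool => user_can('moodle/course:update', $u),
                     fn(string $u) => user_must('moodle/grade:manage', $u)],
    // Consistent state: both checks use SETTINGS_CAP.
    'consistent' => [fn(string $u): bool => user_can(SETTINGS_CAP, $u),
                     fn(string $u) => user_must(SETTINGS_CAP, $u)],
];

foreach (array_keys(USER_CAPS) as $user) {
    foreach ($variants as $label => [$link, $page]) {
        $shown  = $link($user);
        $served = page_served($page, $user);
        $note   = $shown === $served ? 'ok' : ($served ? 'link hidden, page still served' : 'link shown, page refuses');
        printf("%-30s %-10s link=%-5s page=%-5s %s\n", $user, $label, var_export($shown, true), var_export($served, true), $note);
    }
}
```

Only the page guard enforces access; the navigation check controls what is displayed, so in the reported state a hidden link does not stop the page from being served.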