Moodle / MDL-39084

Gradebook - Capability checks are incoherent for the "Course grade settings" section

    Details

    • Testing Instructions:
      1. As an administrator, go to "Site administration > Users > Permissions > Define roles" and uncheck "Update course settings" capability (moodle/course:update) for teacher's role.
      2. As a teacher, go in a course and click on Grades link in Course administration.
      3. TEST : Make sure that you see "Course grade settings" link in the Grade administration and "Settings > Course" in the dropdown list of the page (top left).
      4. TEST : Make sure that you have access to the page when you click on "Course grade settings" link and "Settings > Course" in the dropdown list.

    • Affected Branches:
      MOODLE_23_STABLE, MOODLE_24_STABLE
    • Fixed Branches:
      MOODLE_23_STABLE, MOODLE_24_STABLE
    • Pull from Repository:
      git@github.com:StudiUM/moodle.git
    • Pull Master Branch:
      MDL-39084-master

      Description

      It seems there's a problem with capability checks between "Course grade settings" in the navigation (navigation bar and dropdown menu) and in the page.

      Navigation (grade/lib.php) :

          public static function get_info_manage_settings($courseid) {
              ...
              if (has_capability('moodle/course:update', $context)) {
              ...
      

      Page (grade/edit/settings/index.php) :

          ...
          require_capability('moodle/grade:manage', $context);
          ...
      

      Although I'm not sure which capability is the right one, it should be set the same in both places.

      If the capability should be "moodle/course:update" then this bug should be classified as a "minor security issue".
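
      A mismatch like the one reported above can be caught mechanically by comparing the capability that guards a navigation link with the one that guards the page it points to. The following is an added example, not code from Moodle or from the reporter; the PHP snippets are constructed from the two excerpts above, and the names `capabilities_in` and `audit` are hypothetical.

```python
import re

# has_capability() and require_capability() are the two Moodle calls quoted
# in the report; capture the capability name passed as first argument.
CAP_CALL = re.compile(r"\b(?:has|require)_capability\(\s*['\"]([a-z0-9_/:]+)['\"]")

def capabilities_in(php_source):
    """Return the set of capability names checked in a PHP snippet."""
    return set(CAP_CALL.findall(php_source))

def audit(pairs):
    """pairs: iterable of (label, nav_source, page_source).
    Report every link whose guard differs from the guard on its target page."""
    findings = []
    for label, nav_src, page_src in pairs:
        nav, page = capabilities_in(nav_src), capabilities_in(page_src)
        if nav != page:
            findings.append({
                "label": label,
                "nav_only": sorted(nav - page),    # decides who sees the link
                "page_only": sorted(page - nav),   # decides who can load the page
            })
    return findings

# Constructed sample input modelled on the two excerpts in the report.
NAV_REPORTED = """
public static function get_info_manage_settings($courseid) {
    if (has_capability('moodle/course:update', $context)) {
"""
PAGE_REPORTED = """
require_capability('moodle/grade:manage', $context);
"""
# Constructed consistent variant: the link is guarded by the page's capability.
NAV_CONSISTENT = NAV_REPORTED.replace("moodle/course:update", "moodle/grade:manage")

SAMPLES = [
    ("Course grade settings (as reported)", NAV_REPORTED, PAGE_REPORTED),
    ("Course grade settings (consistent)", NAV_CONSISTENT, PAGE_REPORTED),
]

if __name__ == "__main__":
    for f in audit(SAMPLES):
        print(f["label"], "nav:", f["nav_only"], "page:", f["page_only"])
```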


                Dates

                • Created:
                  Updated:
                  Resolved:
                  Fix Release Date:
                  13/May/13