  1. Moodle
  2. MDL-40712

Issued badge information page should state user name on the page

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.5.1
    • Fix Version/s: 2.5.2
    • Component/s: Badges
    • Labels:
    • Testing Instructions:

      To test, you need to have some Moodle badges issued as well as backpack with some badges connected to your account.

      1. When you click on issued Moodle badge page (badge.php), you should see "Recipient information" as the first set of badge info. It shows user full name and their email.

      If the user has backpack connected, this email should be backpack email. Otherwise, it is Moodle account email.

      2. When you click on any of external badges from the backpack (external.php), you should also see "Recipient information" with full name of the user which matches recipient email.

      In some cases, it might not be possible to validate the recipient (this is also not supposed to happen). For example, this might happen if badges salt for hashing emails changed after the badge was issued. In this case you should see the message "Current user cannot be verified as a recipient of this badge". This doesn't mean that the badge is not valid, it just means that we cannot be 100% sure that user is showing us a valid badge.

    • Affected Branches:
      MOODLE_25_STABLE
    • Fixed Branches:
      MOODLE_25_STABLE
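
The recipient check described in the testing instructions, as an added Python example (not Moodle's code and not part of the original issue). It assumes an Open Badges-style hashed identity of the form `sha256$` + SHA-256(email + salt); the function names and all sample values are hypothetical.

```python
import hashlib
import hmac

UNVERIFIED = "Current user cannot be verified as a recipient of this badge"

def hash_recipient(email: str, salt: str) -> str:
    """Assumed identity format: 'sha256$' + hex SHA-256 of email concatenated with salt."""
    digest = hashlib.sha256((email + salt).encode("utf-8")).hexdigest()
    return "sha256$" + digest

def recipient_matches(identity: str, email: str, salt: str) -> bool:
    """Compare the stored identity with a candidate email in constant time."""
    return hmac.compare_digest(identity, hash_recipient(email, salt))

def recipient_info(identity: str, user: dict, current_salt: str) -> dict:
    """Return the 'Recipient information' to display, or the unverified message.

    user holds 'fullname', 'email' (Moodle account email) and an optional
    'backpack_email', which takes precedence when a backpack is connected.
    """
    email = user.get("backpack_email") or user["email"]
    if recipient_matches(identity, email, current_salt):
        return {"verified": True, "fullname": user["fullname"], "email": email}
    # Never fall back to showing a name that the hash does not confirm.
    return {"verified": False, "message": UNVERIFIED}

# Constructed sample data (not taken from the tracker issue).
OLD_SALT = "salt-at-issue-time"
NEW_SALT = "salt-after-change"
USER = {"fullname": "Sample Student", "email": "student@moodle.example",
        "backpack_email": "student@backpack.example"}
OTHER = {"fullname": "Someone Else", "email": "other@moodle.example"}
ISSUED_IDENTITY = hash_recipient(USER["backpack_email"], OLD_SALT)

if __name__ == "__main__":
    print(recipient_info(ISSUED_IDENTITY, USER, OLD_SALT))   # verified
    print(recipient_info(ISSUED_IDENTITY, USER, NEW_SALT))   # salt changed
    print(recipient_info(ISSUED_IDENTITY, OTHER, OLD_SALT))  # different person
```

The salt-change case and the wrong-person case are indistinguishable from the hash alone, which is why the page shows the same "cannot be verified" message for both rather than a name.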

      Description

      Apologies if I'm missing something here, but there doesn't seem a way of proving that you were awarded a badge. You get an issued badge information page with a hash in the URL e.g. https://moodle.org/badges/badge.php?hash=889e023f7e9b8e5e209b63bf9f9337d5513e81de (from tweet https://twitter.com/_andrewrn_/status/355676209989951492 ) but it doesn't state on the page who the badge was issued to.


          Activity

          ybozhko Yuliya Bozhko added a comment -

          Hi Helen,

          That's a good point! I never actually thought about that as I always assumed that some user is getting to a badge page from another user profile, or recipient page. Will make sure to add that

          Yuliya

          fred Frédéric Massart added a comment -

          +1

          poltawski Dan Poltawski added a comment -

          Hi Yuliya,

          I'm sending this for integration along with MDL-40924 so that we can split the testing of this issue into two issues.

          Please could you provide some testing instructions for this change (based on the patch you've given me).

          thanks
          Dan

          poltawski Dan Poltawski added a comment -

          Integrated to master and 25 - thanks.

          markn Mark Nelson added a comment -

          Hi Yuliya,

          I am going to fail this to be on the safe side.

          I have an account which has a badge given by the site (localhost), and also have badges shown from my Mozilla backpack. Now, when I click on one of the external badges I am shown the email address associated with that backpack (unrelated note - is this a security issue?), which is what is expected, but am also shown this email when I view an internal badge, rather than the internal Moodle email address for that user. Is this correct? You state "If the user has backpack connected, this email should be backpack email. Otherwise, it is Moodle account email." but was not sure if this was just the case for external badges or all badges.

          Thanks.

          ybozhko Yuliya Bozhko added a comment -

          Hi Mark,

          Sorry for not being very clear in tests.

          Once the backpack is connected, all badges email is always user backpack email. When you disconnect backpack, it should be your Moodle email and it is shown only in internal badges (because you can't show your external badges without backpack).

          markn Mark Nelson added a comment -

          There was also an issue with being able to view the badge even when the user was deleted.

          Steps to replicate -

          1. Assign an internal badge to a user.
          2. Visit their profile.
          3. Copy the link to the badge.
          4. Delete them from Moodle.
          5. Visit the URL you copied earlier.
          markn Mark Nelson added a comment -

          Wow, Yuliya, quick response! I was just in the middle of writing my last reply. Thanks for the clarification.

          markn Mark Nelson added a comment - - edited

          I've just confirmed that when I disconnect from the backpack the Moodle email is shown.

          ybozhko Yuliya Bozhko added a comment -

          What was the problem with deleted user? Badge will still exist. User name (i.e. recipient name) should not be available.

          ybozhko Yuliya Bozhko added a comment - - edited

          Now that I think about that, users are actually not deleted from the system at all. I expected it to show that message when a user cannot be found, but in this case no other information will be found either. So, that part of test is probably wrong...

          I updated testing instructions. Sorry for the hassle...

          markn Mark Nelson added a comment -

          I can still see the name of the deleted user when viewing their badge. The information is still available in the user table, but the deleted flag is set to 1 to indicate that they have been deleted. Should you be checking on this page for this value?

          ybozhko Yuliya Bozhko added a comment - - edited

          I guess it is a separate issue, because we don't really delete either users or badges. A user that doesn't exist in the system should still be able to access badges issued in the system.

          I will create a separate tracker issue to decide how to handle deleted users. It is correct how it works right now. We don't want students who graduated and are no longer a part of the institution (and therefore, Moodle web site) to lose access to their badges information.

          P.S. Also, the biggest problem (which is currently true without this fix), if we don't show user information on the badge page (even if the user was deleted), then anyone can access this page, share it with someone else, and say that it is their badge even if it is not true.

          markn Mark Nelson added a comment -

          Ok, thanks Yuliya for clarifying everything. Just wanted to make sure before I passed it.

          ybozhko Yuliya Bozhko added a comment -

          Thanks, Mark!

          I created MDL-41585 to address the issue you mentioned. Will need to think of a proper way of handling these kinds of cases.

          poltawski Dan Poltawski added a comment -

          Congratulations! This change has been integrated upstream and is now available from our git and download mirrors. To celebrate, here is a joke:

          A SQL query goes into a bar, walks up to two tables and asks, "Can I join you?"


            People

            • Votes: 2
            • Watchers: 5

              Dates

              • Created:
                Updated:
                Resolved:
                Fix Release Date:
                9/Sep/13