[MDL-40854] mod/xxxx:view capabilities do not prevent links appearing on the course page - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 2.4.5, 2.5.1
Fix Version/s: 2.4.6, 2.5.2
Component/s: Course
Labels:
- policy
- triaged
- ui_change

Affected Branches:
MOODLE_24_STABLE, MOODLE_25_STABLE
Fixed Branches:
MOODLE_24_STABLE, MOODLE_25_STABLE
Pull from Repository:
git://github.com/timhunt/moodle.git
Pull Master Branch:
~~MDL-40854~~
Pull Master Diff URL:
https://github.com/timhunt/moodle/compare/master...MDL-40854
Workaround:

Hide

You can use the "Restrict to group memebers only" experimental setting to work around this in some cases.

Show
You can use the "Restrict to group memebers only" experimental setting to work around this in some cases.
Testing Instructions:

Hide

We are interested in activities and resources that define the mod/...:view capability (which is most, but not quite all of them. Search the code for regex: mod/\w+:view.

1. Create a course and add some of those activites.

2. Enrol a user in the course, and arrange for them to have some, but not all, the relevant capabilities.

3. Verify that they can only see links to the activities they are allowed to view (in the main course page, in the navigation, etc.)

Show
We are interested in activities and resources that define the mod/...:view capability (which is most, but not quite all of them. Search the code for regex: mod/\w+:view. 1. Create a course and add some of those activites. 2. Enrol a user in the course, and arrange for them to have some, but not all, the relevant capabilities. 3. Verify that they can only see links to the activities they are allowed to view (in the main course page, in the navigation, etc.)

Description

At the moment, mod/...:view capabilities mostly work by having a require_once in the activities view.php file. Therefore, if you do not have that capability, but follow a link to the activity, then you will see an ugly error message.

However, currently, mod/...:view capabilities do not control the visibility of the link to the activity on the course page.

It is standard practice that we never show users links to things they are allowed to access, therefore, I think that if you don't have the mod/...:view capability, you should not see the link to that activity on the course page.

POLICY question: Is the interpreation in the last paragraph correct?

~~MDL-31519~~ has more background on this question.

Attachments

Issue Links

caused a regression

MDL-43197 Parent role only sees course total and no longer individual grades

Closed

MDL-41179 Function cm_info::is_user_access_restricted_by_capability() assumes current user

Closed

has a non-specific relationship to

MDL-41638 Function coursemodule_visible_for_user() does not check mod/xxx:view capability

Closed

is duplicated by

MDL-31519 quiz should define the _cm_info_dynamic function in lib.php

Closed

Activity

People

Assignee:: Tim Hunt

Reporter:: Tim Hunt

Peer reviewer:: Dan Poltawski

Integrator:: Sam Hemelryk

Tester:: Rossiani Wijaya

Participants:: CiBoT, Dan Poltawski, Helen Foster, Martin Dougiamas, Petr Skoda, Rossiani Wijaya, Sam Hemelryk, Tim Hunt

Component watchers:: Amaia Anabitarte, Carlos Escobedo, Laurent David, Mikel Martín Corrales, Sabina Abellan, Sara Arjona (@sarjona)

Votes:: 1 Vote for this issue

Watchers:: 10 Start watching this issue

Dates

Created:: 24/Jul/13 4:21 PM

Updated:: 30/Jul/14 10:43 PM

Resolved:: 02/Aug/13 6:28 AM

Fix Release Date:: 9/Sep/13