Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-45636

duplicate module with ajax enabled gives nopermission error when course:manageactivities has been disabled in activity context

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.7, 2.7.1, 2.7.2, 2.8
    • Fix Version/s: 2.6.6, 2.7.3
    • Component/s: Course
    • Labels:
    • Testing Instructions:
      Hide

      1. Add an activity to your course.
      2. Edit permissions for that activity, remove the teacher role from "moodle/course:manageactivities"
      3. Make sure AJAX is enabled under /admin/settings.php?section=ajax
      4. Log into an account having a teacher role in the course context where the activity lives.
      5. Use the drop down menu and click "Duplicate"
      6. Behold the loading icon and see a duplicate emerge.

      Show
      1. Add an activity to your course. 2. Edit permissions for that activity, remove the teacher role from "moodle/course:manageactivities" 3. Make sure AJAX is enabled under /admin/settings.php?section=ajax 4. Log into an account having a teacher role in the course context where the activity lives. 5. Use the drop down menu and click "Duplicate" 6. Behold the loading icon and see a duplicate emerge.
    • Affected Branches:
      MOODLE_26_STABLE, MOODLE_27_STABLE, MOODLE_28_STABLE
    • Fixed Branches:
      MOODLE_26_STABLE, MOODLE_27_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-45636-course_master

      Description

      In this specific configuration a teacher is forbidden to "moodle/course:manageactivities" in the context of a single activity. When duplicating the activity using the drop down menu a YUI loading icon appears. Whereafter an error message pops up stating "You don't have permission to do this (Manage activities)". This only occurs when AJAX is enabled.

      When AJAX is disabled the user is properly redirected to /course/modduplicate.php to confirm the duplication.

      How to reproduce this error:
      1. Add an activity to your course.
      2. Edit permissions for that course, remove the teacher role from "moodle/course:manageactivities"
      3. Make sure AJAX is enabled under /admin/settings.php?section=ajax
      4. Log into an account having a teacher role in the course context where the activity lives.
      5. Use the drop down menu and click "Duplicate"
      6. Behold the error that is thrown on your screen.

      What should happen:
      1. Add an activity to your course.
      2. Edit permissions for that course, remove the teacher role from "moodle/course:manageactivities"
      3. Make sure AJAX is enabled under /admin/settings.php?section=ajax
      4. Log into an account having a teacher role in the course context where the activity lives.
      5. Use the drop down menu and click "Duplicate"
      6. Behold the loading icon and see a duplicate emerge.

      How to fix this error:
      I was poking around to see where this error is thrown. When ajax is enabled the duplicate request is sent to /course/rest.php. On line 111 a require_capability is done for the activity context rather than the course context.

      In /course/modduplicate.php the duplicate action checks the course context.

      I changed line 111 from:

      require_capability('moodle/course:manageactivities', $modcontext);
      

      to:

      require_capability('moodle/course:manageactivities', $coursecontext);
      

      Now it is working as intended.

        Attachments

          Activity

            People

            Assignee:
            Unassigned
            Reporter:
            v.ashruf Virgil Ashruf
            Peer reviewer:
            Frédéric Massart
            Integrator:
            Damyon Wiese
            Tester:
            Damyon Wiese
            Participants:
            Component watchers:
            Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Sara Arjona (@sarjona)
            Votes:
            3 Vote for this issue
            Watchers:
            6 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:
              Fix Release Date:
              10/Nov/14