Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-47628

Availability: Grouping confusing for sites which used groupmembersonly [2.8]

    XMLWordPrintable

    Details

    • Testing Instructions:
      Hide

      Note: Also covered by Behat tests in core_availability.

      0. Ensure that conditional availability is enabled at system level.
      1. On a course, add e.g. a forum.
      2. Expand the 'common' section.
      EXPECTED: There's an 'Add group/grouping access restriction' button under the group settings, but it's greyed out.
      3. Select 'Separate groups' under group mode.
      EXPECTED: Button becomes enabled.
      4. Click button, and expand 'Restrict access'.
      EXPECTED: Button goes disabled again. A group restriction (any group) becomes visible in 'Restrict access'.
      5. Delete the group restriction.
      EXPECTED: Button available again.
      6. Select a grouping (if there aren't any groupings on the course, go back and create one).
      7. Click the button again.
      EXPECTED: This time it adds a grouping restriction set to the correct grouping.

      Show
      Note: Also covered by Behat tests in core_availability. 0. Ensure that conditional availability is enabled at system level. 1. On a course, add e.g. a forum. 2. Expand the 'common' section. EXPECTED: There's an 'Add group/grouping access restriction' button under the group settings, but it's greyed out. 3. Select 'Separate groups' under group mode. EXPECTED: Button becomes enabled. 4. Click button, and expand 'Restrict access'. EXPECTED: Button goes disabled again. A group restriction (any group) becomes visible in 'Restrict access'. 5. Delete the group restriction. EXPECTED: Button available again. 6. Select a grouping (if there aren't any groupings on the course, go back and create one). 7. Click the button again. EXPECTED: This time it adds a grouping restriction set to the correct grouping.
    • Affected Branches:
      MOODLE_28_STABLE
    • Fixed Branches:
      MOODLE_29_STABLE
    • Pull Master Branch:
      MDL-47628-master

      Description

      If an activity such as a forum is setup for separate groups, and assigned to a grouping, people not in that grouping see the activity on their course page. This is different behavior than is seen in 2.7 or below.

        • if the user clicks on it, they are give an error message, but they shouldn't see the forum in the first place.

      I say it could be a security error, as this could provide some information to some people who aren't supposed to see it, so its really more of a data access issue.

      To re-create -
      1. create a course site with at least 2 people (sam and betty)
      2. create two groups with one person in each group (lets say group a and b)
      3. put sam in group a, and betty in group b
      4. create two groupings (a and b), putting just group a in grouping a, and b in b.
      5. create an activity (forum) "forum for just grouping a", set to seprate groups and select grouping A.
      6. Do a login as betty, she'll see "forum for just grouping a"
      Betty shouldn't see that forum at all.

          1. Also I notice that a configuration option on grouping has been removed from the experimental server setting area.

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                8 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Fix Release Date:
                  11/May/15