  1. Moodle
  2. MDL-47628

Availability: Grouping confusing for sites which used groupmembersonly [2.8]


Details

    • MOODLE_28_STABLE
    • MOODLE_29_STABLE
    • MDL-47628-master

      Note: Also covered by Behat tests in core_availability.

      0. Ensure that conditional availability is enabled at system level.
      1. On a course, add e.g. a forum.
      2. Expand the 'common' section.
      EXPECTED: There's an 'Add group/grouping access restriction' button under the group settings, but it's greyed out.
      3. Select 'Separate groups' under group mode.
      EXPECTED: Button becomes enabled.
      4. Click button, and expand 'Restrict access'.
      EXPECTED: Button goes disabled again. A group restriction (any group) becomes visible in 'Restrict access'.
      5. Delete the group restriction.
      EXPECTED: Button available again.
      6. Select a grouping (if there aren't any groupings on the course, go back and create one).
      7. Click the button again.
      EXPECTED: This time it adds a grouping restriction set to the correct grouping.


    Description

      If an activity such as a forum is set up for separate groups, and assigned to a grouping, people not in that grouping see the activity on their course page. This is different behavior than is seen in 2.7 or below.

        • If the user clicks on it, they are given an error message, but they shouldn't see the forum in the first place.

      I say it could be a security error, as this could provide some information to some people who aren't supposed to see it, so it's really more of a data access issue.

      To re-create -
      1. create a course site with at least 2 people (sam and betty)
      2. create two groups with one person in each group (let's say group a and b)
      3. put sam in group a, and betty in group b
      4. create two groupings (a and b), putting just group a in grouping a, and b in b.
      5. create an activity (forum) "forum for just grouping a", set to separate groups and select grouping A.
      6. Do a login as betty, she'll see "forum for just grouping a"
      Betty shouldn't see that forum at all.

          1. Also I notice that a configuration option on grouping has been removed from the experimental server setting area.

            People

              quen Sam Marshall
              smileyatic Steven Miley
              Dan Poltawski Dan Poltawski
              Sam Hemelryk Sam Hemelryk
              Jetha Chan Jetha Chan
              Sam Marshall, Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Ilya Tregubov, Laurent David, Raquel Ortega, Sara Arjona (@sarjona), Andrew Lyons, Huong Nguyen, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze, Stevani Andolo
              Votes: 0
              Watchers: 8

              Dates

                Created:
                Updated:
                Resolved:
                11/May/15
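
An added example, not part of this issue or of Moodle's code: an audit a site administrator could run over exported `course_modules` rows to list activities in the state the description reports, that is, separate groups with a grouping selected but no group or grouping condition enforced under 'Restrict access'. The column names (`groupmode`, `groupingid`, `availability`), the value 1 for 'Separate groups' and the availability JSON shape are assumptions about Moodle's schema; the rows are constructed sample data.

```python
import json

SEPARATE_GROUPS = 1  # assumed course_modules.groupmode value for 'Separate groups'

def enforced_types(node):
    """Yield the types of conditions every user must satisfy (AND paths only)."""
    if not isinstance(node, dict):
        return
    if "c" in node:  # nested tree: {"op": ..., "c": [...]}
        children = node.get("c") or []
        op = node.get("op", "&")
        # Under "|" a condition is optional unless it is the only child;
        # "!&" and "!|" negate their children, so nothing below is enforced.
        if op == "&" or (op == "|" and len(children) == 1):
            for child in children:
                yield from enforced_types(child)
    elif "type" in node:
        yield node["type"]

def has_group_restriction(availability):
    """True if the availability JSON enforces a group or grouping condition."""
    if not availability:
        return False
    try:
        tree = json.loads(availability)
    except ValueError:
        return False  # unreadable JSON: report the activity as unrestricted
    return any(t in ("group", "grouping") for t in enforced_types(tree))

def audit(rows):
    """Return ids of activities with a grouping set but no enforced restriction."""
    return [r["id"] for r in rows
            if r["groupingid"] and r["groupmode"] == SEPARATE_GROUPS
            and not has_group_restriction(r["availability"])]

# Constructed sample rows, not taken from a real site.
ROWS = [
    {"id": 101, "groupmode": 1, "groupingid": 5, "availability": None},
    {"id": 102, "groupmode": 1, "groupingid": 5, "availability":
        '{"op":"&","c":[{"type":"grouping","id":5}],"showc":[false]}'},
    {"id": 103, "groupmode": 1, "groupingid": 5, "availability":
        '{"op":"|","c":[{"type":"grouping","id":5},{"type":"date","d":">=","t":1431302400}],"show":false}'},
    {"id": 104, "groupmode": 0, "groupingid": 0, "availability": None},
    {"id": 105, "groupmode": 1, "groupingid": 5, "availability":
        '{"op":"&","c":[{"op":"&","c":[{"type":"group"}]}],"showc":[false]}'},
]

if __name__ == "__main__":
    print(audit(ROWS))
```

Row 103 is flagged because its grouping condition sits under an "any of" operator next to a date condition, so it is not required for access.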