  1. Moodle
  2. MDL-48525

Messages external function doesn't return the profile user image due to incorrect permissions check


    Details

    • Testing Instructions:
      1. Enable messaging in the site
      2. Create a couple of user accounts, user1 and user2, with the same first name. Upload a profile image for those accounts.
      3. Enable "Mobile services": Plugins ► Web Services ► External services
      4. Create a Token for the Mobile app service (for user1):
        • Click on Site administration ► Plugins ► Web services ► Manage tokens
      5. Next, you can do a CURL REST call simulating a WS client:
        • Replace searchtext with the first name of user2
        • You also need to replace the wstoken and the URL of your moodle instance

          curl 'http://localhost/m/stable_master/webservice/rest/server.php?moodlewsrestformat=json' -H 'Pragma: no-cache' -H 'Origin: file://' -H 'Accept-Encoding: gzip,deflate,sdch' -H 'Accept-Language: es,en;q=0.8,de-DE;q=0.6,de;q=0.4,nb;q=0.2' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1798.0 Safari/537.36' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'Accept: application/json, text/javascript, */*; q=0.01' -H 'Cache-Control: no-cache' -H 'Connection: keep-alive' --data 'searchtext=test&onlymycourses=0&wsfunction=core_message_search_contacts&wstoken=1b9b8bd8d01acbf452c2bd77ca0d2925' --compressed
          

      6. Confirm that:
        • The command returns a list of users matching the name you used for searching (except the current user). To check that the returned profile image URL works, copy the URL into a new browser tab, appending:
          &token=YOUR_TOKEN
          Note that if you are testing with just a couple of users, the search will return only one user, because the user doing the search is excluded from the results.
    • Affected Branches:
      MOODLE_28_STABLE, MOODLE_29_STABLE
    • Fixed Branches:
      MOODLE_28_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-48525-master

      Description

      The messaging external functions get_contacts and search_contacts don't return the profile user image in some cases.

      This is because these functions internally use the user_get_user_details() function, which only returns the profile user image URLs if the requesting user has moodle/user:viewdetails permitted.

      In the web interface, if messaging is enabled, the global search doesn't check that capability, so the profile user image must always be returned.
      See https://tracker.moodle.org/browse/MDL-48329?focusedCommentId=326374&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-326374 for more info.
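
The check in testing step 6 can be scripted. This is an added example, not code from the Moodle tracker or code base: it reads a saved JSON reply from the search call, lists contacts whose image URL is missing (the symptom described above), and builds the URL to open with the token appended. The field name `profileimageurl`, the error reply shape and all sample values are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample replies (host, ids, names and error text are made up;
# the field name "profileimageurl" is an assumption, not taken from the page).
SAMPLE_REPLY = json.dumps([
    {"id": 7, "fullname": "Test Two",
     "profileimageurl": "http://moodle.example/webservice/pluginfile.php/31/user/icon/f1"},
    {"id": 9, "fullname": "Test Three"},  # no image URL: the reported symptom
])
SAMPLE_ERROR = json.dumps({"exception": "sample_exception",
                           "errorcode": "sampleerror",
                           "message": "Access control exception"})


def with_token(url, token):
    """Add token=<token> to url, whether or not it already has a query string."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "token"]
    query.append(("token", token))
    return urlunsplit(parts._replace(query=urlencode(query)))


def check_contacts(raw_json, token, image_field="profileimageurl"):
    """Return (urls_to_open, ids_missing_image) for a search_contacts reply."""
    reply = json.loads(raw_json)
    # An error comes back as a JSON object rather than a list of contacts.
    if isinstance(reply, dict) and "exception" in reply:
        raise RuntimeError("web service error: %s" % reply.get("message"))
    if not isinstance(reply, list):
        raise ValueError("expected a JSON list of contacts")
    to_open, missing = {}, []
    for contact in reply:
        url = contact.get(image_field)
        if url:
            to_open[contact["id"]] = with_token(url, token)
        else:
            missing.append(contact["id"])
    return to_open, missing


if __name__ == "__main__":
    urls, missing = check_contacts(SAMPLE_REPLY, "YOUR_TOKEN")
    print("open in browser:", urls)
    print("contacts without profile image:", missing)
```

A non-empty second list for a user who has uploaded a profile image reproduces the behaviour this issue reports.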

            People

            Assignee:
            jleyva Juan Leyva
            Reporter:
            jleyva Juan Leyva
            Peer reviewer:
            Ankit Agarwal
            Integrator:
            Eloy Lafuente (stronk7)
            Tester:
            Simey Lameze
            Participants:
            Component watchers:
            Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Sara Arjona (@sarjona), Juan Leyva

              Dates

              Created:
              Updated:
              Resolved:
              Fix Release Date:
              9/Mar/15