[MDL-48525] Messages external function doesn't return the profile user image due to incorrect permissions check - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 2.8.1, 2.9
Fix Version/s: 2.8.4
Component/s: Messages, Web Services
Labels:
- ci
- triaged

Testing Instructions:

Hide

Enable messaging in the site
Create a couple of users accounts, user1 and user2 with the same firstname. Upload a profile image for those accounts.
Enable "Mobile services": Plugins ► Web Services ► External services
Create a Token for the Mobile app service (for user1):
- Click on Site administration ► Plugins ► Web services ► Manage tokens

Next, you can do a CURL REST call simulating a WS client:

Replace searchtext with the first name of user2

You also need to replace the wstoken and the URL of your moodle instance

curl 'http://localhost/m/stable_master/webservice/rest/server.php?moodlewsrestformat=json' -H 'Pragma: no-cache' -H 'Origin: file://' -H 'Accept-Encoding: gzip,deflate,sdch' -H 'Accept-Language: es,en;q=0.8,de-DE;q=0.6,de;q=0.4,nb;q=0.2' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1798.0 Safari/537.36' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'Accept: application/json, text/javascript, */*; q=0.01' -H 'Cache-Control: no-cache' -H 'Connection: keep-alive' --data 'searchtext=test&onlymycourses=0&wsfunction=core_message_search_contacts?wstoken=1b9b8bd8d01acbf452c2bd77ca0d2925' --compressed

Confirm that:
- The command returns a list of users matching the name you used for searching (except the current user), for checking if the returned profile image URL works you must copy the url in a new browser tab appending:
  &token=YOUR_TOKEN
  Note that is you are testing just with a couple of users, the search will return only one user because the user doing the search is excluded from the results

Show

Enable messaging in the site Create a couple of users accounts, user1 and user2 with the same firstname. Upload a profile image for those accounts. Enable "Mobile services": Plugins ► Web Services ► External services Create a Token for the Mobile app service (for user1): Click on Site administration ► Plugins ► Web services ► Manage tokens Next, you can do a CURL REST call simulating a WS client: Replace searchtext with the first name of user2 You also need to replace the wstoken and the URL of your moodle instance curl 'http://localhost/m/stable_master/webservice/rest/server.php?moodlewsrestformat=json' -H 'Pragma: no-cache' -H 'Origin: file://' -H 'Accept-Encoding: gzip,deflate,sdch' -H 'Accept-Language: es,en;q=0.8,de-DE;q=0.6,de;q=0.4,nb;q=0.2' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1798.0 Safari/537.36' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'Accept: application/json, text/javascript, */*; q=0.01' -H 'Cache-Control: no-cache' -H 'Connection: keep-alive' --data 'searchtext=test&onlymycourses=0&wsfunction=core_message_search_contacts?wstoken=1b9b8bd8d01acbf452c2bd77ca0d2925' --compressed Confirm that: The command returns a list of users matching the name you used for searching (except the current user), for checking if the returned profile image URL works you must copy the url in a new browser tab appending: &token=YOUR_TOKEN Note that is you are testing just with a couple of users, the search will return only one user because the user doing the search is excluded from the results

Affected Branches:
MOODLE_28_STABLE, MOODLE_29_STABLE
Fixed Branches:
MOODLE_28_STABLE
Pull from Repository:
git://github.com/jleyva/moodle.git
Pull Master Branch:
~~MDL-48525~~-master
Pull Master Diff URL:
https://github.com/jleyva/moodle/compare/4c27f52...MDL-48525-master

Description

The messaging external functions get_contacts and search_contacts doesn't return the profile user image in some cases.

This is because these functions uses internally the user_get_user_details() function that only returns the profile user images URLs if the requesting user has the moodle/user:viewdetails permitted.

In the web interface iff messaging is enabled, the global search doesn't check that capabilities so the profile user image must be returned always.
See https://tracker.moodle.org/browse/MDL-48329?focusedCommentId=326374&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-326374 for more info:

Attachments

Activity

People

Assignee:: Juan Leyva

Reporter:: Juan Leyva

Peer reviewer:: Ankit Agarwal

Integrator:: Eloy Lafuente (stronk7)

Tester:: Simey Lameze

Participants:: Ankit Agarwal, CiBoT, Dan Poltawski, Eloy Lafuente (stronk7), Juan Leyva, Marina Glancy, Simey Lameze

Component watchers:: Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Ilya Tregubov, Sara Arjona (@sarjona), Juan Leyva, Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Ilya Tregubov, Sara Arjona (@sarjona)

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 09/Dec/14 1:32 AM

Updated:: 06/Feb/15 3:42 AM

Resolved:: 06/Feb/15 3:42 AM

Fix Release Date:: 9/Mar/15