[MDL-49934] Admins or managers are not able to retrieve assignments info via get_assignments - Moodle Tracker

XML

Word

Printable

Details

Type: Improvement
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 2.9, 3.1
Fix Version/s: 3.1
Component/s: Assignment, Web Services
Labels:
- api_change
- ci
- release_notes
- triaged

Testing Instructions:
Hide

As admin or teacher, create a new course with an assignment (default settings)

Enable "Mobile services": Plugins ► Web Services ► Mobile

Create a Token for the Moodle main admin user:

Click on Site administration ► Plugins ► Web services ► Manage tokens

Ensure that the admin user (or the user you created the token for) is not enrolled in the course you created in the first step.

Next, you can do a CURL REST call simulating a WS client.

You need to replace the wstoken and URL.

You need to replace also the courseids value to match the course you created in the first step.

curl 'http://localhost/m/stable_master/webservice/rest/server.php?moodlewsrestformat=json' --data 'courseids%5B0%5D=4&wsfunction=mod_assign_get_assignments&wstoken=ffbe3a3002f235bf9d01fd9369e10b66'

Note, you can use jsonlint.com to validate and format the json returned string or append "| python -m json.tool" to automatically format the command output

Confirm that

The json returned does NOT contain any assignment.

Now, do the same request but adding this new parameter: &includenotenrolledcourses=1

Confirm that

Now, you see the assignment information
Show
As admin or teacher, create a new course with an assignment (default settings) Enable "Mobile services": Plugins ► Web Services ► Mobile Create a Token for the Moodle main admin user: Click on Site administration ► Plugins ► Web services ► Manage tokens Ensure that the admin user (or the user you created the token for) is not enrolled in the course you created in the first step. Next, you can do a CURL REST call simulating a WS client. You need to replace the wstoken and URL. You need to replace also the courseids value to match the course you created in the first step. curl 'http://localhost/m/stable_master/webservice/rest/server.php?moodlewsrestformat=json' --data 'courseids%5B0%5D=4&wsfunction=mod_assign_get_assignments&wstoken=ffbe3a3002f235bf9d01fd9369e10b66' Note, you can use jsonlint.com to validate and format the json returned string or append "| python -m json.tool" to automatically format the command output Confirm that The json returned does NOT contain any assignment. Now, do the same request but adding this new parameter: &includenotenrolledcourses=1 Confirm that Now, you see the assignment information
Affected Branches:
MOODLE_29_STABLE, MOODLE_31_STABLE
Fixed Branches:
MOODLE_31_STABLE
Pull from Repository:
git://github.com/jleyva/moodle.git
Pull Master Branch:
~~MDL-49934~~-master
Pull Master Diff URL:
https://github.com/jleyva/moodle/compare/e8952c5...MDL-49934-master

Description

This external function doesn't work for not-enrolled users (even if they are admins or managers with global roles that can access the course and manage it).

The functions uses incorrectly the enrol_get_users_courses function instead of relying in validate_context checks

Attachments

Activity

People

Assignee:

Juan Leyva

Reporter:

Juan Leyva

Peer reviewer:

Adrian Greeve

Integrator:

David Monllaó

Tester:

Marina Glancy

Participants:

Adrian Greeve, Andrew Nicols, Ankit Agarwal, CiBoT, David Monllaó, Eloy Lafuente (stronk7), Juan Leyva, Marina Glancy

Component watchers:

Damyon Wiese, Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias, Juan Leyva, Jake Dallimore, Jun Pataleta

Votes:

0 Vote for this issue

Watchers:

4 Start watching this issue

Dates

Created:

21/Apr/15 3:45 AM

Updated:

25/Mar/16 7:11 AM

Resolved:

25/Mar/16 7:11 AM

Fix Release Date:

23/May/16