Moodle / MDL-50292

mod_choice: Add new capability to view published results (on top of capability to view choice itself)

    Details

    • Type: Improvement
    • Status: Development in progress
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 2.9, 3.1, 3.4
    • Fix Version/s: None
    • Component/s: Choice
    • Labels:
    • Testing Instructions:
      1. Testing the choice:viewpublishedresults permission
        1. Create a choice activity and set the publish results option to "Always show to users"
        2. Override the permissions on the choice activity so the choice:viewpublishedresults permission is prohibited for student2
        3. Have student1 make a selection
        4. Verify student1 can see the results
        5. Have student2 make a selection
        6. Verify that student2 CANNOT see the results
      2. Repeat both of the above tests using the Moodle Mobile App and verify everything works as expected.

      Automated testing:

      1. Run behat for mod_choice
      2. Run phpunit for mod_choice
    • Difficulty:
      Easy
    • Affected Branches:
      MOODLE_29_STABLE, MOODLE_31_STABLE, MOODLE_34_STABLE
    • Pull Master Branch:
      MDL-50292_m35v1

      Description

      It is possible for guests to see the details of participants' choices and there is no capability to control this. There is a setting to control whether results should be shown, but there is no way to discriminate between guests and authenticated users.

      This could potentially be considered a minor security issue as it is revealing student details to unauthorised users. There should be a capability that prevents guests from viewing choices made.

      Replication steps:

      1. Log in as admin/teacher
      2. Log into a course that is open to guests or use the Front page
      3. Create a Choice activity with a few choices
      4. Set Publish results to Always show results to students
      5. Save the activity
      6. Log in as a student
      7. Make a choice
      8. Log out
      9. Access the Choice activity

      Expected result
      Results should not be available to guests or shown in an anonymised form.

      Actual result
      The image and name of students who have made a choice are visible.
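
The access decision requested above, as an added stand-alone example (not code from the Moodle project or from this issue's patch): results are shown only when the activity publishes them and the viewer holds the new capability. The full capability name `mod/choice:viewpublishedresults`, the role defaults, the "restricted" role and the sample users are assumptions constructed for illustration, and the resolution logic is a simplified model rather than Moodle's own implementation.

```php
<?php
// Stand-alone model, not Moodle code. Permission values mirror Moodle's CAP_* constants.
const CAP_INHERIT  = 0;
const CAP_ALLOW    = 1;
const CAP_PROHIBIT = -1000;

// Assumed full capability name (component prefix + the name used on this page).
const CAPABILITY = 'mod/choice:viewpublishedresults';

// Constructed defaults: the guest archetype is deliberately not granted the capability.
$roledefaults = ['guest' => CAP_INHERIT, 'student' => CAP_ALLOW, 'teacher' => CAP_ALLOW];

// Constructed activity-level override: a hypothetical "restricted" role prohibits it.
$overrides = ['restricted' => CAP_PROHIBIT];

// True if any role allows the capability and no role prohibits it.
function holds_capability(array $roles, array $defaults, array $overrides): bool {
    $allowed = false;
    foreach ($roles as $role) {
        $perm = $overrides[$role] ?? $defaults[$role] ?? CAP_INHERIT;
        if ($perm === CAP_PROHIBIT) {
            return false; // a prohibit from any role wins over every allow
        }
        $allowed = $allowed || $perm === CAP_ALLOW;
    }
    return $allowed;
}

// Results are shown only when the activity publishes them AND the viewer holds the capability.
function can_view_published_results(bool $published, array $roles, array $defaults, array $overrides): bool {
    return $published && holds_capability($roles, $defaults, $overrides);
}

// Constructed users matching the testing instructions, plus a guest.
$users = [
    'student1' => ['student'],
    'student2' => ['student', 'restricted'],
    'guest'    => ['guest'],
];

foreach ($users as $name => $roles) {
    $visible = can_view_published_results(true, $roles, $roledefaults, $overrides);
    printf("%-8s %s: %s\n", $name, CAPABILITY, $visible ? 'results shown' : 'results hidden');
}
```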

              People

              Assignee:
              sbourget Stephen Bourget
              Reporter:
              salvetore Michael de Raadt
              Peer reviewer:
              Adrian Greeve
              Integrator:
              Eloy Lafuente (stronk7)
              Participants:
              Component watchers:
              Dan Marsden, Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Sara Arjona (@sarjona), Víctor Déniz Falcón