Affects Version/s: 2.8.8, 2.9.2
Fix Version/s: None
- Create a course
- Override the moodle/site:accessallgroups capability to prohibit for Non editing teacher at the course
- Create a grouping (Grouping1)
- Enrol a user with Non editing teacher.
- Create an assignment.
- Add a restriction so users must be a member of Grouping1
- Log in as the user.
Expected: You can't interact with the activity
Actual: You can interact with the activity.
Removing the moodle/course:viewhiddenactivities capability is a stopgap measure; however, there are use cases where you would want users to be able to see hidden activities while still being restricted otherwise.
Affected Branches: MOODLE_28_STABLE, MOODLE_29_STABLE
In Moodle 2.6 we had groupmembersonly enabled, and restricted some activities to a certain grouping. Users without moodle/site:accessallgroups were correctly unable to see activities when they were not part of that grouping.
Upon upgrading to 2.8, we've instead used the access restrictions to restrict those activities to the grouping, but those users are able to access those activities.
Upon further investigation, this appears to be caused by the logic in update_user_visible functioning differently than how we expect it should.
The code as written allows the moodle/course:viewhiddenactivities capability to override the access restrictions placed on an activity, and this is contrary to how the old groupmembersonly + grouping restriction functioned.
Rewriting the logic thusly:
allows the restrictions to function as the 2.6 grouping restrictions would have.
Even without taking into account 2.6's grouping restrictions, we still think this is an issue because it prevents you from restricting access to anyone with moodle/course:viewhiddenactivities.
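The following is an added illustration, not the reporter's patch and not Moodle source: a simplified model of the decision described above, comparing the reported behaviour (the capability overrides access restrictions) with the behaviour the report expects. All function names and array keys are hypothetical, and `available` stands for the outcome of the activity's access restrictions for the user.

```php
<?php
// Simplified model of the visibility decision discussed in this issue.
// Not Moodle source: function names and array keys are hypothetical.

/** Reported behaviour: the capability bypasses both hidden state and restrictions. */
function uservisible_reported(array $s): bool {
    if ((!$s['visible'] || !$s['available']) && !$s['viewhidden']) {
        return false;
    }
    return true;
}

/** Expected behaviour (assumed from the report): the capability bypasses only
 *  the hidden flag; access restrictions are still enforced. */
function uservisible_expected(array $s): bool {
    if (!$s['visible'] && !$s['viewhidden']) {
        return false;
    }
    return $s['available'];
}

/** Enumerate every state and return those where the two models disagree. */
function differing_states(): array {
    $diff = [];
    foreach ([true, false] as $visible) {
        foreach ([true, false] as $available) {
            foreach ([true, false] as $viewhidden) {
                $s = compact('visible', 'available', 'viewhidden');
                if (uservisible_reported($s) !== uservisible_expected($s)) {
                    $diff[] = $s;
                }
            }
        }
    }
    return $diff;
}

// Constructed state for the reproduction steps: activity shown, user is not in
// Grouping1 (restriction unmet), role holds moodle/course:viewhiddenactivities.
$repro = ['visible' => true, 'available' => false, 'viewhidden' => true];
var_dump(uservisible_reported($repro));
var_dump(uservisible_expected($repro));

// Every state in which the capability alone grants access despite a restriction.
foreach (differing_states() as $s) {
    echo json_encode($s), PHP_EOL;
}
```

The two models disagree only when a restriction is unmet and the user holds the capability, which is the set of states a regression test for this issue needs to cover.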