
mod_assign_get_participant does not check user_get_user_details return status


    Details

    • Testing Instructions:
      1. In a course create an assignment with blind marking enabled
      2. As admin, enable "Mobile services": Site administration ► Mobile app ► Mobile settings
      3. Create a Token in the mobile app service for one editing teacher in the course:
        1. Click on Site administration ► Plugins ► Web services ► Manage tokens
      4. Next, you can make a curl REST call simulating a WS client with the teacher's wstoken.
        1. You need to replace the wstoken, assignid (the assignment instance id), userid (the id of one student in the course) and the URL of your moodle instance

          curl 'http://localhost/m/stable_master/webservice/rest/server.php?moodlewsrestformat=json' --data 'assignid=14&userid=106&embeduser=1&wsfunction=mod_assign_get_participant&wstoken=12a2a65aeea2a177055e233f9e303218' | python -m "json.tool"

      5. Check that the response does not contain a 'user' field with the student's information
      6. Re-configure the assignment to disable blind marking and check that you now see the user's complete profile in the 'user' field
      7. Remove the moodle/user:viewdetails capability from the Editing Teacher role
      8. Execute the curl request again and check that you see neither an error nor the user field
      9. Re-configure the assignment to enable blind marking
      10. Execute the curl request again and check that you see neither an error nor the user field
    • Affected Branches:
      MOODLE_30_STABLE, MOODLE_31_STABLE, MOODLE_32_STABLE
    • Fixed Branches:
      MOODLE_31_STABLE, MOODLE_32_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-55371-master

      Description

      mod/assign/externallib.php function get_participant()

      The web service that this function implements has a required return parameter 'user' (the user object). However, this value is obtained by calling user_get_user_details(), and there are many situations in which that function simply returns null. The web service then fails with an extremely unhelpful error (essentially "a required return field is empty"), because lib/externallib checks the return values against the return description and throws an exception for the missing user object.

      This can happen, for example, if the moodle/user:viewdetails capability is "off" for the current user. That is unlikely but possible if a custom teacher-like role is created and/or capabilities are overridden within the course.

      To illustrate... a client had a "marker" role based on teacher for marking assignments. This had (probably by mistake, but I don't think that matters) been overridden in a course and the moodle/user:viewdetails cap set to prevent. The result should probably be that you can't do marking if you can't see the user details. However, it got into the PDF interface and just produced an arcane message about an object or array being required in a JavaScript popup. Took a lot of tracking down.
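      The expected outcomes of testing steps 5 to 10 above, encoded as a small offline checker over the REST JSON response. This is an added example, not part of the tracker issue or of Moodle; the base URL, token and the sample response dicts are constructed, and only the presence of the 'user' key and of Moodle's error envelope (a top-level "exception" key) is inspected.

```python
"""Checker for the mod_assign_get_participant test procedure (constructed example)."""
import json
import urllib.parse
import urllib.request

WS_FUNCTION = "mod_assign_get_participant"


def build_request(base_url, wstoken, assignid, userid):
    """Return (url, body) equivalent to the curl call in the testing steps."""
    url = base_url.rstrip("/") + "/webservice/rest/server.php?moodlewsrestformat=json"
    params = {"assignid": assignid, "userid": userid, "embeduser": 1,
              "wsfunction": WS_FUNCTION, "wstoken": wstoken}
    return url, urllib.parse.urlencode(params)


def call_ws(base_url, wstoken, assignid, userid, timeout=10):
    """Perform the live REST call (needs network; the offline checks below do not use it)."""
    url, body = build_request(base_url, wstoken, assignid, userid)
    with urllib.request.urlopen(url, data=body.encode(), timeout=timeout) as resp:
        return json.load(resp)


def expected_user_visible(blind_marking, can_view_details):
    """Steps 5-10: the profile is embedded only when blind marking is off
    AND the caller holds moodle/user:viewdetails."""
    return not blind_marking and can_view_details


def check_response(resp, blind_marking, can_view_details):
    """Return (ok, reason). A Moodle error envelope is always a failure:
    that is the symptom this issue describes (required 'user' missing)."""
    if "exception" in resp:
        return False, "WS error: %s (%s)" % (resp.get("errorcode"), resp.get("message"))
    has_user = isinstance(resp.get("user"), dict) and bool(resp["user"])
    want_user = expected_user_visible(blind_marking, can_view_details)
    if has_user != want_user:
        return False, "user field %s but expected %s" % (
            "present" if has_user else "absent", "present" if want_user else "absent")
    return True, "ok"


# Constructed sample responses (truncated to the fields the checks look at).
SAMPLE_WITH_USER = {"id": 106, "user": {"id": 106, "fullname": "Student One"}}
SAMPLE_WITHOUT_USER = {"id": 106}
SAMPLE_PRE_FIX_ERROR = {"exception": "invalid_response_exception",
                        "errorcode": "invalidresponse",
                        "message": "constructed sample of the pre-fix failure"}
```

Running `check_response(call_ws(...), blind_marking, can_view_details)` after each reconfiguration step reproduces the manual checks; a pre-fix site fails steps 8 and 10 with the error branch rather than with a missing field.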


              Dates

              • Fix Release Date:
                8/May/17