Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-56138

Ensure searching does not reveal information it shouldn't

    XMLWordPrintable

    Details

    • Type: Task
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 3.2
    • Fix Version/s: 3.2
    • Component/s: Messages
    • Labels:
    • Testing Instructions:
      Hide
      1. Create two courses.
      2. Enrol one set of students in one course and the others in the second course.
      3. Log in as one of the students and go to the messaging page "User menu > Messages".
      4. Click on contacts, and then try to search for the course that the user is not enrolled in. The course should not show up.
      5. Search for the course that the user is enrolled in. It should show up. Clicking the course will show users in that course.
      6. Do a search for a user in a different course. It should still be possible to find any student on the site.

      Removing permission to view participants

      1. Log in as the admin and navigate to a course.
      2. Go to "Course administration > Users > Permissions" and remove "Student" from "View participants" and put them as Prohibited.
      3. Log in as a student that is enrolled in the course with the changed permissions.
      4. Go to the messaging page.
      5. Try to search for the course.
      6. The student should no longer be able to find the course.
      Show
      Create two courses. Enrol one set of students in one course and the others in the second course. Log in as one of the students and go to the messaging page "User menu > Messages". Click on contacts, and then try to search for the course that the user is not enrolled in. The course should not show up. Search for the course that the user is enrolled in. It should show up. Clicking the course will show users in that course. Do a search for a user in a different course. It should still be possible to find any student on the site. Removing permission to view participants Log in as the admin and navigate to a course. Go to "Course administration > Users > Permissions" and remove "Student" from "View participants" and put them as Prohibited. Log in as a student that is enrolled in the course with the changed permissions. Go to the messaging page. Try to search for the course. The student should no longer be able to find the course.
    • Affected Branches:
      MOODLE_32_STABLE
    • Fixed Branches:
      MOODLE_32_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      wip-MDL-56138-master

      Description

      The user should not be able to search courses they do not have access to, or see students belonging to those courses.

        Attachments

          Activity

            People

            • Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:
                Fix Release Date:
                5/Dec/16