Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-56138

Ensure searching does not reveal information it shouldn't

    XMLWordPrintable

    Details

    • Type: Task
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 3.2
    • Fix Version/s: 3.2
    • Component/s: Messages
    • Labels:
    • Testing Instructions:
      Hide
      1. Create two courses.
      2. Enrol one set of students in one course and the others in the second course.
      3. Log in as one of the students and go to the messaging page "User menu > Messages".
      4. Click on contacts, and then try to search for the course that the user is not enrolled in. The course should not show up.
      5. Search for the course that the user is enrolled in. It should show up. Clicking the course will show users in that course.
      6. Do a search for a user in a different course. It should still be possible to find any student on the site.

      Removing permission to view participants

      1. Log in as the admin and navigate to a course.
      2. Go to "Course administration > Users > Permissions" and remove "Student" from "View participants" and put them as Prohibited.
      3. Log in as a student that is enrolled in the course with the changed permissions.
      4. Go to the messaging page.
      5. Try to search for the course.
      6. The student should no longer be able to find the course.
      Show
      Create two courses. Enrol one set of students in one course and the others in the second course. Log in as one of the students and go to the messaging page "User menu > Messages". Click on contacts, and then try to search for the course that the user is not enrolled in. The course should not show up. Search for the course that the user is enrolled in. It should show up. Clicking the course will show users in that course. Do a search for a user in a different course. It should still be possible to find any student on the site. Removing permission to view participants Log in as the admin and navigate to a course. Go to "Course administration > Users > Permissions" and remove "Student" from "View participants" and put them as Prohibited. Log in as a student that is enrolled in the course with the changed permissions. Go to the messaging page. Try to search for the course. The student should no longer be able to find the course.
    • Affected Branches:
      MOODLE_32_STABLE
    • Fixed Branches:
      MOODLE_32_STABLE
    • Epic Link:
    • Pull from Repository:
    • Pull Master Branch:
      wip-MDL-56138-master
    • Pull Master Diff URL:

      Description

      The user should not be able to search courses they do not have access to, or see students belonging to those courses.

        Attachments

          Activity

            People

            Assignee:
            abgreeve Adrian Greeve
            Reporter:
            markn Mark Nelson
            Peer reviewer:
            cameron1729
            Integrator:
            Andrew Nicols
            Tester:
            John Okely
            Participants:
            Component watchers:
            Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Ilya Tregubov, Sara Arjona (@sarjona)
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:
              Fix Release Date:
              5/Dec/16