Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-56285

In learning plan templates, cannot move competencies around even if capability "templatemanage" is given to the role because of bad context check

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1, 3.1.1, 3.1.2
    • Fix Version/s: 3.1.3
    • Component/s: Competencies
    • Labels:
    • Testing Instructions:
      Hide
      • connect with admin account
      • create category "Cat test template"
      • create a competency framework in category "Cat test template"
      • add competency A and competency B
      • create a learning plan template in the category "Cat test template"
      • add new role "Managetemplate" in category "Cat test template"
      • create a user "User templatemanage"
      • go the category "Cat test template" and in assign role, add the user to the role
      • connect with "User templatemanage" and go to the category "Cat test template"
      • go the template learning plan and reorder the competencies (drag and drop)
      • make sure there is no permission error.
      Show
      connect with admin account create category "Cat test template" create a competency framework in category "Cat test template" add competency A and competency B create a learning plan template in the category "Cat test template" add new role "Managetemplate" in category "Cat test template" create a user "User templatemanage" go the category "Cat test template" and in assign role, add the user to the role connect with "User templatemanage" and go to the category "Cat test template" go the template learning plan and reorder the competencies (drag and drop) make sure there is no permission error.
    • Affected Branches:
      MOODLE_31_STABLE
    • Fixed Branches:
      MOODLE_31_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-56285-master

      Description

      While testing around with learning plan templates, we manage to come across a bug concerning the capability "templatemanage". it seems that Moodle checks the capability at the system level :

      Competency/api.php
        /**
           * Move the template competency up or down in the display list.
           *
           * Requires moodle/competency:templatemanage capability at the system context.
           *
           * @param int $templateid The template id
           * @param int $competencyidfrom The id of the competency we are moving.
           * @param int $competencyidto The id of the competency we are moving to.
           * @return boolean
           */
          public static function reorder_template_competency($templateid, $competencyidfrom, $competencyidto) {
              static::require_enabled();
             // First we do a permissions check.
              $context = context_system::instance();
       
              require_capability('moodle/competency:templatemanage', $context);
      

      Moodle should check the context of the template instead :

       /**
           * Move the template competency up or down in the display list.
           *
           * Requires moodle/competency:templatemanage capability at the system context.
           *
           * @param int $templateid The template id
           * @param int $competencyidfrom The id of the competency we are moving.
           * @param int $competencyidto The id of the competency we are moving to.
           * @return boolean
           */
          public static function reorder_template_competency($templateid, $competencyidfrom, $competencyidto) {
              static::require_enabled();
       
             // First we do a permissions check.
              $template = new template($templateid);
      if (!$template->can_manage()) {
          throw new required_capability_exception($template->get_context(), 'moodle/competency:templatemanage','nopermissions', '');
      }
      

      Otherwise, a user within a category context will get a "no permission" error every time he/she tries to move a competency in his learning plan templates.

        Attachments

          Activity

            People

            • Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:
                Fix Release Date:
                14/Nov/16