Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-57611

Capabilities checks are swapped when viewing logs

    XMLWordPrintable

    Details

    • Testing Instructions:
      Hide

      Without the patch.

      1. Create a course.
      2. Enroll few students.
      3. Enroll at least one non-editing teacher (tutor).
      4. Login as the tutor.
      5. Find one of the students and see their profiles.
      6. Under the Reports section you should see Today's logs and All logs (and probably others).
      7. Login back as admin.
      8. Change the non-editing teacher's role.
      9. Make the "View today's logs" capability to NOT SET.
      10. Login back as tutor.
      11. Find one of the students and see their profiles.
      12. Under the Reports section you still can see Today's logs and but not the All logs.
      13. Try the opposite way.
      14. Give back the "View today's log" capability but take out the "View course logs" capability.
      15. The tutor still can see the "All logs" report but not the "Today's log" report.

      With the patch, the correct displaying of reports should correspond to the permission
      settings.

      Show
      Without the patch. Create a course. Enroll few students. Enroll at least one non-editing teacher (tutor). Login as the tutor. Find one of the students and see their profiles. Under the Reports section you should see Today's logs and All logs (and probably others). Login back as admin. Change the non-editing teacher's role. Make the "View today's logs" capability to NOT SET. Login back as tutor. Find one of the students and see their profiles. Under the Reports section you still can see Today's logs and but not the All logs. Try the opposite way. Give back the "View today's log" capability but take out the "View course logs" capability. The tutor still can see the "All logs" report but not the "Today's log" report. With the patch, the correct displaying of reports should correspond to the permission settings.
    • Affected Branches:
      MOODLE_31_STABLE, MOODLE_32_STABLE, MOODLE_33_STABLE
    • Fixed Branches:
      MOODLE_32_STABLE, MOODLE_33_STABLE
    • Pull Master Branch:
       MDL-57611-master

      Description

      Hi All,
      it looks like the
      View today's log capability (https://docs.moodle.org/31/en/Capabilities/report/log:viewtoday)
      and the
      View course logs capability (https://docs.moodle.org/31/en/Capabilities/report/log:view)
      are swapped.

      create a course
      enroll few students
      enroll at least one non-editing teacher (tutor)

      login as the tutor
      find one of the students and see their profiles
      under the Reports section you should see Today's logs and All logs (and probably others)

      login back as admin
      change the non-editing teacher's role
      make the "View today's logs" capability to NOT SET
      login back as tutor
      find one of the students and see their profiles
      under the Reports section you still can see Today's logs and but not the All logs

      try the opposite way
      give back the "View today's log" capability but take out the "View course logs" capability
      the tutor still can see the "All logs" report but not the "Today's log" report.

      and it is because there is a tiny mistake in the code:
      see /report/log/lib.php, from line 95 in
      function report_log_can_access_user_report($user, $course)

      the code right now is:

      if (has_capability('report/log:view', $coursecontext)) { $today = true; }

      if (has_capability('report/log:viewtoday', $coursecontext)) { $all = true; }

      and it should be:

      if (has_capability('report/log:viewtoday', $coursecontext))

      { $today = true; }

      if (has_capability('report/log:view', $coursecontext))

      { $all = true; }

      I am sorry not to provide the code on GitHub, I have got account and everything but I do not have time to do it properly. I guess it is the same for other versions as well, but right now I work with 3.1.3. I have also checked in 2.9.4 and 3.0.4, the bug is there.

      I hope you find it helpful.

      Thanks
      Frank

        Attachments

          Activity

            People

            Assignee:
            jebarvia Joshua Ebarvia
            Reporter:
            lengyelke Ferenc Lengyel
            Peer reviewer:
            Ankit Agarwal
            Integrator:
            Jun Pataleta
            Tester:
            Mark Nelson
            Participants:
            Component watchers:
            Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias, Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Sara Arjona (@sarjona)
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:
              Fix Release Date:
              11/Sep/17