Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-57611

Capabilities checks are swapped when viewing logs

    XMLWordPrintable

Details

    • MOODLE_31_STABLE, MOODLE_32_STABLE, MOODLE_33_STABLE
    • MOODLE_32_STABLE, MOODLE_33_STABLE
    •  MDL-57611-master
    • Hide

      Without the patch.

      1. Create a course.
      2. Enroll few students.
      3. Enroll at least one non-editing teacher (tutor).
      4. Login as the tutor.
      5. Find one of the students and see their profiles.
      6. Under the Reports section you should see Today's logs and All logs (and probably others).
      7. Login back as admin.
      8. Change the non-editing teacher's role.
      9. Make the "View today's logs" capability to NOT SET.
      10. Login back as tutor.
      11. Find one of the students and see their profiles.
      12. Under the Reports section you still can see Today's logs and but not the All logs.
      13. Try the opposite way.
      14. Give back the "View today's log" capability but take out the "View course logs" capability.
      15. The tutor still can see the "All logs" report but not the "Today's log" report.

      With the patch, the correct displaying of reports should correspond to the permission
      settings.

      Show
      Without the patch. Create a course. Enroll few students. Enroll at least one non-editing teacher (tutor). Login as the tutor. Find one of the students and see their profiles. Under the Reports section you should see Today's logs and All logs (and probably others). Login back as admin. Change the non-editing teacher's role. Make the "View today's logs" capability to NOT SET. Login back as tutor. Find one of the students and see their profiles. Under the Reports section you still can see Today's logs and but not the All logs. Try the opposite way. Give back the "View today's log" capability but take out the "View course logs" capability. The tutor still can see the "All logs" report but not the "Today's log" report. With the patch, the correct displaying of reports should correspond to the permission settings.

    Description

      Hi All,
      it looks like the
      View today's log capability (https://docs.moodle.org/31/en/Capabilities/report/log:viewtoday)
      and the
      View course logs capability (https://docs.moodle.org/31/en/Capabilities/report/log:view)
      are swapped.

      create a course
      enroll few students
      enroll at least one non-editing teacher (tutor)

      login as the tutor
      find one of the students and see their profiles
      under the Reports section you should see Today's logs and All logs (and probably others)

      login back as admin
      change the non-editing teacher's role
      make the "View today's logs" capability to NOT SET
      login back as tutor
      find one of the students and see their profiles
      under the Reports section you still can see Today's logs and but not the All logs

      try the opposite way
      give back the "View today's log" capability but take out the "View course logs" capability
      the tutor still can see the "All logs" report but not the "Today's log" report.

      and it is because there is a tiny mistake in the code:
      see /report/log/lib.php, from line 95 in
      function report_log_can_access_user_report($user, $course)

      the code right now is:

      if (has_capability('report/log:view', $coursecontext)) { $today = true; }

      if (has_capability('report/log:viewtoday', $coursecontext)) { $all = true; }

      and it should be:

      if (has_capability('report/log:viewtoday', $coursecontext))

      { $today = true; }

      if (has_capability('report/log:view', $coursecontext))

      { $all = true; }

      I am sorry not to provide the code on GitHub, I have got account and everything but I do not have time to do it properly. I guess it is the same for other versions as well, but right now I work with 3.1.3. I have also checked in 2.9.4 and 3.0.4, the bug is there.

      I hope you find it helpful.

      Thanks
      Frank

      Attachments

        Activity

          People

            jebarvia Joshua Ebarvia
            lengyelke Ferenc Lengyel
            Ankit Agarwal Ankit Agarwal
            Jun Pataleta Jun Pataleta
            Mark Nelson Mark Nelson
            Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias, Sujith Haridasan, Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Ilya Tregubov, Sara Arjona (@sarjona)
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:
              11/Sep/17