[MDL-59172] update user_can_view_profile to check for "viewalldetails" - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 3.3
Fix Version/s: 3.2.5, 3.3.2
Component/s: Libraries, User management
Labels:
- api_change
- ci
- triaged

Affected Branches:
MOODLE_33_STABLE
Fixed Branches:
MOODLE_32_STABLE, MOODLE_33_STABLE
Epic Link:
TODOs in core
Pull from Repository:
https://github.com/snake/moodle.git
Pull Master Branch:
~~MDL-59172~~-master
Pull Master Diff URL:
https://github.com/moodle/moodle/compare/8146b1f06d...snake:MDL-59172-master
Testing Instructions:
Hide

This is covered by unit tests, but we'll check anyway

Make sure there are no courses on your site. We don't want interference here.

As admin user, create a course and enrol a student. Remember the student id

Now, assign a course creator at system level.

Log in as the course creator and view your profile

Swap the ?id=x for the student id and confirm that you can't access the profile.

Now, log in as admin again and edit the course creator role.

Grant the 'viewalldetails' capability to this role.

Now, log in as the course creator again and try to view the student profile like you did before.

Confirm that you are able to view the student profile

Clean up: Remove the 'viewalldetails' capability from the course creator role.
Show
This is covered by unit tests, but we'll check anyway Make sure there are no courses on your site. We don't want interference here. As admin user, create a course and enrol a student. Remember the student id Now, assign a course creator at system level. Log in as the course creator and view your profile Swap the ?id=x for the student id and confirm that you can't access the profile. Now, log in as admin again and edit the course creator role. Grant the 'viewalldetails' capability to this role. Now, log in as the course creator again and try to view the student profile like you did before. Confirm that you are able to view the student profile Clean up: Remove the 'viewalldetails' capability from the course creator role.

Sprint:
3.4 Sprint 3

Description

Api user_can_view_profile() should check for both "viewdetail" and "viewalldetails" caps.

Attachments

Activity

People

Assignee:: Jake Dallimore

Reporter:: Ankit Agarwal

Peer reviewer:: Ankit Agarwal

Integrator:: Dan Poltawski

Tester:: Mark Nelson

Participants:: Andrew Lyons, Ankit Agarwal, CiBoT, Dan Poltawski, Jake Dallimore, Mark Nelson

Component watchers:: Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Ilya Tregubov, Laurent David, Raquel Ortega, Sara Arjona (@sarjona), Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Ilya Tregubov, Laurent David, Raquel Ortega, Sara Arjona (@sarjona)

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 08/Jun/17 12:29 AM

Updated:: 11/Aug/17 1:42 AM

Resolved:: 11/Aug/17 1:42 AM

Fix Release Date:: 11/Sep/17