I saw this while working on MDL-58953. The original function, user_can_view_profile($user, $course) was introduced in ---------MDL-27177---------, and was designed to be used to check whether the current user could view another user's (as specified by $user) course profile.

It provides 2 modes of checking this, depending on whether the $course param is provided:

• If provided, only permissions in that specific course are checked.
• If not provided, then it attempts to check all courses using enrol_get_shared_courses(). This function assumes that both the current user and the other user ($user) are both enrolled in the courses it returns. What this calls fails to capture however, are situations like when a manager has the capability 'user:viewdetails' in a course, but is not necessarily enrolled in said course.

I think what this function should be doing, when $course is not supplied, is checking all places which the $user is enrolled, not just the shared courses as this missed some courses where the current user may be able to view the profile.

Example (Replication steps):

Consider the following example using a manager override:

• Make sure you have just 1 course on the site with only 1 enrolled student, s1.
• Edit the manager role (define roles) and set 'viewdetails' and 'viewalldetails' to prevent.
• Assign manager role to a user at system level.
• Edit permissions in the course and override the manager role's capabilities, setting 'viewdetails' to 'allow'.
• View the user's profile within the course and confirm that you see the profile information (user pic might be missing - this is being addressed in MDL-59826)
• Now, view your own profile from the user menu and change the id to that of s1.
• Observe that you cannot view this profile, despite being able to view it in the course. This is a bug.

Given the above, the manager is now NOT enrolled in the course, thus this is not a shared course. They also have no capabilities in the user context (prevented), thus that check fails. This causes the user_can_view_profile() function to return false -  incorrectly, as the current user can view details of users in that course.