Moodle / MDL-59833

Don't disclose groups on participants page

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 3.4
    • Fix Version/s: 3.4
    • Component/s: User management
    • Labels:
    • Testing Instructions:
      1. Create a course.
      2. Assign 3 (A, B and C) students to the course.
      3. Create two groups (G1 and G2).
      4. Assign A and B to G1.
      5. Assign A and C to G2.
      6. Visit 'Site administration' > 'Users' > 'Permissions' > 'User policies'.
      7. Select 'Groups' in the 'Hide user fields' setting and click save.
      8. Visit the course.
      9. Click on participants.
      10. Ensure you can see the groups column.
      11. Log in as user A.
      12. Visit the course.
      13. Click on participants.
      14. Ensure you cannot see the groups column.
    • Affected Branches:
      MOODLE_34_STABLE
    • Fixed Branches:
      MOODLE_34_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-59833_master

      Description

      Don't show groups if groups is in hiddenuserfields and user cannot see hidden fields.

      From Marina - "I followed this up a little more. In 3.3 student can see groups of other students on their course profile page. This means that what I originally reported is not a bug or security issue. However if "groups" is selected in $CFG->hiddenuserfields, student will not see list of groups of other students. On master students can always see the groups. So security aspect is still there".
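
      A stand-alone model of the check described above, added here as an example; it is not Moodle's code or the patch for this issue. It assumes the hidden-fields setting is a comma-separated string, and the function names and the `$canviewhidden` flag (standing in for a capability check such as `moodle/course:viewhiddenuserfields`) are hypothetical. It removes the hidden values from the row data as well as from the column list, so the groups are not sent to a viewer who should not see them.

```php
<?php
// Added example: a model of the visibility check, not Moodle's implementation.
// Assumption: the hidden-fields setting is stored as a comma-separated string.

/** Parse the setting into a list of field names, ignoring blanks. */
function hidden_fields(string $setting): array {
    return array_values(array_filter(array_map('trim', explode(',', $setting)), 'strlen'));
}

/**
 * Return the columns this viewer may see.
 * $canviewhidden is a hypothetical flag standing in for the capability check.
 */
function visible_columns(array $columns, string $setting, bool $canviewhidden): array {
    if ($canviewhidden) {
        return $columns;
    }
    return array_values(array_diff($columns, hidden_fields($setting)));
}

/** Drop hidden values from every row so they never reach the rendered page. */
function filter_rows(array $rows, array $visible): array {
    $keep = array_flip($visible);
    return array_map(fn(array $row) => array_intersect_key($row, $keep), $rows);
}

// Constructed data matching the testing instructions:
// A and B are in G1, A and C are in G2, and 'Groups' is ticked in 'Hide user fields'.
$columns = ['fullname', 'groups'];
$rows = [
    ['fullname' => 'A', 'groups' => 'G1, G2'],
    ['fullname' => 'B', 'groups' => 'G1'],
    ['fullname' => 'C', 'groups' => 'G2'],
];
$setting = 'groups';

// First viewer holds the capability, second is student A without it.
foreach (['privileged viewer' => true, 'student A' => false] as $viewer => $canviewhidden) {
    $visible = visible_columns($columns, $setting, $canviewhidden);
    echo $viewer, ': columns=', implode(',', $visible), ' rows=',
        json_encode(filter_rows($rows, $visible)), PHP_EOL;
}
```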

              People

              Assignee:
              markn Mark Nelson
              Reporter:
              damyon Damyon Wiese
              Peer reviewer:
              Adrian Greeve
              Integrator:
              Jun Pataleta
              Tester:
              David Mudrák (@mudrd8mz)
              Participants:
              Component watchers:
              Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Sara Arjona (@sarjona)

                Dates

                Created:
                Updated:
                Resolved:
                Fix Release Date:
                13/Nov/17