[MDL-59847] Check situation when city/country are hiddenfields and identityfields at the same time - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 3.4, 3.4.4, 3.5.1
Fix Version/s: 3.4.5, 3.5.2
Component/s: Roles / Access, User management
Labels:
- ci
- release_notes
- triaged

Testing Instructions:
Hide

Human testing is not strictly necessary as the functionality is covered by unit tests.

If required, the human testing should focus on following scenarios. No point to provide detailed steps to reproduce as those were already checked obviously. The human testing could be more of exploration style seeking for more places not covered by this patch.

Select Country and City as hiddenuserfields fields (Users > Permissions > User policies > Hide user fields)

Select Country and City as showuseridentity fields (Users > Permissions > User policies > Show user identity)

Check various places where we display list of users, both inside courses and outside courses - such as:

Course participants page

Group membership UI inside a course

Manual enrolment UI inside a course

Cohort membership UI outside a course

Make sure that depending on the logged user and the permissions:

The user needs https://docs.moodle.org/en/Capabilities/moodle/site:viewuseridentity to have the fields Country and City shown as user identifiers on these lists. Without this capability, they should not appear at all.

When outside the course, the user also needs to have https://docs.moodle.org/en/Capabilities/moodle/user:viewhiddendetails to see the hiddenCountry and City fields in lists

When inside a course, the user also needs to have https://docs.moodle.org/35/en/Capabilities/moodle/course:viewhiddenuserfields to see the Country and City fields in lists

Please note that currently, displaying these fields on users profile pages is implemented separately and has not been affected in this issue.
Show
Human testing is not strictly necessary as the functionality is covered by unit tests. If required, the human testing should focus on following scenarios. No point to provide detailed steps to reproduce as those were already checked obviously. The human testing could be more of exploration style seeking for more places not covered by this patch. Select Country and City as hiddenuserfields fields (Users > Permissions > User policies > Hide user fields) Select Country and City as showuseridentity fields (Users > Permissions > User policies > Show user identity) Check various places where we display list of users, both inside courses and outside courses - such as: Course participants page Group membership UI inside a course Manual enrolment UI inside a course Cohort membership UI outside a course Make sure that depending on the logged user and the permissions: The user needs https://docs.moodle.org/en/Capabilities/moodle/site:viewuseridentity to have the fields Country and City shown as user identifiers on these lists. Without this capability, they should not appear at all. When outside the course, the user also needs to have https://docs.moodle.org/en/Capabilities/moodle/user:viewhiddendetails to see the hiddenCountry and City fields in lists When inside a course, the user also needs to have https://docs.moodle.org/35/en/Capabilities/moodle/course:viewhiddenuserfields to see the Country and City fields in lists Please note that currently, displaying these fields on users profile pages is implemented separately and has not been affected in this issue.
Affected Branches:
MOODLE_34_STABLE, MOODLE_35_STABLE
Fixed Branches:
MOODLE_34_STABLE, MOODLE_35_STABLE
Epic Link:
Merge Participants page follow-up
Pull from Repository:
https://github.com/snake/moodle.git
Pull 3.5 Branch:
~~MDL-59847~~-35
Pull 3.5 Diff URL:
https://github.com/moodle/moodle/compare/a1d89760050...snake:MDL-59847-35
Pull Master Branch:
~~MDL-59847~~-master
Pull Master Diff URL:
https://github.com/moodle/moodle/compare/6e8235c7d3...snake:MDL-59847-master

Description

Create a situation when city/country are in both $CFG->showuseridentity and $CFG->hiddenuserfields

Make sure that user who has 'moodle/site:viewuseridentity' capability but does not have capability 'moodle/course:viewhiddenuserfields' can never see city and country of other users.

Before ~~MDL-59436~~ the lists $CFG->showuseridentity and $CFG->hiddenuserfields never overlapped and it is VERY possible that we do not check viewhiddenuserfields when preparing list of showuseridentity fields

See also discussions https://tracker.moodle.org/browse/MDL-59370?focusedCommentId=475653&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-475653

Attachments

Issue Links

has a non-specific relationship to

MDL-60191 Visibility problems with identity fields like email or phone

Closed

has been marked as being related by

MDL-66471 Adding user to role in course category causes: "The user_selector classes do not support custom list of extra identity fields any more..."

Closed

MDL-59436 Remove the columns from the participants page that are not in showuseridentity

Closed

Activity

People

Assignee:: David Mudrák (@mudrd8mz)

Reporter:: Marina Glancy

Peer reviewer:: Jake Dallimore

Integrator:: Andrew Nicols

Tester:: CiBoT

Participants:: Andrew Nicols, CiBoT, Damyon Wiese, David Mudrák (@mudrd8mz), Jake Dallimore, Marina Glancy, Neill Magill

Component watchers:: Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Ilya Tregubov, Sara Arjona (@sarjona), Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Ilya Tregubov, Sara Arjona (@sarjona)

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 17/Aug/17 7:13 PM

Updated:: 22/Aug/19 11:09 PM

Resolved:: 03/Aug/18 10:34 PM

Fix Release Date:: 10/Sep/18