  1. Moodle
  2. MDL-61450

error/nopermission shown on course event summary modal for user not enrolled in course


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.4.1, 3.6.6
    • Fix Version/s: 3.6.7, 3.7.3
    • Component/s: Calendar
    • Labels:

      Description

      A user who is not enrolled in a course, but who has course:view permissions, sees error/nopermission in the calendar event popover when clicking an event in the Upcoming Events block.

      The calendar_view_event_allowed() function within calendar/lib.php returns false for a given course event, even if the logged in user has course:view permission to the course and would normally be able to view the event from the course page's Upcoming Events block or the calendar/view.php page.

      If the user is enrolled in the course, this issue does not occur. However, if the user has course:view, such that they can view the course without being enrolled, we see the issue.

      Instructions to Reproduce

      1. Define a role "testeventviewer"
      2. Add 'category' to the context types where the testeventviewer role can be assigned
      3. Add the moodle/course:view capability ("View courses without participation") to the role
      4. Add a category
      5. Assign the role testeventviewer in the context of this category to a test end user
      6. Add a course in the new category
      7. Add a course event to this course "Test course event", a couple of days in the future so it should appear in Upcoming Events
      8. Add an Upcoming Events block to the course page if not already existing
      9. Ensure the end user is not enrolled in the target course, but verify they appear in Users > Other users with the testeventviewer role
      10. Log in as the end user, go to the course page
      11. Click on the created event "Test course event" in the Upcoming Events block
      12. Note that the error/nopermission error is displayed in the popover instead of the event details.
      13. Note that it is still possible to right-click the "Test course event" and open in a new tab to bypass the popover and the user can view the event details on the calendar/view.php page.

      Expected Behaviour

      At step 12, the event popover should appear with "Test course event" details, because the user does have permission to view the event.

      Actual Behaviour

      The event popover appears with:

       

      error/nopermission
      File: /calendar/externallib.php
      Line: 786

      Stack trace:
      Error code: nopermission
      $a contents: View courses without participation
      * line 786 of /calendar/externallib.php: required_capability_exception thrown
      * line 228 of /lib/externallib.php: call to core_calendar_external::get_calendar_event_by_id()
      * line 59 of /lib/ajax/service.php: call to external_api::call_external_function()

       
       

      Patch

      The attached patch adds a call to can_access_course() to function calendar_view_event_allowed() and resolves the issue specifically for course events connected to modules. However, it is acknowledged that this patch may not be complete – there are probably other cases where this is an issue and it may not be the 'right' approach!

      --- calendar/lib.php
      +++ calendar/lib.php
      @@ -2174,6 +2174,10 @@ function calendar_view_event_allowed(calendar_event $event) {
                   return false;
               }
               $mycourses = enrol_get_my_courses('id');
      +
      +        if (can_access_course($DB->get_record('course', array('id' => $courseid ), '*', MUST_EXIST))) {
      +            return true;
      +        }
               return isset($mycourses[$courseid]);
           } else if ($event->categoryid) {
               // If this is a category we need to be able to see the category.
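
      Review bot: In the added block of the calendar_view_event_allowed() hunk, the course lookup passes MUST_EXIST, so a missing course row raises an exception inside a permission check whose neighbouring paths answer with "return false" or "return isset($mycourses[$courseid])"; a lookup that fails closed to false would keep the function's contract. The new check also sits after "$mycourses = enrol_get_my_courses('id');", so that query is wasted whenever can_access_course() returns true; move the block above it or fold both conditions into a single return. No global declaration for $DB is visible in this hunk, so confirm it is in scope, and drop the stray space in "array('id' => $courseid )". Because the early "return true" widens who passes this branch, the change should ship with tests covering a user who holds moodle/course:view without enrolment and a user who has neither.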


              Dates

              • Created:
              • Updated:
              • Resolved:
              • Fix Release Date: 11/Nov/19

              Time Tracking

              • Estimated: 0m (Original Estimate - 0 minutes)
              • Remaining: 0m (Remaining Estimate - 0 minutes)
              • Logged: 5h 24m (Time Spent - 5 hours, 24 minutes)