Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-61450

error/nopermission shown on course event summary modal for user not enrolled in course



    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.4.1, 3.6.6
    • Fix Version/s: 3.6.7, 3.7.3
    • Component/s: Calendar
    • Labels:
    • Testing Instructions:
      1. Create a course
      2. Allow guest access to it.
      3. Go to the calendar and create a course event for the course
      4. Open another browser session (e.g. incognito)
      5. Log in as guest
      6. Go the course
      7. Open the calendar
      8. Confirm that you see the event
      9. Click on the event
      10. Confirm that you see the event details in a modal.
      11. Make sure no permission errors are displayed.
      Create a course Allow guest access to it. Go to the calendar and create a course event for the course Open another browser session (e.g. incognito) Log in as guest Go the course Open the calendar Confirm that you see the event Click on the event Confirm that you see the event details in a modal. Make sure no permission errors are displayed.
    • Affected Branches:
    • Fixed Branches:
    • Pull from Repository:
    • Pull Master Branch:


      A user who is not enrolled in a course, but who has course:view permissions, sees error/nopermission in the calendar event popover when clicking an event in the Upcoming Events block.

      The calendar_view_event_allowed() function within calendar/lib.php returns false for a given course event, even if the logged in user has course:view permission to the course and would normally be able to view the event from the course page's Upcoming Events block or the calendar/view.php page.

      If the user is enrolled in the course, this issue does not occur. However, if the user has course:view, such that they can view the course without being enrolled, we see the issue.

      Instructions to Reproduce

      1. Define a role "testeventviewer"
      2. Add 'category' to the context types where the testeventviewer role can be assigned
      3. Add the moodle/course:view capability ("View courses without participation") to the role
      4. Add a category
      5. Assign the role testeventviewer in the context of this category to a test end user
      6. Add a course in the new category
      7. Add a course event to this course "Test course event", a couple of days in the future so it should appear in Upcoming Events
      8. Add an Upcoming Events block to the course page if not already existing
      9. Ensure the end user is not enrolled in the target course, but verify they appear in Users > Other users with the testeventviewer role
      10. Log in as the end user, go to the course page
      11. Click on the created event "Test course event" in the Upcoming Events block
      12. Note that the error/nopermission error is displayed in the popover instead of the event details.
      13. Note that it is still possible to right-click the "Test course event" and open in a new tab to bypass the popover and the user can view the event details on the calendar/view.php page.

      Expected Behaviour

      At step 12, the event popover should appear with "Test course event" details, because the user does have permission to view the event.

      Actual Behaviour

      The event popover appears with:


      error/nopermissionFile: /calendar/externallib.php
      Line: 786
      Stack trace:
      Error code: nopermission $a contents:
      View courses without participation
      * line 786 of /calendar/externallib.php: required_capability_exception thrown
      * line 228 of /lib/externallib.php: call to core_calendar_external::get_calendar_event_by_id()
      * line 59 of /lib/ajax/service.php: call to external_api::call_external_function() 



      The attached patch adds a call to can_access_course() to function calendar_view_event_allowed() and resolves the issue specifically for course events connected to modules. However, it is acknowledged that this patch may not be complete – there are probably other cases where this is an issue and it may not be the 'right' approach!

      --- calendar/lib.php
      +++ calendar/lib.php
      @@ -2174,6 +2174,10 @@ function calendar_view_event_allowed(calendar_event $event) {
                   return false;
               $mycourses = enrol_get_my_courses('id');
      +        if (can_access_course($DB->get_record('course', array('id' => $courseid ), '*', MUST_EXIST))) {
      +            return true;
      +        }
               return isset($mycourses[$courseid]);
           } else if ($event->categoryid) {
               // If this is a category we need to be able to see the category.




            lameze Simey Lameze
            TestValleySchool Test Valley School
            Peer reviewer:
            Carlos Escobedo
            Jun Pataleta
            Gladys Basiana
            Component watchers:
            Andrew Nicols, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze
            1 Vote for this issue
            7 Start watching this issue


              Fix Release Date:

                Time Tracking

                Original Estimate - 0 minutes
                Remaining Estimate - 0 minutes
                Time Spent - 5 hours, 24 minutes
                5h 24m