Affects Version/s: 3.4.1, 3.6.6
Create a course Allow guest access to it. Go to the calendar and create a course event for the course Open another browser session (e.g. incognito) Log in as guest Go the course Open the calendar Confirm that you see the event Click on the event Confirm that you see the event details in a modal. Make sure no permission errors are displayed.
- Create a course
- Allow guest access to it.
- Go to the calendar and create a course event for the course
- Open another browser session (e.g. incognito)
- Log in as guest
- Go the course
- Open the calendar
- Confirm that you see the event
- Click on the event
- Confirm that you see the event details in a modal.
- Make sure no permission errors are displayed.
Affected Branches:MOODLE_34_STABLE, MOODLE_36_STABLE
Fixed Branches:MOODLE_36_STABLE, MOODLE_37_STABLE
Pull from Repository:
Pull 3.6 Branch:
Pull 3.6 Diff URL:
Pull 3.7 Branch:
Pull 3.7 Diff URL:
Pull Master Branch:
Pull Master Diff URL:
A user who is not enrolled in a course, but who has course:view permissions, sees error/nopermission in the calendar event popover when clicking an event in the Upcoming Events block.
The calendar_view_event_allowed() function within calendar/lib.php returns false for a given course event, even if the logged in user has course:view permission to the course and would normally be able to view the event from the course page's Upcoming Events block or the calendar/view.php page.
If the user is enrolled in the course, this issue does not occur. However, if the user has course:view, such that they can view the course without being enrolled, we see the issue.
- Define a role "testeventviewer"
- Add 'category' to the context types where the testeventviewer role can be assigned
- Add the moodle/course:view capability ("View courses without participation") to the role
- Add a category
- Assign the role testeventviewer in the context of this category to a test end user
- Add a course in the new category
- Add a course event to this course "Test course event", a couple of days in the future so it should appear in Upcoming Events
- Add an Upcoming Events block to the course page if not already existing
- Ensure the end user is not enrolled in the target course, but verify they appear in Users > Other users with the testeventviewer role
- Log in as the end user, go to the course page
- Click on the created event "Test course event" in the Upcoming Events block
- Note that the error/nopermission error is displayed in the popover instead of the event details.
- Note that it is still possible to right-click the "Test course event" and open in a new tab to bypass the popover and the user can view the event details on the calendar/view.php page.
At step 12, the event popover should appear with "Test course event" details, because the user does have permission to view the event.
The event popover appears with:
The attached patch adds a call to can_access_course() to function calendar_view_event_allowed() and resolves the issue specifically for course events connected to modules. However, it is acknowledged that this patch may not be complete – there are probably other cases where this is an issue and it may not be the 'right' approach!