Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-62273

Profile: Allow plugins to control profile access via callback

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.6
    • Fix Version/s: 3.6
    • Component/s: User management
    • Labels:
    • Testing Instructions:
      Hide

      This test will require (in one step below) using the following PHP code:

      function mod_forum_control_view_profile($user, $course = null, context_user $usercontext = null) {
          return core_user::VIEWPROFILE_DO_NOT_PREVENT;
      }
      

      1. Create a new course. Set the group mode to 'Separate groups'.
      2. Enrol 3 test accounts as students on the course.
      3. Create two groups, A and B.
      4. Add users 1 and 2 into group A, and user 3 into group B.
      5. From the Participants page, copy the URL links to view profile of each of the three users on the course, and store them temporarily (e.g. in Notepad) - alternatively, leave this page open and use a different browser for the next step.
      6. Log in as user 1.
      7. Paste in the link to user 2 profile.
        • EXPECTED (no change): You can see it (they're in the same group)
      8. Paste in the link to user 3 profile.
        • EXPECTED (no change): Error 'You cannot view the profile of this user'
      9. Now we will test adding the callback function. It could be any plugin, but for example, let's use mod_forum. Open mod/forum/lib.php and copy-paste the above PHP function definition into the end of the file.
      10. In order for this to take effect, log in as admin and purge caches (Site administration / Development / Purge call caches).
      11. Log back in as user 1 and paste in the link to user 2 profile.
        • EXPECTED (no change): You can still see it.
      12. Paste in the link to user 3 profile.
        • EXPECTED (no change): You still get the error.
      13. Edit the above code and change the return value from VIEWPROFILE_DO_NOT_PREVENT to VIEWPROFILE_PREVENT.
      14. Paste in the link to user 2 profile.
        • EXPECTED: You now get the error on this profile as well.
      15. Paste in the link to user 3 profile.
        • EXPECTED (no change): You still get the error.
      16. Edit the above code and change the return value from VIEWPROFILE_DO_NOT_PREVENT to VIEWPROFILE_FORCE_ALLOW.
      17. Paste in the link to user 2 profile.
        • EXPECTED: You can see the profile.
      18. Paste in the link to user 3 profile.
        • EXPECTED: You can also see user 3 profile as well now.
      Show
      This test will require (in one step below) using the following PHP code: function mod_forum_control_view_profile($user, $course = null, context_user $usercontext = null) { return core_user::VIEWPROFILE_DO_NOT_PREVENT; } Create a new course. Set the group mode to 'Separate groups'. Enrol 3 test accounts as students on the course. Create two groups, A and B. Add users 1 and 2 into group A, and user 3 into group B. From the Participants page, copy the URL links to view profile of each of the three users on the course, and store them temporarily (e.g. in Notepad) - alternatively, leave this page open and use a different browser for the next step. Log in as user 1. Paste in the link to user 2 profile. EXPECTED (no change): You can see it (they're in the same group) Paste in the link to user 3 profile. EXPECTED (no change): Error 'You cannot view the profile of this user' Now we will test adding the callback function. It could be any plugin, but for example, let's use mod_forum. Open mod/forum/lib.php and copy-paste the above PHP function definition into the end of the file. In order for this to take effect, log in as admin and purge caches (Site administration / Development / Purge call caches). Log back in as user 1 and paste in the link to user 2 profile. EXPECTED (no change): You can still see it. Paste in the link to user 3 profile. EXPECTED (no change): You still get the error. Edit the above code and change the return value from VIEWPROFILE_DO_NOT_PREVENT to VIEWPROFILE_PREVENT . Paste in the link to user 2 profile. EXPECTED: You now get the error on this profile as well. Paste in the link to user 3 profile. EXPECTED (no change): You still get the error. Edit the above code and change the return value from VIEWPROFILE_DO_NOT_PREVENT to VIEWPROFILE_FORCE_ALLOW . Paste in the link to user 2 profile. EXPECTED: You can see the profile. Paste in the link to user 3 profile. EXPECTED: You can also see user 3 profile as well now.
    • Affected Branches:
      MOODLE_36_STABLE
    • Fixed Branches:
      MOODLE_36_STABLE
    • Pull Master Branch:
      MDL-62273-master

      Description

      At present, user profile access in Moodle is controlled using the user_can_view_profile function. This applies a number of restrictions (for example, you must normally be enrolled on the same course, unless you have certain capabilities).

      There are cases where, in a specific institution, it might be necessary to override this behaviour - either to prevent view of a user's profile, or occasionally to allow it when it would normally be prevented.

      I propose implementing a new callback control_view_profile which would allow any plugin to alter this permission according to custom logic.

      Most likely this would be implemented by a local plugin at the institution that wants to apply additional profile access rules.

        Attachments

          Activity

            People

            • Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:
                Fix Release Date:
                3/Dec/18