Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-62600

Admin is misinformed that there are no data requests

    XMLWordPrintable

    Details

    • Testing Instructions:
      Hide

      Setup:

      1. Ensure you have at least 2 admin users, and one non-admin user set up on your test Moodle site. These will be referred to as 'adminPO', 'adminNormal' and 'studentuser' respectively.
      2. If a privacy officer role does not already exist on your test site, visit https://docs.moodle.org/35/en/Privacy_officer_role and follow the 'Role set-up' instructions. Make note of the role name and short name, these will be referenced later (eg Privacy Officer, privacyofficer).
      3. Use the 'Role assignment' instructions on that page to assign only the adminPO user as a Privacy officer.

      Testing link restrictions are applied when PO assigned
      This tests only non-PO admins now receive a custom error message, other users' access/errors remain unchanged.

      1. Log into your test site as adminPO.
      2. Navigate to Site administration > Users and scroll down to 'Privacy and policies'.
      3. CONFIRM you see links to the following options:
        1. Data requests
        2. Data registry
        3. Data deletion
        4. Plugin privacy registry
      4. Open each of the four links in new tabs. NOTE: You should keep these 4 tabs, plus your current tab (Site administration > Users) open for the remainder of the test, so do not close them when looking at the other tabs.
      5. Visit each of the four new tabs, and CONFIRM each of the pages loads in full. For example:
        1. 'Data registry' will show options relating to site category and purpose.
        2. 'Data deletion' will have a dropdown with values such as Course and User.
        3. 'Plugin privacy registry' will show a long list of expandable sections.
      6. Log out and log back in as adminNormal.
      7. Navigate back to your browser tab for Site administration > Users. Perform a hard refresh on the page, and then scroll down to 'Privacy and policies'.
      8. CONFIRM you DO NOT see links to the following options:
        1. Data requests
        2. Data registry
        3. Data deletion
        4. Plugin privacy registry
      9. Visit each of the four other tabs you have open from earlier, perform a hard refresh on each, then CONFIRM the page content described earlier is now replaced with an error message reading "Only users who are assigned a privacy officer role ( {shortname}) have access to this content ", where {shortname} is your privacy officer role's shortname (eg privacyofficer).
      10. Log out and log back in as studentuser.
      11. Visit each of the four options tabs you have open from earlier, perform a hard refresh on each, then CONFIRM the page content described earlier is now replaced with an error message reading "Sorry, but you do not currently have permissions to do that (Manage data registry)".

      Testing link restrictions are applied when no PO assigned
      This tests admins are not restricted from viewing the pages tested earlier, but non-admins are still restricted.

      1. Log into your test site as adminPO.
      2. Navigate to Site administration > Users > Assign system roles.
      3. Click on the 'Privacy officer' role (or whatever you configured the role name as in the setup steps).
      4. Under 'Existing users', select adminPO, then click the 'Remove' button. CONFIRM Existing users now shows as 'None'.
      5. Repeat steps 2-5 above and CONFIRM all pages load in full.
      6. Close the browser tabs, rather than refreshing them as you did earlier.
      7. Log out and log back in as adminNormal.
      8. Repeat steps 2-5 above and CONFIRM all pages load in full (no longer show an error message).
      9. Close the browser tabs, rather than refreshing them as you did earlier.
      10. Log out and log back in as studentuser.
      11. Visit each of the following pages in your test site, and CONFIRM you receive the error message "Sorry, but you do not currently have permissions to do that (Manage data registry)", and the full page content available to the admin users does not load:
        {wwwroot}/admin/tool/dataprivacy/datarequests.php
        {wwwroot}/admin/tool/dataprivacy/dataregistry.php
        {wwwroot}/admin/tool/dataprivacy/datadeletion.php
        {wwwroot}/admin/tool/dataprivacy/pluginregistry.php
      Show
      Setup: Ensure you have at least 2 admin users, and one non-admin user set up on your test Moodle site. These will be referred to as 'adminPO', 'adminNormal' and 'studentuser' respectively. If a privacy officer role does not already exist on your test site, visit https://docs.moodle.org/35/en/Privacy_officer_role and follow the 'Role set-up' instructions. Make note of the role name and short name, these will be referenced later (eg Privacy Officer, privacyofficer). Use the 'Role assignment' instructions on that page to assign only the adminPO user as a Privacy officer. Testing link restrictions are applied when PO assigned This tests only non-PO admins now receive a custom error message, other users' access/errors remain unchanged. Log into your test site as adminPO. Navigate to Site administration > Users and scroll down to 'Privacy and policies'. CONFIRM you see links to the following options: Data requests Data registry Data deletion Plugin privacy registry Open each of the four links in new tabs. NOTE: You should keep these 4 tabs, plus your current tab (Site administration > Users) open for the remainder of the test, so do not close them when looking at the other tabs. Visit each of the four new tabs, and CONFIRM each of the pages loads in full. For example: 'Data registry' will show options relating to site category and purpose. 'Data deletion' will have a dropdown with values such as Course and User. 'Plugin privacy registry' will show a long list of expandable sections. Log out and log back in as adminNormal. Navigate back to your browser tab for Site administration > Users. Perform a hard refresh on the page, and then scroll down to 'Privacy and policies'. CONFIRM you DO NOT see links to the following options: Data requests Data registry Data deletion Plugin privacy registry Visit each of the four other tabs you have open from earlier, perform a hard refresh on each, then CONFIRM the page content described earlier is now replaced with an error message reading "Only users who are assigned a privacy officer role ( {shortname}) have access to this content ", where {shortname} is your privacy officer role's shortname (eg privacyofficer). Log out and log back in as studentuser. Visit each of the four options tabs you have open from earlier, perform a hard refresh on each, then CONFIRM the page content described earlier is now replaced with an error message reading "Sorry, but you do not currently have permissions to do that (Manage data registry)". Testing link restrictions are applied when no PO assigned This tests admins are not restricted from viewing the pages tested earlier, but non-admins are still restricted. Log into your test site as adminPO. Navigate to Site administration > Users > Assign system roles. Click on the 'Privacy officer' role (or whatever you configured the role name as in the setup steps). Under 'Existing users', select adminPO, then click the 'Remove' button. CONFIRM Existing users now shows as 'None'. Repeat steps 2-5 above and CONFIRM all pages load in full. Close the browser tabs, rather than refreshing them as you did earlier. Log out and log back in as adminNormal. Repeat steps 2-5 above and CONFIRM all pages load in full (no longer show an error message). Close the browser tabs, rather than refreshing them as you did earlier. Log out and log back in as studentuser. Visit each of the following pages in your test site, and CONFIRM you receive the error message "Sorry, but you do not currently have permissions to do that (Manage data registry)", and the full page content available to the admin users does not load: {wwwroot}/admin/tool/dataprivacy/datarequests.php {wwwroot}/admin/tool/dataprivacy/dataregistry.php {wwwroot}/admin/tool/dataprivacy/datadeletion.php {wwwroot}/admin/tool/dataprivacy/pluginregistry.php
    • Affected Branches:
      MOODLE_33_STABLE, MOODLE_34_STABLE, MOODLE_35_STABLE
    • Fixed Branches:
      MOODLE_33_STABLE, MOODLE_34_STABLE, MOODLE_35_STABLE
    • Epic Link:
    • Pull 3.4 Branch:
    • Pull 3.5 Branch:
    • Pull Master Branch:
      MDL-62600-master
    • Sprint:
      GDPR Followup Sprint 1

      Description

      Steps to reproduce

      • Have a site with the privacy officer role set up
      • As the site user, fill some SARs
      • Log in as admin

      Expected output: Either the admin should not see the page "Site administration > Users > Privacy and policies > Data requests" at all, or the admin should see some relevant information. E.g. number of requests, status of requests or even the full list of requests.

      Actual behaviour: The page is shown to the admin with the misleading message "There are no data requests"

      Only the privacy officer can see the actual requests.

      This is even more serious as there can be problems with the requests processing (e.g. we have them stuck in the "pre-processing" state for some reason) and the admin is not even notified about it.

        Attachments

        1. disable_PO_notifications.jpg
          disable_PO_notifications.jpg
          24 kB
        2. MDL-61600-error-example.png
          MDL-61600-error-example.png
          15 kB
        3. MDL-62600(P1).xlsx
          15.55 MB
        4. MDL-62600(P2).xlsx
          9.47 MB
        5. MDL-62600(P3).xlsx
          15.70 MB

          Issue Links

            Activity

              People

              • Votes:
                4 Vote for this issue
                Watchers:
                9 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Fix Release Date:
                  10/Sep/18

                  Time Tracking

                  Estimated:
                  Original Estimate - 0 minutes
                  0m
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 1 hour, 30 minutes
                  1h 30m