Moodle tracker: MDL-62663

Visibility of custom user fields is not consistently enforced


Description

If a user has the moodle/user:update capability but is denied, or lacks, the moodle/user:viewalldetails capability, they can still view and edit private profile fields.


In some places, e.g. \profile_field_base::is_visible, a user must have the moodle/user:viewalldetails capability to view other users' fields that are marked as PROFILE_VISIBLE_PRIVATE.

      I would say that this is the correct behaviour.

      There are three places where the viewalldetails capability is ignored and the moodle/user:update capability is checked instead. This means that if a user is denied the moodle/user:viewalldetails capability they can still edit (and so view) the values of private custom fields.
The places this is an issue are:

1. user/profile/lib.php, function profile_definition. The line:

       if ($display or $update) {

   should be changed to:

       if ($display && $update) {

2. \profile_field_base::edit_field. The line:

       if ($this->field->visible != PROFILE_VISIBLE_NONE
           or has_capability('moodle/user:update', context_system::instance())) {

   should be changed to check the viewalldetails capability.

3. \profile_field_base::edit_after_data. The line:

       if ($this->field->visible != PROFILE_VISIBLE_NONE
           or has_capability('moodle/user:update', context_system::instance())) {

   should be changed to check the viewalldetails capability.
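As an added illustration (not Moodle's own code and not part of this report), the following standalone PHP models the checks described above: a stand-in for has_capability() over a constructed capability table, the visibility rule from profile_field_base::is_visible, the edit check that the report flags, and a hardened edit check that reuses the visibility rule so that editing can never disclose a value that viewing would not. The function names demo_has_capability, field_visible_to, editable_before and editable_after, the simplified owner-may-edit-own-profile rule, and the user ids are assumptions made for the example.

```php
<?php
// Added example, not Moodle code: models the capability checks discussed in MDL-62663.

// Visibility levels as defined in user/profile/lib.php.
define('PROFILE_VISIBLE_ALL', 2);      // anyone can see the field
define('PROFILE_VISIBLE_PRIVATE', 1);  // the owner, or holders of viewalldetails
define('PROFILE_VISIBLE_NONE', 0);     // only holders of viewalldetails

// Stand-in for Moodle's has_capability(): the viewer is a constructed array with an
// 'id' and a flat list of granted capability names (assumption for this example).
function demo_has_capability(array $viewer, string $capability): bool {
    return in_array($capability, $viewer['caps'], true);
}

// The rule profile_field_base::is_visible applies, with the owner's id passed in
// instead of being read from $this->userid.
function field_visible_to(int $visible, int $ownerid, array $viewer): bool {
    switch ($visible) {
        case PROFILE_VISIBLE_ALL:
            return true;
        case PROFILE_VISIBLE_PRIVATE:
            return $viewer['id'] === $ownerid
                || demo_has_capability($viewer, 'moodle/user:viewalldetails');
        default:
            return demo_has_capability($viewer, 'moodle/user:viewalldetails');
    }
}

// The check the report flags in edit_field / edit_after_data: any field that is not
// hidden, or any holder of moodle/user:update, gets the edit control (and so the value).
function editable_before(int $visible, int $ownerid, array $viewer): bool {
    return $visible != PROFILE_VISIBLE_NONE
        || demo_has_capability($viewer, 'moodle/user:update');
}

// Hardened form: the editor must be allowed to update the profile AND pass the same
// visibility rule as viewing, so editing never discloses more than viewing does.
// (Owner-may-edit-own-profile is a simplification made for this example.)
function editable_after(int $visible, int $ownerid, array $viewer): bool {
    $canupdate = $viewer['id'] === $ownerid
        || demo_has_capability($viewer, 'moodle/user:update');
    return $canupdate && field_visible_to($visible, $ownerid, $viewer);
}

// Constructed scenario from the report: user 7 edits user 42's profile while holding
// moodle/user:update but not moodle/user:viewalldetails.
$ownerid = 42;
$editor = ['id' => 7, 'caps' => ['moodle/user:update']];

$levels = [
    'ALL'     => PROFILE_VISIBLE_ALL,
    'PRIVATE' => PROFILE_VISIBLE_PRIVATE,
    'NONE'    => PROFILE_VISIBLE_NONE,
];
foreach ($levels as $label => $visible) {
    $seen   = field_visible_to($visible, $ownerid, $editor);
    $before = editable_before($visible, $ownerid, $editor);
    $after  = editable_after($visible, $ownerid, $editor);
    printf("%-8s can view: %-5s  editable before fix: %-5s  after fix: %s%s\n",
        $label,
        var_export($seen, true), var_export($before, true), var_export($after, true),
        ($before && !$seen) ? '   <- leaks a value the viewer may not see' : '');
}
```

Run with `php example.php`: the PRIVATE and NONE rows show the inconsistency the report describes (not viewable, yet editable before the fix), and the hardened check closes it by making the edit decision depend on the same viewalldetails rule as the view decision.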

Fix Release Date: 10/Sep/18