Moodle / MDL-62663

Visibility of custom user fields is not consistently enforced


Details

    • MOODLE_35_STABLE
    • MOODLE_34_STABLE, MOODLE_35_STABLE

      See behat test.

      User with moodle/user:update capability can update visible profile fields.

      User with moodle/user:viewalldetails capability can view all profile fields.

      User with moodle/user:viewalldetails and moodle/user:update capabilities can view and edit all profile fields.

      Users can view custom profile fields except those marked as not visible.


    Description

      If a user has the moodle/user:update capability but is denied or lacks the moodle/user:viewalldetails capability, they can still view/edit private profile fields.

      In some places, e.g. \profile_field_base::is_visible, a user must have the moodle/user:viewalldetails capability to view other users' fields that are marked as PROFILE_VISIBLE_PRIVATE.

      I would say that this is the correct behaviour.

      There are three places where the viewalldetails capability is ignored and the moodle/user:update capability is checked instead. This means that if a user is denied the moodle/user:viewalldetails capability they can still edit (and so view) the values of private custom fields.
      The places this is an issue are:
      user/profile/lib.php function profile_definition
      The line:
      if ($display or $update) {
      should be changed to:
      if ($display && $update) {

      \profile_field_base::edit_field
      The line:
      if ($this->field->visible != PROFILE_VISIBLE_NONE
      or has_capability('moodle/user:update', context_system::instance())) {
      should be changed to check the viewalldetails capability

      \profile_field_base::edit_after_data
      The line:
      if ($this->field->visible != PROFILE_VISIBLE_NONE
      or has_capability('moodle/user:update', context_system::instance())) {
      should be changed to check the viewalldetails capability
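
      The capability mismatch described in this report can be checked with a small stand-alone model. This is an added example, not Moodle code and not the fix that was integrated. The numeric constants, the function names and the corrected gate are assumptions made for illustration; the view rule follows the expected behaviour listed in the testing instructions, and only the case of editing another user's profile is modelled.

```php
<?php
// Stand-alone model of the checks described above; it does not load Moodle.
// The constant values are local stand-ins chosen for this example.
const VISIBLE_NONE    = 0; // models PROFILE_VISIBLE_NONE
const VISIBLE_PRIVATE = 1; // models PROFILE_VISIBLE_PRIVATE
const VISIBLE_ALL     = 2; // models a field that everyone may see

const CAP_UPDATE  = 'moodle/user:update';
const CAP_VIEWALL = 'moodle/user:viewalldetails';

// View rule for another user's field, taken from the expected behaviour listed
// in the report: everyone sees visible fields, viewalldetails sees all of them.
function may_view(int $visible, array $caps): bool {
    return $visible === VISIBLE_ALL || in_array(CAP_VIEWALL, $caps, true);
}

// Gate quoted in the report for edit_field and edit_after_data.
function reported_edit_gate(int $visible, array $caps): bool {
    return $visible != VISIBLE_NONE || in_array(CAP_UPDATE, $caps, true);
}

// Assumed corrected gate: a field enters the edit form only if the editor
// may also view it. The report does not give the final condition.
function assumed_edit_gate(int $visible, array $caps): bool {
    return may_view($visible, $caps);
}

// Return every (role, visibility) pair where a gate lets an editor reach a
// field value that the view rule would hide from them.
function find_leaks(callable $gate): array {
    $editors = [ // both roles can open the edit form, so both hold update
        'update only'             => [CAP_UPDATE],
        'update + viewalldetails' => [CAP_UPDATE, CAP_VIEWALL],
    ];
    $levels = ['NONE' => VISIBLE_NONE, 'PRIVATE' => VISIBLE_PRIVATE, 'ALL' => VISIBLE_ALL];
    $leaks = [];
    foreach ($editors as $role => $caps) {
        foreach ($levels as $name => $visible) {
            if ($gate($visible, $caps) && !may_view($visible, $caps)) {
                $leaks[] = "$role / $name";
            }
        }
    }
    return $leaks;
}

echo "reported gate: ", implode(', ', find_leaks('reported_edit_gate')) ?: 'no leaks', PHP_EOL;
echo "assumed gate:  ", implode(', ', find_leaks('assumed_edit_gate')) ?: 'no leaks', PHP_EOL;
```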

            People

              andrew_dc_hancox Andrew Hancox
              Sara Arjona (@sarjona)
              David Monllaó
              CiBoT
              David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo

              Dates

                Created:
                Updated:
                Resolved:
                10/Sep/18