MDL-62663

Visibility of custom user fields is not consistently enforced


    Details

    • Testing Instructions:

      See behat test.

      User with moodle/user:update capability can update visible profile fields.

      User with moodle/user:viewalldetails capability can view all profile fields.

      User with moodle/user:viewalldetails and moodle/user:update capabilities can view and edit all profile fields.

      Users can view custom profile fields except those marked as not visible.

    • Affected Branches:
      MOODLE_35_STABLE
    • Fixed Branches:
      MOODLE_34_STABLE, MOODLE_35_STABLE
    • Pull 3.5 Branch:
    • Pull Master Branch:

      Description

      If a user has the moodle/user:update capability but is denied or lacks the moodle/user:viewalldetails capability, they can still view/edit private profile fields.

      In some places - e.g. \profile_field_base::is_visible - a user must have the moodle/user:viewalldetails capability to view other users' fields that are marked as PROFILE_VISIBLE_PRIVATE.

      I would say that this is the correct behaviour.

      There are three places where the viewalldetails capability is ignored and the moodle/user:update capability is checked instead. This means that if a user is denied the moodle/user:viewalldetails capability they can still edit (and so view) the values of private custom fields.
      The places this is an issue are:
      user/profile/lib.php function profile_definition
      The line:
      if ($display or $update) {
      should be changed to:
      if ($display && $update) {

      \profile_field_base::edit_field
      The line:
      if ($this->field->visible != PROFILE_VISIBLE_NONE
      or has_capability('moodle/user:update', context_system::instance())) {
      should be changed to check the viewalldetails capability.

      \profile_field_base::edit_after_data
      The line:
      if ($this->field->visible != PROFILE_VISIBLE_NONE
      or has_capability('moodle/user:update', context_system::instance())) {
      should be changed to check the viewalldetails capability.
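The defect reported above is an authorization check that accepts either of two conditions when it should require both: a field is treated as editable if it is not PROFILE_VISIBLE_NONE or if the acting user holds moodle/user:update, so viewalldetails is never consulted. The following is an added, stand-alone PHP illustration written for this page; it is not Moodle's code or its eventual patch. has_capability_stub(), the $grants map, the user ids and the field records are constructed stand-ins, and the visibility constants mirror the PROFILE_VISIBLE_* levels named in the report. It runs the quoted check and a hardened form that follows the report's suggestion (visible to this user AND permitted to update) over the scenario from the description: a user granted update but denied viewalldetails.

```php
<?php
// Added example for MDL-62663. Not Moodle code: has_capability_stub(),
// $grants and the user/field values are hypothetical so the logic runs
// offline with `php this_file.php`.

// Visibility levels of custom profile fields, as referenced in the report.
const PROFILE_VISIBLE_NONE    = 0; // Hidden; needs moodle/user:viewalldetails.
const PROFILE_VISIBLE_PRIVATE = 1; // Owner, or moodle/user:viewalldetails.
const PROFILE_VISIBLE_ALL     = 2; // Anyone who can see the profile.

/**
 * Stand-in for Moodle's has_capability(). $grants is a constructed map of
 * capability name => bool for the acting user; false models an explicit
 * deny (or an absent grant), exactly the case the report is about.
 */
function has_capability_stub(string $capability, array $grants): bool {
    return $grants[$capability] ?? false;
}

/**
 * Visibility rule as the report describes \profile_field_base::is_visible:
 * PRIVATE fields belong to the owner or to viewalldetails holders, NONE
 * fields only to viewalldetails holders.
 */
function field_is_visible(int $visible, int $ownerid, int $actingid, array $grants): bool {
    switch ($visible) {
        case PROFILE_VISIBLE_ALL:
            return true;
        case PROFILE_VISIBLE_PRIVATE:
            return $ownerid === $actingid
                || has_capability_stub('moodle/user:viewalldetails', $grants);
        default: // PROFILE_VISIBLE_NONE and anything unexpected.
            return has_capability_stub('moodle/user:viewalldetails', $grants);
    }
}

/**
 * The check quoted in the report (edit_field / edit_after_data):
 * "visible != NONE OR moodle/user:update". The OR means an update holder
 * sees every field regardless of viewalldetails. Owner/actor ids are
 * accepted only to keep the signature parallel; the real check ignores them.
 */
function edit_field_vulnerable(int $visible, int $ownerid, int $actingid, array $grants): bool {
    return $visible != PROFILE_VISIBLE_NONE
        || has_capability_stub('moodle/user:update', $grants);
}

/**
 * Hardened form following the report's suggestion: the acting user must be
 * allowed to VIEW the field (which is where viewalldetails is enforced)
 * AND hold moodle/user:update. Illustrative only, not the upstream patch.
 */
function edit_field_hardened(int $visible, int $ownerid, int $actingid, array $grants): bool {
    return field_is_visible($visible, $ownerid, $actingid, $grants)
        && has_capability_stub('moodle/user:update', $grants);
}

// Constructed scenario from the description: user 7 edits user 42's profile
// with a role that grants update but denies viewalldetails.
$actor  = 7;
$owner  = 42;
$grants = ['moodle/user:update' => true, 'moodle/user:viewalldetails' => false];

$levels = [
    'PROFILE_VISIBLE_ALL'     => PROFILE_VISIBLE_ALL,
    'PROFILE_VISIBLE_PRIVATE' => PROFILE_VISIBLE_PRIVATE,
    'PROFILE_VISIBLE_NONE'    => PROFILE_VISIBLE_NONE,
];

printf("%-24s %-10s %-10s\n", 'field visibility', 'quoted', 'hardened');
foreach ($levels as $name => $level) {
    $before = edit_field_vulnerable($level, $owner, $actor, $grants);
    $after  = edit_field_hardened($level, $owner, $actor, $grants);
    printf("%-24s %-10s %-10s\n", $name,
        $before ? 'editable' : 'hidden',
        $after  ? 'editable' : 'hidden');
}
```

The row to read is PROFILE_VISIBLE_PRIVATE: the quoted check exposes the field to the update holder because the first operand alone is true, while the hardened check routes the decision through the visibility rule and so honours the viewalldetails deny. The same stub can be used to replay the four combinations in the Testing Instructions by changing the two booleans in $grants.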

              People

              Assignee:
              andrew_dc_hancox Andrew Hancox
              Reporter:
              andrew_dc_hancox Andrew Hancox
              Peer reviewer:
              Sara Arjona (@sarjona)
              Integrator:
              David Monllaó
              Tester:
              CiBoT
              Participants:
              Component watchers:
              Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Sara Arjona (@sarjona)

                Dates

                Fix Release Date:
                10/Sep/18