Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-62663

Visibility of custom user fields is not consistently enforced

    XMLWordPrintable

Details

    • MOODLE_35_STABLE
    • MOODLE_34_STABLE, MOODLE_35_STABLE
    • Hide

      See behat test.

      User with moodle/user:update capability can update visible profile fields.

      User with moodle/user:viewalldetails capability can view all profile fields.

      User with moodle/user:viewalldetails and moodle/user:update capabilities can view and edit all profile fields.

      Users can view custom profile fieds except those marked as not visible.

      Show
      See behat test. User with moodle/user:update capability can update visible profile fields. User with moodle/user:viewalldetails capability can view all profile fields. User with moodle/user:viewalldetails and moodle/user:update capabilities can view and edit all profile fields. Users can view custom profile fieds except those marked as not visible.

    Description

      If a user has the moodle/user:update capability but is denied or lacks the  moodle/user:viewalldetails they can still view/edit private profile fields.

       

       

      In some places - e.g. \profile_field_base::is_visible a user must have the moodle/user:viewalldetails capability to view other user's fields that are marked as PROFILE_VISIBLE_PRIVATE

      I would say that this is the correct behaviour.

      There are three places where the viewalldetails capability is ignored and the moodle/user:update capability is checked instead. This means that if a user is denied the moodle/user:viewalldetails capability they can still edit (and so view) the values of private custom fields.
      The places this is an issue are:
      user/profile/lib.php function profile_definition
      The line:
      if ($display or $update) {
      should be changed to:
      if ($display && $update) {

      \profile_field_base::edit_field
      The line:
      if ($this->field->visible != PROFILE_VISIBLE_NONE
      or has_capability('moodle/user:update', context_system::instance())) {
      should be changed to check the viewalldetails capability

      \profile_field_base::edit_after_data
      The line:
      if ($this->field->visible != PROFILE_VISIBLE_NONE
      or has_capability('moodle/user:update', context_system::instance())) {
      should be changed to check the viewalldetails capability

      Attachments

        Issue Links

          Activity

            People

              andrew_dc_hancox Andrew Hancox
              andrew_dc_hancox Andrew Hancox
              Sara Arjona (@sarjona) Sara Arjona (@sarjona)
              David Monllaó David Monllaó
              CiBoT CiBoT
              Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Ilya Tregubov, Laurent David, Sara Arjona (@sarjona)
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:
                10/Sep/18