  1. Moodle
  2. MDL-63832

Web service mod_assign_get_submissions returns submissions the user has no permission to view


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.1.14, 3.3.8, 3.4.5, 3.5.2, 3.6
    • Fix Version/s: 3.5.4
    • Component/s: Assignment, Web Services
    • Labels:
    • Testing Instructions:
      Prerequisite
      1. Moodle mobile app.
      2. Your Moodle mobile app should be able to connect to your Moodle website. You can either do the following:
        • Ensure that the phone with the mobile app and the web server are on the same network. Or
        • Expose the web server over the internet via ngrok.
      Test
      1. As admin, enable "Mobile services": Site administration ► Mobile app ► Mobile settings
      2. Now create a course, "C1"
      3. Enrol two users: S1 as student and T1 as teacher in C1
      4. Create an assignment activity, in the settings allow only "Online text" submissions
      5. As U1, log in to the site via the browser, access the course and do a text submission
      6. As T1, log in to the site via the Mobile app and check that you see U1's submission in the submission list.
      7. As admin, unenrol U1 from the course
      8. As T1, again using the app, check that you no longer see U1's submission listed (you may have to do a PTR - pull down to refresh action - on the device to avoid the cache)
    • Affected Branches:
      MOODLE_31_STABLE, MOODLE_33_STABLE, MOODLE_34_STABLE, MOODLE_35_STABLE, MOODLE_36_STABLE
    • Fixed Branches:
      MOODLE_35_STABLE
    • Pull from Repository:
    • Pull 3.5 Branch:
    • Pull Master Branch:
      MDL-63832-master

      Description

      The web service function mod_assign_get_submissions returns all the submissions of one or more assign activities, but it does not check if each of the submissions can be viewed by the user using $assign->can_view_submission. For example, it includes submissions of users that are not participants of the course.
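
A regression check for the behaviour described above, as an added example that is not part of the original issue or of Moodle's code: given the JSON a teacher's token receives from mod_assign_get_submissions and the course's core_enrol_get_enrolled_users list, it flags every returned submission owned by a non-participant. The sample responses are constructed and the field names are assumed from those two web service functions; it covers only the non-participant case, not every rule inside $assign->can_view_submission.

```python
import json

# Constructed sample responses (not captured from a real site). Field names are
# assumed to match the JSON returned by the two web service functions.
SUBMISSIONS_JSON = """
{"assignments": [
   {"assignmentid": 7, "submissions": [
      {"id": 101, "userid": 4, "status": "submitted"},
      {"id": 102, "userid": 9, "status": "submitted"}]},
   {"assignmentid": 8, "submissions": []}],
 "warnings": []}
"""
ENROLLED_JSON = '[{"id": 3, "fullname": "T1"}, {"id": 4, "fullname": "S1"}]'


def enrolled_ids(enrolled_users):
    """Collect user ids from a core_enrol_get_enrolled_users style list."""
    return {int(user["id"]) for user in enrolled_users}


def find_leaked_submissions(response, participants):
    """Return (assignmentid, submissionid, userid) for each returned submission
    whose owner is not in the set of participant ids."""
    if "exception" in response:
        # Moodle reports web service failures as a JSON object with these keys.
        raise ValueError("web service error: %s"
                         % response.get("message", response["exception"]))
    leaked = []
    for assignment in response.get("assignments", []):
        for sub in assignment.get("submissions", []):
            if int(sub["userid"]) not in participants:
                leaked.append((assignment["assignmentid"], sub["id"], sub["userid"]))
    return leaked


def audit(submissions_json, enrolled_json):
    """Parse both responses and list submissions owned by non-participants."""
    response = json.loads(submissions_json)
    participants = enrolled_ids(json.loads(enrolled_json))
    return find_leaked_submissions(response, participants)


if __name__ == "__main__":
    for assignmentid, subid, userid in audit(SUBMISSIONS_JSON, ENROLLED_JSON):
        print("assignment %s: submission %s belongs to non-participant user %s"
              % (assignmentid, subid, userid))
```

An empty result after step 7 of the testing instructions corresponds to the expected behaviour; any tuple returned identifies a submission that should have been filtered out.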

                Dates

                • Fix Release Date: 14/Jan/19

                Time Tracking

                • Original Estimate: Not Specified
                • Remaining Estimate: 0 minutes
                • Time Spent: 25 minutes