- Improvement
- Resolution: Fixed
- Minor
- 3.5.4
- MOODLE_35_STABLE
- MOODLE_37_STABLE
When creating a GDPR request on behalf of a user, you need to search for them in the user field.
The AJAX selector that searches for a user does not use the appropriate logic. It always searches the names (first/last), email, and username.
It never searches the extra fields that are specified in admin settings (showuseridentity).
This code is in admin/tool/dataprivacy/classes/external.php, function get_users.
Currently it uses the datalib get_users function, which behaves incorrectly (as above) - it should probably be deprecated really. For example, in sites that don't support email address or username for searching, it probably shouldn't be searched.
I searched the code for examples of how to do this correctly; I believe it is roughly:
```php
$extrafields = get_extra_user_fields($context);
list($sql, $params) = users_search_sql($query, 'u', false, $extrafields, $excludedusers);
```
(And then do the SQL query.)
In addition to this, the display of the user name popup (after you search and it finds somebody) which can be found in templates/form-user-selector-suggestion.mustache is not really appropriate either - this should:
(a) display the user's name
and
(b) also show - probably as a comma separated list - any fields that are returned by the get_extra_user_fields($context) function.
Currently it shows like 'Full Name (email)'. So it should show:
- If there's nothing from get_extra_user_fields, just 'Full name'
- If there is a response, then those fields, in that order, comma-separated, e.g. 'Full Name (email, idnumber, department)'
A particular use case for this is to search for somebody by their student number (idnumber). This is not possible in the current system. Not very helpful for our admin staff. But anyway, it ought to support the standard admin settings in this area.
So to summarise all this into what needs doing (my opinion):
1. The search should use all the fields selected in the showuseridentity admin setting, in addition to names, if the current user has moodle/site:viewuseridentity permission. If they do not have that permission then it should only search names.
2. When displaying the popup of the selected user, this should also show all the fields selected in showuseridentity, in addition to names, if the current user has moodle/site:viewuseridentity permission. If they do not have that permission then it should only show names.
3. There should be a PHPUnit test of the web service to test the search behaviour. This should cover (may be one or several tests):
- searching by name, as present (finds the user)
- searching by a field configured in admin settings when user has viewuseridentity permission (finds the user)
- searching by a field when user doesn't have viewuseridentity permission (doesn't find the user)
- searching for a different field that is not configured in admin settings, when user does have permission (doesn't find the user)
4. There should be a Behat test of the overall interface to test the popup appearance. This should cover:
- display when user does not have the viewuseridentity, name only
- display when they do have it, include all fields selected in admin settings (and not other fields)
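
The permission rule from points 1 and 2, run against the four search cases of point 3, as a stand-alone PHP model. This is an added example, not code from Moodle or from the fix for this issue. The function names and the sample user are constructed, `$canviewidentity` stands in for the moodle/site:viewuseridentity check, and leaving empty field values out of the label is an assumption.

```php
<?php
// Added example: stand-alone model of the rule, not Moodle code; all names are hypothetical.

// Identity fields the caller may search and see: none without the capability.
function allowed_identity_fields(string $showuseridentity, bool $canviewidentity): array {
    $fields = array_filter(array_map('trim', explode(',', $showuseridentity)), 'strlen');
    return $canviewidentity ? array_values($fields) : [];
}

// Case-insensitive substring search over the full name plus the allowed fields only.
function search_users(array $users, string $query, array $fields): array {
    return array_values(array_filter($users, function (array $user) use ($query, $fields): bool {
        $haystacks = [$user['firstname'] . ' ' . $user['lastname']];
        foreach ($fields as $field) {
            $haystacks[] = (string) ($user[$field] ?? '');
        }
        foreach ($haystacks as $value) {
            if ($query !== '' && stripos($value, $query) !== false) {
                return true;
            }
        }
        return false;
    }));
}

// 'Full Name' or 'Full Name (a, b)' in configured order; skipping empty values is an assumption.
function suggestion_label(array $user, array $fields): string {
    $extras = [];
    foreach ($fields as $field) {
        if (($user[$field] ?? '') !== '') {
            $extras[] = $user[$field];
        }
    }
    $name = $user['firstname'] . ' ' . $user['lastname'];
    return $extras ? $name . ' (' . implode(', ', $extras) . ')' : $name;
}

// Constructed sample user; the four search cases are those listed in point 3.
$users = [['firstname' => 'Sam', 'lastname' => 'Student', 'email' => 'sam@example.com',
           'idnumber' => 'S1234567', 'department' => 'Physics']];
$with = allowed_identity_fields('idnumber,department', true);
$without = allowed_identity_fields('idnumber,department', false);
foreach ([['name, no capability', 'Student', $without],
          ['configured field, capability', 'S1234567', $with],
          ['configured field, no capability', 'S1234567', $without],
          ['unconfigured field, capability', 'sam@example.com', $with]] as [$case, $query, $fields]) {
    printf("%-32s %d match(es)\n", $case, count(search_users($users, $query, $fields)));
}
echo suggestion_label($users[0], $with), "\n", suggestion_label($users[0], $without), "\n";
```

Because the search and the label both take the same `$fields` array, a caller without the capability can neither match on a hidden identity field nor see it in the suggestion.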