Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-64444

mod_assign_get_submissions and mod_assign_get_grades incorrectly check permissions

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.5.3, 3.6.1, 3.7
    • Fix Version/s: 3.5.5, 3.6.3
    • Component/s: Assignment, Web Services
    • Labels:
    • Testing Instructions:
      Hide
      Note
      1. To be tested only in 36_STABLE and master. For 35_STABLE it's enough if automated tests are passing, so no action needed there.
      Prerequisite
      1. Moodle mobile app.
      2. Your Moodle mobile app should be able to connect to your Moodle website. You can either do the following:
        • Ensure that the phone with the mobile app and the web server are on the same network. Or
        • Expose the web server over the internet via ngrok.
      Test
      1. As admin, enable "Mobile services": Site administration ► Mobile app ► Mobile settings
      2. Enable "Context freezing": Administration >Development > Experimental >Experimental settings
      3. Create a new course
      4. Enrol one user as student in the course and another one as teacher
      5. Create a new assignment activity, configured to allow only "Online text" submissions
      6. As the student user, log in into the Moodle site, go to the assignment activity, and do a submission
      7. As the teacher user, log i into the Moodle site, go to the assignment activity and grade the submission the student did
      8. Now, in the assignment main page, go to settings (via the cog) and click on "Freeze this context"
      9. As teacher, log in to the site via the Moodle Mobile app, open the assignment activity, and check that you can see the submission the student did and the grade the teacher gave.
      Show
      Note To be tested only in 36_STABLE and master. For 35_STABLE it's enough if automated tests are passing, so no action needed there. Prerequisite Moodle mobile app. Your Moodle mobile app should be able to connect to your Moodle website. You can either do the following: Ensure that the phone with the mobile app and the web server are on the same network. Or Expose the web server over the internet via ngrok. Test As admin, enable "Mobile services": Site administration ► Mobile app ► Mobile settings Enable "Context freezing": Administration >Development > Experimental >Experimental settings Create a new course Enrol one user as student in the course and another one as teacher Create a new assignment activity, configured to allow only "Online text" submissions As the student user, log in into the Moodle site, go to the assignment activity, and do a submission As the teacher user, log i into the Moodle site, go to the assignment activity and grade the submission the student did Now, in the assignment main page, go to settings (via the cog) and click on "Freeze this context" As teacher, log in to the site via the Moodle Mobile app, open the assignment activity, and check that you can see the submission the student did and the grade the teacher gave.
    • Affected Branches:
      MOODLE_35_STABLE, MOODLE_36_STABLE, MOODLE_37_STABLE
    • Fixed Branches:
      MOODLE_35_STABLE, MOODLE_36_STABLE
    • Epic Link:
    • Pull from Repository:
    • Pull Master Branch:
      MDL-64444-master
    • Pull Master Diff URL:

      Description

      The web service functions mod_assign_get_submissions and mod_assign_get_grades use the capability "mod/assign:grade" to check if the user can view all submissions of an assignment. This does not work in all cases: for example when the course is frozen. These web services should use the method "can_view_grades" of the assign class, that properly checks when the user can view all submissions.

        Attachments

          Issue Links

          has a non-specific relationship to

          Bug - A problem which impairs or prevents Moodle from functioning correctly. MDL-64336 When an assignment is frozen students cannot see their submission

          • Minor - Minor loss of function where workaround is possible
          • Closed

            Activity

              People

              Assignee:
              jleyva Juan Leyva
              Reporter:
              albert.gasset Albert Gasset
              Peer reviewer:
              Jun Pataleta
              Integrator:
              Eloy Lafuente (stronk7)
              Tester:
              Anna Carissa Sadia
              Participants:
              Component watchers:
              Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias, Sujith Haridasan, Juan Leyva, Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Ilya Tregubov, Sara Arjona (@sarjona)
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Fix Release Date:
                11/Mar/19

                  Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 2 hours
                  2h