Moodle / MDL-64596

New capability for searching for users across the site

    Details

    • Testing Instructions:

      Login as Admin user:

      1. Create User Accounts: User 1, User 2, User 3
      2. Create a system role, e.g. LookUpUser
      3. Allow the “moodle/site:lookupuser” capability to the role
      4. Assign role to User 1
      5. Enable Allow site-wide messaging (to allow adding contact)

      Login as User 1

      1. Go to Messages
      2. Search for “User”, the contacts of User 2 and User 3 shall be displayed
      3. Add User 2 to contact list

      Login as User 2

      1. Go to Messages
      2. Accept the add contact request
      3. Search for “User”, only the contact of User 1 shall be displayed.
    • Affected Branches:
      MOODLE_37_STABLE
    • Pull Master Branch:
      MDL-64596-Master

      Description

      We have clients who have high security needs and want to lock things down really tightly.

      One identified user risk is stopping users, or those in a role, from searching for other users. This is leaking through the message interface. There doesn't appear to be a single capability for this; it seems to be broken up into a few other caps, and none are quite up to the task. So I'm proposing to introduce a new cap which would be checked as well as the existing caps for different use cases, so it's easy to lock it down everywhere.

      A new capability called “moodle/site:lookupuser” is added to restrict searching for non-contact users.

       

      Expected behavior

       The user without moodle/site:lookupuser capability:

       - Will be able to search users who are already in their contact list

       - Will not be able to search users who are not in their contact list

      A user with the moodle/site:lookupuser capability will be able to search for users both in and outside their contact list.
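
The expected behaviour above, modelled as an added example that is not Moodle's implementation: Python with an in-memory SQLite database, enforcing the restriction inside the query and treating an accepted contact as symmetric, as the testing steps require. Only the capability name comes from the issue; the table layout and the functions `build_db`, `has_capability`, `accept_contact` and `search_users` are hypothetical stand-ins.

```python
import sqlite3

LOOKUP_CAP = "moodle/site:lookupuser"  # capability name taken from the issue

def build_db():
    """Constructed in-memory schema and sample data; not Moodle's real tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, fullname TEXT);
        CREATE TABLE contacts(userid INTEGER, contactid INTEGER);
        CREATE TABLE role_caps(userid INTEGER, capability TEXT);
        INSERT INTO users VALUES (1,'User 1'),(2,'User 2'),(3,'User 3');
        INSERT INTO role_caps VALUES (1,'moodle/site:lookupuser');
    """)
    return db

def has_capability(db, userid, cap):
    """Hypothetical stand-in for a real capability check."""
    row = db.execute("SELECT 1 FROM role_caps WHERE userid=? AND capability=?",
                     (userid, cap)).fetchone()
    return row is not None

def accept_contact(db, requester, accepter):
    # One row per accepted request; lookups below read it in both directions.
    db.execute("INSERT INTO contacts VALUES (?,?)", (requester, accepter))

def search_users(db, searcher, term):
    """Return the names matching `term` that `searcher` is allowed to see."""
    # Escape LIKE wildcards so '%' or '_' in the term cannot widen the match.
    esc = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    # Assumption: the searcher is left out of their own results.
    sql = ("SELECT u.fullname FROM users u WHERE u.id <> ? "
           "AND u.fullname LIKE ? ESCAPE '\\'")
    params = [searcher, f"%{esc}%"]
    if not has_capability(db, searcher, LOOKUP_CAP):
        # The restriction is part of the query, so non-contact rows are never
        # fetched and cannot leak through a client-side filter.
        sql += (" AND EXISTS (SELECT 1 FROM contacts c WHERE "
                "(c.userid = ? AND c.contactid = u.id) OR "
                "(c.contactid = ? AND c.userid = u.id))")
        params += [searcher, searcher]
    sql += " ORDER BY u.id"
    return [row[0] for row in db.execute(sql, params)]
```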

              People

              • Votes: 12
              • Watchers: 20