Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-65101

Messaging: Users with capability moodle/site:messageanyuser cannot write to non contacts with privacy setting on

XMLWordPrintable

    • MOODLE_37_STABLE
    • MOODLE_36_STABLE, MOODLE_37_STABLE
    • MDL-65101_master
    • Hide
      Prerequisites.
      1. Create two users (S1 and S2).
      2. Create a course.
      3. Enrol both users in the course.
      4. Log in as S1.
      5. Click on the messaging icon to open the drawer.
      6. Click on the gear.
      7. Select 'My contacts only'
      Test 1.
      1. Log in as the admin.
      2. Visit Site administration > Users > Accounts > Browse list of users.
      3. Search for the user.
      4. Click on 'Message' next to their profile picture.
      5. Confirm you can send them a message.
      6. Log in as S1.
      7. Confirm you received the message.
      Test 2
      1. Log in as S2.
      2. Click on the messaging icon in the top right to open the drawer.
      3. Search for S1.
      4. Attempt to message them.
      5. Confirm you get a message saying you need to request to be a contact to message them.
      6. Send them a contact request.
      7. Log in as S1.
      8. Accept the contact request.
      9. Log in as S2.
      10. Confirm you can now send them a message.
      11. Log in as S1.
      12. Confirm you received the message.
      Show
      Prerequisites. Create two users (S1 and S2). Create a course. Enrol both users in the course. Log in as S1. Click on the messaging icon to open the drawer. Click on the gear. Select 'My contacts only' Test 1. Log in as the admin. Visit Site administration > Users > Accounts > Browse list of users. Search for the user. Click on 'Message' next to their profile picture. Confirm you can send them a message. Log in as S1. Confirm you received the message. Test 2 Log in as S2. Click on the messaging icon in the top right to open the drawer. Search for S1. Attempt to message them. Confirm you get a message saying you need to request to be a contact to message them. Send them a contact request. Log in as S1. Accept the contact request. Log in as S2. Confirm you can now send them a message. Log in as S1. Confirm you received the message.

      Hi there,

      while testing the new messaging interface and the newly introduced capability moodle/site:messageanyuser, we've stumbled over this issue.

      Status quo and problem
      As far as we understand users with that capability can write to other users even if they have been blocked by them. For example user A has the capability and user B blocks user A, user A can still write messages to user B.

      The strange thing is that if user B changes his privacy restriction setting to "My contacts only", the user A, who has the capability cannot send messages to B anymore.
      On the one hand, blocking feels more strict than just allowing contacts to contact me. On the other hand if the capability is called messageanyuser and "ignores" blocking, it's surprising that this setting levers this out.

      Steps to reproduce

      1. Having users A and B in your system
      2. Make sure that moodle/site:messageanyuser is given to teachers
      3. Go to a course X (or create one) and enrol user A as teacher and user B as student
      4. Login as user B, open the messaging interface and search for user A
      5. In the list, click on the three dots for user A and click on context menu item "Block user"
      6. Confirm the blocking action by clicking the button "Block"
      7. Verify that you see the information "You have blocked this user in the past" with the button "Unblock user"
      8. Login as user A
      9. Open the messaging interface and search for user B
      10. Make sure that you have the messaging text area
      11. Enter a message and send it to user B
      12. Login as user B and see that he's got a new message from user A and the blocking icon is shown after the name of user A
      13. Now change the privacy setting to "My contacts only"
      14. Login as A again
      15. Go to the conversation with B and click on it
      16. See that you cannot write to B anymore because you see the hint "B is not in your contacts. You need to request Adam Ant to add you as a contact to be able to message them."

      Proposal
      Either this is intended behavior, then the capability should be defined in a more restrictive way or should get another title (maybe messsageblockedusers).

      We would assume that this is not intended behavior, because in that case it would be possible for students to prevent messages from their teachers. And we don't think that it's practicable that a teacher requests contact approval for many of his students...

      If it's not intended, then this is a bug (as I declared the issue) and the capability should also make it possible to override this privacy setting.
      Analogous to MDL-65093, the user then should also get a hint that the privacy setting has no effect on users with this capability.

      Best, Kathrin

            markn Mark Nelson
            kosswa Kathrin Osswald
            Kathrin Osswald Kathrin Osswald
            Sara Arjona (@sarjona) Sara Arjona (@sarjona)
            Anna Carissa Sadia Anna Carissa Sadia
            Votes:
            6 Vote for this issue
            Watchers:
            10 Start watching this issue

              Created:
              Updated:
              Resolved:

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 1 hour, 45 minutes
                1h 45m

                  Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.