  1. Moodle
  2. MDL-65852

Capability check mismatch & white page error in user/action_redir.php

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.6.4
    • Fix Version/s: None
    • Component/s: Other
    • Labels:
    • Testing Instructions:
      Download the participants of a course as a non-editing teacher
    • Workaround:
      Added a customscript with a modified capability check and an error print
    • Difficulty:
      Easy
    • Affected Branches:
      MOODLE_36_STABLE

      Description

      STEPS TO REPRODUCE:

      While viewing the participants list of a course as non-editing teacher, select one or more users and choose to download the table data as any file type.

      EXPECTED RESULT:

      The chosen file type being offered for download, or an error message explaining why the action failed.

      ACTUAL RESULT:

      The browser location switches to the script user/action_redir.php, which in turn shows only a white page, lacking any output or error message.

      CAUSE:

      The capability check for allowing the creation of the download file in the script user/action_redir.php is for the capability moodle/course:manageactivities. Non-editing teachers by default have the permission course:viewparticipants, but lack the permission course:manageactivities. As a result they have access to download the user list, but then are denied by the script. Also, the if statement checking for the capability has no else section, so no error is printed when the check fails.

      COMMENTS:

      It is understandable that it is not possible to declare a capability for every single action in the platform; still, there is a big difference between being able to download a user list that is already visible and managing the course's activities. Also, even if the capability check is to remain unchanged, a print_error would be necessary for the user's information. Of course, another solution would be to hide the download option too with the same capability check, although this sounds like overkill.

      SUGGESTED FIX

      Change the capability check in user/action_redir.php Line 82 to something more appropriate, like moodle/course:viewparticipants.

      Add an else{print_error()} statement after the capability check (user/action_redir.php Line 119) so that users are informed about the situation.
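
      The mismatch and the suggested fix, modelled as a stand-alone sketch. This is an added example, not code from Moodle or from user/action_redir.php: the role map, role_has_capability(), mismatched_roles(), export_before() and export_after() are hypothetical names, and only the two capability strings come from the report.

```php
<?php
// Constructed role map for illustration: only the two capabilities named in the report.
const ROLE_CAPS = [
    'teacher'        => ['moodle/course:viewparticipants'], // non-editing teacher
    'editingteacher' => ['moodle/course:viewparticipants', 'moodle/course:manageactivities'],
    'guest'          => [],
];

// Hypothetical stand-in for a capability lookup, keyed by role name.
function role_has_capability(string $cap, string $role): bool {
    return in_array($cap, ROLE_CAPS[$role] ?? [], true);
}

// Audit helper: roles that are shown a control ($uicap) but refused by its handler ($handlercap).
function mismatched_roles(string $uicap, string $handlercap): array {
    return array_values(array_filter(array_keys(ROLE_CAPS), function (string $role) use ($uicap, $handlercap) {
        return role_has_capability($uicap, $role) && !role_has_capability($handlercap, $role);
    }));
}

// Behaviour described in the report: stricter capability, no else branch.
function export_before(string $role): string {
    $output = '';
    if (role_has_capability('moodle/course:manageactivities', $role)) {
        $output = 'participants.csv';
    }
    return $output; // An empty string models the white page.
}

// Suggested fix: check the capability that gates the list, and fail with a message.
function export_after(string $role): string {
    if (role_has_capability('moodle/course:viewparticipants', $role)) {
        return 'participants.csv';
    } else {
        throw new RuntimeException("Role '$role' may not download the participants list");
    }
}

// Which roles see the download control but are refused by the handler?
print_r(mismatched_roles('moodle/course:viewparticipants', 'moodle/course:manageactivities'));
var_dump(export_before('teacher')); // Silent denial for the non-editing teacher.
var_dump(export_after('teacher'));  // Same role after the fix.
try {
    export_after('guest');          // A role without the capability gets an explicit error.
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```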

      People

      • Votes: 0
      • Watchers: 1

      Time Tracking

      • Estimated: 0m
      • Remaining: 0m
      • Logged: 10m