Bug
Resolution: Fixed
Minor
3.6.4, 3.9.3, 3.10
MOODLE_310_STABLE, MOODLE_36_STABLE, MOODLE_39_STABLE
MOODLE_310_STABLE, MOODLE_39_STABLE
MDL-65852-master
Easy
STEPS TO REPRODUCE:
While viewing the participants list of a course as non-editing teacher, select one or more users and choose to download the table data as any file type.
EXPECTED RESULT:
The chosen file type being offered for download, or an error message explaining why the action failed.
ACTUAL RESULT:
The browser location switches to the script user/action_redir.php, which in turn shows only a white page, lacking any output or error message.
CAUSE:
The capability check for allowing the creation of the download file in the script user/action_redir.php is for the capability moodle/course:manageactivities. Non-editing teachers by default have the permission course:viewparticipants, but lack the permission course:manageactivities. As a result, they have access to download the user list, but then are denied by the script. Also, the if statement checking for the capability has no else section, so no error is printed when the check fails.
COMMENTS:
It is understandable that it is not possible to declare a capability for every single action in the platform; still, there is a big difference between being able to download a user list that is already visible and managing the course's activities. Also, even if the capability check is to remain unchanged, a print_error would be necessary for the user's information. Of course, another solution would be to hide the download option too with the same capability check, although this sounds like overkill.
SUGGESTED FIX:
Change the capability check in user/action_redir.php Line 82 to something more appropriate, like moodle/course:viewparticipants.
Add an else{print_error()} statement after the capability check (user/action_redir.php Line 119) so that users are informed about the situation.
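
The following is an added example, not part of the original report and not Moodle's code: a small stand-alone PHP model of the check described under CAUSE, with the reported behaviour next to the suggested fix. The role table, function names and sample rows are constructed for illustration; only the two capability names come from the report.

```php
<?php
// Constructed model of the check described in this report; not Moodle code.
// Role grants follow the report: a non-editing teacher holds
// moodle/course:viewparticipants but not moodle/course:manageactivities.
const ROLE_CAPS = [
    'teacher'        => ['moodle/course:viewparticipants'],
    'editingteacher' => ['moodle/course:viewparticipants', 'moodle/course:manageactivities'],
];

// Hypothetical stand-in for a capability lookup; unknown roles get nothing.
function role_can(string $role, string $cap): bool {
    return in_array($cap, ROLE_CAPS[$role] ?? [], true);
}

// Naive CSV writer (no quoting), enough for the constructed sample rows.
function to_csv(array $rows): string {
    return implode("\n", array_map(fn($r) => implode(',', $r), $rows)) . "\n";
}

// Reported behaviour: the handler demands a capability the list view does
// not, and has no else branch, so a denied request ends with empty output.
function download_before(string $role, array $rows): string {
    $out = '';
    if (role_can($role, 'moodle/course:manageactivities')) {
        $out = to_csv($rows);
    }
    return $out; // empty string models the white page
}

// Suggested fix: require the same capability as the participants list and
// deny explicitly, so the handler fails closed with a visible error.
function download_after(string $role, array $rows): string {
    if (!role_can($role, 'moodle/course:viewparticipants')) {
        throw new RuntimeException('nopermissions: download participants');
    }
    return to_csv($rows);
}

$rows = [['id', 'name'], [7, 'Sample Student']]; // constructed sample data
foreach (['teacher', 'editingteacher', 'guest'] as $role) {
    $before = download_before($role, $rows) === '' ? 'blank page' : 'file';
    try {
        download_after($role, $rows);
        $after = 'file';
    } catch (RuntimeException $e) {
        $after = 'error: ' . $e->getMessage();
    }
    printf("%-15s before=%-10s after=%s\n", $role, $before, $after);
}
```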