Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-65852

Non-editing teacher should be able to download course participants list

XMLWordPrintable

    • MOODLE_310_STABLE, MOODLE_36_STABLE, MOODLE_39_STABLE
    • MOODLE_310_STABLE, MOODLE_39_STABLE
    • MDL-65852-master
    • Easy
    • Hide

      Test

      1. Login as admin.
      2. Create a course.
      3. Enrol students and a non-editing teacher into the course.
      4. Login as the non-editing teacher.
      5. Go to the course.
      6. Go to the course participants page.
      7. Select all course participants from the table.
      8. From "With selected users..." choose "Download table data as: Comma separated values (.csv)"
        • confirm the curse participants list has been downloaded without any issues.
      Show
      Test Login as admin. Create a course. Enrol students and a non-editing teacher into the course. Login as the non-editing teacher. Go to the course. Go to the course participants page. Select all course participants from the table. From "With selected users..." choose "Download table data as: Comma separated values (.csv)" confirm the curse participants list has been downloaded without any issues.
    • Moppies Kanban

      STEPS TO REPRODUCE:

      While viewing the participants list of a course as non-editing teacher, select one or more users and choose to download the table data as any file type.

      EXPECTED RESULT:

      The chosen file type being offered for download, or an error message explaining why the action failed.

      ACTUAL RESULT:

      The browser location switches to the script user/action_redir.php, which in turn show only a white page, lacking any output or error message.

      CAUSE:

      The capability check for allowing the creation of the download file in the script user/action_redir.php is for the capability moodle/course:manageactivities. Non-editing teachers by default have the permission course:viewparticipants, but lack the permission course:manageactivities. As a result the have access to download the user list, but then are denied by the script. Also the if statement checking for the capability has no else section, so no error is printed when the check fails.

      COMMENTS:

      It is understandable that it is not possible to declare a capability for every single action in the platform, still there is a big difference between being able to download a user list that is already visible, and managing the course's activities. Also, even if the capability check is to remain unchanged, a print_error would be necessary for the user's information. Of course another solution would be to hide the download option too with the same capability check, although this sounds like an overkill.

      SUGGESTED FIX

      Change the capability check in user/action_redir.php Line 82 to something more appropriate, like moodle/course:viewparticipants.

      Add an else{print_error()} statement after the capability check  (user/action_redir.php Line 119) so that users are informed about the situation

            ilyatregubov Ilya Tregubov
            γιώργοςμαριός Γιώργος Μαριός
            Mihail Geshoski Mihail Geshoski
            Andrew Lyons Andrew Lyons
            Anna Carissa Sadia Anna Carissa Sadia
            Votes:
            3 Vote for this issue
            Watchers:
            11 Start watching this issue

              Created:
              Updated:
              Resolved:

                Estimated:
                Original Estimate - 0 minutes
                0m
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 4 hours
                4h

                  Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.