Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-65852

Non-editing teacher should be able to download course participants list

    XMLWordPrintable

Details

    • MOODLE_310_STABLE, MOODLE_36_STABLE, MOODLE_39_STABLE
    • MOODLE_310_STABLE, MOODLE_39_STABLE
    • MDL-65852-master
    • Easy
    • Hide

      Test

      1. Login as admin.
      2. Create a course.
      3. Enrol students and a non-editing teacher into the course.
      4. Login as the non-editing teacher.
      5. Go to the course.
      6. Go to the course participants page.
      7. Select all course participants from the table.
      8. From "With selected users..." choose "Download table data as: Comma separated values (.csv)"
        • confirm the curse participants list has been downloaded without any issues.
      Show
      Test Login as admin. Create a course. Enrol students and a non-editing teacher into the course. Login as the non-editing teacher. Go to the course. Go to the course participants page. Select all course participants from the table. From "With selected users..." choose "Download table data as: Comma separated values (.csv)" confirm the curse participants list has been downloaded without any issues.
    • Moppies Kanban

    Description

      STEPS TO REPRODUCE:

      While viewing the participants list of a course as non-editing teacher, select one or more users and choose to download the table data as any file type.

      EXPECTED RESULT:

      The chosen file type being offered for download, or an error message explaining why the action failed.

      ACTUAL RESULT:

      The browser location switches to the script user/action_redir.php, which in turn show only a white page, lacking any output or error message.

      CAUSE:

      The capability check for allowing the creation of the download file in the script user/action_redir.php is for the capability moodle/course:manageactivities. Non-editing teachers by default have the permission course:viewparticipants, but lack the permission course:manageactivities. As a result the have access to download the user list, but then are denied by the script. Also the if statement checking for the capability has no else section, so no error is printed when the check fails.

      COMMENTS:

      It is understandable that it is not possible to declare a capability for every single action in the platform, still there is a big difference between being able to download a user list that is already visible, and managing the course's activities. Also, even if the capability check is to remain unchanged, a print_error would be necessary for the user's information. Of course another solution would be to hide the download option too with the same capability check, although this sounds like an overkill.

      SUGGESTED FIX

      Change the capability check in user/action_redir.php Line 82 to something more appropriate, like moodle/course:viewparticipants.

      Add an else{print_error()} statement after the capability check  (user/action_redir.php Line 119) so that users are informed about the situation

      Attachments

        Issue Links

          Activity

            People

              ilyatregubov Ilya Tregubov
              γιώργοςμαριός Γιώργος Μαριός
              Mihail Geshoski Mihail Geshoski
              Andrew Lyons Andrew Lyons
              Anna Carissa Sadia Anna Carissa Sadia
              Votes:
              3 Vote for this issue
              Watchers:
              11 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - 0 minutes
                  0m
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 4 hours
                  4h

                  Clockify

                    Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.