-
Bug
-
Resolution: Fixed
-
Major
-
3.7
-
MOODLE_37_STABLE
-
MOODLE_37_STABLE
-
As has been experienced at learn.moodle.net, the site seems to send insight notifications to users even if they do not have the moodle/analytics:listowninsights capability assigned.
The method get_insights_users() should check that CONTEXT_USER users have moodle/analytics:listowninsights capability.
get_insights_users works also at CONTEXT_USER level since 3.7. This function is the one controlling who will get an insight notification. Users should not receive a notification about an insight if they don't have the capability to see it (moodle/analytics:listowninsights). We check that the user has the capability in check_can_list_insights (the function that controls the access to the insight) but we should not even generate a notification if the user has no permission to see it.