Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-67016

When hiddenuserfields contains "mycourses", a user can't see his enrolled courses on his own profile page

    XMLWordPrintable

    Details

    • Testing Instructions:
      Hide
      1. Create 2 courses and enrol 2 students in both of them
      2. As an Admin, go to the configuration section containing "hiddenuserfields" (…/admin/settings.php?section=userpolicies).
      3. In the setting 'Hide user fields' (hiddenuserfield) mark "My Courses" (and others, if you wish) and save.
      4. Log in as a student in course 1
      5. Then view your own profile page.
      6. Verify you see a 'course profiles' heading under the course details section, which shows 2 courses.
      7. Inspect the profile of another student in the course
      8. Verify you can't see the course profiles section mentioned above. There will be a course details section - this is normal
      Show
      Create 2 courses and enrol 2 students in both of them As an Admin, go to the configuration section containing "hiddenuserfields" (…/admin/settings.php?section=userpolicies). In the setting 'Hide user fields' (hiddenuserfield) mark "My Courses" (and others, if you wish) and save. Log in as a student in course 1 Then view your own profile page. Verify you see a 'course profiles' heading under the course details section, which shows 2 courses. Inspect the profile of another student in the course Verify you can't see the course profiles section mentioned above. There will be a course details section - this is normal
    • Affected Branches:
      MOODLE_35_STABLE, MOODLE_36_STABLE, MOODLE_37_STABLE
    • Fixed Branches:
      MOODLE_36_STABLE, MOODLE_37_STABLE
    • Pull from Repository:
    • Pull 3.5 Branch:
      MDL-67016-35-user-profile-see-own-courses
    • Pull 3.7 Branch:
      MDL-67016-37-user-profile-see-own-courses
    • Pull Master Branch:
      MDL-67016-master-user-profile-see-own-courses

      Description

      See https://tracker.moodle.org/browse/MDL-21394.

      Our version is Moodle 3.5.8. The problem is still present in master.

      https://github.com/moodle/moodle/blob/9f997f9bd7edc6ea0b4371804f9a78b84f866e51/lib/myprofilelib.php#L230-L233

      Configure "mycourses" as a hidden user field, login as a user without the capability "moodle/user:viewhiddendetails" and you can't see your own courses.

      Solution would just be to check for $iscurrentuser, e.g.:

          if (!isset($hiddenfields['mycourses']) || $iscurrentuser) {
              $showallcourses = optional_param('showallcourses', 0, PARAM_INT);
              if ($mycourses = enrol_get_all_users_courses($user->id, true, null)) {
                  $shown = 0;
      

        Attachments

          Activity

            People

            Assignee:
            poggenpohlda Daniel Poggenpohl
            Reporter:
            poggenpohlda Daniel Poggenpohl
            Peer reviewer:
            Luca Bösch
            Integrator:
            Jake Dallimore
            Tester:
            Gladys Basiana
            Participants:
            Component watchers:
            Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias, Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Sara Arjona (@sarjona), Víctor Déniz Falcón
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:
              Fix Release Date:
              11/Nov/19

                Time Tracking

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 50 minutes
                50m