Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-68425

Participants page shows option to send messages without capability check

XMLWordPrintable

    • MOODLE_38_STABLE, MOODLE_39_STABLE
    • MOODLE_38_STABLE
    • Hide
      • As admin, change capability for an Authenticated user to prevent/prohibit 'moodle/site:sendmessage' and 'moodle/course:bulkmessaging'.
      • Flush caches
      • Log in as a teacher.
      • Go to a course.
      • Go to the Participants page.
      • Select one or more users.
      • Click the drop-down labelled 'With selected users...'

      Expected result:

      • No option to send a message should be shown.
      Show
      As admin, change capability for an Authenticated user to prevent/prohibit 'moodle/site:sendmessage' and 'moodle/course:bulkmessaging'. Flush caches Log in as a teacher. Go to a course. Go to the Participants page. Select one or more users. Click the drop-down labelled 'With selected users...' Expected result: No option to send a message should be shown.

      At present, on the Participants page, the option to send users a message is show, regardless of the user's capability to send messages.

      Replication steps:

      • As admin, change capability for an Authenticated user to prevent/prohibit 'moodle/site:sendmessage'.
      • Flush caches
      • Log in as a teacher.
      • Go to a course.
      • Go to the Participants page.
      • Select one or more users.
      • Click the drop-down labelled 'With selected users...'

      Expected result:

      • No option to send a message should be shown.

      Actual result

      • The option to send a message is included in the list.

       

      I found there is a missing capability check in user\index.php when building the list. This capability check is present in other similar instances in core.

        1. image-2020-04-16-09-45-55-560.png
          image-2020-04-16-09-45-55-560.png
          37 kB
        2. MDL-68425.jpg
          MDL-68425.jpg
          31 kB
        3. patch.diff
          0.6 kB

            salvetore Michael de Raadt
            salvetore Michael de Raadt
            Andrew Lyons Andrew Lyons
            Jake Dallimore Jake Dallimore
            Anna Carissa Sadia Anna Carissa Sadia
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

              Created:
              Updated:
              Resolved:

                Estimated:
                Original Estimate - 0 minutes
                0m
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 50 minutes
                50m

                  Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.