Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-68425

Participants page shows option to send messages without capability check

    XMLWordPrintable

Details

    • MOODLE_38_STABLE, MOODLE_39_STABLE
    • MOODLE_38_STABLE
    • Hide
      • As admin, change capability for an Authenticated user to prevent/prohibit 'moodle/site:sendmessage' and 'moodle/course:bulkmessaging'.
      • Flush caches
      • Log in as a teacher.
      • Go to a course.
      • Go to the Participants page.
      • Select one or more users.
      • Click the drop-down labelled 'With selected users...'

      Expected result:

      • No option to send a message should be shown.
      Show
      As admin, change capability for an Authenticated user to prevent/prohibit 'moodle/site:sendmessage' and 'moodle/course:bulkmessaging'. Flush caches Log in as a teacher. Go to a course. Go to the Participants page. Select one or more users. Click the drop-down labelled 'With selected users...' Expected result: No option to send a message should be shown.

    Description

      At present, on the Participants page, the option to send users a message is show, regardless of the user's capability to send messages.

      Replication steps:

      • As admin, change capability for an Authenticated user to prevent/prohibit 'moodle/site:sendmessage'.
      • Flush caches
      • Log in as a teacher.
      • Go to a course.
      • Go to the Participants page.
      • Select one or more users.
      • Click the drop-down labelled 'With selected users...'

      Expected result:

      • No option to send a message should be shown.

      Actual result

      • The option to send a message is included in the list.

       

      I found there is a missing capability check in user\index.php when building the list. This capability check is present in other similar instances in core.

      Attachments

        1. image-2020-04-16-09-45-55-560.png
          image-2020-04-16-09-45-55-560.png
          37 kB
        2. MDL-68425.jpg
          MDL-68425.jpg
          31 kB
        3. patch.diff
          0.6 kB

        Issue Links

          Activity

            People

              salvetore Michael de Raadt
              salvetore Michael de Raadt
              Andrew Lyons Andrew Lyons
              Jake Dallimore Jake Dallimore
              Anna Carissa Sadia Anna Carissa Sadia
              Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Ilya Tregubov, Laurent David, Raquel Ortega, Sara Arjona (@sarjona)
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:
                13/Jul/20

                Time Tracking

                  Estimated:
                  Original Estimate - 0 minutes
                  0m
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 50 minutes
                  50m