Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-68425

Participants page shows option to send messages without capability check

    XMLWordPrintable

Details

    • MOODLE_38_STABLE, MOODLE_39_STABLE
    • MOODLE_38_STABLE
    • Hide
      • As admin, change capability for an Authenticated user to prevent/prohibit 'moodle/site:sendmessage' and 'moodle/course:bulkmessaging'.
      • Flush caches
      • Log in as a teacher.
      • Go to a course.
      • Go to the Participants page.
      • Select one or more users.
      • Click the drop-down labelled 'With selected users...'

      Expected result:

      • No option to send a message should be shown.
      Show
      As admin, change capability for an Authenticated user to prevent/prohibit 'moodle/site:sendmessage' and 'moodle/course:bulkmessaging'. Flush caches Log in as a teacher. Go to a course. Go to the Participants page. Select one or more users. Click the drop-down labelled 'With selected users...' Expected result: No option to send a message should be shown.

    Description

      At present, on the Participants page, the option to send users a message is show, regardless of the user's capability to send messages.

      Replication steps:

      • As admin, change capability for an Authenticated user to prevent/prohibit 'moodle/site:sendmessage'.
      • Flush caches
      • Log in as a teacher.
      • Go to a course.
      • Go to the Participants page.
      • Select one or more users.
      • Click the drop-down labelled 'With selected users...'

      Expected result:

      • No option to send a message should be shown.

      Actual result

      • The option to send a message is included in the list.

       

      I found there is a missing capability check in user\index.php when building the list. This capability check is present in other similar instances in core.

      Attachments

        1. patch.diff
          0.6 kB
        2. MDL-68425.jpg
          MDL-68425.jpg
          31 kB
        3. image-2020-04-16-09-45-55-560.png
          image-2020-04-16-09-45-55-560.png
          37 kB

        Issue Links

          has been marked as being related by

          Improvement - An enhancement to an existing Moodle feature. MDL-66892 The participants page should use the new core_message/message_send_bulk

          • Minor - Minor loss of function where workaround is possible
          • Open
          will help resolve

          Bug - A problem which impairs or prevents Moodle from functioning correctly. MDL-59410 Sending a message from the participants list when messaging is disabled sends email containing link to error page

          • Minor - Minor loss of function where workaround is possible
          • Closed

          Activity

            People

              salvetore Michael de Raadt
              salvetore Michael de Raadt
              Andrew Lyons Andrew Lyons
              Jake Dallimore Jake Dallimore
              Anna Carissa Sadia Anna Carissa Sadia
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:
                13/Jul/20

                Time Tracking

                  Estimated:
                  Original Estimate - 0 minutes
                  0m
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 50 minutes
                  50m