Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-68425

Participants page shows option to send messages without capability check

XMLWordPrintable

    • MOODLE_38_STABLE, MOODLE_39_STABLE
    • MOODLE_38_STABLE
    • Hide
      • As admin, change capability for an Authenticated user to prevent/prohibit 'moodle/site:sendmessage' and 'moodle/course:bulkmessaging'.
      • Flush caches
      • Log in as a teacher.
      • Go to a course.
      • Go to the Participants page.
      • Select one or more users.
      • Click the drop-down labelled 'With selected users...'

      Expected result:

      • No option to send a message should be shown.
      Show
      As admin, change capability for an Authenticated user to prevent/prohibit 'moodle/site:sendmessage' and 'moodle/course:bulkmessaging'. Flush caches Log in as a teacher. Go to a course. Go to the Participants page. Select one or more users. Click the drop-down labelled 'With selected users...' Expected result: No option to send a message should be shown.

      At present, on the Participants page, the option to send users a message is show, regardless of the user's capability to send messages.

      Replication steps:

      • As admin, change capability for an Authenticated user to prevent/prohibit 'moodle/site:sendmessage'.
      • Flush caches
      • Log in as a teacher.
      • Go to a course.
      • Go to the Participants page.
      • Select one or more users.
      • Click the drop-down labelled 'With selected users...'

      Expected result:

      • No option to send a message should be shown.

      Actual result

      • The option to send a message is included in the list.

       

      I found there is a missing capability check in user\index.php when building the list. This capability check is present in other similar instances in core.

        1. image-2020-04-16-09-45-55-560.png
          37 kB
          Amaia Anabitarte
        2. MDL-68425.jpg
          31 kB
          Anna Carissa Sadia
        3. patch.diff
          0.6 kB
          Michael de Raadt

            salvetore Michael de Raadt
            salvetore Michael de Raadt
            Andrew Lyons Andrew Lyons
            Jake Dallimore Jake Dallimore
            Anna Carissa Sadia Anna Carissa Sadia
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

              Created:
              Updated:
              Resolved:

                Estimated:
                Original Estimate - 0 minutes
                0m
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 50 minutes
                50m

                  Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.