Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-68425

Participants page shows option to send messages without capability check

    XMLWordPrintable

    Details

    • Testing Instructions:
      Hide
      • As admin, change capability for an Authenticated user to prevent/prohibit 'moodle/site:sendmessage' and 'moodle/course:bulkmessaging'.
      • Flush caches
      • Log in as a teacher.
      • Go to a course.
      • Go to the Participants page.
      • Select one or more users.
      • Click the drop-down labelled 'With selected users...'

      Expected result:

      • No option to send a message should be shown.
      Show
      As admin, change capability for an Authenticated user to prevent/prohibit 'moodle/site:sendmessage' and 'moodle/course:bulkmessaging'. Flush caches Log in as a teacher. Go to a course. Go to the Participants page. Select one or more users. Click the drop-down labelled 'With selected users...' Expected result: No option to send a message should be shown.
    • Affected Branches:
      MOODLE_38_STABLE, MOODLE_39_STABLE
    • Fixed Branches:
      MOODLE_38_STABLE

      Description

      At present, on the Participants page, the option to send users a message is show, regardless of the user's capability to send messages.

      Replication steps:

      • As admin, change capability for an Authenticated user to prevent/prohibit 'moodle/site:sendmessage'.
      • Flush caches
      • Log in as a teacher.
      • Go to a course.
      • Go to the Participants page.
      • Select one or more users.
      • Click the drop-down labelled 'With selected users...'

      Expected result:

      • No option to send a message should be shown.

      Actual result

      • The option to send a message is included in the list.

       

      I found there is a missing capability check in user\index.php when building the list. This capability check is present in other similar instances in core.

        Attachments

        1. image-2020-04-16-09-45-55-560.png
          37 kB
          Amaia Anabitarte
        2. MDL-68425.jpg
          31 kB
          Anna Carissa Sadia
        3. patch.diff
          0.6 kB
          Michael de Raadt

          Issue Links

            Activity

              People

              Assignee:
              salvetore Michael de Raadt
              Reporter:
              salvetore Michael de Raadt
              Peer reviewer:
              Andrew Lyons Andrew Lyons
              Integrator:
              Jake Dallimore Jake Dallimore
              Tester:
              Anna Carissa Sadia Anna Carissa Sadia
              Participants:
              Component watchers:
              Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Ilya Tregubov, Sara Arjona (@sarjona)
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Fix Release Date:
                13/Jul/20

                  Time Tracking

                  Estimated:
                  Original Estimate - 0 minutes
                  0m
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 50 minutes
                  50m