  1. Moodle
  2. MDL-75086

Inconsistent behavior with moodle/site:viewuseridentity


Details

    • Bug
    • Status: Open
    • Minor
    • Resolution: Unresolved
    • 4.1
    • None
    • User management
    • MOODLE_401_STABLE

    Description

      We're trying to expose custom user profile fields to students; in this case, we have a custom user profile field for pronouns that is visible to "Everyone" and the checkbox for "Show user identity" is checked. Configured that way, students can see pronouns on the user profile page but not on the participants list, while a teacher can see them in both places.

      The display of custom fields in participants is driven by moodle/site:viewuseridentity; if a user does not have that capability in the given context no fields are displayed, regardless of the visibility of the field, which is inconsistent.

      Further testing shows that a teacher may override the moodle/site:viewuseridentity capability for students in their course. This does resolve the issue, but it also exposes any user field visible to "user, teachers, and admins" in addition to those available to "everyone." This does not happen on the user profile page; that still properly restricts the display of the user field.

      Steps to reproduce:

      1. Create a course with a teacher and some students.
      2. Create a custom user profile field named "pronoun", visible to everyone, 30 character display size and maximum length of 255 characters.
      3. Check the box for "Show user identity" for the pronoun field.
      4. Set the pronoun field for at least one student.
      5. As a teacher, verify that you can see the student's pronoun on the participants list and on the user profile page.
      6. As a student, verify that you cannot see the student's pronoun on the participants list and can see it on the user profile page. 
      7. As the site administrator, set the visibility of the pronoun field to "user, teachers, and admins".
      8. As a teacher, override moodle/site:viewuseridentity capability to allow students in that course.
      9. As a student, verify that you can see the student's pronoun on the participants list and cannot see it on the user profile page. 

      The capability definition for moodle/site:viewuseridentity contains no mention of potential exposure of user data, but that appears to be an inadvertent possibility. Discovered in current beta but probably present elsewhere.
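
The behaviour described in this report, as an added example that is not Moodle code and not part of the original issue: a simplified Python model of the two display decisions, listing the cases where the participants list and the profile page disagree. All names are hypothetical; it assumes "Show user identity" is checked and that the viewer is looking at another student's field.

```python
from dataclasses import dataclass

# Visibility settings named in the report (constructed constants).
EVERYONE = "everyone"
RESTRICTED = "user, teachers, and admins"

@dataclass(frozen=True)
class Viewer:
    label: str
    role: str                # "student" or "teacher"
    can_view_identity: bool  # holds moodle/site:viewuseridentity in the course

def visibility_allows(viewer, visibility):
    # The viewer is never the field's owner here, so "user" does not match.
    return visibility == EVERYONE or viewer.role in ("teacher", "admin")

def profile_page_shows(viewer, visibility):
    # Reported behaviour: the profile page honours the field's visibility.
    return visibility_allows(viewer, visibility)

def participants_list_shows(viewer, visibility):
    # Reported behaviour: only the capability is consulted; visibility is ignored.
    return viewer.can_view_identity

# Constructed viewers matching the steps to reproduce.
VIEWERS = [
    Viewer("student (default)", "student", False),
    Viewer("student (override)", "student", True),
    Viewer("teacher", "teacher", True),
]

def mismatches(viewers=VIEWERS):
    """Return (viewer, visibility, kind) where the two pages disagree."""
    out = []
    for v in viewers:
        for vis in (EVERYONE, RESTRICTED):
            on_profile = profile_page_shows(v, vis)
            on_list = participants_list_shows(v, vis)
            if on_profile != on_list:
                kind = "exposed on list" if on_list else "hidden on list"
                out.append((v.label, vis, kind))
    return out

if __name__ == "__main__":
    for row in mismatches():
        print(row)
```

The "exposed on list" row is the case to check for when reviewing course-level overrides of moodle/site:viewuseridentity.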


          People

            Unassigned Unassigned
            cfulton Charles Fulton
            Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Ilya Tregubov, Laurent David, Raquel Ortega, Sara Arjona (@sarjona)
            Votes: 2
            Watchers: 5
