- Bug
- Resolution: Unresolved
- Minor
- None
- 4.1
- MOODLE_401_STABLE
We're trying to expose custom user profile fields to students; in this case, we have a custom user profile for pronouns that is visible to "Everyone" and the checkbox for "Show user identity" is checked. Configured that way, students can see pronouns on the user profile page but not on the participants list, while a teacher can see them in both places.
The display of custom fields in participants is driven by moodle/site:viewuseridentity; if a user does not have that capability in the given context no fields are displayed, regardless of the visibility of the field, which is inconsistent.
Further testing shows that a teacher may override the moodle/site:viewuseridentity capability for students in their course. This does resolve the issue, but it also exposes any user field visible to "user, teachers, and admins" in addition to those available to "everyone." This does not happen on the user profile page; that still properly restricts the display of the user field.
Steps to reproduce:
- Create a course with a teacher and some students.
- Create a custom user profile field named "pronoun", visible to everyone, 30 character display size and maximum length of 255 characters.
- Check the box for "Show user identity" for the pronoun field.
- Set the pronoun field for at least one student.
- As a teacher, verify that you can see the student's pronoun on the participants list and on the user profile page.
- As a student, verify that you cannot see the student's pronoun on the participants list and can see it on the user profile page.
- As the site administrator, set the visibility of the pronoun field to "user, teachers, and admins".
- As a teacher, override moodle/site:viewuseridentity capability to allow students in that course.
- As a student, verify that you can see the student's pronoun on the participants list and cannot see it on the user profile page.
The capability definition for moodle/site:viewuseridentity contains no mention of potential exposure of user data, but that appears to be an inadvertent possibility. Discovered in current beta but probably present elsewhere.
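The two decision paths described in this report can be written as a small model and audited for disagreements. This is an added example, not Moodle code and not part of the original report: the `Field`, `Viewer` and `audit` names, the role labels and the sample data are all constructed for illustration, and each rule is a simplification of the behaviour the report describes.

```python
from dataclasses import dataclass

# Visibility labels as worded in the report (not Moodle's internal constants).
EVERYONE = "everyone"
TEACHERS = "user, teachers, and admins"

@dataclass(frozen=True)
class Field:
    name: str
    visibility: str
    show_identity: bool          # the "Show user identity" checkbox

@dataclass(frozen=True)
class Viewer:
    label: str
    role: str                    # "teacher" or "student"
    can_view_identity: bool      # holds moodle/site:viewuseridentity in the course

def profile_page_shows(field, viewer):
    """Profile page, as reported: decided by the field's visibility setting."""
    return field.visibility == EVERYONE or viewer.role in ("teacher", "admin")

def participants_list_shows(field, viewer):
    """Participants list, as reported: decided by the capability alone."""
    return field.show_identity and viewer.can_view_identity

def audit(fields, viewers):
    """List every (field, viewer, finding) where the two pages disagree."""
    findings = []
    for f in fields:
        for v in viewers:
            profile = profile_page_shows(f, v)
            listing = participants_list_shows(f, v)
            if listing and not profile:
                findings.append((f.name, v.label, "over-exposed in participants list"))
            elif profile and not listing and f.show_identity:
                findings.append((f.name, v.label, "hidden in participants list"))
    return findings

# Constructed viewers matching the steps to reproduce (other students' profiles).
TEACHER = Viewer("teacher", "teacher", True)
STUDENT = Viewer("student", "student", False)
STUDENT_OVERRIDE = Viewer("student with override", "student", True)

def report_scenarios():
    """Run both configurations from the report and return their findings."""
    before = audit([Field("pronoun", EVERYONE, True)], [TEACHER, STUDENT])
    after = audit([Field("pronoun", TEACHERS, True)], [TEACHER, STUDENT_OVERRIDE])
    return before, after
```

The "over-exposed" finding is the one to watch when reviewing capability overrides, since it marks a field that the participants list would show to a viewer the profile page refuses.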