-
Bug
-
Resolution: Unresolved
-
Minor
-
None
-
4.1.4, 4.2.1
-
MOODLE_401_STABLE, MOODLE_402_STABLE
The capabilities 'mod/lti:addmanualinstance' and 'mod/lti:addpreconfiguredinstance' were added in MDL-62815, but I think a bug slipped through there unnoticed.
In that issue:
a) There was a comment from Eloy essentially noting that the USE of preconfigured tools (whether site or course) was supposed to be controlled by 'mod/lti:addpreconfiguredinstance'. https://tracker.moodle.org/browse/MDL-62815?focusedCommentId=662714&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-662714
b) The manual testing didn't cover the case where there was a preconfigured COURSE tool. It only tested with preconfigured SITE tools.
c) Subsequently, the part of the testing that covered the 'mod/lti:addmanualinstance' capability failed to see what I think is a bug in the 'lti_get_lti_types_by_course()' method.
The bug:
When the user ONLY has 'mod/lti:addmanualinstance' capability, they aren't supposed to see anything other than 'automatic, based on tool URL' in the preconfigured tool select (per the testing instructions). If there's a course tool present, however, they'll also see that. Given a course tool is supposed to be considered a 'preconfigured' tool (per Eloy's comment and per my understanding too), this entry should not be present when the user doesn't have permissions 'mod/lti:addpreconfiguredinstance'. I don't think the intention was to treat course tools as a special case. Certainly there's no testing covering that.
Furthermore, if the user were to select that course-level tool when creating the instance, subsequent edits would not permit the user to change it in any way. They'll see Tool URL and can then set that, overriding the course tool they were able to set when creating the instance.
To reproduce:
- Login as the admin
- Go to "Site admin > Plugins > Activities > External tool > Manage tools"
- Click "Configure a tool manually"
- Enter the name "Site tool" and enter the URL "https://moodle.org"
- Save the tool
- Create a course
- Click to add an activity/resource, selecting "External tool" from the activity chooser
- Next to the "Preconfigured tools" select, click the "+" icon to add a course tool
- Name it "Course tool" and set the URL to "http://example.com"
- Save changes and when the tab closes, just cancel out of the activity instance form (we don't need an instance, we just need the course tool to be created).
- Enrol an editing teacher in the course
- Go to "Participants > Permissions" and select the "Editing teacher" role from the "Advanced role override" select
- filter using 'mod/lti' to make it easier to see the relevant caps
- Set the following cap values:
- "mod/lti:addmanualinstance" to "Inhert (Allow)"
- "mod/lti:addpreconfiguredinstance" to "Prohibit"
- Save the overrides.
- Log out
- Log in as the teacher
- Go to the course
- Click to add an activity/resource, selecting "External tool" from the activity chooser
- Look at the options in the "Preconfigured tools" select:
Expected: You only see the "Automatic, based on tool URL" option
Actual: You see the above option as well as the "Course tool" course preconfigured tool. - Select "Course tool" and save
- Edit the instance you just created
- Note you cannot change the preconfigured tool now
- Log out
- Log in as the admin
- Go to the course and edit the activity
- Note that you do see the preconfigured tool listed as "Course tool" here.
Changing this code to match the expectations above (no preconfigured tools listed, whether they be course or site) won't break any existing phpunit or behat tests.