Moodle / MDL-81983

Remove double capabilities check in main "Browse list of users" page


    • MOODLE_404_STABLE
    • MOODLE_403_STABLE, MOODLE_404_STABLE
    • MDL-81983_403
    • MDL-81983_404

      It's covered by automated tests; for manual testing:

      Setup

      • Create a new role without archetype:
        • Short name: MU
        • Custom full name: Manager users
        • Context types where this role may be assigned: System
        • Allowed capabilities: moodle/site:configview & moodle/user:update
      • Create a user "manager" and assign the previous role

      Test

      1. Log in as "manager"
      2. Confirm you can see Site administration > Users > Accounts > Browse list of users and access it.
      3. Confirm that no exception error is shown
      4. Log out
      5. Log in as "admin" and edit the "Manager users" role, enabling the moodle/user:delete capability and disabling moodle/user:update.
      6. Log out
      7. Log in as "manager"
      8. Confirm you can see Site administration > Users > Accounts > Browse list of users and access it.
      9. Confirm that no exception error is shown
      10. Log out
      11. Log in as "admin" and edit the "Manager users" role, disabling both the moodle/user:delete & moodle/user:update capabilities.
      12. Log out
      13. Log in as "manager"
      14. Confirm you cannot see Site administration > Users > Accounts > Browse list of users.
      15. Confirm that trying to access /admin/user.php directly shows an Access denied Moodle exception.
    • WP Sprint 2024-I2.1 (Clones)

      In the main page admin/user.php we're initialising the admin page using the admin_externalpage_setup method, where check_access() is performed based on the req_capabilities sent when we add an external page to the admin tree using the admin_externalpage API.

      Then a couple of lines later in the same file we are checking the same capabilities again.

      Probably we could remove the latter since we have a previous check.

      This change is also required for Workplace because we make some overrides on the settings page in order to make it suitable when using multitenancy, so this extra check breaks the implementation.
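
A stand-alone PHP model of the behaviour described in this issue, added here as an illustration and not taken from Moodle's code or from the patch. The class and function names, the simplified bodies and the `local/example:manageusers` capability are assumptions; only `moodle/user:update`, `moodle/user:delete` and `moodle/site:configview` come from the issue.

```php
<?php
declare(strict_types=1);
// Stand-alone model, no Moodle required. All names and bodies here are illustrative.

final class ExternalPage {
    /** @param string[] $reqCapabilities holding ANY one of these grants access */
    public function __construct(public array $reqCapabilities) {}
    public function checkAccess(array $userCaps): bool {
        return (bool) array_intersect($this->reqCapabilities, $userCaps);
    }
}

// Models admin_externalpage_setup(): one gate, driven by the admin tree entry.
function setupPage(ExternalPage $page, array $userCaps): void {
    if (!$page->checkAccess($userCaps)) {
        throw new RuntimeException('access denied');
    }
}

// Models the second, hard-coded check a few lines later in the page script.
function legacyCheck(array $userCaps): void {
    if (!array_intersect(['moodle/user:update', 'moodle/user:delete'], $userCaps)) {
        throw new RuntimeException('blocked by duplicate check');
    }
}

function visit(ExternalPage $page, array $userCaps, bool $duplicateCheck): string {
    try {
        setupPage($page, $userCaps);
        if ($duplicateCheck) { legacyCheck($userCaps); }
        return 'ok';
    } catch (RuntimeException $e) {
        return $e->getMessage();
    }
}

$core = new ExternalPage(['moodle/user:update', 'moodle/user:delete']);
// Hypothetical override: the page is re-registered with a different capability.
$override = new ExternalPage(['local/example:manageusers']);
$cases = [  // constructed capability sets, following the manual test plan
    'update only'     => [$core, ['moodle/site:configview', 'moodle/user:update']],
    'delete only'     => [$core, ['moodle/site:configview', 'moodle/user:delete']],
    'neither'         => [$core, ['moodle/site:configview']],
    'overridden page' => [$override, ['local/example:manageusers']],
];
foreach ($cases as $label => [$page, $caps]) {
    printf("%-16s with duplicate: %-26s without: %s\n", $label, visit($page, $caps, true), visit($page, $caps, false));
}
```

For the three core cases the result is the same with or without the second check, so removing it does not widen access; only the overridden page behaves differently, because the hard-coded check ignores what the admin tree entry requires.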

            Carlos Castillo (carlos.castillo@moodle.com)
            Paul Holden
            Sara Arjona (@sarjona)
            Ron Carl Alfon Yu