MDL-59172 user: user_can_view_profile() now checks viewalldetails cap
authorJake Dallimore <jake@moodle.com>
Tue, 1 Aug 2017 06:53:33 +0000 (14:53 +0800)
committerJake Dallimore <jake@moodle.com>
Mon, 7 Aug 2017 01:27:04 +0000 (09:27 +0800)
lib/upgrade.txt
mod/forum/user.php
user/lib.php
user/tests/userlib_test.php

index bf81ed5..77e180a 100644 (file)
@@ -41,6 +41,7 @@ information provided here is intended especially for developers.
 * New optional parameter 'closeSuggestionsOnSelect' for the enhance() function for form-autocomplete. Setting this to true will
   close the suggestions popup immediately after an option has been selected. If not specified, it defaults to true for single-select
   elements and false for multiple-select elements.
+* user_can_view_profile() now also checks the moodle/user:viewalldetails capability.
 
 === 3.3.1 ===
 
index 5922e55..b3c7f17 100644 (file)
@@ -135,8 +135,7 @@ if (empty($result->posts)) {
     // In either case we need to decide whether we can show personal information
     // about the requested user to the current user so we will execute some checks
 
-    // TODO - Remove extra cap check once MDL-59172 is resolved.
-    $canviewuser = user_can_view_profile($user, null, $usercontext) || has_capability('moodle/user:viewalldetails', $usercontext);
+    $canviewuser = user_can_view_profile($user, null, $usercontext);
 
     // Prepare the page title
     $pagetitle = get_string('noposts', 'mod_forum');
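Review bot: Dropping the `|| has_capability('moodle/user:viewalldetails', $usercontext)` fallback here is only equivalent if `user_can_view_profile()` reaches its new capability check for every caller of this page. In the user/lib.php change the check sits in the `// Number 3.` branch, and the code before that branch is not visible in this commit, so an earlier `return false` there would change who sees personal information on this page; that should be confirmed. Since `$canviewuser` gates disclosure of user details, a short comment would help, for example `// user_can_view_profile() covers moodle/user:viewalldetails since MDL-59172.` The enclosing block starts and ends outside the hunk.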
index 83044f2..b8b4a63 100644 (file)
@@ -1143,7 +1143,7 @@ function user_can_view_profile($user, $course = null, $usercontext = null) {
         $usercontext = context_user::instance($user->id);
     }
     // Number 3.
-    if (has_capability('moodle/user:viewdetails', $usercontext)) {
+    if (has_capability('moodle/user:viewdetails', $usercontext) || has_capability('moodle/user:viewalldetails', $usercontext)) {
         return true;
     }
 
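Review bot: The widened condition in the `// Number 3.` branch would read better as a single call, `if (has_any_capability(['moodle/user:viewdetails', 'moodle/user:viewalldetails'], $usercontext)) {`. That keeps the line short and makes it plain that both capabilities are evaluated against the same user context. Because this broadens who passes a profile-visibility gate, the numbered rule list that `// Number 3.` presumably refers to (in the function's docblock, outside this hunk) should also name `moodle/user:viewalldetails`, so anyone auditing access sees it. The function body starts and ends outside the hunk.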
index 0683cba..3e88074 100644 (file)
@@ -576,6 +576,15 @@ class core_userliblib_testcase extends advanced_testcase {
         $this->setUser($user5);
         $this->assertTrue(user_can_view_profile($user4));
 
+        // Test the user:viewalldetails cap check using the course creator role which, by default, can't see student profiles.
+        $this->setUser($user7);
+        $this->assertFalse(user_can_view_profile($user4));
+        assign_capability('moodle/user:viewalldetails', CAP_ALLOW, $coursecreatorrole->id, context_system::instance()->id, true);
+        reload_all_capabilities();
+        $this->assertTrue(user_can_view_profile($user4));
+        unassign_capability('moodle/user:viewalldetails', $coursecreatorrole->id, $coursecontext->id);
+        reload_all_capabilities();
+
         $CFG->coursecontact = null;
 
         // Visitor (Not a guest user, userid=0).
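Review bot: The cleanup does not undo the grant: `assign_capability()` is made at `context_system::instance()->id`, but `unassign_capability()` is passed `$coursecontext->id`. The course creator role therefore most likely keeps `moodle/user:viewalldetails` at system level for the remaining assertions in this test. Use the same context, `unassign_capability('moodle/user:viewalldetails', $coursecreatorrole->id, context_system::instance()->id);`, and follow the second `reload_all_capabilities();` with `$this->assertFalse(user_can_view_profile($user4));` to show that the revocation took effect. The test method starts and ends outside the hunk.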