MDL-65852 user: Fix permission check to download course participants.
authorIlya Tregubov <ilya@moodle.com>
Fri, 13 Nov 2020 09:02:52 +0000 (11:02 +0200)
committerIlya Tregubov <ilya@moodle.com>
Wed, 25 Nov 2020 09:27:36 +0000 (11:27 +0200)
user/action_redir.php

index 62bf3c5..cccc8e9 100644 (file)
@@ -23,6 +23,7 @@
  */
 
 require_once("../config.php");
+require_once($CFG->dirroot . '/course/lib.php');
 
 $formaction = required_param('formaction', PARAM_LOCALURL);
 $id = required_param('id', PARAM_INT);
@@ -78,7 +79,8 @@ if ($formaction == 'bulkchange.php') {
 
     if (empty($plugin) AND $operationname == 'download_participants') {
         // Check permissions.
-        if (has_capability('moodle/course:manageactivities', $context)) {
+        $pagecontext = ($course->id == SITEID) ? context_system::instance() : $context;
+        if (course_can_view_participants($pagecontext)) {
             $plugins = core_plugin_manager::instance()->get_plugins_of_type('dataformat');
             if (isset($plugins[$dataformat])) {
                 if ($plugins[$dataformat]->is_enabled()) {