From 374d3e770085b1f30c066a03d08d78dd750fdc66 Mon Sep 17 00:00:00 2001
From: Tim Hunt <T.J.Hunt@open.ac.uk>
Date: Tue, 24 Nov 2020 17:20:12 +0000
Subject: [PATCH] MDL-70320 permission overrides: role names were
 double-escaped

---
 .../tests/behat/edit_permissions.feature      |  38 +++++++++++++++---
 lib/amd/build/permissionmanager.min.js        | Bin 3400 -> 3401 bytes
 lib/amd/build/permissionmanager.min.js.map    | Bin 17918 -> 17919 bytes
 lib/amd/src/permissionmanager.js              |   2 +-
 .../permissionmanager_panelcontent.mustache   |   7 ++--
 lib/templates/permissionmanager_role.mustache |   5 ++-
 6 files changed, 40 insertions(+), 12 deletions(-)

diff --git a/admin/tool/behat/tests/behat/edit_permissions.feature b/admin/tool/behat/tests/behat/edit_permissions.feature
index e3ffc92aef1..52599d31dca 100644
--- a/admin/tool/behat/tests/behat/edit_permissions.feature
+++ b/admin/tool/behat/tests/behat/edit_permissions.feature
@@ -6,14 +6,18 @@ Feature: Edit capabilities
 
   Background:
     Given the following "users" exist:
-      | username | firstname | lastname | email |
-      | teacher1 | Teacher | 1 | teacher1@example.com |
+      | username | firstname | lastname  |
+      | teacher1 | Teacher   | 1         |
+      | tutor    | Teaching  | Assistant |
+      | student  | Student   | One       |
     And the following "courses" exist:
-      | fullname | shortname | category |
-      | Course 1 | C1 | 0 |
+      | fullname | shortname |
+      | Course 1 | C1        |
     And the following "course enrolments" exist:
-      | user | course | role |
-      | teacher1 | C1 | editingteacher |
+      | user     | course | role           |
+      | teacher1 | C1     | editingteacher |
+      | tutor    | C1     | teacher        |
+      | student  | C1     | student        |
 
   Scenario: Default system capabilities modification
     Given I log in as "admin"
@@ -60,3 +64,25 @@ Feature: Edit capabilities
     Then "mod/forum:deleteanypost" capability has "Prohibit" permission
     And "mod/forum:editanypost" capability has "Prevent" permission
     And "mod/forum:addquestion" capability has "Allow" permission
+
+  @javascript
+  Scenario: Edit permissions escapes role names correctly
+    When I am on the "C1" "Course" page logged in as "admin"
+    And I navigate to "Edit settings" in current page administration
+    And I set the following fields to these values:
+      | Your word for 'Teacher'             | Teacher >= editing  |
+      | Your word for 'Non-editing teacher' | Teacher < "editing" |
+      | Your word for 'Student'             | Studier & 'learner' |
+    And I press "Save and display"
+    And I navigate to course participants
+    Then I should see "Teacher >= editing (Teacher)" in the "Teacher 1" "table_row"
+    And I should see "Teacher < \"editing\" (Non-editing teacher)" in the "Teaching Assistant" "table_row"
+    And I should see "Studier & 'learner' (Student)" in the "Student One" "table_row"
+    And I navigate to "Permissions" in current page administration
+    And I should see "Teacher >= editing" in the "mod/forum:replypost" "table_row"
+    And I should see "Teacher < \"editing\"" in the "mod/forum:replypost" "table_row"
+    And I should see "Studier & 'learner'" in the "mod/forum:replypost" "table_row"
+    And I follow "Prohibit"
+    And "Teacher >= editing" "button" in the "Prohibit role" "dialogue" should be visible
+    And "Teacher < \"editing\"" "button" in the "Prohibit role" "dialogue" should be visible
+    And "Studier & 'learner'" "button" in the "Prohibit role" "dialogue" should be visible
diff --git a/lib/amd/build/permissionmanager.min.js b/lib/amd/build/permissionmanager.min.js
index f53bd414708c7d58f0faa75595b4ab1be18703ed..3e200156772f1a4ff7996a79b746d32d1988b2d6 100644
GIT binary patch
delta 19
acmX>hby8}BI~QA0X-P?b-ew=JKTH5ilm~DC

delta 18
ZcmX>pbwX-`I~QwaUO{QeW?!y9OaMd-2Lu2B

diff --git a/lib/amd/build/permissionmanager.min.js.map b/lib/amd/build/permissionmanager.min.js.map
index 8413c766c4fb197e0599d97d84e6abac06d83487..63e284bc594606e2cc0b57fc1b2c4130b64264fc 100644
GIT binary patch
delta 66
zcmey@&G^5YaYM4WVxXgAj<b%lqoawlPOzh6u(1<}69OV4frN9x<`(fBHIAgxl9K#9
Qb)CuY>?Jny+r4K80Mio{s{jB1

delta 65
zcmez0&G@gIaYM4WqQ9eKj<b%lqoa|tPOzh6u(1<}69OV4frNA3<`(fBHTKNBg3=Oo
PoyqU*B{mD#y=MmiyX_S^

diff --git a/lib/amd/src/permissionmanager.js b/lib/amd/src/permissionmanager.js
index 07721043e58..3f350d30fce 100644
--- a/lib/amd/src/permissionmanager.js
+++ b/lib/amd/src/permissionmanager.js
@@ -204,7 +204,7 @@ define(['jquery', 'core/config', 'core/notification', 'core/templates', 'core/yu
                 .done(function(content) {
                     panel.set('bodyContent', content);
                     panel.show();
-                    $('div.role_buttons').on('click', 'input', function(e) {
+                    $('div.role_buttons').on('click', 'button', function(e) {
                         var roleid = $(e.currentTarget).data('role-id');
                         changePermissions(row, roleid, action);
                     });
diff --git a/lib/templates/permissionmanager_panelcontent.mustache b/lib/templates/permissionmanager_panelcontent.mustache
index dc74d2497e4..da3825cd839 100644
--- a/lib/templates/permissionmanager_panelcontent.mustache
+++ b/lib/templates/permissionmanager_panelcontent.mustache
@@ -27,17 +27,18 @@
 
     Context variables required for this template:
     * confirmation Confirmation text
-    * roles array of role details
+    * roles array of role details. Note: in this array, rolename must have been
+          prepared for output with format_string, or more likely one of the role API functions like role_fix_names.
 
     Example context (json):
     { "message": "Do you really want to remove Non-editing teacher from the list of allowed roles for capability View added and updated modules in recent activity block?",
-      "roles": [{"roleid": 1, "rolename": "manager", "disabled":"disabled"}]}
+      "roles": [{"roleid": 1, "rolename": "Manager", "disabled": "disabled"}]}
 }}
 <div class="popup_content" style="text-align:center;">
     {{message}} <hr/>
     <div class="role_buttons">
         {{#roles}}
-            <input type="button" value="{{rolename}}" class="btn btn-secondary mb-1" data-role-id="{{roleid}}" {{disabled}}/>
+            <button type="button" class="btn btn-secondary mb-1" data-role-id="{{roleid}}" {{disabled}}>{{{rolename}}}</button>
         {{/roles}}
     </div>
 </div>
diff --git a/lib/templates/permissionmanager_role.mustache b/lib/templates/permissionmanager_role.mustache
index d2a1652dc38..b30865371b8 100644
--- a/lib/templates/permissionmanager_role.mustache
+++ b/lib/templates/permissionmanager_role.mustache
@@ -27,7 +27,8 @@
     * action
 
     Context variables required for this template:
-    * rolename Name of the role rendered
+    * rolename Name of the role rendered - must have been prepared for output with format_string,
+                                           or more likely one of the role API functions like role_fix_names.
     * roleid Id of the role
     * action WEhich action is done on click
     * spanclass class attribute of span
@@ -43,7 +44,7 @@
      "linkclass": "preventlink",
      "adminurl" : "http://localhost/moodle/admin/"}
 }}
-<span style="display:inline-block;" class="{{spanclass}}">&nbsp;{{rolename}}&nbsp;
+<span style="display:inline-block;" class="{{spanclass}}">&nbsp;{{{rolename}}}&nbsp;
     <a href="{{adminurl}}roles/permissions.php" class="{{linkclass}}" data-role-id="{{roleid}}" data-action="{{action}}">
         {{#icon}}
             {{#pix}}{{icon}}, core, {{iconalt}}{{/pix}}
-- 
2.17.1