From 57b81c93f5ac90319b67ec15d182c7829eefab3f Mon Sep 17 00:00:00 2001
From: =?utf8?q?David=20Mudr=C3=A1k?= <david@moodle.com>
Date: Tue, 23 Aug 2016 14:10:41 +0200
Subject: [PATCH] MDL-55667 navigation: Do not display site participants link
 to students

The problem here was that user/index.php checks the system level
capability moodle/site:viewparticipants when the user is on the front
page, and the moodle/course:viewparticipants on non-front pages.

But the navigation displayed the link by mistake even in situations,
when the user has the capability moodle/course:viewparticipants on the
front page (typically when the default role for the front page is set to
student).

Added behat tests for reproducing the bug and also for checking the
basic functionality of the feature.
---
 .../tests/behat/participants_link.feature     | 45 +++++++++++++++++++
 lib/navigationlib.php                         |  5 ++-
 2 files changed, 48 insertions(+), 2 deletions(-)
 create mode 100644 blocks/navigation/tests/behat/participants_link.feature

diff --git a/blocks/navigation/tests/behat/participants_link.feature b/blocks/navigation/tests/behat/participants_link.feature
new file mode 100644
index 00000000000..5b2f4d6afba
--- /dev/null
+++ b/blocks/navigation/tests/behat/participants_link.feature
@@ -0,0 +1,45 @@
+@block @block_navigation
+Feature: Displaying the link to the Participants page
+  In order to see the course / site participants
+  As a student / admin respectively
+  I need a link to the Participants page be displayed (but only if I can access that page)
+
+  Background:
+    Given the following "users" exist:
+      | username | firstname | lastname | email                |
+      | student1 | Student   | One      | student1@example.com |
+      | student2 | Student   | Two      | student2@example.com |
+    And the following "courses" exist:
+      | fullname | shortname |
+      | Course1  | C1        |
+    And the following "course enrolments" exist:
+      | user     | course | role    |
+      | student1 | C1     | student |
+
+  @javascript
+  Scenario: Course participants link is displayed to enrolled students after expanding the course node
+    When I log in as "student1"
+    And I expand "C1" node
+    Then "Participants" "link" should exist in the "Navigation" "block"
+    And I navigate to "Participants" node in "My courses > C1"
+    And I should see "Participants"
+    And "Student One" "link" should exist
+    And "Student Two" "link" should not exist
+
+  Scenario: Site participants link is displayed to admins
+    When I log in as "admin"
+    Then "Participants" "link" should exist in the "Navigation" "block"
+    And I navigate to "Participants" node in "Site pages"
+    And I should see "Participants"
+    And "Student One" "link" should exist
+    And "Student Two" "link" should exist
+
+  @javascript
+  Scenario: Site participants link is not displayed to students (MDL-55667)
+    Given I log in as "admin"
+    And I set the following administration settings values:
+      | defaultfrontpageroleid | Student (student) |
+    And I log out
+    When I log in as "student2"
+    And I expand "Site pages" node
+    Then "Participants" "link" should not exist in the "Navigation" "block"
diff --git a/lib/navigationlib.php b/lib/navigationlib.php
index c495a63489d..ec308c6bf87 100644
--- a/lib/navigationlib.php
+++ b/lib/navigationlib.php
@@ -2600,6 +2600,7 @@ class global_navigation extends navigation_node {
         }
 
         $sitecontext = context_system::instance();
+        $isfrontpage = ($course->id == SITEID);
 
         // Hidden node that we use to determine if the front page navigation is loaded.
         // This required as there are not other guaranteed nodes that may be loaded.
@@ -2608,8 +2609,8 @@ class global_navigation extends navigation_node {
         // Participants.
         // If this is the site course, they need to have moodle/site:viewparticipants at the site level.
         // If no, then they need to have moodle/course:viewparticipants at the course level.
-        if ((($course->id == SITEID) && has_capability('moodle/site:viewparticipants', $sitecontext)) ||
-                has_capability('moodle/course:viewparticipants', context_course::instance($course->id))) {
+        if (($isfrontpage && has_capability('moodle/site:viewparticipants', $sitecontext)) ||
+                (!$isfrontpage && has_capability('moodle/course:viewparticipants', context_course::instance($course->id)))) {
             $coursenode->add(get_string('participants'), new moodle_url('/user/index.php?id='.$course->id), self::TYPE_CUSTOM, get_string('participants'), 'participants');
         }
 
-- 
2.17.1