Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Search users group add capability check #143

Merged
merged 1 commit into from
Jan 31, 2025
Merged

Search users group add capability check #143

merged 1 commit into from
Jan 31, 2025

Conversation

sumaiyamannan
Copy link
Contributor

Hi,

This will add capability check and remove suspended users from the ajax user search.

Whenever the field "Use course groups" within each Dialogue instance is ticked and the user's role doesn't have the 'accessallgroups' capability, then the 'search_users_with_groups' php function returns all users in the course who are in the same groups as the user. e.g. If the user clicking on the ajax Search field is in the course groups: ABC, G123, Course100, then the code returns all users who is also in all those groups: Students, teachers, admins, even users who's enrolments are suspended on the course. It is because the function is not checking whether the returned users have active enrolments and also the 'mod/dialogue:receive' capability.

Regards,
Sumaiya

danmarsden
danmarsden reviewed Jan 28, 2025
View reviewed changes
classes/local/course_enrolment_manager.php Outdated
WHERE $wherecondition
AND e.courseid = :courseid
AND u.suspended = 0
AND 1 = (SELECT permission FROM {role_capabilities}
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this doesn't look right to me? - 1 = (SELECT permission) ? won't this always fail?

Copy link
Contributor Author

@sumaiyamannan sumaiyamannan Jan 28, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@danmarsden
See below from the DB. The roleid 5 (student) row is what will be feeding to the above query.

select * from mdl_role_capabilities where capability like 'mod/dialogue:receive';
  id  | contextid | roleid |      capability      | permission | timemodified | modifierid 
------+-----------+--------+----------------------+------------+--------------+------------
 1525 |         1 |      5 | mod/dialogue:receive |          1 |   1738014397 |          0
 1526 |         1 |      4 | mod/dialogue:receive |          1 |   1738014397 |          0
 1527 |         1 |      3 | mod/dialogue:receive |          1 |   1738014397 |          0
 1528 |         1 |      1 | mod/dialogue:receive |         -1 |   1738014397 |          0

FYI, originally this check was happening here
a780f1a#diff-3225b1da5120a47d49b4b7c16c551baa2345b7752f3934d25424563dde571dfaL142
But it created a performance load on heavy courses as this way was first adding the users n then removing them.

@sumaiyamannan sumaiyamannan force-pushed the search_users_add_capability_check branch from a484481 to ddd946e Compare January 30, 2025 03:24
@sumaiyamannan
Copy link
Contributor Author

Hey @danmarsden
I have redone it using get_enrolled_sql() to get the sql fragments.
Please note the original reported issue had referred to activity instance with "Use course groups" but I noticed that suspended users were being included even if course groups were not being used. This will be fixed with this change.
Regards,
Sumaiya

@danmarsden danmarsden merged commit 5879fb7 into danmarsden:MOODLE_401_STABLE Jan 31, 2025
19 of 23 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@danmarsden danmarsden danmarsden left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sumaiyamannan @danmarsden