Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-50292

mod_choice: Add new capability to view published results (on top of capability to view choice itself)

XMLWordPrintable

    • Icon: Improvement Improvement
    • Resolution: Won't Do
    • Icon: Minor Minor
    • None
    • 2.9, 3.1, 3.4
    • Choice
    • MOODLE_29_STABLE, MOODLE_31_STABLE, MOODLE_34_STABLE
    • MDL-50292_m35v1
    • Easy
    • Hide
      1. Testing the choice:viewpublishedresults permission
        1. Create a choice activity and set the publish results option to "Always show to users"
        2. Override the permissions on the choice activity so the choice:viewpublishedresults permission is prohibited for student2
        3. Have student1 make a selection
        4. Verify student1 can see the results
        5. Have student 2 make a selection
        6. Verify that student 2 CANNOT see the results
      2. Repeat both of the above tests using the Moodle Mobile App and verify everything works as expected.

      Automated testing:

      1. Run behat for mod_choice
      2. Run phpunit for mod_choice
      Show
      Testing the choice:viewpublishedresults permission Create a choice activity and set the publish results option to "Always show to users" Override the permissions on the choice activity so the choice:viewpublishedresults permission is prohibited for student2 Have student1 make a selection Verify student1 can see the results Have student 2 make a selection Verify that student 2 CANNOT see the results Repeat both of the above tests using the Moodle Mobile App and verify everything works as expected. Automated testing: Run behat for mod_choice Run phpunit for mod_choice

      It is possible for guests to see the details of participants' choices and there is no capability to control this. There is a setting to control whether results should be shown, but there is no way to discriminate between guests and authenticated users.

      This could potentially be considered a minor security issue as it is revealing student details to unauthorised users. There should be a capability that prevents guests from viewing choices made.

      Replication steps:

      1. Log in as admin/teacher
      2. Log into a course that is open to guests or use the Front page
      3. Create a Choice activity with a few choices
      4. Set Publish results to Always show results to students
      5. Save the activity
      6. Log in as a student
      7. Make a choice
      8. Log out
      9. Access the Choice activity

      Expected result
      Results should not be available to guests or shown in an anonymised form.

      Actual result
      The image and name of students who have made a choice is visible.

        1. 2015-06-02 17_18_17-Choice on front page.png
          2015-06-02 17_18_17-Choice on front page.png
          418 kB

            Unassigned Unassigned
            salvetore Michael de Raadt
            Adrian Greeve Adrian Greeve
            Eloy Lafuente (stronk7) Eloy Lafuente (stronk7)
            Votes:
            2 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved:

                Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.