  1. Moodle
  2. MDL-51067

Remove the ability for users to add blocks to their profile page


    • Improvement
    • Resolution: Deferred
    • Minor
    • None
    • 2.8.7, 2.9.1, 2.9.4, 3.0.2
    • Blocks
    • MOODLE_28_STABLE, MOODLE_29_STABLE, MOODLE_30_STABLE
    • MDL-51067-master
    • Note

      All profile pages should be accessed via user/profile.php, not user/view.php. (always site profile not course profile)

      Test 1
      1. Log in as an administrator.
      2. Visit your profile page and check that you can add blocks to it.
      3. Visit another user’s profile page and check that you can add blocks to it.
      Test 2
      1. Log in as an administrator and visit ‘Security’ > ‘Site policies’ and uncheck (if it isn’t already) ‘Force users to log in for profiles’ and save.
      2. Log in as a user with no system wide roles.
      3. Visit your profile page and check that you can NOT add blocks to it.
      4. Visit another user’s profile page and check that you can NOT add blocks to it.
      Test 3
      1. Log in as an administrator and edit the ‘Authenticated user’ role and set the capability ‘moodle/user:manageblocks’ to ‘Prohibit’ and save.
      2. Log in as a user.
      3. Visit your profile page and check that you can NOT add blocks to it.
      4. Visit another user’s profile page and check that you can NOT add blocks to it.
      5. As the admin set the capability ‘moodle/user:manageblocks’ to 'Allow' for the 'Authenticated user' role and save.
      6. As the user visit your profile page and check that you can add blocks to it.
      7. As the user visit another user’s profile page and check that you can add blocks to it.
    • Team Beards Sprint 10
    • Medium

      This is a follow-on from MDL-37736, where the ability to add blocks, or move them via AJAX, has been broken for a long time already, and we don't know the use case for being able to do this. There are security concerns about adding JavaScript to blocks on your home page and then tempting an admin to view your profile.

      We need to decide what to do with existing blocks on this page...
      We could delete them on upgrade
      We could make them not-editable and only give the option to delete

      One (safeish) option is to only remove the ability to add.

      Course profile and site profile.

            Unassigned
            Moodle HQ
            Jun Pataleta
            David Monllaó