Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-59833

Don't disclose groups on participants page

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Critical Critical
    • 3.4
    • 3.4
    • User management
    • MOODLE_34_STABLE
    • MOODLE_34_STABLE
    • MDL-59833_master
    • Hide
      1. Create a course.
      2. Assign 3 (A, B and C) students to the course.
      3. Create two groups (G1 and G2).
      4. Assign A and B to G1.
      5. Assign A and C to G2.
      6. Visit 'Site administration' > 'Users' > 'Permissions' > 'User policies'.
      7. Select 'Groups' in the 'Hide user fields' setting and click save.
      8. Visit the course.
      9. Click on participants.
      10. Ensure you can see the groups column.
      11. Log in as user A.
      12. Visit the course.
      13. Click on participants.
      14. Ensure you can not see the groups column.
      Show
      Create a course. Assign 3 (A, B and C) students to the course. Create two groups (G1 and G2). Assign A and B to G1. Assign A and C to G2. Visit 'Site administration' > 'Users' > 'Permissions' > 'User policies'. Select 'Groups' in the 'Hide user fields' setting and click save. Visit the course. Click on participants. Ensure you can see the groups column. Log in as user A. Visit the course. Click on participants. Ensure you can not see the groups column.

      Don't show groups if groups is in hiddenuserfields and user cannot see hidden fields.

      From Marina - "I followed this up a little more. In 3.3 student can see groups of other students on their course profile page. This means that what I originally reported is not a bug or security issue. However if "groups" is selected in $CFG->hiddenuserfields , student will not see list of groups of other students. On master students can always see the groups. So security aspect is still there".

            markn Mark Nelson
            damyon Damyon Wiese
            Adrian Greeve Adrian Greeve
            Jun Pataleta Jun Pataleta
            David Mudrák (@mudrd8mz) David Mudrák (@mudrd8mz)
            Votes:
            1 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved:

                Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.