Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-63832

Web service mod_assign_get_submissions returns submissions the user has no permission to view

XMLWordPrintable

    • MOODLE_31_STABLE, MOODLE_33_STABLE, MOODLE_34_STABLE, MOODLE_35_STABLE, MOODLE_36_STABLE
    • MOODLE_35_STABLE
    • MDL-63832-master
    • Hide
      Prerequisite
      1. Moodle mobile app.
      2. Your Moodle mobile app should be able to connect to your Moodle website. You can either do the following:
        • Ensure that the phone with the mobile app and the web server are on the same network. Or
        • Expose the web server over the internet via ngrok.
      Test
      1. As admin, enable "Mobile services": Site administration ► Mobile app ► Mobile settings
      2. Now create a course, "C1"
      3. Enrol two users: S1 as student and T1 as teacher in C1
      4. Create an assignment activity, in the settings allow only "Online text" submissions
      5. As U1, login to the site via the browser, access the course and do a text submission
      6. As T1, login to the site via the Mobile app and check that you see U1 submission in the submission list.
      7. As admin, unenrol U1 from the course
      8. As T1, again, using the app check that you don't see U1 submission anymore listed (you may have to do a PTR - pull down to refresh action - in the device to avoid cache)
      Show
      Prerequisite Moodle mobile app. Your Moodle mobile app should be able to connect to your Moodle website. You can either do the following: Ensure that the phone with the mobile app and the web server are on the same network. Or Expose the web server over the internet via ngrok. Test As admin, enable "Mobile services": Site administration ► Mobile app ► Mobile settings Now create a course, "C1" Enrol two users: S1 as student and T1 as teacher in C1 Create an assignment activity, in the settings allow only "Online text" submissions As U1, login to the site via the browser, access the course and do a text submission As T1, login to the site via the Mobile app and check that you see U1 submission in the submission list. As admin, unenrol U1 from the course As T1, again, using the app check that you don't see U1 submission anymore listed (you may have to do a PTR - pull down to refresh action - in the device to avoid cache)

      The web service function mod_assign_get_submissions returns all the submissions of one or more assign activities, but it does not check if each of the submissions can be viewed by the user using $assign->can_view_submission. For example, it includes submissions of users that are not participants of the course.

        1. screenshot-1.png
          122 kB
          Janelle Barcega
        2. unenrolled-but-can-still-see-submission.png
          280 kB
          Jun Pataleta

            jleyva Juan Leyva
            albert.gasset Albert Gasset
            Damyon Wiese Damyon Wiese
            Jun Pataleta Jun Pataleta
            Janelle Barcega Janelle Barcega
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved:

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 25 minutes
                25m

                  Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.