  1. Moodle
  2. MDL-64444

mod_assign_get_submissions and mod_assign_get_grades incorrectly check permissions


    • MOODLE_35_STABLE, MOODLE_36_STABLE, MOODLE_37_STABLE
    • MOODLE_35_STABLE, MOODLE_36_STABLE
    • MDL-64444-master
      Note
      1. To be tested only in 36_STABLE and master. For 35_STABLE it's enough if automated tests are passing, so no action needed there.
      Prerequisite
      1. Moodle mobile app.
      2. Your Moodle mobile app should be able to connect to your Moodle website. You can do either of the following:
        • Ensure that the phone with the mobile app and the web server are on the same network. Or
        • Expose the web server over the internet via ngrok.
      Test
      1. As admin, enable "Mobile services": Site administration ► Mobile app ► Mobile settings
      2. Enable "Context freezing": Administration > Development > Experimental > Experimental settings
      3. Create a new course
      4. Enrol one user as student in the course and another one as teacher
      5. Create a new assignment activity, configured to allow only "Online text" submissions
      6. As the student user, log in to the Moodle site, go to the assignment activity, and make a submission
      7. As the teacher user, log in to the Moodle site, go to the assignment activity and grade the submission the student made
      8. Now, in the assignment main page, go to settings (via the cog) and click on "Freeze this context"
      9. As teacher, log in to the site via the Moodle Mobile app, open the assignment activity, and check that you can see the submission the student did and the grade the teacher gave.

      The web service functions mod_assign_get_submissions and mod_assign_get_grades use the capability "mod/assign:grade" to check whether the user can view all submissions of an assignment. This does not work in all cases, for example when the course is frozen. These web services should use the method "can_view_grades" of the assign class, which properly checks whether the user can view all submissions.
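
A simplified, self-contained model of the difference between the two checks, added here as an illustration and not taken from Moodle's code base. It assumes that a frozen context denies every write-type capability, that mod/assign:grade is write-type, and that can_view_grades accepts either mod/assign:viewgrades (read-type) or mod/assign:grade; ModelContext, model_has_capability, old_ws_check and model_can_view_grades are hypothetical names.

```php
<?php
// Simplified model (PHP 8+), not Moodle code. Capability types are assumptions
// stated in the lead-in.
const CAP_TYPES = [
    'mod/assign:grade'      => 'write',
    'mod/assign:viewgrades' => 'read',
];

// Stand-in for a module context; $frozen models "Freeze this context".
final class ModelContext {
    public function __construct(public array $granted, public bool $frozen = false) {}
}

// Stand-in for has_capability(): in a frozen context every write-type
// capability is denied, even when the user's role grants it.
function model_has_capability(string $cap, ModelContext $ctx): bool {
    if ($ctx->frozen && CAP_TYPES[$cap] === 'write') {
        return false;
    }
    return in_array($cap, $ctx->granted, true);
}

// The check the issue describes as incorrect: a write capability is used
// to authorise a read-only web service call.
function old_ws_check(ModelContext $ctx): bool {
    return model_has_capability('mod/assign:grade', $ctx);
}

// Stand-in for assign::can_view_grades(): either capability is sufficient,
// so read access survives freezing while users with neither stay denied.
function model_can_view_grades(ModelContext $ctx): bool {
    return model_has_capability('mod/assign:viewgrades', $ctx)
        || model_has_capability('mod/assign:grade', $ctx);
}

// Constructed sample users: a teacher with both capabilities, a student with none.
$teacher = ['mod/assign:grade', 'mod/assign:viewgrades'];
$student = [];
$cases = [['teacher', $teacher, false], ['teacher', $teacher, true], ['student', $student, true]];

foreach ($cases as [$who, $caps, $frozen]) {
    $ctx = new ModelContext($caps, $frozen);
    printf("%-8s frozen=%-5s old_check=%-5s can_view_grades=%s\n",
        $who,
        var_export($frozen, true),
        var_export(old_ws_check($ctx), true),
        var_export(model_can_view_grades($ctx), true));
}
```

The row to look at is the teacher in the frozen context: the old check denies a read-only request that the combined check allows, while the student is denied by both.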

            Juan Leyva (jleyva)
            Albert Gasset (albert.gasset)
            Jun Pataleta
            Eloy Lafuente (stronk7)
            Anna Carissa Sadia