Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-64596

New capability for searching for users across the site

XMLWordPrintable

    • MOODLE_37_STABLE
    • MDL-64596-Master
    • Hide

      Login as Admin user:

      1. Create User Accounts: User 1, User 2, User 3
      2. Create a system role: eg LookUpUser
      3. Allow the “moodle/site:lookupuser” capability to the role
      4. Assign role to User 1
      5. Enable Allow site-wide messaging (to allow adding contact)

      Login as User 1

      1. Go to Messages
      2. Search for “User”, the contacts of User 2 and User 3 shall be displayed
      3. Add User 2 to contact list

      Login as User 2

      1. Go to Messages
      2. Accept the add contact request
      3. Search for “User”, only the contact of User 1 shall be displayed.
      Show
      Login as Admin user: Create User Accounts: User 1, User 2, User 3 Create a system role: eg LookUpUser Allow the “moodle/site:lookupuser” capability to the role Assign role to User 1 Enable Allow site-wide messaging (to allow adding contact) Login as User 1 Go to Messages Search for “User”, the contacts of User 2 and User 3 shall be displayed Add User 2 to contact list Login as User 2 Go to Messages Accept the add contact request Search for “User”, only the contact of User 1 shall be displayed.

      We have clients who have high security needs and want to lock things down really tightly.

      One identified user risk is stopping users, or those in a role, from search for other users. This is leaking through the message interface. There doesn't appear to be a single capability for this, it seems broken up into a few other caps and none are quite up to the task. So I'm proposing to introduce a new cap which would be checked as well as the existing caps for different use cases so it's easy to lock it down everywhere.

      A new capability called “moodle/site:lookupuser” is added to restrict searching for non-contact user

       

      Expected behavior

       The user without moodle/site:lookupuser capability:

       - Will be able to search users who are already in their contact list

       - Will not be able to search users who are not in their contact list

      User with moodle/site:lookupuser capability will be able to search users in contact, non-contact list.

        1. eLeDia_18.02.2019 _15.39.08.png
          eLeDia_18.02.2019 _15.39.08.png
          17 kB
        2. eLeDia_18.02.2019 _15.41.38.png
          eLeDia_18.02.2019 _15.41.38.png
          12 kB

            Votes:
            13 Vote for this issue
            Watchers:
            20 Start watching this issue

              Created:
              Updated:
              Resolved:

                Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.