Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-79174

"Membership is hidden" groups do not work for availability restrictions.

XMLWordPrintable

    • MOODLE_402_STABLE
    • MOODLE_402_STABLE, MOODLE_403_STABLE
    • MDL-79174_403_STABLE
    • MDL-79174_master
    • Hide
      1. Create a course.
      2. Create a group with visibility set to "Membership is hidden".
      3. Enroll a user "user1" in the course and add them to the group.
      4. Enroll a second user "user2" in the course and do not add them to the group.
      5. Create a Page activity. Under Restrict Access, add a new restriction.
      6. Add a Group restriction
        1. Select the "Membership is hidden" group.
      7. Save the page.
      8. Log out
      9. Log in as "user1" and view the course
        1. Confirm that the Page activity is displayed.
      10. Log out
      11. Log in as "user2" and view the course
        1. Confirm that the Page activity is not displayed.
      Show
      Create a course. Create a group with visibility set to "Membership is hidden". Enroll a user "user1" in the course and add them to the group. Enroll a second user "user2" in the course and do not add them to the group. Create a Page activity. Under Restrict Access, add a new restriction. Add a Group restriction Select the "Membership is hidden" group. Save the page. Log out Log in as "user1" and view the course Confirm that the Page activity is displayed. Log out Log in as "user2" and view the course Confirm that the Page activity is not displayed.

      Steps to reproduce:

      1. Create a course.
      2. Create a group with visibility set to "Membership is hidden".
      3. Create a user, enrol them on the course and add them to the group.
      4. Create a Page activity. Under Restrict Access, add a Group restriction and select the group. Add some content and save the activity.
      5. Confirm that the Page appears on the course with the activity restriction.
      6. Log out and log in as the student.
      7. Visit the course page.
      8. The Page is not visible, even though you are a member of the group.

      This is because when the availability API calls groups_get_user_groups(), it excludes "Membership is hidden" groups as the user isn't allowed to know about them.

      Either, we need to remove these groups from the list of available groups for availability restrictions so we cannot create useless conditions, or we need a way for the groups API to return a list of the user's groups including those with "Membership is hidden".

      The second option presents a risk, as it puts the responsibility on the calling code to ensure it does not expose the hidden group memberships to the user.

        1. (1) 11 Passed -- (Main)MDL-79174.png
          (1) 11 Passed -- (Main)MDL-79174.png
          57 kB
        2. (1) 9 Passed -- (Main)MDL-79174.png
          (1) 9 Passed -- (Main)MDL-79174.png
          56 kB

            marxjohnson Mark Johnson
            marxjohnson Mark Johnson
            Simon Adams Simon Adams
            Huong Nguyen Huong Nguyen
            Kim Jared Lucas Kim Jared Lucas
            Votes:
            12 Vote for this issue
            Watchers:
            12 Start watching this issue

              Created:
              Updated:
              Resolved:

                Estimated:
                Original Estimate - 0 minutes
                0m
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 4 hours, 17 minutes
                4h 17m

                  Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.