MDL-71621 core_user: Parents could edit custom fields in child profile

moodle · Jul 23, 2021 · 9108771 · 9108771
1 parent 8c0853d
commit 9108771
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 1 deletion.
diff --git a/lang/en/admin.php b/lang/en/admin.php
@@ -1026,7 +1026,7 @@
 $string['profilesignup'] = 'Display on signup page?';
 $string['profilespecificsettings'] = 'Specific settings';
 $string['profilevisible'] = 'Who is this field visible to?';
-$string['profilevisible_help'] = '* Not visible - For private data only viewable by administrators
+$string['profilevisible_help'] = '* Not visible - For private data only viewable by administrators and managers
 * Visible to user - For private data only viewable by the user and administrators
 * Visible to user, teachers and admins - For private data only viewable by the user, administrators and teachers (on course profile)
 * Visible to everyone';

diff --git a/user/profile/lib.php b/user/profile/lib.php
@@ -453,6 +453,8 @@ public function is_visible() {
                     return true;
                 } else if ($this->userid == $USER->id) {
                     return true;
+                } else if ($this->userid > 0) {
+                    return has_capability('moodle/user:viewalldetails', $context);
                 } else {
                     $coursecontext = context_course::instance($COURSE->id);
                     return has_capability('moodle/site:viewuseridentity', $coursecontext);
@@ -468,6 +470,10 @@ public function is_visible() {
                     return has_capability('moodle/user:viewalldetails', $context);
                 }
             default:
+                // PROFILE_VISIBLE_NONE, so let's check capabilities at system level.
+                if ($this->userid > 0) {
+                    $context = context_system::instance();
+                }
                 return has_capability('moodle/user:viewalldetails', $context);
         }
     }
@@ -499,6 +505,12 @@ public function is_editable() {
             return true;
         }
 
+        // Checking for mentors have capability to edit user's profile.
+        $usercontext = context_user::instance($this->userid);
+        if ($this->userid != $USER->id && has_capability('moodle/user:editprofile', $usercontext, $USER->id)) {
+            return true;
+        }
+
         return false;
     }
 

diff --git a/user/tests/behat/custom_profile_fields.feature b/user/tests/behat/custom_profile_fields.feature
@@ -241,3 +241,41 @@ Feature: Custom profile fields should be visible and editable by those with the
     And I should not see "notvisible_field_information"
 
     And I should not see "Edit profile"
+
+  @javascript
+  Scenario: User with parent permissions on other user context can view and edit all profile fields.
+    Given the following "roles" exist:
+      | name   | shortname  | description | archetype |
+      | Parent | parent     | parent      |           |
+    And the following "users" exist:
+      | username  | firstname | lastname | email              |
+      | parent    | Parent    | user     | parent@example.com |
+    And the following "role assigns" exist:
+      | user   | role   | contextlevel | reference            |
+      | parent | parent | User         | userwithinformation  |
+    And the following "permission overrides" exist:
+      | capability                  | permission | role   | contextlevel | reference           |
+      | moodle/user:viewalldetails  | Allow      | parent | User         | userwithinformation |
+      | moodle/user:viewdetails     | Allow      | parent | User         | userwithinformation |
+      | moodle/user:editprofile     | Allow      | parent | User         | userwithinformation |
+    Given I log in as "admin"
+    And I am on site homepage
+    And I navigate to "Turn editing on" in current page administration
+    And I add the "Mentees" block
+    And I log out
+    And I log in as "parent"
+    And I am on site homepage
+    When I follow "userwithinformation"
+    Then I should see "everyonevisible_field"
+    And I should see "everyonevisible_field_information"
+    And I should see "uservisible_field"
+    And I should see "uservisible_field_information"
+    And I should see "teachervisible_field"
+    And I should see "teachervisible_field_information"
+    And I should not see "notvisible_field"
+    And I should not see "notvisible_field_information"
+    And I follow "Edit profile"
+    And the following fields match these values:
+      | everyonevisible_field | everyonevisible_field_information |
+      | uservisible_field     | uservisible_field_information     |
+      | teachervisible_field  | teachervisible_field_information  |