MDL-72772 gradereport_overview: access checks for viewing grades.

moodle · Jan 12, 2022 · 311d7ce · 311d7ce
1 parent 3f91f38
commit 311d7ce
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 9 deletions.
diff --git a/course/user.php b/course/user.php
@@ -173,6 +173,9 @@
         require_once $CFG->dirroot.'/grade/lib.php';
         require_once $CFG->dirroot.'/grade/report/'.$CFG->grade_profilereport.'/lib.php';
 
+        // User must be able to view this grade report.
+        require_capability('gradereport/' . $CFG->grade_profilereport .':view', $coursecontext);
+
         $functionname = 'grade_report_'.$CFG->grade_profilereport.'_profilereport';
         if (function_exists($functionname)) {
             $functionname($course, $user, $viewasuser);

diff --git a/grade/report/overview/lib.php b/grade/report/overview/lib.php
@@ -279,17 +279,24 @@ public function fill_table($activitylink = false, $studentcoursesonly = false) {
                 $finalgrade = $coursedata['finalgrade'];
                 $courseitem = $coursedata['courseitem'];
 
-                $coursename = format_string(get_course_display_name_for_list($course), true, array('context' => $coursecontext));
-                // Link to the activity report version of the user grade report.
-                if ($activitylink) {
-                    $courselink = html_writer::link(new moodle_url('/course/user.php', array('mode' => 'grade', 'id' => $course->id,
-                        'user' => $this->user->id)), $coursename);
-                } else {
-                    $courselink = html_writer::link(new moodle_url('/grade/report/user/index.php', array('id' => $course->id,
-                        'userid' => $this->user->id, 'group' => $this->gpr->groupid)), $coursename);
+                $coursenamelink = format_string(get_course_display_name_for_list($course), true, ['context' => $coursecontext]);
+
+                // Link to the course grade report pages (performing same capability checks as the pages themselves).
+                if ($activitylink && has_capability('gradereport/' . $CFG->grade_profilereport .':view', $coursecontext)) {
+                    $coursenamelink = html_writer::link(new moodle_url('/course/user.php', [
+                        'mode' => 'grade',
+                        'id' => $course->id,
+                        'user' => $this->user->id,
+                    ]), $coursenamelink);
+                } else if (!$activitylink && has_capability('gradereport/user:view', $coursecontext)) {
+                    $coursenamelink = html_writer::link(new moodle_url('/grade/report/user/index.php', [
+                        'id' => $course->id,
+                        'userid' => $this->user->id,
+                        'group' => $this->gpr->groupid,
+                    ]), $coursenamelink);
                 }
 
-                $data = array($courselink, grade_format_gradevalue($finalgrade, $courseitem, true));
+                $data = [$coursenamelink, grade_format_gradevalue($finalgrade, $courseitem, true)];
 
                 if ($this->showrank['any']) {
                     if ($this->showrank[$course->id] && !is_null($finalgrade)) {