MDL-58032 core_user: Fix case when acting user is a visitor

moodle · Feb 22, 2017 · 3450210 · 3450210
1 parent 0767770
commit 3450210
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 0 deletions.
diff --git a/user/lib.php b/user/lib.php
@@ -1134,6 +1134,11 @@ function user_can_view_profile($user, $course = null, $usercontext = null) {
     } else {
         $sharedcourses = enrol_get_shared_courses($USER->id, $user->id, true);
     }
+
+    if (empty($sharedcourses)) {
+        return false;
+    }
+
     foreach ($sharedcourses as $sharedcourse) {
         $coursecontext = context_course::instance($sharedcourse->id);
         if (has_capability('moodle/user:viewdetails', $coursecontext)) {

diff --git a/user/tests/userlib_test.php b/user/tests/userlib_test.php
@@ -501,6 +501,8 @@ public function test_user_can_view_profile() {
         $user5 = $this->getDataGenerator()->create_user();
         $user6 = $this->getDataGenerator()->create_user(array('deleted' => 1));
         $user7 = $this->getDataGenerator()->create_user();
+        $user8 = $this->getDataGenerator()->create_user();
+        $user8->id = 0; // Visitor.
 
         $studentrole = $DB->get_record('role', array('shortname' => 'student'));
         // Add the course creator role to the course contact and assign a user to that role.
@@ -574,6 +576,24 @@ public function test_user_can_view_profile() {
         $this->assertTrue(user_can_view_profile($user4));
 
         $CFG->coursecontact = null;
+
+        // Visitor (Not a guest user, userid=0).
+        $CFG->forceloginforprofiles = 1;
+        $this->setUser($user8);
+
+        // By default guest has 'moodle/user:viewdetails' cap.
+        $this->assertTrue(user_can_view_profile($user1));
+        $CFG->forceloginforprofiles = 0;
+        $this->assertTrue(user_can_view_profile($user1));
+
+        // Let us remove this cap.
+        $allroles = $DB->get_records_menu('role', array(), 'id', 'archetype, id');
+        assign_capability('moodle/user:viewdetails', CAP_PROHIBIT, $allroles['guest'], context_system::instance()->id, true);
+        reload_all_capabilities();
+        $CFG->forceloginforprofiles = 1;
+        $this->assertFalse(user_can_view_profile($user1));
+        $CFG->forceloginforprofiles = 0;
+        $this->assertTrue(user_can_view_profile($user1));
     }
 
     /**