MDL-72012 mod_h5pactivity: respect user access when getting report.

moodle · Sep 8, 2022 · 670b636 · 670b636
1 parent e48460c
commit 670b636
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/mod/h5pactivity/classes/local/manager.php b/mod/h5pactivity/classes/local/manager.php
@@ -451,7 +451,9 @@ public function get_grader(): grader {
      * @return report|null available report (or null if no report available)
      */
     public function get_report(int $userid = null, int $attemptid = null, $currentgroup = false): ?report {
-        global $USER;
+        global $USER, $CFG;
+
+        require_once("{$CFG->dirroot}/user/lib.php");
 
         // If tracking is disabled, no reports are available.
         if (!$this->instance->enabletracking) {
@@ -470,6 +472,14 @@ public function get_report(int $userid = null, int $attemptid = null, $currentgr
 
         if ($this->can_view_all_attempts()) {
             $user = core_user::get_user($userid);
+
+            // Ensure user can view the attempt of specific userid, respecting access checks.
+            if ($user && $user->id != $USER->id) {
+                $course = get_course($this->coursemodule->course);
+                if ($this->coursemodule->effectivegroupmode == SEPARATEGROUPS && !user_can_view_profile($user, $course)) {
+                    return null;
+                }
+            }
         } else if ($this->can_view_own_attempts()) {
             $user = core_user::get_user($USER->id);
             if ($userid && $user->id != $userid) {