From fdf9d2c0d74770f70525963d7b0c4e1f1612e37c Mon Sep 17 00:00:00 2001 From: Juan Segarra Montesinos Date: Tue, 27 Oct 2020 19:07:28 +0100 Subject: [PATCH] MDL-69797 core_grades: Implement authorization into fetch method --- .../gradingpanel/point/external/fetch.php | 8 ++- ...gradingpanel_point_external_fetch_test.php | 52 +++++++++++++++++-- 2 files changed, 56 insertions(+), 4 deletions(-) diff --git a/grade/classes/grades/grader/gradingpanel/point/external/fetch.php b/grade/classes/grades/grader/gradingpanel/point/external/fetch.php index 5feb55da73f9b..2f9dad593f9b3 100644 --- a/grade/classes/grades/grader/gradingpanel/point/external/fetch.php +++ b/grade/classes/grades/grader/gradingpanel/point/external/fetch.php @@ -128,7 +128,13 @@ public static function execute(string $component, int $contextid, string $itemna } // Fetch the actual data. - $gradeduser = \core_user::get_user($gradeduserid); + $gradeduser = \core_user::get_user($gradeduserid, '*', MUST_EXIST); + + // One can access its own grades. Others just if they're graders. + if ($gradeduserid != $USER->id) { + $gradeitem->require_user_can_grade($gradeduser, $USER); + } + $hasgrade = $gradeitem->user_has_grade($gradeduser); $grade = $gradeitem->get_grade_for_user($gradeduser, $USER); $maxgrade = (int) $gradeitem->get_grade_item()->grademax; diff --git a/grade/tests/grades_grader_gradingpanel_point_external_fetch_test.php b/grade/tests/grades_grader_gradingpanel_point_external_fetch_test.php index 66db17e7d0a05..cc0aa9a0f61b5 100644 --- a/grade/tests/grades_grader_gradingpanel_point_external_fetch_test.php +++ b/grade/tests/grades_grader_gradingpanel_point_external_fetch_test.php @@ -149,14 +149,60 @@ public function test_execute_fetch_graded(): void { $course = $forum->get_course_record(); $teacher = $this->getDataGenerator()->create_and_enrol($course, 'teacher'); $student = $this->getDataGenerator()->create_and_enrol($course, 'student'); - $this->setUser($teacher); + + $this->execute_and_assert_fetch($forum, $teacher, $teacher, $student); + } + + /** + * Class mates should not get other's grades. + */ + public function test_execute_fetch_does_not_return_data_to_other_students(): void { + $this->resetAfterTest(); + + $forum = $this->get_forum_instance([ + // Negative numbers mean a scale. + 'grade_forum' => 5, + ]); + $course = $forum->get_course_record(); + $teacher = $this->getDataGenerator()->create_and_enrol($course, 'teacher'); + $student = $this->getDataGenerator()->create_and_enrol($course, 'student'); + $evilstudent = $this->getDataGenerator()->create_and_enrol($course, 'student'); + + $this->expectException(\required_capability_exception::class); + $this->execute_and_assert_fetch($forum, $evilstudent, $teacher, $student); + } + + /** + * Grades can be returned to graded user. + */ + public function test_execute_fetch_return_data_to_graded_user(): void { + $this->resetAfterTest(); + + $forum = $this->get_forum_instance([ + // Negative numbers mean a scale. + 'grade_forum' => 5, + ]); + $course = $forum->get_course_record(); + $teacher = $this->getDataGenerator()->create_and_enrol($course, 'teacher'); + $student = $this->getDataGenerator()->create_and_enrol($course, 'student'); + + $this->execute_and_assert_fetch($forum, $student, $teacher, $student); + } + + /** + * Executes the fetch method with the given users and returns the result. + */ + private function execute_and_assert_fetch ($forum, $fetcheruser, $grader, $gradeduser) { + $this->setUser($grader); $gradeitem = component_gradeitem::instance('mod_forum', $forum->get_context(), 'forum'); - $gradeitem->store_grade_from_formdata($student, $teacher, (object) [ + $gradeitem->store_grade_from_formdata($gradeduser, $grader, (object) [ 'grade' => 4, ]); - $result = fetch::execute('mod_forum', (int) $forum->get_context()->id, 'forum', (int) $student->id); + $this->setUser($fetcheruser); + + $result = fetch::execute('mod_forum', (int) $forum->get_context()->id, 'forum', (int) $gradeduser->id); $result = external_api::clean_returnvalue(fetch::execute_returns(), $result); $this->assertIsArray($result);