danmarsden / moodle-mod_dialogue

Dialogue Module for Moodle

User selection seems to pull from sitewide "authenticated user" rights instead of course rights #109

Open Matglou opened 1 year ago

Matglou commented 1 year ago

Hi all, I seem to have run across a bug while trying to get the plugin working again in our Moodle environment. We used the plugin to have teachers contact individual students and have a message chain going throughout their education.

However, after a recent update it seems that the plugin's user selection element derives its rights structure from the global "authenticated user" role that every user gets assigned on the homepage of Moodle after logging in, instead of the role a user has in the course where the plugin is located (teacher role in our case).

This creates the paradox where we can have a teacher role have the rights to

- mod/dialogue:open
- mod/dialogue:receive
- mod/dialogue:reply
- mod/dialogue:replyany
- mod/dialogue:viewany

and sitewide:

- moodle/site:viewparticipants
- moodle/course:viewparticipants

but not be able to select any of the students to send a message to, because they get the error message "Nopermission, you do not have the right to do that (viewparticipants)". After testing, this error no longer occurs when we give "authenticated user" the moodle/site:viewparticipants and moodle/course:viewparticipants rights, but this is undesirable because then we would have to allow every user in the system access to all other users in the system, which seems unwise.

Moodle version is: 3.9.17
Plugin version is: 3.9.1

cdipe commented 1 year ago

It seems to me like a hard nut to crack... if not added to a specific role on site- or category level in Moodle, all logged in users are just "authenticated users" outside any course context.

Matglou commented 1 year ago

@cdipe yeah, that's how our system is set up, but the vast majority of rights allocations in the plugin refer to course level roles, whereas the selection of recipients is the only part that refers to a sitewide role.

This also seems to conflict with the mod/dialogue:receive right, as the selection process looks at sitewide users and allows contacting them regardless of the role they have in the course or whether or not they have the right to receive messages.
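A simplified model of the behaviour reported in the comments above, added here as an illustration and not taken from the plugin's or Moodle's code: it contrasts a recipient lookup whose permission check runs at system context with one scoped to the course and filtered on mod/dialogue:receive. The user names, course id and "guest-auditor" role are constructed, only moodle/course:viewparticipants is modelled, and capability overrides and "prohibit" permissions are left out.

```python
# Simplified model of Moodle-style capability checks (illustration, not plugin code).
# A context is a path from the site down; role assignments made at any context on
# the path apply. Overrides and "prohibit" permissions are deliberately left out.

SYSTEM = ("system",)
COURSE = ("system", "course:42")          # constructed course id

ROLE_CAPS = {                             # constructed role definitions
    "authenticated user": set(),
    "teacher": {"moodle/course:viewparticipants", "mod/dialogue:open",
                "mod/dialogue:receive"},
    "student": {"mod/dialogue:receive"},
    "guest-auditor": set(),               # hypothetical role without receive
}

# (user, context) -> roles; every logged-in user is "authenticated user" sitewide.
ASSIGNMENTS = {
    ("tina", SYSTEM): {"authenticated user"}, ("tina", COURSE): {"teacher"},
    ("sam", SYSTEM): {"authenticated user"}, ("sam", COURSE): {"student"},
    ("alex", SYSTEM): {"authenticated user"}, ("alex", COURSE): {"guest-auditor"},
    ("olga", SYSTEM): {"authenticated user"},  # not in the course at all
}

def has_capability(user, cap, context):
    """True if any role held at `context` or one of its parents grants `cap`."""
    for depth in range(1, len(context) + 1):
        for role in ASSIGNMENTS.get((user, context[:depth]), ()):
            if cap in ROLE_CAPS[role]:
                return True
    return False

def recipients_sitewide(sender):
    """Behaviour as reported: permission tested at system context, any user listed."""
    if not has_capability(sender, "moodle/course:viewparticipants", SYSTEM):
        raise PermissionError("nopermission (viewparticipants)")
    return sorted({u for (u, _) in ASSIGNMENTS} - {sender})

def recipients_course(sender, course):
    """Course-scoped check: sender needs viewparticipants in the course, and only
    users holding mod/dialogue:receive in that course are offered."""
    if not has_capability(sender, "moodle/course:viewparticipants", course):
        raise PermissionError("nopermission (viewparticipants)")
    return sorted(u for (u, c) in ASSIGNMENTS
                  if c == course and u != sender
                  and has_capability(u, "mod/dialogue:receive", course))
```

In this model, granting the capability to "authenticated user" makes `recipients_sitewide` succeed for every account, including one that is not enrolled in the course, which is the exposure the reporter wants to avoid.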

danmarsden commented 1 year ago

Thanks - pull requests (or funding for my time) to improve this are always welcome :-)

Matglou commented 1 year ago

@danmarsden thanks for getting back to me! Sorry for the late reply. I've spent a bit of time going over the code, but honestly it's above my experience level, so I'd harm more than help on that front. As for funding, I'm working for a small educational group, with most of my time being volunteered as well so that's unfortunately not readily available.