marxjohnson / moodle-block_quickfindlist

Moodle block providing a quick method of searching users
http://moodle.org/mod/data/view.php?d=13&rid=2200
6 stars 15 forks source link

use permission is only checked in system context #1

Open marxjohnson opened 12 years ago

marxjohnson commented 12 years ago

As reported by Alan Woerner

The issue Alan describes occurs as the has_capability call in get_content uses the system context, not the current instance context. This is partly due to laziness, but also partly down to security as the block potentially searches all users in the system. Extra permissions checking may need to be implemented to ensure that a user only sees results for users that they are allowed to know about.

emmarichardson commented 11 years ago

As a huge fan of this block, I would love to see this functionality implemented. I have been able to get this working for teachers with the use of a system role but am having to give them permission to view profiles of all users on the site to get it to work. Within the course, it works as intended but I would like them to be able to search across all of their courses from the front page and only be provided with results from their courses (not sure how complicated that would be to put together).

sensei-hacker commented 10 years ago

If anyone authors the capability, I'll integrate it.

emmarichardson commented 8 years ago

I discovered that if you change the .js file to reference a ? instead of & in the url and then specify the profile page in the settings, this works great. I can now get to any user regardless of whether I am on a course page or not.