
See Release Notes

  • Bug fixes for general core bugs in 3.10.x will end 8 November 2021 (12 months).
  • Bug fixes for security issues in 3.10.x will end 9 May 2022 (18 months).
  • PHP version: minimum PHP 7.2.0 Note: minimum PHP version has increased since Moodle 3.8. PHP 7.3.x and 7.4.x are supported too.


   1  <?php
   2  // This file is part of Moodle - https://moodle.org/
   3  //
   4  // Moodle is free software: you can redistribute it and/or modify
   5  // it under the terms of the GNU General Public License as published by
   6  // the Free Software Foundation, either version 3 of the License, or
   7  // (at your option) any later version.
   8  //
   9  // Moodle is distributed in the hope that it will be useful,
  10  // but WITHOUT ANY WARRANTY; without even the implied warranty of
  11  // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12  // GNU General Public License for more details.
  13  //
  14  // You should have received a copy of the GNU General Public License
  15  // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
  16  
  17  /**
  18   * Provides {@link core_user_selector_testcase} class.
  19   *
  20   * @package     core_user
  21   * @category    test
  22   * @copyright   2018 David Mudrák <david@moodle.com>
  23   * @license     http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  24   */
  25  
  26  defined('MOODLE_INTERNAL') || die();
  27  
  28  global $CFG;
  29  require_once($CFG->dirroot.'/user/selector/lib.php');
  30  require_once($CFG->dirroot.'/user/tests/fixtures/testable_user_selector.php');
  31  
  32  /**
  33   * Tests for the implementation of {@link user_selector_base} class.
  34   *
  35   * @copyright 2018 David Mudrák <david@moodle.com>
  36   * @license   http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  37   */
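  class core_user_selector_testcase extends advanced_testcase {

      /**
       * Sets up the environment shared by the hidden identity field tests.
       *
       * The site is configured to show 'idnumber', 'country' and 'city' as user identity fields, with 'country'
       * and 'city' also listed in $CFG->hiddenuserfields. A student and a teacher are given their roles in a new
       * course, and a manager is given the manager role in the system context.
       *
       * @return stdClass Object with the properties student, teacher, manager, course, coursecontext,
       *      teacherrole, studentrole and managerrole.
       */
      protected function setup_hidden_siteidentity() {
          global $CFG, $DB;

          $CFG->showuseridentity = 'idnumber,country,city';
          $CFG->hiddenuserfields = 'country,city';

          $env = new stdClass();

          $env->student = $this->getDataGenerator()->create_user();
          $env->teacher = $this->getDataGenerator()->create_user();
          $env->manager = $this->getDataGenerator()->create_user();

          $env->course = $this->getDataGenerator()->create_course();
          $env->coursecontext = context_course::instance($env->course->id);

          // MUST_EXIST makes a missing role fail here with a clear exception instead of surfacing later as a
          // property access on false when the role id is read.
          $env->teacherrole = $DB->get_record('role', ['shortname' => 'teacher'], '*', MUST_EXIST);
          $env->studentrole = $DB->get_record('role', ['shortname' => 'student'], '*', MUST_EXIST);
          $env->managerrole = $DB->get_record('role', ['shortname' => 'manager'], '*', MUST_EXIST);

          role_assign($env->studentrole->id, $env->student->id, $env->coursecontext->id);
          role_assign($env->teacherrole->id, $env->teacher->id, $env->coursecontext->id);
          role_assign($env->managerrole->id, $env->manager->id, SYSCONTEXTID);

          return $env;
      }

      /**
       * Asserts which identity fields are exposed on every user record returned by the selector.
       *
       * The selector is queried with an empty search string. The assertion fails if no user record was inspected,
       * so that a selector returning nothing cannot make a field-hiding test pass without checking anything.
       *
       * @param testable_user_selector $selector Selector to query.
       * @param string[] $visible Properties that every returned user record must have.
       * @param string[] $hidden Properties that no returned user record may have.
       */
      private function assert_identity_fields(testable_user_selector $selector, array $visible, array $hidden): void {
          $inspected = 0;

          foreach ($selector->find_users('') as $found) {
              foreach ($found as $user) {
                  $inspected++;
                  foreach ($visible as $field) {
                      $this->assertObjectHasAttribute($field, $user);
                  }
                  foreach ($hidden as $field) {
                      $this->assertObjectNotHasAttribute($field, $user);
                  }
              }
          }

          $this->assertGreaterThan(0, $inspected, 'The selector returned no users, so no identity field was checked.');
      }

      /**
       * No identity fields are shown to the student user (no permission to view identity fields).
       */
      public function test_hidden_siteidentity_fields_no_access() {
          $this->resetAfterTest();
          $env = $this->setup_hidden_siteidentity();
          $this->setUser($env->student);

          $selector = new testable_user_selector('test');

          $this->assert_identity_fields($selector, [], ['idnumber', 'country', 'city']);
      }

      /**
       * Teacher can see students' identity fields only within the course.
       */
      public function test_hidden_siteidentity_fields_course_only_access() {
          $this->resetAfterTest();
          $env = $this->setup_hidden_siteidentity();
          $this->setUser($env->teacher);

          $systemselector = new testable_user_selector('test');
          $courseselector = new testable_user_selector('test', ['accesscontext' => $env->coursecontext]);

          // Without an access context nothing is exposed; with the course context all three fields are.
          $this->assert_identity_fields($systemselector, [], ['idnumber', 'country', 'city']);
          $this->assert_identity_fields($courseselector, ['idnumber', 'country', 'city'], []);
      }

      /**
       * Teacher can be prevented from seeing students' identity fields even within the course.
       */
      public function test_hidden_siteidentity_fields_course_prevented_access() {
          $this->resetAfterTest();
          $env = $this->setup_hidden_siteidentity();
          $this->setUser($env->teacher);

          assign_capability('moodle/course:viewhiddenuserfields', CAP_PREVENT, $env->teacherrole->id, $env->coursecontext->id);

          $courseselector = new testable_user_selector('test', ['accesscontext' => $env->coursecontext]);

          // Only the fields listed in $CFG->hiddenuserfields disappear; 'idnumber' is not one of them.
          $this->assert_identity_fields($courseselector, ['idnumber'], ['country', 'city']);
      }

      /**
       * Manager can see students' identity fields anywhere.
       */
      public function test_hidden_siteidentity_fields_anywhere_access() {
          $this->resetAfterTest();
          $env = $this->setup_hidden_siteidentity();
          $this->setUser($env->manager);

          $systemselector = new testable_user_selector('test');
          $courseselector = new testable_user_selector('test', ['accesscontext' => $env->coursecontext]);

          $this->assert_identity_fields($systemselector, ['idnumber', 'country', 'city'], []);
          $this->assert_identity_fields($courseselector, ['idnumber', 'country', 'city'], []);
      }

      /**
       * Manager can be prevented from seeing hidden fields outside the course.
       */
      public function test_hidden_siteidentity_fields_schismatic_access() {
          $this->resetAfterTest();
          $env = $this->setup_hidden_siteidentity();
          $this->setUser($env->manager);

          // Revoke the capability to see hidden user fields outside the course.
          // Note that inside the course, the manager can still see the hidden identifiers as this is currently
          // controlled by a separate capability for legacy reasons. This is counter-intuitive behaviour and is
          // likely to be fixed in MDL-51630.
          assign_capability('moodle/user:viewhiddendetails', CAP_PREVENT, $env->managerrole->id, SYSCONTEXTID, true);

          $systemselector = new testable_user_selector('test');
          $courseselector = new testable_user_selector('test', ['accesscontext' => $env->coursecontext]);

          $this->assert_identity_fields($systemselector, ['idnumber'], ['country', 'city']);
          $this->assert_identity_fields($courseselector, ['idnumber', 'country', 'city'], []);
      }

      /**
       * Two capabilities must be currently set to prevent manager from seeing hidden fields.
       */
      public function test_hidden_siteidentity_fields_hard_to_prevent_access() {
          $this->resetAfterTest();
          $env = $this->setup_hidden_siteidentity();
          $this->setUser($env->manager);

          assign_capability('moodle/user:viewhiddendetails', CAP_PREVENT, $env->managerrole->id, SYSCONTEXTID, true);
          assign_capability('moodle/course:viewhiddenuserfields', CAP_PREVENT, $env->managerrole->id, SYSCONTEXTID, true);

          $systemselector = new testable_user_selector('test');
          $courseselector = new testable_user_selector('test', ['accesscontext' => $env->coursecontext]);

          // With both capabilities prevented, the hidden fields are gone in the system and the course selector.
          $this->assert_identity_fields($systemselector, ['idnumber'], ['country', 'city']);
          $this->assert_identity_fields($courseselector, ['idnumber'], ['country', 'city']);
      }

      /**
       * For legacy reasons, user selectors supported ability to override $CFG->showuseridentity.
       *
       * However, this was found as violating the principle of respecting site privacy settings. So the feature has been
       * dropped in Moodle 3.6.
       */
      public function test_hidden_siteidentity_fields_explicit_extrafields() {
          $this->resetAfterTest();
          $env = $this->setup_hidden_siteidentity();
          $this->setUser($env->manager);

          $implicitselector = new testable_user_selector('test');
          $explicitselector = new testable_user_selector('test', ['extrafields' => ['email', 'department']]);

          // A debugging message is expected once both selectors have been constructed.
          $this->assertDebuggingCalled();

          // The requested extra fields must not widen the result: both selectors expose the same set, which is
          // the three fields from $CFG->showuseridentity and neither 'email' nor 'department'.
          $this->assert_identity_fields($implicitselector, ['idnumber', 'country', 'city'], ['email', 'department']);
          $this->assert_identity_fields($explicitselector, ['idnumber', 'country', 'city'], ['email', 'department']);
      }
  }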