Search moodle.org's
Developer Documentation

See Release Notes
Long Term Support Release

  • Bug fixes for general core bugs in 4.1.x will end 13 November 2023 (12 months).
  • Bug fixes for security issues in 4.1.x will end 10 November 2025 (36 months).
  • PHP version: minimum PHP 7.4.0 Note: minimum PHP version has increased since Moodle 4.0. PHP 8.0.x is supported too.

Differences Between: [Versions 310 and 401] [Versions 39 and 401]

   1  <?php
   2  // This file is part of Moodle - https://moodle.org/
   3  //
   4  // Moodle is free software: you can redistribute it and/or modify
   5  // it under the terms of the GNU General Public License as published by
   6  // the Free Software Foundation, either version 3 of the License, or
   7  // (at your option) any later version.
   8  //
   9  // Moodle is distributed in the hope that it will be useful,
  10  // but WITHOUT ANY WARRANTY; without even the implied warranty of
  11  // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12  // GNU General Public License for more details.
  13  //
  14  // You should have received a copy of the GNU General Public License
  15  // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
  16  
  17  namespace core_user;
  18  
  19  use testable_user_selector;
  20  
  21  defined('MOODLE_INTERNAL') || die();
  22  
  23  global $CFG;
  24  require_once($CFG->dirroot.'/user/selector/lib.php');
  25  require_once($CFG->dirroot.'/user/tests/fixtures/testable_user_selector.php');
  26  
  27  /**
  28   * Tests for the implementation of {@link user_selector_base} class.
  29   *
  30   * @package   core_user
  31   * @category  test
  32   * @copyright 2018 David Mudrák <david@moodle.com>
  33   * @license   http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  34   */
  35  class userselector_test extends \advanced_testcase {
  36  
  37      /**
  38       * Setup the environment for the tests.
  39       */
  40      protected function setup_hidden_siteidentity() {
  41          global $CFG, $DB;
  42  
  43          $CFG->showuseridentity = 'idnumber,country,city';
  44          $CFG->hiddenuserfields = 'country,city';
  45  
  46          $env = new \stdClass();
  47  
  48          $env->student = $this->getDataGenerator()->create_user();
  49          $env->teacher = $this->getDataGenerator()->create_user();
  50          $env->manager = $this->getDataGenerator()->create_user();
  51  
  52          $env->course = $this->getDataGenerator()->create_course();
  53          $env->coursecontext = \context_course::instance($env->course->id);
  54  
  55          $env->teacherrole = $DB->get_record('role', array('shortname' => 'teacher'));
  56          $env->studentrole = $DB->get_record('role', array('shortname' => 'student'));
  57          $env->managerrole = $DB->get_record('role', array('shortname' => 'manager'));
  58  
  59          role_assign($env->studentrole->id, $env->student->id, $env->coursecontext->id);
  60          role_assign($env->teacherrole->id, $env->teacher->id, $env->coursecontext->id);
  61          role_assign($env->managerrole->id, $env->manager->id, SYSCONTEXTID);
  62  
  63          return $env;
  64      }
  65  
  66      /**
  67       * No identity fields are not shown to student user (no permission to view identity fields).
  68       */
  69      public function test_hidden_siteidentity_fields_no_access() {
  70          $this->resetAfterTest();
  71          $env = $this->setup_hidden_siteidentity();
  72          $this->setUser($env->student);
  73  
  74          $selector = new testable_user_selector('test');
  75  
  76          foreach ($selector->find_users('') as $found) {
  77              foreach ($found as $user) {
  78                  $this->assertObjectNotHasAttribute('idnumber', $user);
  79                  $this->assertObjectNotHasAttribute('country', $user);
  80                  $this->assertObjectNotHasAttribute('city', $user);
  81              }
  82          }
  83      }
  84  
  85      /**
  86       * Teacher can see students' identity fields only within the course.
  87       */
  88      public function test_hidden_siteidentity_fields_course_only_access() {
  89          $this->resetAfterTest();
  90          $env = $this->setup_hidden_siteidentity();
  91          $this->setUser($env->teacher);
  92  
  93          $systemselector = new testable_user_selector('test');
  94          $courseselector = new testable_user_selector('test', ['accesscontext' => $env->coursecontext]);
  95  
  96          foreach ($systemselector->find_users('') as $found) {
  97              foreach ($found as $user) {
  98                  $this->assertObjectNotHasAttribute('idnumber', $user);
  99                  $this->assertObjectNotHasAttribute('country', $user);
 100                  $this->assertObjectNotHasAttribute('city', $user);
 101              }
 102          }
 103  
 104          foreach ($courseselector->find_users('') as $found) {
 105              foreach ($found as $user) {
 106                  $this->assertObjectHasAttribute('idnumber', $user);
 107                  $this->assertObjectHasAttribute('country', $user);
 108                  $this->assertObjectHasAttribute('city', $user);
 109              }
 110          }
 111      }
 112  
 113      /**
 114       * Teacher can be prevented from seeing students' identity fields even within the course.
 115       */
 116      public function test_hidden_siteidentity_fields_course_prevented_access() {
 117          $this->resetAfterTest();
 118          $env = $this->setup_hidden_siteidentity();
 119          $this->setUser($env->teacher);
 120  
 121          assign_capability('moodle/course:viewhiddenuserfields', CAP_PREVENT, $env->teacherrole->id, $env->coursecontext->id);
 122  
 123          $courseselector = new testable_user_selector('test', ['accesscontext' => $env->coursecontext]);
 124  
 125          foreach ($courseselector->find_users('') as $found) {
 126              foreach ($found as $user) {
 127                  $this->assertObjectHasAttribute('idnumber', $user);
 128                  $this->assertObjectNotHasAttribute('country', $user);
 129                  $this->assertObjectNotHasAttribute('city', $user);
 130              }
 131          }
 132      }
 133  
 134      /**
 135       * Manager can see students' identity fields anywhere.
 136       */
 137      public function test_hidden_siteidentity_fields_anywhere_access() {
 138          $this->resetAfterTest();
 139          $env = $this->setup_hidden_siteidentity();
 140          $this->setUser($env->manager);
 141  
 142          $systemselector = new testable_user_selector('test');
 143          $courseselector = new testable_user_selector('test', ['accesscontext' => $env->coursecontext]);
 144  
 145          foreach ($systemselector->find_users('') as $found) {
 146              foreach ($found as $user) {
 147                  $this->assertObjectHasAttribute('idnumber', $user);
 148                  $this->assertObjectHasAttribute('country', $user);
 149                  $this->assertObjectHasAttribute('city', $user);
 150              }
 151          }
 152  
 153          foreach ($courseselector->find_users('') as $found) {
 154              foreach ($found as $user) {
 155                  $this->assertObjectHasAttribute('idnumber', $user);
 156                  $this->assertObjectHasAttribute('country', $user);
 157                  $this->assertObjectHasAttribute('city', $user);
 158              }
 159          }
 160      }
 161  
 162      /**
 163       * Manager can be prevented from seeing hidden fields outside the course.
 164       */
 165      public function test_hidden_siteidentity_fields_schismatic_access() {
 166          $this->resetAfterTest();
 167          $env = $this->setup_hidden_siteidentity();
 168          $this->setUser($env->manager);
 169  
 170          // Revoke the capability to see hidden user fields outside the course.
 171          // Note that inside the course, the manager can still see the hidden identifiers as this is currently
 172          // controlled by a separate capability for legacy reasons. This is counter-intuitive behaviour and is
 173          // likely to be fixed in MDL-51630.
 174          assign_capability('moodle/user:viewhiddendetails', CAP_PREVENT, $env->managerrole->id, SYSCONTEXTID, true);
 175  
 176          $systemselector = new testable_user_selector('test');
 177          $courseselector = new testable_user_selector('test', ['accesscontext' => $env->coursecontext]);
 178  
 179          foreach ($systemselector->find_users('') as $found) {
 180              foreach ($found as $user) {
 181                  $this->assertObjectHasAttribute('idnumber', $user);
 182                  $this->assertObjectNotHasAttribute('country', $user);
 183                  $this->assertObjectNotHasAttribute('city', $user);
 184              }
 185          }
 186  
 187          foreach ($courseselector->find_users('') as $found) {
 188              foreach ($found as $user) {
 189                  $this->assertObjectHasAttribute('idnumber', $user);
 190                  $this->assertObjectHasAttribute('country', $user);
 191                  $this->assertObjectHasAttribute('city', $user);
 192              }
 193          }
 194      }
 195  
 196      /**
 197       * Two capabilities must be currently set to prevent manager from seeing hidden fields.
 198       */
 199      public function test_hidden_siteidentity_fields_hard_to_prevent_access() {
 200          $this->resetAfterTest();
 201          $env = $this->setup_hidden_siteidentity();
 202          $this->setUser($env->manager);
 203  
 204          assign_capability('moodle/user:viewhiddendetails', CAP_PREVENT, $env->managerrole->id, SYSCONTEXTID, true);
 205          assign_capability('moodle/course:viewhiddenuserfields', CAP_PREVENT, $env->managerrole->id, SYSCONTEXTID, true);
 206  
 207          $systemselector = new testable_user_selector('test');
 208          $courseselector = new testable_user_selector('test', ['accesscontext' => $env->coursecontext]);
 209  
 210          foreach ($systemselector->find_users('') as $found) {
 211              foreach ($found as $user) {
 212                  $this->assertObjectHasAttribute('idnumber', $user);
 213                  $this->assertObjectNotHasAttribute('country', $user);
 214                  $this->assertObjectNotHasAttribute('city', $user);
 215              }
 216          }
 217  
 218          foreach ($courseselector->find_users('') as $found) {
 219              foreach ($found as $user) {
 220                  $this->assertObjectHasAttribute('idnumber', $user);
 221                  $this->assertObjectNotHasAttribute('country', $user);
 222                  $this->assertObjectNotHasAttribute('city', $user);
 223              }
 224          }
 225      }
 226  
 227      /**
 228       * For legacy reasons, user selectors supported ability to override $CFG->showuseridentity.
 229       *
 230       * However, this was found as violating the principle of respecting site privacy settings. So the feature has been
 231       * dropped in Moodle 3.6.
 232       */
 233      public function test_hidden_siteidentity_fields_explicit_extrafields() {
 234          $this->resetAfterTest();
 235          $env = $this->setup_hidden_siteidentity();
 236          $this->setUser($env->manager);
 237  
 238          $implicitselector = new testable_user_selector('test');
 239          $explicitselector = new testable_user_selector('test', ['extrafields' => ['email', 'department']]);
 240  
 241          $this->assertDebuggingCalled();
 242  
 243          foreach ($implicitselector->find_users('') as $found) {
 244              foreach ($found as $user) {
 245                  $this->assertObjectHasAttribute('idnumber', $user);
 246                  $this->assertObjectHasAttribute('country', $user);
 247                  $this->assertObjectHasAttribute('city', $user);
 248                  $this->assertObjectNotHasAttribute('email', $user);
 249                  $this->assertObjectNotHasAttribute('department', $user);
 250              }
 251          }
 252  
 253          foreach ($explicitselector->find_users('') as $found) {
 254              foreach ($found as $user) {
 255                  $this->assertObjectHasAttribute('idnumber', $user);
 256                  $this->assertObjectHasAttribute('country', $user);
 257                  $this->assertObjectHasAttribute('city', $user);
 258                  $this->assertObjectNotHasAttribute('email', $user);
 259                  $this->assertObjectNotHasAttribute('department', $user);
 260              }
 261          }
 262      }
 263  }