Differences Between: [Versions 310 and 403] [Versions 39 and 403]
1 <?php 2 // This file is part of Moodle - https://moodle.org/ 3 // 4 // Moodle is free software: you can redistribute it and/or modify 5 // it under the terms of the GNU General Public License as published by 6 // the Free Software Foundation, either version 3 of the License, or 7 // (at your option) any later version. 8 // 9 // Moodle is distributed in the hope that it will be useful, 10 // but WITHOUT ANY WARRANTY; without even the implied warranty of 11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 // GNU General Public License for more details. 13 // 14 // You should have received a copy of the GNU General Public License 15 // along with Moodle. If not, see <http://www.gnu.org/licenses/>. 16 17 namespace core_user; 18 19 use testable_user_selector; 20 21 defined('MOODLE_INTERNAL') || die(); 22 23 global $CFG; 24 require_once($CFG->dirroot.'/user/selector/lib.php'); 25 require_once($CFG->dirroot.'/user/tests/fixtures/testable_user_selector.php'); 26 27 /** 28 * Tests for the implementation of {@link user_selector_base} class. 29 * 30 * @package core_user 31 * @category test 32 * @copyright 2018 David Mudrák <david@moodle.com> 33 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later 34 */ 35 class userselector_test extends \advanced_testcase { 36 37 /** 38 * Setup the environment for the tests. 39 */ 40 protected function setup_hidden_siteidentity() { 41 global $CFG, $DB; 42 43 $CFG->showuseridentity = 'idnumber,country,city'; 44 $CFG->hiddenuserfields = 'country,city'; 45 46 $env = new \stdClass(); 47 48 $env->student = $this->getDataGenerator()->create_user(); 49 $env->teacher = $this->getDataGenerator()->create_user(); 50 $env->manager = $this->getDataGenerator()->create_user(); 51 52 $env->course = $this->getDataGenerator()->create_course(); 53 $env->coursecontext = \context_course::instance($env->course->id); 54 55 $env->teacherrole = $DB->get_record('role', array('shortname' => 'teacher')); 56 $env->studentrole = $DB->get_record('role', array('shortname' => 'student')); 57 $env->managerrole = $DB->get_record('role', array('shortname' => 'manager')); 58 59 role_assign($env->studentrole->id, $env->student->id, $env->coursecontext->id); 60 role_assign($env->teacherrole->id, $env->teacher->id, $env->coursecontext->id); 61 role_assign($env->managerrole->id, $env->manager->id, SYSCONTEXTID); 62 63 return $env; 64 } 65 66 /** 67 * No identity fields are not shown to student user (no permission to view identity fields). 68 */ 69 public function test_hidden_siteidentity_fields_no_access() { 70 $this->resetAfterTest(); 71 $env = $this->setup_hidden_siteidentity(); 72 $this->setUser($env->student); 73 74 $selector = new testable_user_selector('test'); 75 76 foreach ($selector->find_users('') as $found) { 77 foreach ($found as $user) { 78 $this->assertObjectNotHasAttribute('idnumber', $user); 79 $this->assertObjectNotHasAttribute('country', $user); 80 $this->assertObjectNotHasAttribute('city', $user); 81 } 82 } 83 } 84 85 /** 86 * Teacher can see students' identity fields only within the course. 87 */ 88 public function test_hidden_siteidentity_fields_course_only_access() { 89 $this->resetAfterTest(); 90 $env = $this->setup_hidden_siteidentity(); 91 $this->setUser($env->teacher); 92 93 $systemselector = new testable_user_selector('test'); 94 $courseselector = new testable_user_selector('test', ['accesscontext' => $env->coursecontext]); 95 96 foreach ($systemselector->find_users('') as $found) { 97 foreach ($found as $user) { 98 $this->assertObjectNotHasAttribute('idnumber', $user); 99 $this->assertObjectNotHasAttribute('country', $user); 100 $this->assertObjectNotHasAttribute('city', $user); 101 } 102 } 103 104 foreach ($courseselector->find_users('') as $found) { 105 foreach ($found as $user) { 106 $this->assertObjectHasAttribute('idnumber', $user); 107 $this->assertObjectHasAttribute('country', $user); 108 $this->assertObjectHasAttribute('city', $user); 109 } 110 } 111 } 112 113 /** 114 * Teacher can be prevented from seeing students' identity fields even within the course. 115 */ 116 public function test_hidden_siteidentity_fields_course_prevented_access() { 117 $this->resetAfterTest(); 118 $env = $this->setup_hidden_siteidentity(); 119 $this->setUser($env->teacher); 120 121 assign_capability('moodle/course:viewhiddenuserfields', CAP_PREVENT, $env->teacherrole->id, $env->coursecontext->id); 122 123 $courseselector = new testable_user_selector('test', ['accesscontext' => $env->coursecontext]); 124 125 foreach ($courseselector->find_users('') as $found) { 126 foreach ($found as $user) { 127 $this->assertObjectHasAttribute('idnumber', $user); 128 $this->assertObjectNotHasAttribute('country', $user); 129 $this->assertObjectNotHasAttribute('city', $user); 130 } 131 } 132 } 133 134 /** 135 * Manager can see students' identity fields anywhere. 136 */ 137 public function test_hidden_siteidentity_fields_anywhere_access() { 138 $this->resetAfterTest(); 139 $env = $this->setup_hidden_siteidentity(); 140 $this->setUser($env->manager); 141 142 $systemselector = new testable_user_selector('test'); 143 $courseselector = new testable_user_selector('test', ['accesscontext' => $env->coursecontext]); 144 145 foreach ($systemselector->find_users('') as $found) { 146 foreach ($found as $user) { 147 $this->assertObjectHasAttribute('idnumber', $user); 148 $this->assertObjectHasAttribute('country', $user); 149 $this->assertObjectHasAttribute('city', $user); 150 } 151 } 152 153 foreach ($courseselector->find_users('') as $found) { 154 foreach ($found as $user) { 155 $this->assertObjectHasAttribute('idnumber', $user); 156 $this->assertObjectHasAttribute('country', $user); 157 $this->assertObjectHasAttribute('city', $user); 158 } 159 } 160 } 161 162 /** 163 * Manager can be prevented from seeing hidden fields outside the course. 164 */ 165 public function test_hidden_siteidentity_fields_schismatic_access() { 166 $this->resetAfterTest(); 167 $env = $this->setup_hidden_siteidentity(); 168 $this->setUser($env->manager); 169 170 // Revoke the capability to see hidden user fields outside the course. 171 // Note that inside the course, the manager can still see the hidden identifiers as this is currently 172 // controlled by a separate capability for legacy reasons. This is counter-intuitive behaviour and is 173 // likely to be fixed in MDL-51630. 174 assign_capability('moodle/user:viewhiddendetails', CAP_PREVENT, $env->managerrole->id, SYSCONTEXTID, true); 175 176 $systemselector = new testable_user_selector('test'); 177 $courseselector = new testable_user_selector('test', ['accesscontext' => $env->coursecontext]); 178 179 foreach ($systemselector->find_users('') as $found) { 180 foreach ($found as $user) { 181 $this->assertObjectHasAttribute('idnumber', $user); 182 $this->assertObjectNotHasAttribute('country', $user); 183 $this->assertObjectNotHasAttribute('city', $user); 184 } 185 } 186 187 foreach ($courseselector->find_users('') as $found) { 188 foreach ($found as $user) { 189 $this->assertObjectHasAttribute('idnumber', $user); 190 $this->assertObjectHasAttribute('country', $user); 191 $this->assertObjectHasAttribute('city', $user); 192 } 193 } 194 } 195 196 /** 197 * Two capabilities must be currently set to prevent manager from seeing hidden fields. 198 */ 199 public function test_hidden_siteidentity_fields_hard_to_prevent_access() { 200 $this->resetAfterTest(); 201 $env = $this->setup_hidden_siteidentity(); 202 $this->setUser($env->manager); 203 204 assign_capability('moodle/user:viewhiddendetails', CAP_PREVENT, $env->managerrole->id, SYSCONTEXTID, true); 205 assign_capability('moodle/course:viewhiddenuserfields', CAP_PREVENT, $env->managerrole->id, SYSCONTEXTID, true); 206 207 $systemselector = new testable_user_selector('test'); 208 $courseselector = new testable_user_selector('test', ['accesscontext' => $env->coursecontext]); 209 210 foreach ($systemselector->find_users('') as $found) { 211 foreach ($found as $user) { 212 $this->assertObjectHasAttribute('idnumber', $user); 213 $this->assertObjectNotHasAttribute('country', $user); 214 $this->assertObjectNotHasAttribute('city', $user); 215 } 216 } 217 218 foreach ($courseselector->find_users('') as $found) { 219 foreach ($found as $user) { 220 $this->assertObjectHasAttribute('idnumber', $user); 221 $this->assertObjectNotHasAttribute('country', $user); 222 $this->assertObjectNotHasAttribute('city', $user); 223 } 224 } 225 } 226 227 /** 228 * For legacy reasons, user selectors supported ability to override $CFG->showuseridentity. 229 * 230 * However, this was found as violating the principle of respecting site privacy settings. So the feature has been 231 * dropped in Moodle 3.6. 232 */ 233 public function test_hidden_siteidentity_fields_explicit_extrafields() { 234 $this->resetAfterTest(); 235 $env = $this->setup_hidden_siteidentity(); 236 $this->setUser($env->manager); 237 238 $implicitselector = new testable_user_selector('test'); 239 $explicitselector = new testable_user_selector('test', ['extrafields' => ['email', 'department']]); 240 241 $this->assertDebuggingCalled(); 242 243 foreach ($implicitselector->find_users('') as $found) { 244 foreach ($found as $user) { 245 $this->assertObjectHasAttribute('idnumber', $user); 246 $this->assertObjectHasAttribute('country', $user); 247 $this->assertObjectHasAttribute('city', $user); 248 $this->assertObjectNotHasAttribute('email', $user); 249 $this->assertObjectNotHasAttribute('department', $user); 250 } 251 } 252 253 foreach ($explicitselector->find_users('') as $found) { 254 foreach ($found as $user) { 255 $this->assertObjectHasAttribute('idnumber', $user); 256 $this->assertObjectHasAttribute('country', $user); 257 $this->assertObjectHasAttribute('city', $user); 258 $this->assertObjectNotHasAttribute('email', $user); 259 $this->assertObjectNotHasAttribute('department', $user); 260 } 261 } 262 } 263 }
title
Description
Body
title
Description
Body
title
Description
Body
title
Body