MDL-68652 core_grades: Only return allowed fields.
Grade iterator should check user permissions.
ilyatregubov committed Dec 7, 2023
1 parent faae087 commit 7c207dc
Showing 1 changed file with 7 additions and 3 deletions.
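--- a/grade/lib.php
+++ b/grade/lib.php
@@ -183,7 +183,12 @@ public function init() {
 }
 }
 
-$userfields = 'u.*';
+$userfieldsapi = \core_user\fields::for_identity($coursecontext, false)->with_userpic();
+$userfields = $userfieldsapi->get_sql('u', false, '', '', false)->selects;
+
+// This need to be fixed - webservices in grade/report/user/classes/external/user.php don't check permission properly.
+$userfields .= ', u.idnumber, u.institution, u.department';
+
 $customfieldssql = '';
 if ($this->allowusercustomfields && !empty($CFG->grade_export_customprofilefields)) {
 $customfieldscount = 0;
@@ -217,8 +222,7 @@ public function init() {
 $this->users_rs = $DB->get_recordset_sql($users_sql, $params);
 
 if (!$this->onlyactive) {
-$context = context_course::instance($this->course->id);
-$this->suspendedusers = get_suspended_userids($context);
+$this->suspendedusers = get_suspended_userids($coursecontext);
 } else {
 $this->suspendedusers = array();
 }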
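Review bot: The unconditional `$userfields .= ', u.idnumber, u.institution, u.department';` in the first hunk puts three identity fields back into every row the iterator yields, whatever `\core_user\fields::for_identity()` decided for the current viewer, so the restriction only holds if each consumer filters those properties before output. The inline comment concedes this but gives no tracker reference; I would reword it to `// TODO MDL-<follow-up id>: drop these once grade/report/user/classes/external/user.php checks identity-field permissions itself; until then callers must filter them.` It is also worth confirming that the select list stays valid when `for_identity()` already returns `u.idnumber` (the column would then appear twice), and that `$coursecontext`, now also used in the second hunk, is assigned earlier in `init()`, whose body starts and ends outside both hunks.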