From 66a43cd543f6693974fd2f7bed66f9830df5c023 Mon Sep 17 00:00:00 2001
From: Adrian Greeve
Date: Wed, 10 Jun 2015 14:40:26 +0800
Subject: [PATCH] MDL-27177 roles: Allow students to see co-students profiles.

If the student shares a course with another student then let them see the same detail on the full profile page as they do on the course profile page.
---
 user/lib.php | 58 ++++++++++++++++++++++++++++++++++++++++++++++++
 user/profile.php | 6 ++---
 user/view.php | 25 +++++----------------
 3 files changed, 66 insertions(+), 23 deletions(-)

diff --git a/user/lib.php b/user/lib.php
index 080c2ab6e1ee1..7f0f47c07947a 100644
--- a/user/lib.php
+++ b/user/lib.php
@@ -1067,3 +1067,61 @@ function user_mygrades_url($userid = null, $courseid = SITEID) {
 }
 return $url;
 }
+
+/**
+ * Check if a user has the permission to viewdetails in a shared course's context.
+ *
+ * @param object $user The other user's details.
+ * @param object $course Use this course to see if we have permission to see this user's profile.
+ * @param context $usercontext The user context if available.
+ * @return bool true for ability to view this user, else false.
+ */
+function user_can_view_profile($user, $course = null, $usercontext = null) {
+ global $USER, $CFG;
+
+ if ($user->deleted) {
+ return false;
+ }
+
+ // If any of these four things, return true.
+ // Number 1.
+ if ($USER->id == $user->id) {
+ return true;
+ }
+
+ // Number 2.
+ if (empty($CFG->forceloginforprofiles)) {
+ return true;
+ }
+
+ if (empty($usercontext)) {
+ $usercontext = context_user::instance($user->id);
+ }
+ // Number 3.
+ if (has_capability('moodle/user:viewdetails', $usercontext)) {
+ return true;
+ }
+
+ // Number 4.
+ if (has_coursecontact_role($user->id)) {
+ return true;
+ }
+
+ if (isset($course)) {
+ $sharedcourses = array($course);
+ } else {
+ $sharedcourses = enrol_get_shared_courses($USER->id, $user->id, true);
+ }
+ foreach ($sharedcourses as $sharedcourse) {
+ $coursecontext = context_course::instance($sharedcourse->id);
+ if (has_capability('moodle/user:viewdetails', $coursecontext)) {
+ if (!groups_user_groups_visible($sharedcourse, $user->id)) {
+ // Not a member of the same group.
+ continue;
+ }
+ return true;
+ }
+ }
+ return false;
+}
+
diff --git a/user/profile.php b/user/profile.php
index 247f2bb744788..cb7f7fe5db992 100644
--- a/user/profile.php
+++ b/user/profile.php
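Review bot: With `$course` supplied, `user_can_view_profile()` never confirms that `$user` is enrolled in that course; the loop only tests the viewer's `moodle/user:viewdetails` in the course context and then `groups_user_groups_visible()`. As far as this hunk shows, a caller that passes a course the target is not in can still get `true`, so the precondition belongs in the docblock, e.g. `@param object $course A course both users are already known to share; enrolment is not re-checked here.` The four early returns also run before the group test, which matters for user/view.php, where this commit removes the old separate-groups block.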
@@ -36,6 +36,7 @@ require_once($CFG->dirroot . '/my/lib.php'); require_once($CFG->dirroot . '/tag/lib.php'); require_once($CFG->dirroot . '/user/profile/lib.php'); +require_once($CFG->dirroot . '/user/lib.php'); require_once($CFG->libdir.'/filelib.php'); $userid = optional_param('id', 0, PARAM_INT); @@ -75,10 +76,7 @@ $currentuser = ($user->id == $USER->id); $context = $usercontext = context_user::instance($userid, MUST_EXIST); -if (!$currentuser && - !empty($CFG->forceloginforprofiles) && - !has_capability('moodle/user:viewdetails', $context) && - !has_coursecontact_role($userid)) { +if (!user_can_view_profile($user, null, $context)) { // Course managers can be browsed at site level. If not forceloginforprofiles, allow access (bug #4366). $struser = get_string('user'); diff --git a/user/view.php b/user/view.php index f2cdcd669ee16..5040d088d4f9f 100644 --- a/user/view.php +++ b/user/view.php @@ -24,6 +24,7 @@ require_once("../config.php"); require_once($CFG->dirroot.'/user/profile/lib.php'); +require_once($CFG->dirroot.'/user/lib.php'); require_once($CFG->dirroot.'/tag/lib.php'); require_once($CFG->libdir . '/filelib.php'); require_once($CFG->libdir . '/badgeslib.php'); @@ -125,9 +126,8 @@ $PAGE->set_title("$strpersonalprofile: "); $PAGE->set_heading("$strpersonalprofile: "); - // Check course level capabilities. - if (!has_capability('moodle/user:viewdetails', $coursecontext) && // Normal enrolled user or mnager. - ($user->deleted or !has_capability('moodle/user:viewdetails', $usercontext))) { // Usually parent. + // Check to see if the user can see this user's profile. + if (!user_can_view_profile($user, $course, $usercontext) && !$isparent) { print_error('cannotviewprofile'); } 
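Review bot: In user/profile.php (hunk `@@ -75,10 +76,7 @@`) the gate on the full profile now also admits any viewer who shares a course with the target and holds `moodle/user:viewdetails` there, but only the gate changes here. Which fields the rest of the page prints is outside the hunk, so it is worth confirming that the body limits such viewers to the detail the course profile shows, as the commit message states. The comment kept inside the `if` (`// Course managers can be browsed at site level. ...`) now describes rules that live in `user_can_view_profile()`; I would replace it with `// Viewer may not see this profile; the rules are in user_can_view_profile().` The `if` body continues past the end of the hunk.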
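Review bot: In user/view.php (hunk `@@ -125,9 +126,8 @@`) the condition `!user_can_view_profile($user, $course, $usercontext) && !$isparent` lets `$isparent` override every refusal, including the helper's `$user->deleted` one, whereas the removed condition refused deleted users on the user-context ("usually parent") path. Unless `$isparent` is already false for deleted accounts where it is set, outside this hunk, keep that guard explicit: `if ($user->deleted || (!user_can_view_profile($user, $course, $usercontext) && !$isparent)) {`. The helper also returns true when `$CFG->forceloginforprofiles` is empty before any course capability is read, so the course-level `moodle/user:viewdetails` requirement no longer applies to this page in that configuration; if that is intended, the comment above the check should say so.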
@@ -152,22 +152,9 @@ exit; } - // If groups are in use and enforced throughout the course, then make sure we can meet in at least one course level group. - // Except when we are a parent, in which case we would not be in any group. - if (groups_get_course_groupmode($course) == SEPARATEGROUPS - and $course->groupmodeforce - and !has_capability('moodle/site:accessallgroups', $coursecontext) - and !has_capability('moodle/site:accessallgroups', $coursecontext, $user->id) - and !$isparent) { - if (!isloggedin() or isguestuser()) { - // Do not use require_login() here because we might have already used require_login($course). - redirect(get_login_url()); - } - $mygroups = array_keys(groups_get_all_groups($course->id, $USER->id, $course->defaultgroupingid, 'g.id, g.name')); - $usergroups = array_keys(groups_get_all_groups($course->id, $user->id, $course->defaultgroupingid, 'g.id, g.name')); - if (!array_intersect($mygroups, $usergroups)) { - print_error("groupnotamember", '', "../course/view.php?id=$course->id"); - } + if (!isloggedin() or isguestuser()) { + // Do not use require_login() here because we might have already used require_login($course). + redirect(get_login_url()); } }
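Review bot: The separate-groups block removed from user/view.php is replaced only by the `groups_user_groups_visible()` call inside the shared-course loop of `user_can_view_profile()`, and that loop is not reached when one of the helper's early returns fires (own profile, `forceloginforprofiles` off, user-context `viewdetails`, course-contact role). The removed code also exempted either party holding `moodle/site:accessallgroups`, and parents, explicitly; whether the helper gives the same result is not visible here, so a test with a forced separate-groups course and two students in different groups would pin it down. The login redirect that used to run only inside the separate-groups branch now runs for every request reaching this point, which a comment such as `// Group visibility is now checked in user_can_view_profile(); only the login redirect remains here.` would record. The enclosing block starts before the hunk.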