From 9db6c361fdd9cfd02ee119b88a03b7f85715cea3 Mon Sep 17 00:00:00 2001 From: Adam Olley Date: Thu, 7 May 2020 13:58:23 +0930 Subject: [PATCH] MDL-68632 quizaccess_seb: Limit privacy queriyes to the quiz module Without this, joins are performed against the course_modules table purely on the instance id - other modules can share this ID, resulting in incorrect contexts being pulled in. --- mod/quiz/accessrule/seb/classes/privacy/provider.php | 9 ++++++++- mod/quiz/accessrule/seb/tests/privacy_provider_test.php | 5 +++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/mod/quiz/accessrule/seb/classes/privacy/provider.php b/mod/quiz/accessrule/seb/classes/privacy/provider.php index be9b65c4d378c..266481d2f9d15 100644 --- a/mod/quiz/accessrule/seb/classes/privacy/provider.php +++ b/mod/quiz/accessrule/seb/classes/privacy/provider.php @@ -93,12 +93,14 @@ public static function get_contexts_for_userid(int $userid): contextlist { $sql = "SELECT c.id FROM {quizaccess_seb_quizsettings} qs JOIN {course_modules} cm ON cm.instance = qs.quizid + JOIN {modules} m ON cm.module = m.id AND m.name = :modulename JOIN {context} c ON c.instanceid = cm.id AND c.contextlevel = :context WHERE qs.usermodified = :userid GROUP BY c.id"; $params = [ 'context' => CONTEXT_MODULE, + 'modulename' => 'quiz', 'userid' => $userid ]; @@ -108,6 +110,7 @@ public static function get_contexts_for_userid(int $userid): contextlist { FROM {quizaccess_seb_template} tem JOIN {quizaccess_seb_quizsettings} qs ON qs.templateid = tem.id JOIN {course_modules} cm ON cm.instance = qs.quizid + JOIN {modules} m ON cm.module = m.id AND m.name = :modulename JOIN {context} c ON c.instanceid = cm.id AND c.contextlevel = :context WHERE qs.usermodified = :userid GROUP BY c.id"; @@ -139,6 +142,7 @@ public static function export_user_data(approved_contextlist $contextlist) { } list($insql, $params) = $DB->get_in_or_equal($cmids, SQL_PARAMS_NAMED); + $params['modulename'] = 'quiz'; // SEB quiz settings. $sql = "SELECT qs.id as id, @@ -148,6 +152,7 @@ public static function export_user_data(approved_contextlist $contextlist) { qs.timemodified as timemodified FROM {quizaccess_seb_quizsettings} qs JOIN {course_modules} cm ON cm.instance = qs.quizid + JOIN {modules} m ON cm.module = m.id AND m.name = :modulename WHERE cm.id {$insql}"; $quizsettingslist = $DB->get_records_sql($sql, $params); @@ -180,6 +185,7 @@ public static function export_user_data(approved_contextlist $contextlist) { FROM {quizaccess_seb_template} tem JOIN {quizaccess_seb_quizsettings} qs ON qs.templateid = tem.id JOIN {course_modules} cm ON cm.instance = qs.quizid + JOIN {modules} m ON cm.module = m.id AND m.name = :modulename WHERE cm.id {$insql}"; $templatesettingslist = $DB->get_records_sql($sql, $params); @@ -262,8 +268,9 @@ public static function get_users_in_context(userlist $userlist) { $sql = "SELECT qs.usermodified AS userid FROM {quizaccess_seb_quizsettings} qs JOIN {course_modules} cm ON cm.instance = qs.quizid + JOIN {modules} m ON cm.module = m.id AND m.name = ? WHERE cm.id = ?"; - $params = [$context->instanceid]; + $params = ['quiz', $context->instanceid]; $userlist->add_from_sql('userid', $sql, $params); } diff --git a/mod/quiz/accessrule/seb/tests/privacy_provider_test.php b/mod/quiz/accessrule/seb/tests/privacy_provider_test.php index 4a8aa90528ba8..ed190ca1d620c 100644 --- a/mod/quiz/accessrule/seb/tests/privacy_provider_test.php +++ b/mod/quiz/accessrule/seb/tests/privacy_provider_test.php @@ -99,6 +99,11 @@ public function test_export_user_data() { $context = context_module::instance($this->quiz->cmid); + // Add another course_module of a differenty type - doing this lets us + // test that the data exporter is correctly limiting its selection to + // the quiz and not anything with the same instance id. + $this->getDataGenerator()->create_module('label', array('course' => $this->course->id)); + $contextlist = provider::get_contexts_for_userid($this->user->id); $approvedcontextlist = new approved_contextlist( $this->user,