Security fix to stop students from viewing the attendance records of other students.
authorNeill Magill <neill.magill@nottingham.ac.uk>
Thu, 29 Aug 2013 13:09:16 +0000 (14:09 +0100)
committerNeill Magill <neill.magill@nottingham.ac.uk>
Thu, 29 Aug 2013 13:09:16 +0000 (14:09 +0100)
view.php

index 5117605..6fd1794 100644 (file)
--- a/view.php
+++ b/view.php
@@ -63,7 +63,9 @@ $PAGE->navbar->add(get_string('attendancereport', 'attendance'));
 
 $output = $PAGE->get_renderer('mod_attendance');
 
-$userid = isset($pageparams->studentid) ? $pageparams->studentid : $USER->id;
+// Only users with proper permissions should be able to see any users individual report.
+$userid = (isset($pageparams->studentid) &&
+        ($att->perm->can_manage() || $att->perm->can_take() || $att->perm->can_change())) ? $pageparams->studentid : $USER->id;
 $userdata = new attendance_user_data($att, $userid);
 
 echo $output->header();
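Review bot: The new ternary on the `$userid =` line silently substitutes the caller's own id when a non-privileged user passes `studentid`, so a forbidden request returns the wrong report with a 200 instead of an explicit denial; as written, a teacher whose capability is misconfigured would see their own (empty) report and never learn why. I would make the denial explicit, e.g. keep `$userid = $pageparams->studentid` under the permission check and otherwise `print_error('nopermissions', 'error', '', 'view student report');` (or `require_capability` against the module context) rather than falling back to `$USER->id`. The check also presumably relies on `$pageparams->studentid` having been cleaned as an int elsewhere — confirm that, since a zero/empty value would still pass `isset()` for a privileged user and be handed to `attendance_user_data`. The three `can_*()` calls combined with `||` are a reusable "may view other students' reports" rule; a single `$att->perm->can_view_reports()` helper would keep this consistent with any other page making the same decision. The surrounding script (`$att`, `$pageparams`, `$USER` setup) is outside the hunk.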