From e5ee0c55749c82fda331fe33397a4f5047ed35e3 Mon Sep 17 00:00:00 2001
From: Neill Magill
Date: Thu, 29 Aug 2013 14:09:16 +0100
Subject: [PATCH 1/3] Security fix to stop students being able to see the attendance records of other students.
---
 view.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/view.php b/view.php
index 5117605..6fd1794 100644
--- a/view.php
+++ b/view.php
@@ -63,7 +63,9 @@ $PAGE->navbar->add(get_string('attendancereport', 'attendance'));
 $output = $PAGE->get_renderer('mod_attendance');
-$userid = isset($pageparams->studentid) ? $pageparams->studentid : $USER->id;
+// Only users with proper permissions should be able to see any users individual report.
+$userid = (isset($pageparams->studentid) && ($att->perm->can_manage() || $att->perm->can_take() || $att->perm->can_change())) ? $pageparams->studentid : $USER->id;
 $userdata = new attendance_user_data($att, $userid);
 echo $output->header();
From 9aaf4d69d6fbd6f1d9696f9ee51f63cfd209a839 Mon Sep 17 00:00:00 2001
From: NeillM
Date: Fri, 30 Aug 2013 09:31:04 +0100
Subject: [PATCH 2/3] Security fix changed to use mod/attendance:viewreports capability. Refactored the code.
---
 view.php | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/view.php b/view.php
index 6fd1794..5bd155c 100644
--- a/view.php
+++ b/view.php
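Review bot: The permission branch decides who may look but never checks whom they may look at: `$pageparams->studentid` is passed straight into `new attendance_user_data($att, $userid)` with no check that the id belongs to a user enrolled in this course or visible under the activity's group mode, so anyone who passes the permission test can request an arbitrary user id; the same gap remains in the rewrites of this block in the next two hunks. Unless `attendance_user_data` enforces membership itself (not visible here), add a membership test beside the permission test, e.g. `if (!is_enrolled($PAGE->context, $pageparams->studentid)) { /* reject the request */ }`, and consider the course group mode as well. This assumes `$PAGE->context` is the module context set earlier in the file, outside the hunk.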
@@ -63,9 +63,14 @@ $PAGE->navbar->add(get_string('attendancereport', 'attendance'));
 $output = $PAGE->get_renderer('mod_attendance');
-// Only users with proper permissions should be able to see any users individual report.
-$userid = (isset($pageparams->studentid) && ($att->perm->can_manage() || $att->perm->can_take() || $att->perm->can_change())) ? $pageparams->studentid : $USER->id;
+if (isset($pageparams->studentid) && has_capability('mod/attendance:viewreports', $PAGE->context)) {
+ // Only users with proper permissions should be able to see any user's individual report.
+ $userid = $pageparams->studentid;
+} else {
+ // A valid request to see another users report has not been sent, show the user's own.
+ $userid = $USER->id;
+}
+
 $userdata = new attendance_user_data($att, $userid);
 echo $output->header();
From 3c04dc5fd59740337882238116ea40249a4a79b5 Mon Sep 17 00:00:00 2001
From: NeillM
Date: Fri, 30 Aug 2013 10:00:14 +0100
Subject: [PATCH 3/3] changed to use require
---
 view.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/view.php b/view.php
index 5bd155c..51e7eb4 100644
--- a/view.php
+++ b/view.php
@@ -63,8 +63,9 @@ $PAGE->navbar->add(get_string('attendancereport', 'attendance'));
 $output = $PAGE->get_renderer('mod_attendance');
-if (isset($pageparams->studentid) && has_capability('mod/attendance:viewreports', $PAGE->context)) {
+if (isset($pageparams->studentid) && $USER->id != $pageparams->studentid) {
 // Only users with proper permissions should be able to see any user's individual report.
+ require_capability('mod/attendance:viewreports', $PAGE->context);
+ $userid = $pageparams->studentid;
 } else {
 // A valid request to see another users report has not been sent, show the user's own.
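Review bot: The ownership test on the new `if` line in the last hunk uses a loose `!=` between `$USER->id` and `$pageparams->studentid`; how `studentid` is cleaned is outside this hunk, and if it arrives as a string the comparison goes through PHP type juggling rather than an integer identity check. Make the intent explicit with `if (isset($pageparams->studentid) && (int) $pageparams->studentid !== (int) $USER->id) {`. Switching to `require_capability()` is the right direction: a denied request now raises an error instead of silently falling back to the caller's own report, which is also easier to pick up in logs. The `else` comment is now slightly misleading, since that branch is also reached when a user asks for their own id; `// No request for another user's report (or the request is for the current user): show their own.` would describe it. The `if`/`else` block's closing brace lies outside the hunk.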