Merge pull request #8 from NeillM/view-security-fix

Security fix for unprivileged access to attendance records

view.php

@@ -63,7 +63,15 @@ $PAGE->navbar->add(get_string('attendancereport', 'attendance'));
 
 $output = $PAGE->get_renderer('mod_attendance');
 
-$userid = isset($pageparams->studentid) ? $pageparams->studentid : $USER->id;
+if (isset($pageparams->studentid) && $USER->id != $pageparams->studentid) {
+    // Only users with proper permissions should be able to see any user's individual report.
+    require_capability('mod/attendance:viewreports', $PAGE->context);
+    $userid = $pageparams->studentid;
+} else {
+    // A valid request to see another users report has not been sent, show the user's own.
+    $userid = $USER->id;
+}
+
 $userdata = new attendance_user_data($att, $userid);
 
 echo $output->header();