From e5ee0c55749c82fda331fe33397a4f5047ed35e3 Mon Sep 17 00:00:00 2001 From: Neill Magill Date: Thu, 29 Aug 2013 14:09:16 +0100 Subject: [PATCH] Security fix to stop students being able to see the attendance records of other students. --- view.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/view.php b/view.php index 5117605..6fd1794 100644 --- a/view.php +++ b/view.php @@ -63,7 +63,9 @@ $PAGE->navbar->add(get_string('attendancereport', 'attendance')); $output = $PAGE->get_renderer('mod_attendance'); -$userid = isset($pageparams->studentid) ? $pageparams->studentid : $USER->id; +// Only users with proper permissions should be able to see any users individual report. +$userid = (isset($pageparams->studentid) && + ($att->perm->can_manage() || $att->perm->can_take() || $att->perm->can_change())) ? $pageparams->studentid : $USER->id; $userdata = new attendance_user_data($att, $userid); echo $output->header();