merged fix for MDL-7770, preventing users with no capability to view user profiles

diff --git a/user/view.php b/user/view.php
index 5ec14fd0309b2b9145395d7bfc522cacbe13e1b8..7db80e884cd2693b1fb9daa1e8a6a7df2d699b7a 100644 (file)
--- a/user/view.php
+++ b/user/view.php
@@ -39,7 +39,11 @@
         $coursecontext = get_context_instance(CONTEXT_COURSE, $course->id);   // Course context
     }
     $usercontext   = get_context_instance(CONTEXT_USER, $user->id);       // User context
-
+    
+    // make sure user can view this student's profile
+    if ($USER->id != $user->id && !has_capability('moodle/user:viewdetails', $coursecontext) && !has_capability('moodle/user:viewdetails', $usercontext)) {
+        error('You can not view the profile of this user');
+    }
 
     if (!empty($CFG->forceloginforprofiles)) {
         require_login();