From: moodler <moodler>
Date: Thu, 12 Aug 2004 06:57:53 +0000 (+0000)
Subject: When displaying users at site level:
X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=f5ecf2e91a40b2a56097adb8180565a93adae14e;p=moodle.git

When displaying users at site level:

  - teachers can see everyone
  - everyone can see teachers

but everyone else is prevented from seeing users.  This is regardless
of the forceloginforprofiles setting and is designed to stop mass collection
of user names by browsing through all user names.
---

diff --git a/lang/en/error.php b/lang/en/error.php
index 2daf7401db..3f0c9ba33d 100755
--- a/lang/en/error.php
+++ b/lang/en/error.php
@@ -14,5 +14,6 @@ $string['restricteduser'] = 'Sorry, but your current account \"$a\" is restricte
 $string['unknowncourse'] = 'Unknown course named \"$a\"';
 $string['usernotaddederror'] = 'User \"$a\" not added - unknown error';
 $string['usernotaddedregistered'] = 'User \"$a\" not added - already registered';
+$string['usernotavailable'] = 'The details of this user are not available to you.';
 
 ?>
diff --git a/user/view.php b/user/view.php
index ace9affef4..dee695e2ff 100644
--- a/user/view.php
+++ b/user/view.php
@@ -52,6 +52,18 @@
         }
     }
 
+    if (!$course->category) {  // To reduce possibility of "browsing" userbase at site level
+        if (!isteacher() and !isteacher(0, $user->id) ) {  // Teachers can browse and be browsed at site level
+            print_header("$personalprofile: ", "$personalprofile: ",
+                          "<a href=\"index.php?id=$course->id\">$participants</a>",
+                          "", "", true, "&nbsp;", navmenu($course));
+            print_heading(get_string('usernotavailable', 'error'));
+            print_footer($course);
+            die;
+        }
+    }
+
+
     if ($course->category) {
         print_header("$personalprofile: $fullname", "$personalprofile: $fullname",
                      "<a href=\"../course/view.php?id=$course->id\">$course->shortname</a> ->
@@ -63,7 +75,7 @@
     }
 
 
-    if ($course->category and ! isguest() ) {
+    if ($course->category and ! isguest() ) {   // Need to have access to a course to see that info
         if (!isstudent($course->id, $user->id) && !isteacher($course->id, $user->id)) {
             print_heading(get_string("notenrolled", "", $fullname));
             print_footer($course);