From f5ecf2e91a40b2a56097adb8180565a93adae14e Mon Sep 17 00:00:00 2001
From: moodler <moodler>
Date: Thu, 12 Aug 2004 06:57:53 +0000
Subject: [PATCH] When displaying users at site level:

  - teachers can see everyone
  - everyone can see teachers

but everyone else is prevented from seeing users.  This is regardless
of the forceloginforprofiles setting and is designed to stop mass collection
of user names by browsing through all user names.
---
 lang/en/error.php |  1 +
 user/view.php     | 14 +++++++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/lang/en/error.php b/lang/en/error.php
index 2daf7401db..3f0c9ba33d 100755
--- a/lang/en/error.php
+++ b/lang/en/error.php
@@ -14,5 +14,6 @@ $string['restricteduser'] = 'Sorry, but your current account \"$a\" is restricte
 $string['unknowncourse'] = 'Unknown course named \"$a\"';
 $string['usernotaddederror'] = 'User \"$a\" not added - unknown error';
 $string['usernotaddedregistered'] = 'User \"$a\" not added - already registered';
+$string['usernotavailable'] = 'The details of this user are not available to you.';
 
 ?>
diff --git a/user/view.php b/user/view.php
index ace9affef4..dee695e2ff 100644
--- a/user/view.php
+++ b/user/view.php
@@ -52,6 +52,18 @@
         }
     }
 
+    if (!$course->category) {  // To reduce possibility of "browsing" userbase at site level
+        if (!isteacher() and !isteacher(0, $user->id) ) {  // Teachers can browse and be browsed at site level
+            print_header("$personalprofile: ", "$personalprofile: ",
+                          "<a href=\"index.php?id=$course->id\">$participants</a>",
+                          "", "", true, "&nbsp;", navmenu($course));
+            print_heading(get_string('usernotavailable', 'error'));
+            print_footer($course);
+            die;
+        }
+    }
+
+
     if ($course->category) {
         print_header("$personalprofile: $fullname", "$personalprofile: $fullname",
                      "<a href=\"../course/view.php?id=$course->id\">$course->shortname</a> ->
@@ -63,7 +75,7 @@
     }
 
 
-    if ($course->category and ! isguest() ) {
+    if ($course->category and ! isguest() ) {   // Need to have access to a course to see that info
         if (!isstudent($course->id, $user->id) && !isteacher($course->id, $user->id)) {
             print_heading(get_string("notenrolled", "", $fullname));
             print_footer($course);
-- 
2.39.5