From 7afca3b34ae8fc1984b95d66e30afa6011c433db Mon Sep 17 00:00:00 2001
From: Paul Holden
Date: Mon, 1 Mar 2021 14:20:02 +0000
Subject: [PATCH] MDL-65552 user: escape idnumber field on output.
This commit also corrects parameter definition of the field to match core_user.
---
admin/tool/uploaduser/user_form.php | 2 +-
blocks/activity_results/block_activity_results.php | 15 +++++++++++++--
lib/myprofilelib.php | 2 +-
3 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/admin/tool/uploaduser/user_form.php b/admin/tool/uploaduser/user_form.php
index 552ea4c06d8..c94ca8d539d 100644
--- a/admin/tool/uploaduser/user_form.php
+++ b/admin/tool/uploaduser/user_form.php
@@ -293,7 +293,7 @@ class admin_uploaduser_form2 extends moodleform {
 $mform->setAdvanced('url');
 $mform->addElement('text', 'idnumber', get_string('idnumber'), 'maxlength="255" size="25"');
- $mform->setType('idnumber', PARAM_NOTAGS);
+ $mform->setType('idnumber', core_user::get_property_type('idnumber'));
 $mform->setForceLtr('idnumber');
 $mform->addElement('text', 'institution', get_string('institution'), 'maxlength="255" size="25"');
diff --git a/blocks/activity_results/block_activity_results.php b/blocks/activity_results/block_activity_results.php
index d60e5838e79..fd33925156d 100644
--- a/blocks/activity_results/block_activity_results.php
+++ b/blocks/activity_results/block_activity_results.php
@@ -512,6 +512,10 @@ class block_activity_results extends block_base {
 $fields = implode(',', $fields);
 $users = $DB->get_records_list('user', 'id', $userids, '', $fields);
+ // If configured to view user idnumber, ensure current user can see it.
+ $extrafields = get_extra_user_fields($this->context);
+ $canviewidnumber = (array_search('idnumber', $extrafields) !== false);
+
 // Ready for output!
 if ($activity->gradetype == GRADE_TYPE_SCALE) {
 // We must display the results using scales.
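Review bot: Switching the upload form's idnumber type from PARAM_NOTAGS to `core_user::get_property_type('idnumber')` means the form now accepts whatever core_user's definition permits; if that type is less restrictive than PARAM_NOTAGS, markup in an uploaded idnumber reaches the database and protection rests entirely on output-side escaping, of which this commit covers block_activity_results.php and myprofilelib.php. Any other place that prints idnumber without `s()` is now relying on the same guarantee, so a comment above the call, `// Match core_user's definition; idnumber must be escaped wherever it is output.`, would record that decision for the next maintainer. The enclosing form-definition method starts and ends outside this hunk.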
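Review bot: `$canviewidnumber = (array_search('idnumber', $extrafields) !== false);` uses the `array_search(...) !== false` idiom for a plain membership test; `$canviewidnumber = in_array('idnumber', $extrafields, true);` states the intent directly and compares strictly. Since this flag drives the `B_ACTIVITYRESULTS_NAME_FORMAT_ID` branches later in the method, where a viewer without the identity field ends up with the bare user label, a comment such as `// When idnumber is not a viewable identity field, the ID name format falls back to the bare user label.` would make that fallback visible to the next reader rather than something discovered in the output. The enclosing method starts before this hunk and continues past it.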
@@ -537,10 +541,14 @@ class block_activity_results extends block_base {
 }
 $this->content->text .= '';
 $this->content->text .= '';
+
 foreach ($best as $userid => $gradeid) {
 switch ($nameformat) {
 case B_ACTIVITYRESULTS_NAME_FORMAT_ID:
- $thisname = get_string('user').' '.$users[$userid]->idnumber;
+ $thisname = get_string('user');
+ if ($canviewidnumber) {
+ $thisname .= ' ' . s($users[$userid]->idnumber);
+ }
 break;
 case B_ACTIVITYRESULTS_NAME_FORMAT_ANON:
 $thisname = get_string('user');
@@ -603,7 +611,10 @@ class block_activity_results extends block_base {
 foreach ($worst as $userid => $gradeid) {
 switch ($nameformat) {
 case B_ACTIVITYRESULTS_NAME_FORMAT_ID:
- $thisname = get_string('user').' '.$users[$userid]->idnumber;
+ $thisname = get_string('user');
+ if ($canviewidnumber) {
+ $thisname .= ' ' . s($users[$userid]->idnumber);
+ };
 break;
 case B_ACTIVITYRESULTS_NAME_FORMAT_ANON:
 $thisname = get_string('user');
diff --git a/lib/myprofilelib.php b/lib/myprofilelib.php
index 044d5595dcd..0c9e2dd92f4 100644
--- a/lib/myprofilelib.php
+++ b/lib/myprofilelib.php
@@ -209,7 +209,7 @@ function core_myprofile_navigation(core_user\output\myprofile\tree $tree, $user,
 if (isset($identityfields['idnumber']) && $user->idnumber) {
 $node = new core_user\output\myprofile\node('contact', 'idnumber', get_string('idnumber'), null, null,
- $user->idnumber);
+ s($user->idnumber));
 $tree->add_node($node);
 }
--
2.11.4.GIT
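Review bot: The `B_ACTIVITYRESULTS_NAME_FORMAT_ID` branch added here for the `$best` loop is repeated verbatim in the hunk at `@@ -603,7 +611,10 @@` for the `$worst` loop, so the visibility check and the `s()` escaping now live in two places that must be kept in step. A small private method taking the user record and `$canviewidnumber` and returning the label, called from both switch statements as `$thisname = $this->format_idnumber_name($users[$userid], $canviewidnumber);`, keeps the escaping decision in one spot. `s()` looks like the right escape here since the label is concatenated into `$this->content->text`, which is presumably emitted as HTML. Both loops sit inside a method that starts before the first hunk and continues past this one.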
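Review bot: The added `};` closing the `if ($canviewidnumber)` block in the `$worst` loop leaves a stray empty statement before `break;`; the matching `$best` branch in the hunk at `@@ -537,10 +541,14 @@` closes with a bare `}`, and this one should too: `}`. It is harmless at runtime, but it trips code-style checks and makes two branches that are identical look different.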
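Review bot: Wrapping the node content in `s()` presupposes that the myprofile node renders its content as raw HTML; if the renderer already escapes content, this value will be double-encoded (an idnumber containing `&` would display as `&amp;`), so that should be confirmed against the renderer before merging. A short comment on the new line, `// Node content is emitted as HTML, so the user-supplied idnumber is escaped here.`, would record which side owns the escaping. The guard `$user->idnumber` on the context line above is a truthiness test, so an idnumber of `'0'` is never shown; that is pre-existing but worth noting while touching this line. core_myprofile_navigation continues beyond this hunk.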