| 1441 |
ariadna |
1 |
@core @_file_upload
|
|
|
2 |
Feature: Profile picture access
|
|
|
3 |
In order to enable precise security control and meet legal requirements
|
|
|
4 |
As site administrators
|
|
|
5 |
We should be able to prevent certain users from viewing profile pictures
|
|
|
6 |
|
|
|
7 |
Background:
|
|
|
8 |
Given the following "users" exist:
|
|
|
9 |
| username | firstname | lastname |
|
|
|
10 |
| student1 | Alice | in Wonderland |
|
|
|
11 |
| student2 | Bob | a Job Week |
|
|
|
12 |
And the following "courses" exist:
|
|
|
13 |
| shortname |
|
|
|
14 |
| C1 |
|
|
|
15 |
And the following "course enrolments" exist:
|
|
|
16 |
| user | course | role |
|
|
|
17 |
| student1 | C1 | student |
|
|
|
18 |
| student2 | C1 | student |
|
|
|
19 |
And the following "activity" exists:
|
|
|
20 |
| course | C1 |
|
|
|
21 |
| activity | forum |
|
|
|
22 |
| name | TestForum |
|
|
|
23 |
| idnumber | forum1 |
|
|
|
24 |
And the following "mod_forum > discussions" exist:
|
|
|
25 |
| user | forum | name | message | timemodified |
|
|
|
26 |
| student1 | forum1 | Post1 | This is the first post | ##now -1 second## |
|
|
|
27 |
And the following "roles" exist:
|
|
|
28 |
| shortname |
|
|
|
29 |
| dangerous |
|
|
|
30 |
And the following "role capability" exists:
|
|
|
31 |
| role | dangerous |
|
|
|
32 |
| moodle/user:viewprofilepictures | prohibit |
|
|
|
33 |
And I am on the "Profile editing" page logged in as "student1"
|
|
|
34 |
And I upload "/course/tests/fixtures/image.jpg" file to "New picture" filemanager
|
|
|
35 |
And I set the field "Picture description" to "MyPic"
|
|
|
36 |
And I press "Update profile"
|
|
|
37 |
|
|
|
38 |
@javascript
|
|
|
39 |
Scenario: Users can view pictures on forum page when permitted
|
|
|
40 |
When I am on the "forum1" "forum activity" page logged in as "student2"
|
|
|
41 |
# By default you can see user pics.
|
|
|
42 |
And ".discussion-list img.userpicture[src*='user/icon']" "css_element" should be visible
|
|
|
43 |
# Even if you don't have the capability, you can still see them...
|
|
|
44 |
And the following "system role assigns" exist:
|
|
|
45 |
| user | role | contextlevel |
|
|
|
46 |
| student2 | dangerous | System |
|
|
|
47 |
And I reload the page
|
|
|
48 |
And ".discussion-list img.userpicture[src*='user/icon']" "css_element" should be visible
|
|
|
49 |
# ...unless forcelogin is on, when the system kicks in and hides it.
|
|
|
50 |
And the following config values are set as admin:
|
|
|
51 |
| forcelogin | 1 |
|
|
|
52 |
And I reload the page
|
|
|
53 |
Then ".discussion-list img.userpicture[src*='user/icon']" "css_element" should not exist
|
|
|
54 |
|
|
|
55 |
@javascript
|
|
|
56 |
Scenario: Users can view pictures on profile page when permitted
|
|
|
57 |
When I am on the "forum1" "forum activity" page logged in as "student2"
|
|
|
58 |
And I follow "Post1"
|
|
|
59 |
And I follow "Alice in Wonderland"
|
|
|
60 |
# By default you can see user pics.
|
|
|
61 |
And ".page-header-image img.userpicture[src*='user/icon']" "css_element" should be visible
|
|
|
62 |
# Even if you don't have the capability, you can still see them...
|
|
|
63 |
And the following "system role assigns" exist:
|
|
|
64 |
| user | role | contextlevel |
|
|
|
65 |
| student2 | dangerous | System |
|
|
|
66 |
And I reload the page
|
|
|
67 |
And ".page-header-image img.userpicture[src*='user/icon']" "css_element" should be visible
|
|
|
68 |
# ...unless forcelogin is on, when the system kicks in and hides it.
|
|
|
69 |
And the following config values are set as admin:
|
|
|
70 |
| forcelogin | 1 |
|
|
|
71 |
And I reload the page
|
|
|
72 |
Then ".page-header-image img.userpicture[src*='user/icon']" "css_element" should not exist
|