Avoid showing user popup to non authenticated users if user is not a course teacher #security

ywarnier · ywarnier · commit e46377515fb3 · 2019-02-22T19:33:20.000-05:00
diff --git a/main/inc/ajax/user_manager.ajax.php b/main/inc/ajax/user_manager.ajax.php
@@ -60,7 +60,13 @@
 
         $userData = '<h3>'.$user_info['complete_name'].'</h3>'.$user_info['mail'].$user_info['official_code'];
         if ($isAnonymous) {
-            echo $userData;
+            // Only allow anonymous users to see user popup if the popup user
+            // is a teacher (which might be necessary to illustrate a course)
+            if ($user_info['status'] === COURSEMANAGER) {
+                echo $userData;
+            } else {
+                echo '<h3>-</h3>';
+            }
         } else {
             echo Display::url(
                 $userData,
