I made a patch from upstream that closes CVE-2010-1617
MSA-09-0034:
Topic: Disclosure of full user names
Severity: Minor - privacy
Versions affected: <1.8.12 and <1.9.8
Reported by: Klaus Kirchner
Issue no.: MDL-21830
http://git.moodle.org/gw?p=moodle.git;a=blobdiff;f=user/view.php;h=6b6c048056f5f14988983bad1fe5807c9d2dadcf;hp=c5f2b784df7fe60173138a7db548f2b1610d1a74;hb=4597ce9ca5ca4f13bb75c3d8b117c2bf469745d0;hpb=4bbeff335774ffcc75c99e99e3923626c9445bb3


Index: moodle/user/view.php
===================================================================
--- moodle/user/view.php	(revision 4)
+++ moodle/user/view.php	(working copy)
@@ -78,7 +78,7 @@
             }
         } else {   // Normal course
             if (!has_capability('moodle/course:view', $coursecontext, $user->id, false)) {
-                if (has_capability('moodle/course:view', $coursecontext)) {
+                if (has_capability('moodle/role:assign', $coursecontext)) {
                     print_header("$strpersonalprofile: ", "$strpersonalprofile: ",
                                      "<a href=\"../course/view.php?id=$course->id\">$course->shortname</a> ->
                                   <a href=\"index.php?id=$course->id\">$strparticipants</a> -> $fullname",
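Review bot: The switch to `moodle/role:assign` on the inner check has no comment explaining why that capability, rather than `moodle/course:view`, decides whether `$fullname` is shown for a user who is not in the course. I would add above it `// Only users who can assign roles here may see the name of a non-participant (MDL-21830).` so a later cleanup does not revert it to the weaker check. The matching else branch lies outside the hunk, so it is worth confirming that it prints neither `$fullname` nor anything else that identifies the user. Separately, `$course->shortname` and `$fullname` are interpolated into the navigation HTML on the context lines; whether they are escaped earlier is not visible here.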
