Perhaps this is a bug, perhaps this is working as designed, perhaps it is a local configuration issue.
It appears to me that any student who is enrolled in any course on my Moodle can view the text of all questions in all categories for the entire course, regardless of their availability in quizzes.
To reproduce:
1) Log in as a student in any course.
2) Notice the course id in the URL (course/view.php?id=4)
3) Browse directly to question/edit.php?courseid=4
4) Pick a category from the list
5) Check "Show question text in the question list"
As a workaround, I've copied some code from question/preview.php to lock out users who aren't a teacher of any course, and added it to question/edit.php like so:
*************** *** 14,23 **** --- 14,29 ---- require_once("../config.php"); require_once("editlib.php"); require_login(); + // this might break things in the future + if (!isteacherinanycourse()) { + error('This page is for teachers only'); + } + + $courseid = required_param('courseid', PARAM_INT); // The optional parameter 'clean' allows us to clear module information,
I don't know what customizations may have been done to the Moodle.org instance, but it does not suffer from this bug (I enrolled in course ID 34, and http://moodle.org/question/edit.php?courseid=34 correctly denies me access to the list of questions.)
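Review bot: the `isteacherinanycourse()` check added right after `require_login()` is not tied to the `courseid` being requested, so a teacher of one course still reaches the question list of every other course. Consider moving the check below `$courseid = required_param('courseid', PARAM_INT);` and testing the user's role in that specific course, for example with `isteacher($courseid)`. The comment "this might break things in the future" would also be more useful if it said what the check protects against and which pages might break.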
How about you? Can an enrolled student in your Moodle's course 1 access http://yourmoodle.dom/moodle/question/edit.php?courseid= ?
-Nate