MDL-68676 mod_assign: check accessallgroups in can_edit_submission()

In can_edit_submission() when the assign group mode is SEPARATEGROUPS
check if the user has the moodle/site:accessallgroups capability before
checking if they are a shared groupmember. Due to the teamsubmission
setting students might not be in a group but can still submit, which
means they are not returned in get_shared_group_members().

mod/assign/locallib.php

@@ -6327,7 +6327,8 @@ public function can_edit_submission($userid, $graderid = 0) {
         }
 
         $cm = $this->get_course_module();
-        if (groups_get_activity_groupmode($cm) == SEPARATEGROUPS) {
+        if (groups_get_activity_groupmode($cm) == SEPARATEGROUPS &&
+                !has_capability('moodle/site:accessallgroups', $this->context, $graderid)) {
             $sharedgroupmembers = $this->get_shared_group_members($cm, $graderid);
             return in_array($userid, $sharedgroupmembers);
         }

mod/assign/tests/locallib_test.php

@@ -3437,6 +3437,7 @@ public function test_can_edit_submission_separategroups_with_editothersubmission
         $student2 = $this->getDataGenerator()->create_and_enrol($course, 'student');
         $student3 = $this->getDataGenerator()->create_and_enrol($course, 'student');
         $student4 = $this->getDataGenerator()->create_and_enrol($course, 'student');
+        $student5 = $this->getDataGenerator()->create_and_enrol($course, 'student');
 
         $grouping = $this->getDataGenerator()->create_grouping(array('courseid' => $course->id));
         $group1 = $this->getDataGenerator()->create_group(['courseid' => $course->id]);
@@ -3454,6 +3455,7 @@ public function test_can_edit_submission_separategroups_with_editothersubmission
             'submissiondrafts' => 1,
             'groupingid' => $grouping->id,
             'groupmode' => SEPARATEGROUPS,
+            'preventsubmissionnotingroup' => 0,
         ]);
 
         // Add the capability to the new \assignment for student 1.
@@ -3467,12 +3469,27 @@ public function test_can_edit_submission_separategroups_with_editothersubmission
         $this->assertTrue($assign->can_edit_submission($student2->id, $student1->id));
         $this->assertFalse($assign->can_edit_submission($student3->id, $student1->id));
         $this->assertFalse($assign->can_edit_submission($student4->id, $student1->id));
+        $this->assertFalse($assign->can_edit_submission($student5->id, $student1->id));
 
         // Verify other students do not have the ability to edit submissions for other users.
         $this->assertTrue($assign->can_edit_submission($student2->id, $student2->id));
         $this->assertFalse($assign->can_edit_submission($student1->id, $student2->id));
         $this->assertFalse($assign->can_edit_submission($student3->id, $student2->id));
         $this->assertFalse($assign->can_edit_submission($student4->id, $student2->id));
+        $this->assertFalse($assign->can_edit_submission($student5->id, $student2->id));
+
+        // Add the required capability to edit other submissions and to view all groups to the teacher.
+        $roleid = create_role('Dummy role 2', 'dummyrole2', 'dummy role description');
+        assign_capability('mod/assign:editothersubmission', CAP_ALLOW, $roleid, $assign->get_context()->id);
+        assign_capability('moodle/site:accessallgroups', CAP_ALLOW, $roleid, $assign->get_context()->id);
+        role_assign($roleid, $teacher->id, $assign->get_context()->id);
+
+        // Verify the teacher has the ability to edit submissions for other users including users not in a group.
+        $this->assertTrue($assign->can_edit_submission($student1->id, $teacher->id));
+        $this->assertTrue($assign->can_edit_submission($student2->id, $teacher->id));
+        $this->assertTrue($assign->can_edit_submission($student3->id, $teacher->id));
+        $this->assertTrue($assign->can_edit_submission($student4->id, $teacher->id));
+        $this->assertTrue($assign->can_edit_submission($student5->id, $teacher->id));
     }
 
     /**