My programs block
block_muprog_my
A minimal Moodle block plugin that provides a "My programs" overview on the Dashboard. Part of the MuTMS plugin suite, it delegates all rendering to `tool_muprog`'s renderer and acts as a thin UI wrapper. The block checks login status and feature availability before displaying content, and defines standard capabilities for adding the block to the Dashboard and other pages.
This is an exemplary, minimal block plugin with no security vulnerabilities and no code quality issues. The plugin follows all Moodle coding standards and best practices:
- Access control: The
get_content()method properly checksisloggedin()andisguestuser()before rendering any content, and verifies the muprog feature is active via\tool_mulib\local\mulib::is_muprog_active(). - Privacy API: Correctly implements
null_providersince the block stores no user data. - Capabilities: Defines standard
myaddinstanceandaddinstancecapabilities with appropriate role archetypes and cloned permissions. - Rendering: Delegates all output to
tool_muprog's renderer, avoiding any direct HTML generation or user input handling. - Language strings: All user-facing text uses
get_string()from the language file. - Testing: Includes PHPUnit tests for block functionality.
- No direct database access, no user input processing, no file operations, no HTTP requests, no third-party libraries — the attack surface is effectively zero.
Review Summary
block_muprog_my is a clean, well-structured Moodle block plugin that serves as a thin wrapper for displaying a "My programs" overview. The plugin is part of the MuTMS suite and depends on tool_mulib.
Architecture
The plugin consists of only 6 PHP files:
block_muprog_my.php— Main block class extendingblock_baseversion.php— Plugin metadata declaring Moodle 5.0–5.2 supportdb/access.php— Two standard capabilities (myaddinstance,addinstance)lang/en/block_muprog_my.php— Language stringsclasses/privacy/provider.php— Null privacy providertests/phpunit/block_test.php— PHPUnit test
Security Posture
The plugin has an effectively zero attack surface. It does not:
- Handle any user input
- Make any database queries
- Perform any file operations
- Make any HTTP requests
- Generate any HTML directly
All rendering is delegated to tool_muprog's renderer via $this->page->get_renderer('tool_muprog', 'my'). Access is properly gated behind isloggedin() / isguestuser() checks and a feature availability check.
Conclusion
No findings were identified. The plugin follows Moodle security and coding standards throughout.
Findings
The plugin declares a dependency on tool_mulib in version.php but uses classes from both tool_mulib and tool_muprog. This is intentional — \tool_mulib\local\mulib::is_muprog_active() acts as a feature gate, returning false when tool_muprog is not available, ensuring the renderer call is never reached if the dependency is absent.
The composer.json specifies compatibility with Moodle 5.1 and 5.2 ("moodle/moodle": "5.1.*||5.2.*"), while version.php declares $plugin->supported = [500, 502] (Moodle 5.0–5.2). This slight discrepancy between Composer and plugin metadata is cosmetic and does not affect functionality.
The test file at tests/phpunit/block_test.php uses require_once(__DIR__ . '/../../../moodleblock.class.php') which correctly resolves to blocks/moodleblock.class.php when the plugin is installed in a Moodle instance. This was verified against the Moodle 5.1 core source.