Moodle

Authenticated User role has fewer rights than Guest user

Details

  • Type: Bug
  • Status: Closed
  • Priority: Major
  • Resolution: Fixed
  • Affects Version/s: 1.8.2
  • Fix Version/s: 1.9, 2.0
  • Component/s: Roles / Access
  • Labels:
    None
  • Affected Branches:
    MOODLE_18_STABLE
  • Fixed Branches:
    MOODLE_19_STABLE, MOODLE_20_STABLE

Description

The authenticated user role seems to have fewer rights than the guest role, which can't be right surely?

Example: mod/forum:viewdiscussion is allowed in the guest role but not in the authenticated user role.

Activity

Yu Zhang added a comment -

Hi Howard,

I think this is correct. Giving mod/forum:viewdiscussion to guests only lets them view the site course forums, and whatever course is open to the public. Guests needed this to see open forum posts. Actions guests can perform are actually very much restricted by require_login().

If this is applied to authenticated user, logged in users can see all posts in courses that they can access, unless it's set as prevent or prohibit explicitly (which might or might not be what you want), as this applies to the system context. Users normally do have a secondary role in relevant contexts which should specify whether mod/forum:viewdiscussion is allowed.

Cheers,

Yu

Howard Miller added a comment -

Ok, but the perception from a user point of view (see MDL-8724) is that you have news on the front page when not logged in that vanishes when you log in. Whatever the reasoning behind it, that's just wrong. Incidentally, the latest news block does not exhibit the same effect, so there is clearly some inconsistent application of this capability.

Yu Zhang added a comment -

Hi Howard,

We are working on MDL-11143 and that should help fix this problem too.

Cheers

Yu

Yu Zhang added a comment -

Authenticated user is actually for system context, not the front page course context. MDL-11143 should deal with that properly.

Yu Zhang added a comment -

Closing this as the new front page role setting is implemented (default to student). That should be used instead of authenticated user role.
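
A simplified model of the behaviour discussed in this thread, added here as an illustration and not taken from Moodle's code: permissions are resolved along the context path, so a role assigned at the front page does not apply in other courses, while an allow on a system-wide role applies everywhere unless overridden. The context names, the numeric weights, the student role's allow and the resolution rules are assumptions for the sketch, and require_login() is not modelled.

```python
# Simplified model of role/capability resolution across contexts.
# Assumption: this is NOT Moodle's has_capability(); names and weights are illustrative.
ALLOW, PREVENT, PROHIBIT = 1, -1, -1000
CAP = "mod/forum:viewdiscussion"

# Constructed context tree: child -> parent (None marks the system context).
PARENT = {"system": None, "frontpage": "system", "news_forum": "frontpage",
          "course_a": "system", "course_a_forum": "course_a"}

# Role definitions as described in the issue: guest allows the capability,
# authenticated user ("user") leaves it unset. Student allowing it is an assumption.
DEFS = {"guest": {CAP: ALLOW}, "user": {}, "student": {CAP: ALLOW}}

def path_to_root(ctx):
    """Return the context followed by all of its parents up to system."""
    out = []
    while ctx is not None:
        out.append(ctx)
        ctx = PARENT[ctx]
    return out

def has_capability(cap, ctx, assignments, definitions, overrides=None):
    """assignments: {(role, context)}; definitions: {role: {cap: perm}};
    overrides: {(role, context): {cap: perm}} set below the system context."""
    overrides = overrides or {}
    path = path_to_root(ctx)
    total = 0
    for role, where in assignments:
        if where not in path:      # role assigned in another branch: ignored
            continue
        perms = [overrides.get((role, c), {}).get(cap) for c in path]
        perms.append(definitions.get(role, {}).get(cap))
        perms = [p for p in perms if p is not None]
        if PROHIBIT in perms:      # prohibit cannot be overridden
            return False
        if perms:
            total += perms[0]      # most specific setting wins for this role
    return total > 0

def can_view(ctx, assignments, defs=DEFS, overrides=None):
    return has_capability(CAP, ctx, assignments, defs, overrides)

if __name__ == "__main__":
    print("guest, news forum:", can_view("news_forum", {("guest", "system")}))
    print("authenticated user only:", can_view("news_forum", {("user", "system")}))
    print("plus front page student:",
          can_view("news_forum", {("user", "system"), ("student", "frontpage")}))
```
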

