Moodle

IMO it hasn't any sense to select "guest" role there. That's the expected behaviour if "none" is selected.

In any case, to fix this I would:

1) Add inline help to that setting (currently there isn't anything there).
2) Hide "guests" from that list.
3) Switch current sites with "guests" there back to "none".
4) Make "doanything" capability to have precedence over any prohibit. This will save this an a lot of others "admin locked" situations.

Note that 4) can make 2 & 3 unnecesary (but only for admins, not for teachers and other roles not having the "doanything" capability), so all the points should be addressed.

Please comment... adding some watchers... ciao

Increasing priority and adding fix version following chat with Eloy.

Oki, there was one horrible 'moodle/legacy:guest' capability check that, with $CFG->defaultfrontpageroleid set to 'guest' prevented everybody to add news discussions in front page.

It's out now, so admins should be able to add discussions no matter of the value of $CFG->defaultfrontpageroleid

So we could consider this (from a functionality point of view) resolved.

But there are some points to discuss:

1) Add inline help to that setting.
2) Hide some roles from that setting. Guest, for sure, authenticated user too?
3) Upgrade current sites having one of those wrong roles back to none.
4) examine all uses of the 'moodle/legacy:guest' capability. Sounds that we don't need it really, more if we have the isguestuser() and nobody can now (1.9) change his role to guest.

Please, comment about 1-4

2 & 3) Certainly remove guest from that list, and set sites with that back to None.

If it makes sense to assign Student in the front page course, then it must make sense to assign logged in user too, since that as a weaker role. Or am I confused?

1 & 4) Good idea.

Tim, I think that allowing "authenticated user" role hasn't too much sense, because any authenticated user will get that role so, why should we allow to give the same role again?

The $CFG->defaultfrontpageroleid is the role granted in front page once logged AFAIK, so I can see the use of granting "student" or so (to be able to participate in frontpage activities without assigning roles manually), but cannot imagine any reason to grant the "authenticated" nor the "guest" one.

Unless I'm missing something, that is possible, btw. Ciao

In order to have site visitors see the Calendar without logging in... I had to set the front page settings to auto login as "guest" ... which breaks the Forum as per the above bug.

http://moodle.org/mod/forum/discuss.php?d=94027

Is there another way to see the calendar without auto login as guest?

Sorry Dean, but the calendar is available in front page (showing site events only) for everybody, you don't need to change any setting/permission. I've tested that here with my site "defaultfrontpageroleid" set to "none".

The new Security overview report indicates this problem now and suggests a solution, closing for now.
I hope the guest related code (especially the negative guest capability) gets fully rewritten in 2.0