[#MDL-18475] Permission evaluation revisited - Moodle Tracker

Details

Type: Sub-task
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 2.0
Fix Version/s: 2.0
Component/s: Roles / Access
Labels:
None

Affected Branches:
MOODLE_20_STABLE
Fixed Branches:
MOODLE_20_STABLE

Description

see http://docs.moodle.org/en/Development:Role_overrides_revisited
and http://skodak.org/blog/?p=22

More Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Download All

Attachments

newpermissions.patch

25/Mar/09 4:20 PM

44 kB

Petr Škoda (skodak)

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Petr Škoda (skodak) added a comment - 08/Mar/09 9:49 AM

sample code:

function has_capability_in_accessdata($capability, $context, $accessdata, $doanything) {
global $CFG;

/// build $paths as a list of current + all parent "paths" with order bottom-to-top
$contextids = explode('/', $context->path);
$paths = array($context->path);
while (count($contextids) > 2) { array_pop($contextids); $paths[] = implode('/', $contextids); }

$roles = array();
$switchedrole = false;

/// Find out if role switched
if (isset($accessdata['rsw'])) {
// check for isset() is fast
// empty() is slow...
if (empty($accessdata['rsw'])) { unset($accessdata['rsw']); // keep things fast and unambiguous break; }

// From the bottom up...

foreach ($paths as $path) {
if (isset($accessdata['rsw'][$ctxp])) { // Found a switchrole assignment // check for that role _plus_ the default user role $roles = array($accessdata['rsw'][$ctxp]=>null, $CFG->defaultuserroleid=>null); $switchedrole = true; break; }
}
}

if (!$switchedrole) {
// get all users roles in this context and above
foreach ($paths as $path) {
if (isset($accessdata['ra'][$path])) {
foreach ($accessdata['ra'][$path] as $roleid) { $roles[$roleid] = null; }
}
}

// Find out if user is admin - do anything is allowed in system context only since 2.0
// do anything is ignored when switching roles - it is not allowed to switch to admin role anyway
if ($doanything) {
$systempath = '/'.SYSCONTEXTID;
foreach ($roles as $roleid=>$ignored) {
if (isset($accessdata['rdef']["{$systempath}:$roleid"]['moodle/site:doanything'])
and $accessdata['rdef']["{$systempath}:$roleid"]['moodle/site:doanything'] == CAP_ALLOW) { return true; }
}
}
}

/// Now find out what access is given to each role
/// going from bottom-->up - the lowes override wins unless there is a CAP_PROHIBIT somewhere above tested context
foreach ($roles as $roleid=>$ignored) {
$access = null;
foreach ($paths as $path) {
if (isset($accessdata['rdef']["{$path}:$roleid"][$capability])) {
$perm = (int)$accessdata['rdef']["{$path}:$roleid"][$capability];
if ($perm === CAP_PROHIBIT or is_null($roles[$roleid])) { $roles[$roleid] = $perm; }
}
}
}

// any CAP_PROHIBIT found means no access
if (array_search(CAP_PROHIBIT, $roles) !== false) { return false; }

// at least one CAP_ALLOW means user has access
return (array_search(CAP_ALLOW, $roles) !== false);
}

Show

Petr Škoda (skodak) added a comment - 08/Mar/09 9:49 AM sample code: function has_capability_in_accessdata($capability, $context, $accessdata, $doanything) { global $CFG; /// build $paths as a list of current + all parent "paths" with order bottom-to-top $contextids = explode('/', $context->path); $paths = array($context->path); while (count($contextids) > 2) { array_pop($contextids); $paths[] = implode('/', $contextids); } $roles = array(); $switchedrole = false; /// Find out if role switched if (isset($accessdata['rsw'])) { // check for isset() is fast // empty() is slow... if (empty($accessdata['rsw'])) { unset($accessdata['rsw']); // keep things fast and unambiguous break; } // From the bottom up... foreach ($paths as $path) { if (isset($accessdata['rsw'][$ctxp])) { // Found a switchrole assignment // check for that role _plus_ the default user role $roles = array($accessdata['rsw'][$ctxp]=>null, $CFG->defaultuserroleid=>null); $switchedrole = true; break; } } } if (!$switchedrole) { // get all users roles in this context and above foreach ($paths as $path) { if (isset($accessdata['ra'][$path])) { foreach ($accessdata['ra'][$path] as $roleid) { $roles[$roleid] = null; } } } // Find out if user is admin - do anything is allowed in system context only since 2.0 // do anything is ignored when switching roles - it is not allowed to switch to admin role anyway

if ($doanything) { $systempath = '/'.SYSCONTEXTID; foreach ($roles as $roleid=>$ignored) { if (isset($accessdata['rdef']["{$systempath}:$roleid"]['moodle/site:doanything']) and $accessdata['rdef']["{$systempath}:$roleid"]['moodle/site:doanything'] == CAP_ALLOW) { return true; } } } } /// Now find out what access is given to each role /// going from bottom-->up - the lowes override wins unless there is a CAP_PROHIBIT somewhere above tested context foreach ($roles as $roleid=>$ignored) { $access = null; foreach ($paths as $path) { if (isset($accessdata['rdef']["{$path}:$roleid"][$capability])) { $perm = (int)$accessdata['rdef']["{$path}:$roleid"][$capability]; if ($perm === CAP_PROHIBIT or is_null($roles[$roleid])) { $roles[$roleid] = $perm; } } } } // any CAP_PROHIBIT found means no access if (array_search(CAP_PROHIBIT, $roles) !== false) { return false; } // at least one CAP_ALLOW means user has access return (array_search(CAP_ALLOW, $roles) !== false); }

Hide

Permalink

Petr Škoda (skodak) added a comment - 25/Mar/09 4:20 PM

sending an experimental patch for 1.9, it is missing a lot of strings and has some problems, but should clearly illustrate how it could work

Show

Petr Škoda (skodak) added a comment - 25/Mar/09 4:20 PM sending an experimental patch for 1.9, it is missing a lot of strings and has some problems, but should clearly illustrate how it could work

Hide

Permalink

Petr Škoda (skodak) added a comment - 11/Jul/10 4:11 AM

done

Show

Petr Škoda (skodak) added a comment - 11/Jul/10 4:11 AM done

Moodle

Permission evaluation revisited

Details

Description

Attachments

Activity

People

Dates