Details
- Type: Improvement
- Status: Closed
- Priority: Minor
- Resolution: Not a bug
- Affects Version/s: 1.9.6
- Fix Version/s: None
- Component/s: Roles / Access
- Labels: None
- Environment: php, sql
- Affected Branches: MOODLE_19_STABLE
Description
I came across a situation yesterday evening where, in one of the courses, a participant has three roles assigned. I know this should not happen, but it did, SO I am posting a blog here for note purposes.
So, in the situation above, the participant in that course has the roles: student, editing ta, and head ta. Now, in most authorization code I've written or experienced, the most restrictive permission (or the set with the least access) gets applied to the logged-in user. In this case, it should have been the student role permission that applied. BUT that's not the case. The user actually has the whole permission set of the head ta, and the two other permission sets were simply ignored, it seems.
Question 1: Is there a sum total permission that gets calculated when a user has different roles in a given course?
For security purposes, the participant should have gotten the most restrictive (student) permission applied, just in case the instructor or administrator "accidentally" added the student to a more privileged role (i.e. editing ta and/or head ta).
Activity
In most systems I know, the permissions are a sum with an optional prohibit option that cancels any other permission.
Moodle permissions are very "unique" - see http://docs.moodle.org/en/How_permissions_are_calculated; some people say this is a bit over-engineered.
Please note this evaluation of permissions may change (be simplified) once more in 2.0.
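
The two models discussed in this issue, side by side, as an added example that is not part of the original thread and is not Moodle's code: the "sum with prohibit" evaluation from the comment and the "most restrictive" evaluation the reporter expected, applied to the three roles from the description. The capability names and role contents are constructed for illustration, and Moodle's own calculation (see the linked documentation) is not modelled here.

```python
# Added illustration; role and capability names are constructed, not Moodle's.
ALLOW, PROHIBIT = "allow", "prohibit"

ROLES = {
    "student": {"course:view": ALLOW, "assignment:submit": ALLOW},
    "editing_ta": {"course:view": ALLOW, "assignment:grade": ALLOW,
                   "course:edit": ALLOW},
    "head_ta": {"course:view": ALLOW, "assignment:grade": ALLOW,
                "course:edit": ALLOW, "roles:assign": ALLOW},
}


def additive_with_prohibit(role_names, roles=ROLES):
    """Sum model: union of allows; a prohibit in any role cancels the capability."""
    allowed, prohibited = set(), set()
    for name in role_names:
        for cap, perm in roles[name].items():
            (prohibited if perm == PROHIBIT else allowed).add(cap)
    return allowed - prohibited


def most_restrictive(role_names, roles=ROLES):
    """Intersection model: a capability is kept only if every role allows it."""
    per_role = [{c for c, p in roles[n].items() if p == ALLOW} for n in role_names]
    return set.intersection(*per_role) if per_role else set()


def with_prohibits(roles, role_name, caps):
    """Return a copy of roles where role_name explicitly prohibits caps."""
    hardened = {name: dict(perms) for name, perms in roles.items()}
    for cap in caps:
        hardened[role_name][cap] = PROHIBIT
    return hardened


if __name__ == "__main__":
    assigned = ["student", "editing_ta", "head_ta"]
    print("sum:", sorted(additive_with_prohibit(assigned)))
    # Smaller than the student set: only the student role allows assignment:submit.
    print("intersection:", sorted(most_restrictive(assigned)))
    locked = with_prohibits(ROLES, "student", ["assignment:grade", "roles:assign"])
    print("sum + student prohibits:", sorted(additive_with_prohibit(assigned, locked)))
```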