Details
-
Type:
Bug
-
Status:
Closed
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: 1.7, 1.7.1, 1.7.2, 1.8
-
Component/s: Calendar
-
Labels:None
-
Environment:any Moodle 1.7+
-
Database:Any
-
Affected Branches:MOODLE_17_STABLE, MOODLE_18_STABLE
-
Fixed Branches:MOODLE_17_STABLE, MOODLE_18_STABLE, MOODLE_19_STABLE
Description
I wanted to allow teachers to edit each others "course" wide calendar events.
I thought the way to do this would be to add the "moodle/calendar:manageentries" capability to the "teacher" role for the course in question, so I did the following:
(1) open a Moodle course page
(2) click Administration block -> Assign Roles link
(3) click Override Roles tab -> Teacher link
(4) locate "Manage any calendar entries (moodle/calendar:manageentries)"
(5) select radio button in second column ("Allow")
(6) click "Save changes" at bottom of page
I thought this would then allow any teacher for the course to edit any calendar "course" events for that course, but this was not the case. In fact, a given teacher could still only edit events which had been created by that teacher.
I looked at the calendar scripts, and found that the decision to allow the current user to edit an event or not is decided by the function "calendar_edit_event_allowed", in "calendar/lib.php" (around line 1180 in the Moodle 1.7 version of the script)
The logic of that function doesn't seem right to me. Here is a summary of lines 1196 - 1214;
======================================
if ($event->userid) {
if ($event->userid == $USER->id) {
return (has_capability('moodle/calendar:manageownentries', $sitecontext));
}
} else if ($event->groupid) {
// check capability for group context
// ...
} else if ($event->courseid) {
// check capability for course context
// ...
}
return false;
======================================
If there is a userid, but it is not the current user, then the function returns false and editing is denied, regardless of the group or course roles. That is not what I expected.
Therefore I would like to suggest that this function be changed to the following function, which has been tested and behaves according my expectation, namely that roles are checked from the most general, "site context", down to the most specific, "user context", and only if all those roles have no editing capability will editing of the current event by the current user be denied.
Here is the candidate function:
======================================
function calendar_edit_event_allowed($event) {
global $USER;
// can not be using guest account
if ($USER->username == "guest") {
return false;
}
// if user has manageentries at site level, return true
$sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
if (has_capability('moodle/calendar:manageentries', $sitecontext)) {
return true;
}
// if user has manageentries at course level, return true
if ($event->courseid) {
$coursecontext = get_context_instance(CONTEXT_COURSE, $event->courseid);
if (has_capability('moodle/calendar:manageentries', $coursecontext)) {
return true;
}
}
// if user has manageentries at group level, return true
if ($event->groupid) {
$groupcontext = get_context_instance(CONTEXT_GROUP, $group->id);
if (has_capability('moodle/calendar:manageentries', $groupcontext)) { return true; } }
}
// editting userid account
if ($event->userid && ($event->userid == $USER->id)) {
if (has_capability('moodle/calendar:manageownentries', $sitecontext)) {
return true;
}
}
return false;
}
======================================
thanks in advance for considering this proposal
Gordon
Yu, can you review this and fix?.