The Roles and Capabilities system needs greater transparency. It's too much like a black box. The set of permissions that a user has in a given context is the result of a complex algorithm based on role assignments and overrides. I would like to see exactly what a user's current permissions are, and I would like to be able to walk up the context stack and see the permissions at each level. It would be a great way to explore, learn, and debug the system. Currently, we can only guess a user's permissions, or perform tedious experiments in an attempt to deduce them.
The following proposal only applies to users who have permission to Assign roles to users in a given context
On roles-related pages (e.g., Course administration -> Assign roles or modedit pages), add a "View permissions" tab
Clicking the View permissions tab displays a list of users (for simplicity, show all users on the site).
In context Y, clicking on user X displays a page "Permissions for User X in context Y" (the complete list of permissions for the selected user in this context).
This gives complete transparency to the roles system. It lets us see the permissions the algorithm has computed from all assignments and overrides.
Two possible enhancements to the "Permissions for User X in context Y" page:
- Highlight the value of each capability in the parent context (as it's done when displaying overrides)
- Add an Up button, allowing you to change the page view to the parent context. For example, if the parent context of Y is Z, clicking the Up button will display the page "Permissions for User X in context Z." On the parent page, there would be two buttons, Up and Down, allowing you to either go up another level or return to the previous level. Using these buttons, you can "animate" the display of permissions. You should be able to walk all the way up to the System context.
See discussion http://moodle.org/mod/forum/discuss.php?d=86452