Moodle
  1. Moodle
  2. MDL-18094

viewhiddenactivities capabiltity should be checked, overrideable at module context

    Details

    • Type: Improvement Improvement
    • Status: Closed
    • Priority: Minor Minor
    • Resolution: Fixed
    • Affects Version/s: 1.9.4
    • Fix Version/s: 1.9.5
    • Component/s: Roles / Access
    • Labels:
      None
    • Affected Branches:
      MOODLE_19_STABLE
    • Fixed Branches:
      MOODLE_19_STABLE
    • Rank:
      36692

      Description

      It should be possible to use the role system to hide individual activities from the course home page (and some other places).

      The aim is so that there are two roles, e.g. 'student' and 'frog', neither of which have special permissions on the course in general. However we want the 'frog' role to be able to see an activity which the 'student' role cannot. It is possible to do this with groupings, but we don't want to use groupings because we don't have user data in that format at present and we already have the 'frog' role.

      This procedure should work:

      • Mark the activity as hidden.
      • Override the 'viewhiddenactivities' capability, on that single activity, for the 'frog' role so that it can access the activity.

      Unfortunately this is not possible for two reasons:

      1) viewhiddenactivities seems to be checked in course context, not activity context
      2) The UI does not allow you to override viewhiddenactivities in activity context

      This should be fixed (imo). Hopefully I will get a chance to look at it at some point over the next few months.

        Issue Links

          Activity

          Hide
          Sam Marshall added a comment -

          Fixed, the changes were not very extensive (although it was a pain doing it twice for 1.9 and 2.0).

          Changes required were:

          1) Changed accesslib to include viewhiddenactivities in the list of displayed options for override at module level, for all modules.

          2) Changed moodlelib require_login so that it checks this permission at course-module context instead of using course context. [The permission is only ever used when a course-module is provided.]

          It was not necessary to change the course display (print_section in course/lib.php) as this already checked the permission against the correct [module] context.

          I checked this by giving student access to view one hidden activity, seems to work!

          Show
          Sam Marshall added a comment - Fixed, the changes were not very extensive (although it was a pain doing it twice for 1.9 and 2.0). Changes required were: 1) Changed accesslib to include viewhiddenactivities in the list of displayed options for override at module level, for all modules. 2) Changed moodlelib require_login so that it checks this permission at course-module context instead of using course context. [The permission is only ever used when a course-module is provided.] It was not necessary to change the course display (print_section in course/lib.php) as this already checked the permission against the correct [module] context. I checked this by giving student access to view one hidden activity, seems to work!
          Hide
          Gary Anderson added a comment -

          Sam:

          I will reopen this because I think it is a very helpful capability, but does not quite work in the way that would probably be best.

          It does allow one to override the ability and only see an activity (or what I think is more important, a resource module like a web page or directory). But when you open that resource, you still get the error message for that use that the activity is hidden, so you can't view the content.

          But, if you change line 2083 of moodlelib.php to allow the module to be viewed, this could give the capability, for example, for a teacher to let students (or selected students) see web pages and directories within their course, but not let guests see them. That would be very powerful and let teachers open up their courses while leaving privileged material protected.

          Show
          Gary Anderson added a comment - Sam: I will reopen this because I think it is a very helpful capability, but does not quite work in the way that would probably be best. It does allow one to override the ability and only see an activity (or what I think is more important, a resource module like a web page or directory). But when you open that resource, you still get the error message for that use that the activity is hidden, so you can't view the content. But, if you change line 2083 of moodlelib.php to allow the module to be viewed, this could give the capability, for example, for a teacher to let students (or selected students) see web pages and directories within their course, but not let guests see them. That would be very powerful and let teachers open up their courses while leaving privileged material protected.
          Hide
          Gary Anderson added a comment -

          Sam:

          I will reclose this. I must have had only a partial cvs update when I first tested this as you had in fact change moodlelib.php.

          My only minor suggestion is that I think && should be used rather than and on line 2152 of moodlelib.php because you don't want to do the checks if the module is empty to keep a notice from being produced.

          Also, my testing suggests that it does exactly what one would want and I see this as one of the best reason for roles yet.

          --Gary

          Show
          Gary Anderson added a comment - Sam: I will reclose this. I must have had only a partial cvs update when I first tested this as you had in fact change moodlelib.php. My only minor suggestion is that I think && should be used rather than and on line 2152 of moodlelib.php because you don't want to do the checks if the module is empty to keep a notice from being produced. Also, my testing suggests that it does exactly what one would want and I see this as one of the best reason for roles yet. --Gary
          Hide
          Sam Marshall added a comment -

          I changed it to consistently use && (just on these lines I mean - obviously I didn't change anything else in the file).

          Having actually already made the change, I looked it up - yes that is the wrong order - and I don't think the 'and' operator would cause it to fail as described. As I understand the manual, 'and' doesn't disable short-circuit feature, just changes precedence. But because I personally came to the conclusion some time ago that the correct way to deal with the issue was just to always use &&, my understanding of 'and' is a bit limited, so I may well be wrong...

          Show
          Sam Marshall added a comment - I changed it to consistently use && (just on these lines I mean - obviously I didn't change anything else in the file). Having actually already made the change, I looked it up - yes that is the wrong order - and I don't think the 'and' operator would cause it to fail as described. As I understand the manual, 'and' doesn't disable short-circuit feature, just changes precedence. But because I personally came to the conclusion some time ago that the correct way to deal with the issue was just to always use &&, my understanding of 'and' is a bit limited, so I may well be wrong...

            People

            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: