  1. Moodle
  2. MDL-37118

Capability 'mod/forum:allowforcesubscribe' does not work with prevent, only prohibit


    • Type: Bug
    • Resolution: Not a bug
    • Priority: Minor
    • None
    • 2.3.3, 2.4
    • Forum
    • None
    • MOODLE_23_STABLE, MOODLE_24_STABLE
    • Set role A with "mod/forum:allowforcesubscribe" set to "Prohibit"
    • Steps to reproduce:

      1. Create role A with "mod/forum:allowforcesubscribe" set to "Prevent"
      2. Create role B with "mod/forum:allowforcesubscribe" set to "Allow"
      3. Assign user to a course with role A
      4. Assign user to category that course belongs to with role B
      5. Go to course and create a forum with forced subscription
      6. Go to forum's "Show/edit current subscribers"
      7. Expected: User does not show up in list
      8. Actual: User does show up in list

      If a user has role A with "mod/forum:allowforcesubscribe" set to "Prevent" in a course and role B in a parent category, that user will still be force-subscribed to forums.

      According to the way capabilities are calculated there is an even number of Allow and Prevent, so the capability check should fail: http://docs.moodle.org/20/en/How_permissions_are_calculated

      Looking at the code, the problem seems to be mod/forum/lib.php: forum_get_potential_subscribers and the call to get_enrolled_sql. The get_enrolled_sql function doesn't seem to take into account "Prevent" in filtering out users.

      The code for get_enrolled_sql is very complex, so I am not sure I can provide a patch. If that is the expected behavior of get_enrolled_sql, then it should be documented that the $withcapability only restricts capabilities with "Prohibit". Also, the forum checks should maybe use some other method of obtaining forced subscribers with a more rigorous capability check.

            skodak Petr Skoda
            rex Rex Lorenzo
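
The behaviour named in the title, as an added example that is not part of the original report and is not Moodle's code: a simplified Python model of a per-capability user filter in which one role resolving to Allow is enough and only Prohibit excludes a user. The filter rule, the function names and the sample user are assumptions; the role setup follows the steps to reproduce.

```python
# Simplified model (an assumption, not Moodle code) of a "users with capability"
# filter: a user is listed when at least one of their roles resolves to ALLOW
# and none resolves to PROHIBIT. PREVENT only cancels ALLOW inside the same role.
ALLOW, PREVENT, PROHIBIT = 1, -1, -1000

def role_permission(overrides, path):
    """Resolve one role for the capability.
    overrides: {context: permission}; path: contexts, most specific first.
    The most specific setting wins, but PROHIBIT anywhere on the path is final."""
    result = None
    for ctx in path:
        perm = overrides.get(ctx)
        if perm == PROHIBIT:
            return PROHIBIT
        if perm is not None and result is None:
            result = perm
    return result

def potential_subscribers(path, role_defs, assignments):
    """role_defs: {role: {context: permission}} for one capability.
    assignments: {user: [(role, context), ...]}."""
    resolved = {role: role_permission(o, path) for role, o in role_defs.items()}
    listed = []
    for user, ras in assignments.items():
        # Only role assignments on the path from the forum up to the root count.
        perms = [resolved.get(role) for role, ctx in ras if ctx in path]
        if PROHIBIT in perms:
            continue              # one prohibiting role removes the user
        if ALLOW in perms:
            listed.append(user)   # one allowing role is sufficient
    return sorted(listed)

# Constructed data mirroring the steps to reproduce (user name is hypothetical).
PATH = ["forum", "course", "category", "system"]
ASSIGN = {"student1": [("A", "course"), ("B", "category")]}

def scenario(role_a_permission):
    """Role B allows the capability; role A carries the permission under test."""
    defs = {"A": {"system": role_a_permission}, "B": {"system": ALLOW}}
    return potential_subscribers(PATH, defs, ASSIGN)

if __name__ == "__main__":
    print("A=Prevent :", scenario(PREVENT))
    print("A=Prohibit:", scenario(PROHIBIT))
```

Under this model, a Prevent in role A never offsets the Allow that role B contributes, regardless of which role is assigned closer to the forum.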