  1. Moodle
  2. MDL-57027

get_users_by_capability() is broken for CAP_PROHIBIT


    • MOODLE_31_STABLE, MOODLE_32_STABLE, MOODLE_33_STABLE
    • MOODLE_31_STABLE, MOODLE_32_STABLE
      1. Run accesslib unit tests at least on PGSQL/MYSQL, preferably on all DBs
    • 3.3 sprint 2

      If a user has 2 roles (say 'role1' and 'role2') attributed in the same context, and these roles have the capability 'cap' defined as follows:

      • role1[cap] = allow
      • role2[cap] = prohibit

      The has_capability(cap, context, user) correctly returns false ('prohibit' prevails).

      However, the get_users_by_capability(context, cap) erroneously returns this user!

      It looks like the SQL used by get_users_by_capability() boils down to the following:

      SELECT userid FROM role_assignments WHERE contextid IN (<parentcontexts>, context) AND roleid IN (role1) AND roleid NOT IN (role2);

      The problem is that this will return the user, as it has the role1, even though it also has the role2, which should prevent him from being returned.

      Maybe I'm failing to understand something here, but surely get_users_by_capability() and has_capability() should use the same logic.
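
The difference between a row-level and a user-level exclusion, shown as an added example that is not part of the original report and not Moodle's code. It assumes a simplified `role_assignments` table in SQLite with constructed user, role and context ids; the `NOT EXISTS` form is one way to express the exclusion, not necessarily the fix Moodle adopted.

```python
import sqlite3

ALLOW_ROLES = (1,)      # role1: cap = allow
PROHIBIT_ROLES = (2,)   # role2: cap = prohibit
CONTEXTS = (10,)        # the context and its parents (constructed ids)

def make_db():
    """Constructed sample data; a simplified stand-in for role_assignments."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE role_assignments (userid INT, roleid INT, contextid INT)")
    db.executemany(
        "INSERT INTO role_assignments VALUES (?, ?, ?)",
        [
            (100, 1, 10),  # user 100: role1 (allow) ...
            (100, 2, 10),  # ... and role2 (prohibit) in the same context
            (200, 1, 10),  # user 200: role1 only
            (300, 2, 10),  # user 300: role2 only
        ],
    )
    return db

def marks(values):
    """Build a '?,?,...' placeholder list for an IN (...) clause."""
    return ",".join("?" * len(values))

def row_level_filter(db):
    """Shape of the query quoted in the report: both role tests hit the same row."""
    sql = (
        "SELECT DISTINCT userid FROM role_assignments "
        f"WHERE contextid IN ({marks(CONTEXTS)}) "
        f"AND roleid IN ({marks(ALLOW_ROLES)}) "
        f"AND roleid NOT IN ({marks(PROHIBIT_ROLES)}) ORDER BY userid"
    )
    return [r[0] for r in db.execute(sql, CONTEXTS + ALLOW_ROLES + PROHIBIT_ROLES)]

def user_level_filter(db):
    """Exclude a user if ANY of their assignments carries a prohibiting role."""
    sql = (
        "SELECT DISTINCT ra.userid FROM role_assignments ra "
        f"WHERE ra.contextid IN ({marks(CONTEXTS)}) "
        f"AND ra.roleid IN ({marks(ALLOW_ROLES)}) "
        "AND NOT EXISTS (SELECT 1 FROM role_assignments p "
        "WHERE p.userid = ra.userid "
        f"AND p.contextid IN ({marks(CONTEXTS)}) "
        f"AND p.roleid IN ({marks(PROHIBIT_ROLES)})) ORDER BY ra.userid"
    )
    params = CONTEXTS + ALLOW_ROLES + CONTEXTS + PROHIBIT_ROLES
    return [r[0] for r in db.execute(sql, params)]
```

The row-level form still returns user 100, because the row carrying role1 passes `roleid NOT IN (role2)` on its own; the user-level form drops that user and keeps only user 200.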

            ankit_frenz Ankit Agarwal
            monidu Nicolas Dunand
            Rajesh Taneja Rajesh Taneja
            Eloy Lafuente (stronk7) Eloy Lafuente (stronk7)
            CiBoT CiBoT