- Bug
- Resolution: Fixed
- Minor
- 3.1.2, 3.2.1, 3.3
- MOODLE_31_STABLE, MOODLE_32_STABLE, MOODLE_33_STABLE
- MOODLE_31_STABLE, MOODLE_32_STABLE
- Run accesslib unit tests at least on PGSQL/MYSQL, preferably on all DBs
- 3.3 sprint 2

If a user has 2 roles (say 'role1' and 'role2') attributed in the same context, and these roles have the capability 'cap' defined as follows:
- role1[cap] = allow
- role2[cap] = prohibit
The has_capability(cap, context, user) correctly returns false ('prohibit' prevails).
However, the get_users_by_capability(context, cap) erroneously returns this user!
It looks like the SQL used by get_users_by_capability() boils down to the following:
SELECT userid FROM role_assignments WHERE contextid IN (<parentcontexts>, context) AND roleid IN (role1) AND roleid NOT IN (role2);
The problem is that this will return the user, as it has the role1, even though it also has the role2, which should prevent him from being returned.
Maybe I'm failing to understand something here, but surely get_users_by_capability() and has_capability() should use the same logic.
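
The row-wise filter described in the report can be reproduced on a toy table. This is an added example, not Moodle's code and not the fix that was committed. The three-column schema, the user, role and context ids, and the NOT EXISTS form of the per-user check are assumptions made for illustration.

```python
import sqlite3

# Constructed sample data: (userid, roleid, contextid).
# Role 1 allows the capability, role 2 prohibits it; context 10 is the
# target context and 5 stands in for a parent context.
ASSIGNMENTS = [
    (100, 1, 10),  # user 100: allow only
    (200, 1, 10),  # user 200: allow ...
    (200, 2, 10),  # ... and prohibit in the same context
    (300, 2, 10),  # user 300: prohibit only
]

# Shape of the query quoted in the report: both role conditions are tested
# against the same row, so the role-1 row of user 200 passes the filter.
ROW_WISE = """
SELECT DISTINCT userid FROM role_assignments
 WHERE contextid IN (5, 10) AND roleid IN (1) AND roleid NOT IN (2)
 ORDER BY userid
"""

# Hypothetical per-user form: the prohibit check looks at all of the user's
# assignments in the relevant contexts, not only at the current row.
USER_WISE = """
SELECT DISTINCT ra.userid FROM role_assignments ra
 WHERE ra.contextid IN (5, 10) AND ra.roleid IN (1)
   AND NOT EXISTS (
        SELECT 1 FROM role_assignments p
         WHERE p.userid = ra.userid
           AND p.contextid IN (5, 10) AND p.roleid IN (2))
 ORDER BY ra.userid
"""

def users_for(query):
    """Run one of the queries against a fresh in-memory table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE role_assignments (userid INT, roleid INT, contextid INT)")
    db.executemany("INSERT INTO role_assignments VALUES (?, ?, ?)", ASSIGNMENTS)
    rows = db.execute(query).fetchall()
    db.close()
    return [r[0] for r in rows]

if __name__ == "__main__":
    print("row-wise :", users_for(ROW_WISE))
    print("user-wise:", users_for(USER_WISE))
```

User 200 appears in the row-wise result even though a per-user check excludes it, which is the mismatch with has_capability() that the report describes.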