Moodle / MDL-57027

get_users_by_capability() is broken for CAP_PROHIBIT

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.1.2, 3.2.1, 3.3
    • Fix Version/s: 3.1.5, 3.2.2
    • Component/s: Roles / Access
    • Testing Instructions:
      1. Run accesslib unit tests at least on PGSQL/MYSQL, preferably on all DBs
    • Affected Branches:
      MOODLE_31_STABLE, MOODLE_32_STABLE, MOODLE_33_STABLE
    • Fixed Branches:
      MOODLE_31_STABLE, MOODLE_32_STABLE
    • Sprint:
      3.3 sprint 2

      Description

      If a user has 2 roles (say 'role1' and 'role2') attributed in the same context, and these roles have the capability 'cap' defined as follows:

      • role1[cap] = allow
      • role2[cap] = prohibit

      The has_capability(cap, context, user) correctly returns false ('prohibit' prevails).

      However, the get_users_by_capability(context, cap) erroneously returns this user!

      It looks like the SQL used by get_users_by_capability() boils down to the following:

      SELECT userid FROM role_assignments WHERE contextid IN (<parentcontexts>, context) AND roleid IN (role1) AND roleid NOT IN (role2);

      The problem is that this will return the user, as it has the role1, even though it also has the role2, which should prevent him from being returned.

      Maybe I'm failing to understand something here, but surely get_users_by_capability() and has_capability() should use the same logic.
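
The mismatch reported above, reproduced as an added example (not part of the original report, and not Moodle's code or its fix). It assumes an in-memory SQLite table named role_assignments as in the report's query, constructed user, role and context ids, and a hypothetical NOT EXISTS query as one way to apply the prohibit per user rather than per row.

```python
import sqlite3

# Constructed sample data: user 1 holds role1 (allow) and role2 (prohibit)
# in the same context; user 2 holds only role1; user 3 holds only role2.
ROLE1, ROLE2, CTX = 1, 2, 10
ASSIGNMENTS = [(1, ROLE1, CTX), (1, ROLE2, CTX), (2, ROLE1, CTX), (3, ROLE2, CTX)]

# Row-wise filter as described in the report: each assignment row is tested
# on its own, so user 1's role1 row passes even though a role2 row exists.
ROWWISE_SQL = """
SELECT DISTINCT userid FROM role_assignments
 WHERE contextid IN (:ctx) AND roleid IN (:allow) AND roleid NOT IN (:prohibit)
 ORDER BY userid
"""

# User-level exclusion (assumption, not Moodle's fix): drop every user who
# has any assignment to a prohibiting role in the context set.
USERLEVEL_SQL = """
SELECT DISTINCT ra.userid FROM role_assignments ra
 WHERE ra.contextid IN (:ctx) AND ra.roleid IN (:allow)
   AND NOT EXISTS (SELECT 1 FROM role_assignments p
                    WHERE p.userid = ra.userid
                      AND p.contextid IN (:ctx)
                      AND p.roleid IN (:prohibit))
 ORDER BY ra.userid
"""

def build_db():
    """Create the constructed role_assignments table in memory."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE role_assignments "
               "(userid INTEGER, roleid INTEGER, contextid INTEGER)")
    db.executemany("INSERT INTO role_assignments VALUES (?, ?, ?)", ASSIGNMENTS)
    return db

def users_with_capability(db, sql):
    """Run one of the queries above and return the matching user ids."""
    params = {"ctx": CTX, "allow": ROLE1, "prohibit": ROLE2}
    return [row[0] for row in db.execute(sql, params)]

if __name__ == "__main__":
    db = build_db()
    print("row-wise:  ", users_with_capability(db, ROWWISE_SQL))
    print("user-level:", users_with_capability(db, USERLEVEL_SQL))
```

The row-wise query lists user 1 despite the prohibit, which is the access-control gap the report describes; the user-level query returns only user 2.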

            People

            Assignee:
            ankit_frenz Ankit Agarwal
            Reporter:
            monidu Nicolas Dunand
            Peer reviewer:
            Rajesh Taneja
            Integrator:
            Eloy Lafuente (stronk7)
            Tester:
            CiBoT
            Component watchers:
            Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Sara Arjona (@sarjona), Víctor Déniz Falcón

              Dates

              Fix Release Date:
              13/Mar/17