Moodle / MDL-67300

Calendar: Inconsistent behaviour of managegroupentries capability


    Details

    • Testing Instructions:
      1. In the role settings (site administration / Users / Permissions / Define roles):
        • Change the 'non-editing teacher' role to remove the moodle/calendar:manageentries capability, so that out of the calendar: capabilities, it only has moodle/calendar:managegroupentries.
        • Change the 'authenticated user' role to remove the moodle/calendar:manageownentries capability. (This represents a site configuration where the personal Moodle calendar is not used.)
      2. Give a test account the non-editing teacher role in a course.
      3. Create a group in that course and assign the test account to it.
      4. Log in as the test user and go to the calendar page (/calendar/).
      5. Select the test course from the 'Course' dropdown. You might need to press Return after this.
      6. Click 'New event' button to add a new calendar event, using arbitrary name and future date.
        • EXPECTED (no change): This should work OK. It should be pre-set as a group event (assuming the user doesn't have other capabilities elsewhere).
      7. Now try to edit the calendar event that you just created, for example changing the name.
        • EXPECTED: It should let you edit the event.
        • BEFORE FIX: This used to give a 'nopermissiontoupdatecalendar' error popup.
    • Affected Branches:
      MOODLE_37_STABLE, MOODLE_38_STABLE, MOODLE_39_STABLE
    • Fixed Branches:
      MOODLE_37_STABLE, MOODLE_38_STABLE
    • Pull 3.7 Branch:
      MDL-67300-m37
    • Pull 3.8 Branch:
      MDL-67300-m38
    • Pull Master Branch:
      MDL-67300-master

      Description

      1. When creating a new calendar event in a specific course, which calls calendar_get_allowed_event_types with a passed-on course id, you need one of the following capabilities:

      moodle/calendar:manageentries (to create a course event)
      or
      moodle/calendar:managegroupentries, and a group membership or accessallgroups (to create a group event).

      The manageentries capability also gives you the same permissions as managegroupentries, i.e. if you can manage course entries, you can also manage group entries (for groups you belong to, or if you have accessallgroups).

      Overall, this behaviour seems fairly logical, so I'm assuming it is correct/intended.

      2. When editing a calendar event, which calls calendar_get_allowed_event_types without passing in a courseid, you need

      moodle/calendar:manageentries on any course (for a course event)
      If you additionally have moodle/calendar:managegroupentries on that course, and a group membership or accessallgroups then you can also do group events.

      Notice that this is different: editing (with course id not passed) requires both manageentries AND managegroupentries in order to edit a group event, whereas creating (with course id passed) requires either manageentries OR managegroupentries.

      This strikes me as wrong. It also means you cannot correctly configure it so that some people can create tutor group events but not course ones (which is what we would like it to do). If you try to make that configuration, then it does indeed work so that these users can create tutor group events, but they then may be unable to edit the event they just created, which is obviously wrong.

      See test script for an example of how to reproduce this.
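
Added example (not part of the original report and not Moodle code): a Python model of the two rules described above, with an exhaustive check that lists every capability and group-membership combination in which an event type can be created but not edited. The function names are hypothetical, and `moodle/site:accessallgroups` is assumed to be the full name of the 'accessallgroups' capability the report mentions.

```python
from itertools import product

MANAGE = "moodle/calendar:manageentries"
MANAGE_GROUP = "moodle/calendar:managegroupentries"
ALL_GROUPS = "moodle/site:accessallgroups"  # assumed full name of 'accessallgroups'


def _group_access(caps, in_group):
    # A group event needs membership of the group or accessallgroups.
    return in_group or ALL_GROUPS in caps


def types_on_create(caps, in_group):
    """Rule 1 (course id passed): manageentries OR managegroupentries."""
    types = set()
    if MANAGE in caps:
        types.add("course")
    if (MANAGE in caps or MANAGE_GROUP in caps) and _group_access(caps, in_group):
        types.add("group")
    return types


def types_on_edit_reported(caps, in_group):
    """Rule 2 (no course id), as reported: manageentries AND managegroupentries."""
    types = set()
    if MANAGE in caps:
        types.add("course")
        if MANAGE_GROUP in caps and _group_access(caps, in_group):
            types.add("group")
    return types


def create_edit_gaps(edit_rule):
    """Return every configuration where a creatable event type is not editable."""
    gaps = []
    for bits in product([False, True], repeat=4):
        in_group = bits[3]
        caps = frozenset(
            c for c, on in zip((MANAGE, MANAGE_GROUP, ALL_GROUPS), bits) if on
        )
        lost = types_on_create(caps, in_group) - edit_rule(caps, in_group)
        if lost:
            short = sorted(c.split(":")[1] for c in caps)
            gaps.append((short, in_group, sorted(lost)))
    return gaps


if __name__ == "__main__":
    for caps, in_group, lost in create_edit_gaps(types_on_edit_reported):
        print(f"caps={caps} in_group={in_group} -> cannot edit {lost}")
```

Passing `types_on_create` as the edit rule models the expected behaviour from the testing instructions (same rule on both paths) and yields no gaps.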

              People

              Assignee:
              quen Sam Marshall
              Reporter:
              quen Sam Marshall
              Peer reviewer:
              Simey Lameze
              Integrator:
              Eloy Lafuente (stronk7)
              Tester:
              Gladys Basiana
              Participants:
              Component watchers:
              Andrew Nicols, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze

                Dates

                Created:
                Updated:
                Resolved:
                Fix Release Date:
                13/Jan/20

                  Time Tracking

                  Estimated:
                  Not Specified
                  Remaining:
                  0m
                  Logged:
                  7h 21m