Moodle / MDL-7513

Not possible to create role with access to view all courses (by default)

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.8
    • Fix Version/s: 1.8
    • Component/s: Roles / Access
    • Labels:
      None
    • Affected Branches:
      MOODLE_18_STABLE
    • Fixed Branches:
      MOODLE_18_STABLE

      Description

      1. Set up a Moodle site in which the default role has moodle/legacy:guest.

      2. Create a course that doesn't allow guest access.

      3. Try to create a role which has access to view all courses by giving it moodle/course:view.

      4. Create a new user and assign it this role at site level.

      5. Log in as that user and try to view the course. You get asked to enrol in the course (if enrolment is allowed, otherwise it fails with a message).

      The expected result was that, since moodle/course:view was explicitly allowed, this user should be able to view all courses (whether or not they allow guest access) without having to enrol.

      The reason this happens is as follows:

      1. Remember that users can have multiple roles.

      2. All users have the 'default user role' at site level (this is correct - it's so that e.g. making somebody a student on course X doesn't somehow reduce their permissions on course Y below what they would have if they weren't assigned to any course at all).

      3. There is this code in accesslib, load_defaultuser_role:

      // SPECIAL EXCEPTION: If the default user role is actually a guest role, then
      // remove some capabilities so this user doesn't get confused with a REAL guest
      if (isset($USER->capabilities[$sitecontext->id]['moodle/legacy:guest']) and $USER->username != 'guest') {
          unset($USER->capabilities[$sitecontext->id]['moodle/legacy:guest']);
          unset($USER->capabilities[$sitecontext->id]['moodle/course:view']);  // No access to courses by default
      }

      I agree with unsetting legacy:guest (mostly) but why are we unsetting course:view? 'No access to courses by default' as the comment says, sure, but that will apply anyway unless somebody has intentionally added moodle/course:view to the role.

      The unset applies to capabilities set by the user's 'real' role as well as those included in the default one. I would suggest moving a version of this code into the for loop above so that it only applies to the default role and leaves all capabilities set by the 'real' role alone, but probably still worth removing the bit about course:view as I don't see what that has to do with anything here.

      It could be there is some complicated reason for this though so I didn't want to change anything personally, but here's a patch that seems to work (tested in the above situation to (a) check that my test user can now get into the site, (b) check that clicking the 'login as guest' button still doesn't get you into the site; not tested beyond that):

      Index: lib/accesslib.php
      ===================================================================
      RCS file: /cvsroot/moodle/moodle/lib/accesslib.php,v
      retrieving revision 1.190
      diff -u -r1.190 accesslib.php
      — lib/accesslib.php 12 Nov 2006 08:55:13 -0000 1.190
      +++ lib/accesslib.php 13 Nov 2006 12:45:29 -0000
      @@ -130,17 +130,14 @@
      if ($capabilities = get_records_select('role_capabilities',
      "roleid = $CFG->defaultuserroleid AND contextid = $sitecontext->id AND permission <> 0")) {
      foreach ($capabilities as $capability) {

      • if (!isset($USER->capabilities[$sitecontext->id][$capability->capability]))
        Unknown macro: { // Don't overwrite+ // Don't overwrite capabilities from real role...+ if (!isset($USER->capabilities[$sitecontext->id][$capability->capability]) + // ...and if the default role is a guest role, then don't copy legacy}

        -

      • // SPECIAL EXCEPTION: If the default user role is actually a guest role, then
      • // remove some capabilities so this user doesn't get confused with a REAL guest
      • if (isset($USER->capabilities[$sitecontext->id]['moodle/legacy:guest']) and $USER->username != 'guest') { - unset($USER->capabilities[$sitecontext->id]['moodle/legacy:guest']); - unset($USER->capabilities[$sitecontext->id]['moodle/course:view']); // No access to courses by default - }

        }

      return true;
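
      Review bot: The added in-loop condition is cut off at "...and if the default role is a guest role, then don't copy legacy", so it is not visible whether it keeps the removed block's $USER->username != 'guest' test; without it the real guest account would no longer pick up moodle/legacy:guest from a guest default role, so please show the full condition and keep that exception. The removed unset of moodle/course:view is also a behaviour change: a default role that itself grants moodle/course:view will now pass it to every user, and the new comment in the loop should say that this is intended.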

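The merge order described in the report, as an added example that is not Moodle's code and not part of the original issue: a simplified model in which each role is a flat capability => permission array (an assumption standing in for $USER->capabilities[$sitecontext->id]), with hypothetical function names, comparing the post-merge unset with a filter applied only to default-role entries as the reporter suggests.

```php
<?php
// Simplified model (assumption): one array per role, capability => permission.
const GUEST_MARKER = 'moodle/legacy:guest';

// Behaviour described in the report: merge the default role, then unset on the
// merged result, which also removes what the user's real role granted.
function merge_then_unset(array $real, array $default, string $username): array {
    $caps = $real;
    foreach ($default as $cap => $perm) {
        if (!isset($caps[$cap])) {          // don't overwrite the real role
            $caps[$cap] = $perm;
        }
    }
    if (isset($caps[GUEST_MARKER]) && $username !== 'guest') {
        unset($caps[GUEST_MARKER]);
        unset($caps['moodle/course:view']); // hits the real role's grant too
    }
    return $caps;
}

// Reporter's suggestion: decide per default-role entry while merging, so
// capabilities that came from the real role are never touched.
function filter_while_merging(array $real, array $default, string $username): array {
    $caps = $real;
    foreach ($default as $cap => $perm) {
        if (isset($caps[$cap])) {
            continue;                       // real role wins
        }
        if ($cap === GUEST_MARKER && $username !== 'guest') {
            continue;                       // don't mark a normal user as guest
        }
        $caps[$cap] = $perm;
    }
    return $caps;
}

// Constructed sample data matching the steps in the description.
$default = [GUEST_MARKER => 1];             // default user role is a guest role
$viewer  = ['moodle/course:view' => 1];     // custom role assigned at site level

foreach (['merge_then_unset', 'filter_while_merging'] as $fn) {
    echo $fn, " / viewer: ", var_export($fn($viewer, $default, 'viewer'), true), "\n";
    echo $fn, " / guest:  ", var_export($fn([], $default, 'guest'), true), "\n";
}
```

Run under the PHP CLI, the first function leaves the viewer with no capabilities at all, while the second keeps moodle/course:view; the real guest account keeps moodle/legacy:guest in both.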
            People

            • Assignee:
              quen Sam Marshall
              Reporter:
              quen Sam Marshall
              Tester:
              Nobody
              Participants:
              Component watchers:
              Amaia Anabitarte, Bas Brands, Carlos Escobedo, Sara Arjona (@sarjona), Víctor Déniz Falcón

              Dates

              • Fix Release Date: 31/Mar/07