Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-9186

adding "moodle/calendar:manageentries" does not allow a teacher to edit calendar events created by other users

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • Major
    • 1.7.3, 1.8.1, 1.9
    • 1.7, 1.7.1, 1.7.2, 1.8
    • Calendar
    • None
    • any Moodle 1.7+
    • Any
    • MOODLE_17_STABLE, MOODLE_18_STABLE
    • MOODLE_17_STABLE, MOODLE_18_STABLE, MOODLE_19_STABLE

    Description

      I wanted to allow teachers to edit each others "course" wide calendar events.

      I thought the way to do this would be to add the "moodle/calendar:manageentries" capability to the "teacher" role for the course in question, so I did the following:
      (1) open a Moodle course page
      (2) click Administration block -> Assign Roles link
      (3) click Override Roles tab -> Teacher link
      (4) locate "Manage any calendar entries (moodle/calendar:manageentries)"
      (5) select radio button in second column ("Allow")
      (6) click "Save changes" at bottom of page

      I thought this would then allow any teacher for the course to edit any calendar "course" events for that course, but this was not the case. In fact, a given teacher could still only edit events which had been created by that teacher.

      I looked at the calendar scripts, and found that the decision to allow the current user to edit an event or not is decided by the function "calendar_edit_event_allowed", in "calendar/lib.php" (around line 1180 in the Moodle 1.7 version of the script)

      The logic of that function doesn't seem right to me. Here is a summary of lines 1196 - 1214;

      ======================================
      if ($event->userid) {
      if ($event->userid == $USER->id)

      { return (has_capability('moodle/calendar:manageownentries', $sitecontext)); }

      } else if ($event->groupid) {
      // check capability for group context
      // ...
      } else if ($event->courseid) {
      // check capability for course context
      // ...
      }
      return false;
      ======================================

      If there is a userid, but it is not the current user, then the function returns false and editing is denied, regardless of the group or course roles. That is not what I expected.

      Therefore I would like to suggest that this function be changed to the following function, which has been tested and behaves according my expectation, namely that roles are checked from the most general, "site context", down to the most specific, "user context", and only if all those roles have no editing capability will editing of the current event by the current user be denied.

      Here is the candidate function:
      ======================================

      function calendar_edit_event_allowed($event) {

      global $USER;

      // can not be using guest account
      if ($USER->username == "guest")

      { return false; }

      // if user has manageentries at site level, return true
      $sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
      if (has_capability('moodle/calendar:manageentries', $sitecontext))

      { return true; }

      // if user has manageentries at course level, return true
      if ($event->courseid) {
      $coursecontext = get_context_instance(CONTEXT_COURSE, $event->courseid);
      if (has_capability('moodle/calendar:manageentries', $coursecontext))

      { return true; }
      }

      // if user has manageentries at group level, return true
      if ($event->groupid) {
      $groupcontext = get_context_instance(CONTEXT_GROUP, $group->id);
      if (has_capability('moodle/calendar:manageentries', $groupcontext)) { return true; }

      }

      // editting userid account
      if ($event->userid && ($event->userid == $USER->id)) {
      if (has_capability('moodle/calendar:manageownentries', $sitecontext))

      { return true; }

      }

      return false;
      }
      ======================================

      thanks in advance for considering this proposal
      Gordon

      Attachments

        Issue Links

          Activity

            People

              lazyfish Yu Zhang
              xxxxxxx Gordon Bateson
              Nobody Nobody
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Clockify

                  Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.