Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-9186

adding "moodle/calendar:manageentries" does not allow a teacher to edit calendar events created by other users

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.7, 1.7.1, 1.7.2, 1.8
    • Fix Version/s: 1.7.3, 1.8.1, 1.9
    • Component/s: Calendar
    • Labels:
      None
    • Environment:
      any Moodle 1.7+
    • Database:
      Any
    • Affected Branches:
      MOODLE_17_STABLE, MOODLE_18_STABLE
    • Fixed Branches:
      MOODLE_17_STABLE, MOODLE_18_STABLE, MOODLE_19_STABLE

      Description

      I wanted to allow teachers to edit each others "course" wide calendar events.

      I thought the way to do this would be to add the "moodle/calendar:manageentries" capability to the "teacher" role for the course in question, so I did the following:
      (1) open a Moodle course page
      (2) click Administration block -> Assign Roles link
      (3) click Override Roles tab -> Teacher link
      (4) locate "Manage any calendar entries (moodle/calendar:manageentries)"
      (5) select radio button in second column ("Allow")
      (6) click "Save changes" at bottom of page

      I thought this would then allow any teacher for the course to edit any calendar "course" events for that course, but this was not the case. In fact, a given teacher could still only edit events which had been created by that teacher.

      I looked at the calendar scripts, and found that the decision to allow the current user to edit an event or not is decided by the function "calendar_edit_event_allowed", in "calendar/lib.php" (around line 1180 in the Moodle 1.7 version of the script)

      The logic of that function doesn't seem right to me. Here is a summary of lines 1196 - 1214;

      ======================================
      if ($event->userid) {
      if ($event->userid == $USER->id)

      { return (has_capability('moodle/calendar:manageownentries', $sitecontext)); }

      } else if ($event->groupid) {
      // check capability for group context
      // ...
      } else if ($event->courseid) {
      // check capability for course context
      // ...
      }
      return false;
      ======================================

      If there is a userid, but it is not the current user, then the function returns false and editing is denied, regardless of the group or course roles. That is not what I expected.

      Therefore I would like to suggest that this function be changed to the following function, which has been tested and behaves according my expectation, namely that roles are checked from the most general, "site context", down to the most specific, "user context", and only if all those roles have no editing capability will editing of the current event by the current user be denied.

      Here is the candidate function:
      ======================================

      function calendar_edit_event_allowed($event) {

      global $USER;

      // can not be using guest account
      if ($USER->username == "guest")

      { return false; }

      // if user has manageentries at site level, return true
      $sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
      if (has_capability('moodle/calendar:manageentries', $sitecontext))

      { return true; }

      // if user has manageentries at course level, return true
      if ($event->courseid) {
      $coursecontext = get_context_instance(CONTEXT_COURSE, $event->courseid);
      if (has_capability('moodle/calendar:manageentries', $coursecontext))

      { return true; }
      }

      // if user has manageentries at group level, return true
      if ($event->groupid) {
      $groupcontext = get_context_instance(CONTEXT_GROUP, $group->id);
      if (has_capability('moodle/calendar:manageentries', $groupcontext)) { return true; }

      }

      // editting userid account
      if ($event->userid && ($event->userid == $USER->id)) {
      if (has_capability('moodle/calendar:manageownentries', $sitecontext))

      { return true; }

      }

      return false;
      }
      ======================================

      thanks in advance for considering this proposal
      Gordon

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                lazyfish Yu Zhang
                Reporter:
                xxxxxxx Gordon Bateson
                Tester:
                Nobody
                Participants:
                Component watchers:
                Andrew Nicols, Mathew May, Michael Hawkins, Shamim Rezaie, Simey Lameze
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Fix Release Date:
                  11/Jun/07