Index: accesslib.php
===================================================================
RCS file: /cvsroot/moodle/moodle/lib/accesslib.php,v
retrieving revision 1.421.2.80
diff -u -r1.421.2.80 accesslib.php
--- accesslib.php 11 Nov 2008 07:23:36 -0000 1.421.2.80
+++ accesslib.php 12 Nov 2008 19:32:16 -0000
@@ -622,6 +622,9 @@
 $path = $context->path;
+ error_log("looking for: $capability");
+ error_log("debug:path: $path");
+
 // build $contexts as a list of "paths" of the current
 // contexts and parents with the order top-to-bottom
 $contexts = array($path);
@@ -630,6 +633,8 @@
 array_unshift($contexts, $path);
 }
+ error_log("debug:contexts: " . implode($contexts, ', '));
+
 $ignoreguest = false;
 if (isset($accessdata['dr'])
 && ($capability == 'moodle/course:view'
@@ -709,21 +714,26 @@
 //
 for ($n=$cc-1;$n>=0;$n--) {
 $ctxp = $contexts[$n];
+ error_log("debug:loop context: $ctxp");
 if (isset($accessdata['ra'][$ctxp])) {
 // Found role assignments on this leaf
 $ras = $accessdata['ra'][$ctxp];
 $rc = count($ras);
+ error_log("debug: $rc role assignments found");
+ error_log("debug: resetting ctxcan");
 $ctxcan = 0;
 $ctxcapdepth = 0;
 for ($rn=0;$rn<$rc;$rn++) {
 $roleid = (int)$ras[$rn];
+ error_log("debug: loop role $roleid");
 $rolecan = 0;
 $rolecapdepth = 0;
 // Walk the path for capabilities
 // from the bottom up...
 for ($m=$cc-1;$m>=0;$m--) {
 $capctxp = $contexts[$m];
+ error_log("debug: loop inner context: $capctxp");
 // ignore some guest caps
 // at base ra and rdef
 if ($ignoreguest == $roleid
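Review bot: The two `error_log()` calls added after `$path = $context->path;` run unconditionally on every capability check, and the same tracing repeats in every later hunk of this patch (-630, -709, -737, -762, -772), in places inside the nested context/role loops. Together they write capability names, context paths, role ids and the resolved permission to the server error log, which discloses authorization data to anyone who can read that log and lets ordinary traffic flood it. If the trace is meant to stay, evaluate one developer-debug flag at the top of the function and wrap each call in it; otherwise strip the calls before this is committed. The enclosing function starts and ends outside the hunk.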
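Review bot: `implode($contexts, ', ')` in the added line passes the array before the separator; that legacy order was deprecated in PHP 7.4 and removed in PHP 8.0, so the call should be `implode(', ', $contexts)`. Although the line is only trace output, it sits in the access-check path, so on a newer interpreter it would fail the whole check rather than just lose a log line.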
@@ -737,13 +747,17 @@
 $perm = (int)$accessdata['rdef']["{$capctxp}:$roleid"][$capability];
 // The most local permission (first to set) wins
 // the only exception is CAP_PROHIBIT
- if ($rolecan === 0) {
- $rolecan = $perm;
- $rolecapdepth = $m;
- } elseif ($perm === $CAP_PROHIBIT) {
+ if ($perm === $CAP_PROHIBIT) {
 $rolecan = $perm;
 $rolecapdepth = $m;
+ error_log("debug: found " . $accessdata['rdef']["{$capctxp}:$roleid"][$capability] . " valued as " . $perm . " (PROHIBIT)");
 break;
+ } else {
+ if ($rolecan === 0) { /// Only set $rolecapdepth for deeper found
+ $rolecapdepth = $m;
+ }
+ $rolecan += $perm * pow(2,$m); /// Because deeper (inner) caps must sum > all upper together
+ error_log("debug: found " . $accessdata['rdef']["{$capctxp}:$roleid"][$capability] . " valued as " . $perm * pow(2,$m));
 }
 }
 }
@@ -762,6 +776,7 @@
 } else { // ctxcaptdepth is deeper
 // rolecap ignored
 }
+ error_log("debug: accum ctxcan after inner context iteration = $ctxcan");
 }
 // The most local RAs with a defined
 // permission ($ctxcan) win, except
@@ -772,10 +787,14 @@
 // ($can === 0 || $capdepth < $ctxcapdepth) {
 if ($ctxcan === $CAP_PROHIBIT) {
 $can = $ctxcan;
+ error_log("debug: setting can to $can (PROHIBIT)");
 break;
 } elseif ($can === 0) { // see note above
 $can = $ctxcan;
 $capdepth = $ctxcapdepth;
+ error_log("debug: setting can to $can");
+ error_log("debug: Sadly we cannot we stop here and need to continue iterating");
+ error_log("debug: looking for potential PROHIBITs in upper contexts/roles?");
 }
 }
 }
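Review bot: After `$rolecan += $perm * pow(2,$m);` the variable `$rolecan` no longer holds one of the permission constants but an arbitrary weighted integer, while the last hunk still decides a hard deny with the strict test `$ctxcan === $CAP_PROHIBIT`. The code that folds `$rolecan` into `$ctxcan` lies between the hunks and is not visible, so this is inferred: if the sum is carried through unchanged, non-prohibit permissions at several depths could add up to the prohibit value, or a real prohibit combined with another role's sum could stop matching it. I would accumulate the weights in a separate variable and reduce the result to its sign before it leaves the inner loop, so that only a genuine prohibit can ever equal `$CAP_PROHIBIT`. The comment above the branch still says the most local permission wins, which the new else branch no longer implements, so it should be rewritten to describe the weighting. The enclosing loops start and end outside the hunk.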