Just found myself in an interesting roles/overrides situation. Scenario:
- Administrator wants to show a Moodle block on the sitecourse only to staff
- "Staff" is a role assigned sitewide by the auth plugin
- My master plan: go to the block's override, set overrides to "prevent" for authenticated user and other interlopers, and "allow" for staff.
Of course, it doesn't work. Why? The staff user is also a logged in user, so the 2 cancel each other. Even locality rules won't help:
- sitewide RA as authenticated user with capability moodle/block:view - allow sitewide and prevent override at the block level
- sitewide staff with capability moodle/block:view - allow sitewide
Moodle will resolve each role independently, and so that boils down to
- sitewide authenticated user -- capability moodle/block:view - prevent
- sitewide staff -- capability moodle/block:view - allow
I thought for a while that this had been changed by the locality changes in v1.9 that I made (see http://docs.moodle.org/en/Development:Roles#Capability-locality_changes_in_v1.9 ) but this case always has matching locality on the "authenticated user" role, so deny wins.
This only happens because the capability is normally granted to all users, and we are selectively reversing that and trying to apply an exception to that reversal. The exception has the same weight as the reversal, and it loses.
I am not sure what the right solution is. In the meantime, I've crafted a patch that introduces "Allow+", which has a "permission" value of 2, so it trumps the reversal. It's a curiously strong allow: it can win over a prevent, but a prohibit will still trump it.
Edit: attached the patch
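
The resolution described in this post, as a simplified model for checking what a given combination of overrides yields. This is an added example, not the attached patch or Moodle's own code: the values for allow, prevent and prohibit, the sum-greater-than-zero rule, and all function names are assumptions chosen to match the post's description (only the value 2 for "Allow+" comes from the post).

```python
# Added illustration: a simplified model, not Moodle's accesslib code.
# Assumed values for allow/prevent/prohibit; only Allow+ = 2 is from the post.
CAP_INHERIT, CAP_ALLOW, CAP_PREVENT, CAP_PROHIBIT = 0, 1, -1, -1000
CAP_ALLOW_PLUS = 2

CAP = "moodle/block:view"
PATH = ["system", "block"]  # constructed context path, least to most specific


def resolve_role(definitions, capability=CAP, path=PATH):
    """Resolve one role on its own: the most specific setting wins,
    except that a prohibit anywhere on the path cannot be overridden."""
    result = CAP_INHERIT
    for context in path:
        perm = definitions.get(context, {}).get(capability, CAP_INHERIT)
        if perm == CAP_PROHIBIT:
            return CAP_PROHIBIT
        if perm != CAP_INHERIT:
            result = perm
    return result


def has_capability(user_roles, capability=CAP, path=PATH):
    """Combine the independently resolved roles (assumed rule: sum > 0)."""
    return sum(resolve_role(d, capability, path) for d in user_roles) > 0


def block_visible(staff_override=None, auth_override=CAP_PREVENT, is_staff=True):
    """Constructed scenario from the post: both roles allow sitewide,
    then overrides are applied at the block context."""
    auth = {"system": {CAP: CAP_ALLOW}, "block": {CAP: auth_override}}
    roles = [auth]
    if is_staff:
        staff = {"system": {CAP: CAP_ALLOW}}
        if staff_override is not None:
            staff["block"] = {CAP: staff_override}
        roles.append(staff)
    return has_capability(roles)


if __name__ == "__main__":
    print("staff, plain allow override:", block_visible(CAP_ALLOW))       # False
    print("staff, Allow+ override:     ", block_visible(CAP_ALLOW_PLUS))  # True
    print("non-staff user:             ", block_visible(is_staff=False))  # False
    print("staff Allow+ vs prohibit:   ",
          block_visible(CAP_ALLOW_PLUS, auth_override=CAP_PROHIBIT))      # False
```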