Greater capabilities not recognized if one user, one course with two roles

Greater capabilities not recognized if one user, one course with two roles

by Paolo Oprandi -
Number of replies: 13

Hi all,

I have two similar problems with our Moodle install.

1- If a user has two roles on a moodle course - one which does allow view of hidden courses and one which doesn't, the user is prevented access to the course returning notice:

"This course is currently unavailable to students"

http://tracker.moodle.org/browse/MDL-20265

2- If a user has two roles on a moodle course - one which can see unavailable modules and one which doesn't, the user cannot access unavailable forum discussions returning notice:

"You do not have the permission to view discussions in this forum"

http://tracker.moodle.org/browse/MDL-20230

In both cases the greater capabilities are not being used.

Best wishes,
Paolo

(Edited by Helen Foster to fix a tracker issue link - original submission Saturday, 12 September 2009, 06:30 PM)

Average of ratings: -
In reply to Paolo Oprandi

Re: Greater capabilities not recognized if one user, one course with two roles

by Martín Langhoff -

This is an aspect of moodle that is very well tested. In fact, it is used everywhere, all the time. When you are in a course as a teacher, you actually are exercising 3 roles: user, logged-in user, and teacher. They are combined.

So adding an additional role to combine is not likely to be buggy.

Exact v of Moodle? Can you reproduce the problem on a clean install? Have you tweaked the roles at all? In particular, are you using "PROHIBIT"?

Average of ratings: Useful (1)
In reply to Martín Langhoff

Re: Greater capabilities not recognized if one user, one course with two roles

by Paolo Oprandi -
Hi Martín,

Thanks for your reply. Of course the roles do work for my install most of the time. These seem like particular cases.

The version is 1.9.5+ (Build: 20090610).
I haven't used prohibit at all.

I'll make a completely clean install next week and try it, although I am not expecting there to be a difference. I sometimes wonder if my data is somehow corrupted.

Paolo
Average of ratings: -
In reply to Martín Langhoff

Re: Greater capabilities not recognized if one user, one course with two roles

by Tim Hunt -
Picture of Core developers Picture of Documentation writers Picture of Particularly helpful Moodlers Picture of Peer reviewers Picture of Plugin developers
Although, as Martin says, the code for computing permissions is very likely bug-free, the rules it implements are complex, and what you are seeing may very well be how it is supposed to work.

Gory details on How_permissions_are_calculated. Paolo, can you try to work out of that explains what you are seeing.
Average of ratings: Useful (1)
In reply to Tim Hunt

Re: Greater capabilities not recognized if one user, one course with two roles

by Paolo Oprandi -
Sorry I was on holiday last week, hence my slow reply. I notice now it is my use of the Guest role that is causing the problem.

To explain, some departments have requested access to all Moodle courses in their department. In order to do this I decided to give these "auditors" the Guest role. As a result, sometimes Editing Teachers manually add other users to new roles such as Teacher without removing them from the Guest role, inadvertently creating a user with two roles in the course context.

However, considering MDL-20265, it seems if a user has both a Guest and a Tutor role they are not able to enter the course. Instead they are returned the error message:

This course site is currently unavailable to students

Please note if the user had a Student and a Tutor role they could have entered the site with the correct permissions.

Tim, looking at the link provided if a user at course level has both Guest and Tutor access then to view hidden course s/he has both a Prevent and Allow - neither roles' capabilities will override the other. Is that correct? Authenticated user permissions for view hidden course is "Not set" so I am not sure when we descend the hierarchy of permissions Prevent is being set or why this should be different from user with a Student and Tutor role. I note too that changing the legacy role of the Guest user from Guest to None makes no difference.

I see one of the guidelines reads:

Assign each user at most one role in each context (except, perhaps, in the System context).

.. but there is nothing to stop users from doing this.

Any more help happily received.

Thanks,
Paolo

Average of ratings: -
In reply to Paolo Oprandi

Re: Greater capabilities not recognized if one user, one course with two roles

by Paolo Oprandi -
One solution to both MDL-20265 and MDL-20230 seems be to use the Authenticated User role rather than trying to use the Guest role. This doesn't seem to be creating me the same problems although if anyone knows of any reason why I shouldn't use the Authenticated User for this purpose please let me know. Of course, I could also create a new role type.

I would like to know if the Guest role is acting buggy or if it is by design.

Paolo
Average of ratings: -
In reply to Paolo Oprandi

Re: Greater capabilities not recognized if one user, one course with two roles

by Paolo Oprandi -
Damn! It seems I can't use Authenticated User access unless Guest access is enabled for all courses. Therefore I think I need to

1) find a solution so Guest access works as I imagine it should
2) create a new "Auditor" role
3) enable Guest access as a course default and turn off Guest access to the site and use the Authenticated User role
OR
4) change the permissions of the Authenticated User role

As usual all advice v. welcome.

Paolo
Average of ratings: -
In reply to Paolo Oprandi

Re: Greater capabilities not recognized if one user, one course with two roles

by Heather P -
Hi
I've noticed a minor hiccup with viewing scrom results when a user has two roles. If a teacher also has the role of student they cannot see the results, you have to take off the student role to make the results visible.
We would not deliberately give a person both of these roles, but occaisionally it happens. All the other teacher functions seem to be unaffected.
I know it appears to be nothing to do with your guest role, but it does add to the question how are the roles applied to the account.
Average of ratings: -
In reply to Heather P

Re: Greater capabilities not recognized if one user, one course with two roles

by Paolo Oprandi -
Hi Heather

Yes, it sounds related. I hadn't realised at first it was the guest role that was acting differently.

As you say you wouldn't deliberately give a person two roles but it happens as nothing stops you.
Average of ratings: -
In reply to Heather P

Re: Greater capabilities not recognized if one user, one course with two roles

by Wim Van Borm -

We have a similar problem. A user can have two roles in one course:

he can participate as a student but he also has a poweruser role (kind of administration role which allows him to pull reports etc.).

Because of him having this sutdent role he no longer has the capability to see reports etc; He just has the students capabilities in the course.

Average of ratings: -
In reply to Paolo Oprandi

Re: Greater capabilities not recognized if one user, one course with two roles

by Martín Langhoff -
Creating an Auditor role is the right answer.

The guest and 'authenticated user' roles are automatically assigned by Moodle in specific situations. For example, when a user logs in as guest. And everybody that logs in is 'authenticated user'.

So make an Auditor role and make sure you remove any special rights from the guest and authenticated user roles!
Average of ratings: Useful (1)
In reply to Martín Langhoff

Re: Greater capabilities not recognized if one user, one course with two roles

by Paolo Oprandi -
That is what I have done and things are running a lot smoother. Thanks. Nevertheless I think it should make it clearer for administrators that these aren't appropriate roles to use or enable users to use. I was trying to use the Guest role for a couple of weeks on the production server before I realized it had 'funny' behaviours.

Ciao, Paolo
Average of ratings: -
In reply to Paolo Oprandi

Re: Greater capabilities not recognized if one user, one course with two roles

by Naomi Small -
Hi Paolo,

I think I'm struggling with this same issue.

I want to give a select group of academic staff 'auditor' access to some courses, but without opening up the courses to guests. I've tried creating a new role auditor as a copy of guest but couldn't get this to work. Users get an error message 'this course is not enrollable'.

Could you share how you use your new role and what permissions it has?

Kind regards,

Naomi Small
Average of ratings: -