This morning I saw the (role) light

by Ger Tielemans -
Number of replies: 3
This morning I saw the (role) light, I hope..

Working with Moodle for years, I was brainwashed to think in static roles..

Every time I try to use the new roles, for example for filtering views and rights, I feel trapped in dynamic complexity.


Now my question: Am I right if I approach it more flat, like:

  • I want to give some users a view on a button on the screen but other users should see a "dimmed" button:

    for example teachers versus parents (as guests!) & children...

  • I look in the list of rights that one part of these users have and the others do not..
    (like in a course teachers have the right to see hidden sections)

  • I then use this local right to regulate the view on the button ?
In reply to Ger Tielemans

Re: This morning I saw the (role) light

by Taliesin Nuin -
You are correct. The way you would handle this in the code would be to use the get_context_instance(...) and has_capability(...) functions. You can find examples of this all through the Moodle code. For example, in your case, you would probably have something like the following:

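$context = get_context_instance(CONTEXT_COURSE, $course->id);
// The HTML "disabled" attribute disables the button whenever it is present,
// whatever its value, so emit it only for users who lack the capability.
if (has_capability('moodle/site:viewreports', $context)) {
  $disabledattr = '';
} else {
  $disabledattr = ' disabled="disabled"';
}

// Inner double quotes must be escaped inside a double-quoted PHP string.
echo "<input type=\"submit\" value=\"Do Stuff\"$disabledattr />";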

In the above instance, if the user didn't have the "viewreports" capability for whatever course they were in, the button would be disabled. You want to use capabilities rather than base it on a specific role because that way you can manage permissions more easily (this is the Moodle way to do things).

Note that you should probably have some error handling around the get_context_instance(...) function in case it can't get a context.

Perhaps more importantly, note that disabling or hiding a form button is not a secure way of stopping people from doing something. You can not only re-enable a form button in your local browser if you want to, but more importantly you can call the functionality of that button even if you were never sent it! You just have to know what the Moodle server is expecting! So I don't want to burden you with extra complexity, but if you want this to be secure you need to check the role capability when they actually try to use whatever functionality the button calls, not just whether or not to enable / disable the button.

I hope this helps,

Taliesin Nuin.
In reply to Taliesin Nuin

Re: This morning I saw the (role) light

by Ger Tielemans -

Thanks for the good explanation, I will study on this!

..mm, so the first line in the Do Stuff script behind the button will be checking the context-rights for the script-actions..

In reply to Ger Tielemans

Re: This morning I saw the (role) light

by Taliesin Nuin -
Is that a question or a statement? :)

Yes - if your button, for example, called the script dostuff.php, then somewhere in that script you would want a line that checked they had appropriate rights in that course. Your script would need to require(...) all the usual bumf that Moodle PHP pages need so that you could reference the current course to pass to the config function, etc. Note that if the button just calls a PHP script in the Moodle hierarchy, it would be perfectly possible for someone to type the URL of that script into their browser's address bar and call it directly! You definitely need some checking of permissions in the script itself to check that they have permission, even just to check that they're actually logged in! Make sure to test it properly when you're done to be sure it's secure.
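
The server-side check discussed in the replies above, sketched as an added example that is not part of the original thread or of Moodle's own code. It assumes a Moodle 1.9-era install with the script placed in the Moodle root directory; the file name dostuff.php comes from the thread, while the 'id' request parameter and the final output line are assumptions.

```php
<?php
// dostuff.php: the script behind the "Do Stuff" button (added example).
// Assumption: this file sits in the Moodle root, next to config.php.
require_once('config.php');   // loads $CFG, $USER, the session and core libraries

// Assumed parameter: the course id is passed as ?id=N.
// required_param() stops the request if it is missing and cleans it to an integer.
$courseid = required_param('id', PARAM_INT);

if (!$course = get_record('course', 'id', $courseid)) {
    error('Course not found');
}

// Users who are not logged in are sent to the login page; execution stops here for them.
require_login($course);

// Error handling around the context lookup, as suggested in the first reply.
$context = get_context_instance(CONTEXT_COURSE, $course->id);
if (!$context) {
    error('Could not get a context for this course');
}

// The same capability that controls the button, enforced where the action runs.
// require_capability() prints an error page and stops if the user lacks it,
// so typing the script URL directly into the address bar gets no further.
require_capability('moodle/site:viewreports', $context);

// Only users holding the capability reach this point.
// Placeholder action (assumption): the real work of the button goes here.
echo 'Doing stuff for course ' . s($course->shortname);
```

The button page keeps using has_capability() to decide how to draw the button, while this script uses require_capability() so the decision is enforced regardless of what the browser was sent.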