Moodle selects the role with the lowest permissions?

Moodle selects the role with the lowest permissions?

by Chris Collman -
Number of replies: 8

Moodle Docs says in the Roles FAQs

If a user has two roles assigned for a course the system will default to the lowest level role, in this case the Student Role. The best advice is to hold only one role. If you want to see things from the student perspective use the switch roles to function or create a phantom student.

Is this correct in 2.x?   I would assume if I created a dummy role with permissions to do nothing and assigned someone that and the teacher role within the course, the teacher role would give the user the permissions. 

On the other hand, if I gave someone the system wide role of teacher, then in a course assigned them the role of student (Course administration , Enrolled users), they would not have teacher permissions. 

This is an important point because I want to have a "Lead Teacher" role appear as the Course Contact.   I was not paying attention when I created the role, because I only gave it to one of my 6 teachers in the course.   So if I copied the student role to create the Lead Teacher role , then that teacher would have the student set of permissions for this role !!!

I am missing something?   Those words seem all wrong but I know that only Martin should mess with permissions :O

Average of ratings: -
In reply to Chris Collman

Re: Moodle selects the role with the lowest permissions?

by Mary Cooch (personal account) -
Picture of Documentation writers Picture of Testers

Well- I don't know and I am a bit frustrated anyway as I just spent 45 mins on Moodle docs, thinking I would save at the end,only to accidentally click the wrong tab and lose everything - and it serves me 100% right!!!! (lesson to all students -save as you go along) I'd have thought if you were a teacher AND a student in a course then you would still have the teacher role - I haven't tried it though. And if you assign them as teacher site wide and in a course assign them as a student, I'd have still thought they would have teacher permissions. But I haven't tested it out yet.

Average of ratings: -
In reply to Mary Cooch (personal account)

Re: Moodle selects the role with the lowest permissions?

by ben reynolds -

Mary,

Nope. the lowest level role wins in the lowest level context. So, if you have two roles in a course, the lowest level role controls your capabilities.

Another example, you're a teacher in a course, but a student in that course's forum. You only have student capabilities in the forum.

Average of ratings: -
In reply to Chris Collman

Re: Moodle selects the role with the lowest permissions?

by ben reynolds -

First thing, whoever is in charge of that Doc ought to delete the word "system," which is confusing because of system roles.

Ought to read "...for a course, the lowest level role controls capabilities."

Average of ratings: -
In reply to ben reynolds

Re: Moodle selects the role with the lowest permissions?

by Chris Collman -

Hi Ben and others,

It is my NEW understanding that capabilities have a permission assigned to each one.  There is no such thing as a lowest level role, because roles are a collection of a fixed set of specific capabilities, each paired with 1 of 4 possible permissions. 

I have to focus upon one capability, where a single user has been given two different roles in the course context. ( Just in the context of the course or things will get really confusingsmile   If one role's permission is "Not set" and the other is "Allow", I would say "Allow " wins.   If one role's permission is "Prevent" and the other is "Allow", I would say "Prevent" wins.   In the course context only, "Prohibit" would be the same as "Prevent". 

Thus in my mind if my "Lead Teacher" permissions were all "not set" , then I would never have an issue in it overriding another role's permissions.  The issues really arises with the "Prevent" (or "Prohibit") permission is in one of the roles.   "Allow" is always going to trump "Not set" and obviously when both say "Allow" in the context it is allowed. "Prevent" or "Prohibit" is always going to trump "Allow" or "Not set".

I think this maybe also true when one of the two roles a user has in a course context is assigned on the say the system level.  "Allow" always win, except if there is a "Prevent" in one of the roles. AND a "Prohibit" in a higher context assigned role to the user always wins.

While we like to think a student is has a lower set of permission sets than a teacher, this is in fact a generalization.  What might be more accurate to say is that the student role has more "Prohibits" and "Prevents" and less "Allows" attached to the capabilities than a teacher.   But ultimately what counts in a context when a user has 2 roles, is each set of dualing permissions on a capability by capability basis.

Wow! Thank you Ben for the prod that forced me to try and logic this out (in my own mind at least).  

I did refer to  Manage_roles#Permissions about half way through writing this.   I had forgot about "Prohibit" and when I saw it things seemed to click into a new understanding.

I would appreciate any feed back about this particular post.

Chris

 

 

 

 

 

Average of ratings: -
In reply to Chris Collman

Re: Moodle selects the role with the lowest permissions?

by Chris Collman -

Hi,

In the morning after my 21 September 2011, 06:56 PM post, I realized that I owe an aplogy to at least Mary and perhaps others.  In my thread I deleted a thought.

It sort of came out again when I talked about generalizations.  I like and make generalizations all the time.  They are a critical part of communication.

There is nothing wrong in thinking or saying that the lower role will apply in the example Mary gave.   Especially when talking to a teacher who does not have the time to dive into the bizzard world of permissions, contexts and capabilities. 

I apologize for getting so involved in the minutia, I forgot to say that simplier ways of knowing are valid.  

Chris 

 

 

Average of ratings: -
In reply to Chris Collman

Re: Moodle selects the role with the lowest permissions?

by ben reynolds -

I think I'm the guy who's guilty of using "lower" when, in fact, Chris, your language is more correct.

To my dismay (because I'm an old dog & will have to learn a new trick), all the stuff John Isner taught me 3 years ago about 1.9 won't be nearly as applicable in 2.

Which is what makes Tim's simplification, below, so useful.

Average of ratings: -
In reply to Chris Collman

Re: Moodle selects the role with the lowest permissions?

by Tim Hunt -
Picture of Core developers Picture of Documentation writers Picture of Particularly helpful Moodlers Picture of Peer reviewers Picture of Plugin developers

The answer to this question changed between 1.9 and 2.0.

In 1.9, the situation is complicated and described on http://docs.moodle.org/19/en/How_permissions_are_calculated.

In 2.0 the situation is simpler:

  1. If you are an admin, has_capability returns true;
  2. otherwise, if any of the roles you have in this context PROHIBIT the capability, has_capability returns false;
  3. otherwise, if any of the roles you have in this context ALLOW the capability, has_capability returns true;
  4. otherwise, has_capability returns false.
Average of ratings: Useful (1)
In reply to Tim Hunt

Re: Moodle selects the role with the lowest permissions?

by ben reynolds -

That is, indeed, simpler.

I want a badge that says, "I logged in just to call the previous post 'useful.'"

Average of ratings: -