Course role which revokes capability granted in a sitewide role

by Garret Gengler -
Number of replies: 7

Hello all.

I am working on migrating a large 1.9 site to Moodle 2.x. Our school started with Moodle 1.5, and has a large 1.9 site now a few years later.

Something I noticed on our test upgrade is that something has changed in the way roles & capabilities combine.

For many years now, we have done the following, and it's worked perfectly:

-- We have student workers (grad students) who help instructors manage their courses.    They are paid employees of the school.   It is their job (20 hrs a week) to support the instructors.

-- The students are given a sitewide role "Graduate Assistant" which has moodle/course:manageactivities-> Allow. 

-- The student role has moodle/course:manageactivities set to Prevent (rather than the default of "Not Set.")

In m1.9, the clever combined effect is that our student workers can modify course materials for any course in which they are not enrolled.    If they are enrolled in a course, their ability to modify the course is revoked by the role math.

In m2.x, it appears that the calculation is not the same.   Students who are given a sitewide Grad Assistant role can modify any course, even the ones they are enrolled in.

Has anyone experienced this problem?  Is this how it's supposed to work now?   course:manageactivities is just one of many capabilities that we grant to Grad Assistants but revoke in the student role. 

Thanks for your help,

-Garret

In reply to Garret Gengler

Re: Course role which revokes capability granted in a sitewide role

by Tim Hunt -

This is how it is supposed to work.

You can get the effect you want by changing the student role definition for Student, moodle/course:manageactivities to PROHIBIT.

Average of ratings: Useful (1)
In reply to Tim Hunt

Re: Course role which revokes capability granted in a sitewide role

by Garret Gengler -

Hmm.. I probably should have tried that, and I will now.

But I thought the moodle docs say PROHIBIT affects the current context level and any "child context levels."

I need a capability setting the user acquires from the course context level to revoke something set at a higher level (sitewide).

In reply to Garret Gengler

Re: Course role which revokes capability granted in a sitewide role

by Garret Gengler -

Thanks, Tim.   Setting manageactivities to Prohibit works as you said it would.

Can you explain why?   For my benefit and for the forum history...  Wasn't I doing exactly what the documentation says to do?

Grad Assistant role had course:manageactivities->Allow.
Student role had course:manageactivities->Prevent.

Joe Smith is assigned the Grad Assistant role sitewide.   He also enrols in one class, LIS400.

When he looks at another class, say LIS200, his sitewide Grad Assistant role should give him the ability to manage course activities.

When he looks at his class, LIS400, he has two roles in effect:  GA at the sitewide level, and Student at the course level.   The sitewide allow should be reversed by the prevent at the lower (course) level.

I've pasted the docs below...  doesn't the description of Prevent explicitly say it should be able to remove permissions that were set at a higher level?  And the description for Prohibit says it is for the reverse case... when you want at a higher level, to block any lower level from allowing a permission.

Thanks again for your quick help!
-Garret


http://docs.moodle.org/22/en/Override_permissions

Allow
This enables a user to use a capability in a given context. This permission applies for the context that the role gets assigned plus all lower contexts. For example, if a user is assigned the role of student in a course, they will be able to start new discussions in all forums in that course (unless a forum contains an override with a prevent or prohibit value for the capability).
Prevent
By choosing this you are removing permission for this capability, even if the users with this role were allowed that permission in a higher context.
Prohibit
This is rarely needed, but occasionally you might want to completely deny permissions to a role in a way that can NOT be overridden at any lower context. An example of when you might need this is when an admin wants to prohibit one person from starting new discussions in any forum on the whole system. In this case they can create a role with that capability set to "Prohibit" and then assign it to that user in the system context.


In reply to Garret Gengler

Re: Course role which revokes capability granted in a sitewide role

by Tim Hunt -

Here is the algorithm that Moodle 2.x uses to work out if the user can do something (the has_capability function in code).

1. If the user is a site admin, then YES they can do anything. Otherwise ...

2. Get all the roles this user has in this context. As well as the explicit role assignments, there may be other special roles like Authenticated user, or Front page ...

3. For each of those roles, work out the permission that applies in this context. That is, look at the role definition, and any overrides in this context or its ancestors. If the definition, or any of the overrides are PROHIBIT, then the permission for this role is PROHIBIT, otherwise the permission is the most specific override, or the value from the role definition.

4. Now combine the permissions from all the roles. If any of the permissions are PROHIBIT, then the final answer is NO. Otherwise, if any role allows the capability, then the final answer is YES. Otherwise, if no role allows the capability, the answer is NO.

I will let you work out the consequences of these rules yourself, and hence whether the documentation needs to be updated. However, you should find that what you are seeing in 2.x is consistent with these rules.

Average of ratings: Useful (2)
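
The four rules in the post above, modelled as an added example (not part of the thread and not Moodle's own code) and applied to the Joe Smith / LIS200 / LIS400 scenario from earlier in the thread. Assumptions: contexts are reduced to a two-level path (system, course), role assignments made in an ancestor context apply in the context being checked, special roles such as Authenticated user are left out, and the role shortnames `gradassistant` and `student` are hypothetical.

```python
ALLOW, PREVENT, PROHIBIT, NOT_SET = "allow", "prevent", "prohibit", "not set"
CAP = "moodle/course:manageactivities"

def role_permission(role, cap, path, definitions, overrides):
    """Rule 3: the permission one role yields in the context at the end of `path`.
    `path` lists contexts from the system context down to the one being checked;
    `overrides` maps (role, context, capability) to a permission."""
    perm = definitions[role].get(cap, NOT_SET)
    seen = [perm]
    for ctx in path:  # system first, so the last override found is the most specific
        if (role, ctx, cap) in overrides:
            perm = overrides[(role, ctx, cap)]
            seen.append(perm)
    # A PROHIBIT in the definition or in any override wins for this role.
    return PROHIBIT if PROHIBIT in seen else perm

def has_capability(cap, path, assignments, definitions, overrides=None, site_admin=False):
    if site_admin:  # rule 1
        return True
    roles = set()  # rule 2 (assumption: assignments in ancestor contexts apply here)
    for ctx in path:
        roles |= assignments.get(ctx, set())
    perms = [role_permission(r, cap, path, definitions, overrides or {}) for r in roles]
    if PROHIBIT in perms:  # rule 4: any PROHIBIT is a final NO
        return False
    return ALLOW in perms  # otherwise any ALLOW is a YES; PREVENT cancels nothing

# Constructed data: Grad Assistant assigned sitewide, Student only in LIS400.
JOE = {"system": {"gradassistant"}, "course:LIS400": {"student"}}

def joe_can_manage(course, student_perm):
    """Can Joe manage activities in `course`, given the Student role's setting?"""
    definitions = {"gradassistant": {CAP: ALLOW}, "student": {CAP: student_perm}}
    return has_capability(CAP, ["system", "course:" + course], JOE, definitions)

if __name__ == "__main__":
    for perm in (PREVENT, PROHIBIT):
        for course in ("LIS200", "LIS400"):
            print(perm, course, joe_can_manage(course, perm))
```
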
In reply to Tim Hunt

Re: Course role which revokes capability granted in a sitewide role

by Garret Gengler -

That's helpful, Tim.

For #4, are you saying the hierarchy doesn't matter?    Or am I reading too much into this.

Does Moodle 2 combine the permissions from all active roles, and look through for any ALLOW in the set?    If so, that's a major calculation change from 1.9, and the docs are completely wrong.

I can change my approach to use Prohibit.  It seems to work, in my initial testing.

But I want to make sure I understand the new model, since we use it to ensure FERPA-compliance, among other things.

In reply to Garret Gengler

Re: Course role which revokes capability granted in a sitewide role

by Tim Hunt -

Yes, it is a change from Moodle 1.9. The new way is simpler, which means it is faster for Moodle to compute, and so gives better performance in some situations.

In reply to Tim Hunt

Re: Course role which revokes capability granted in a sitewide role

by Bronwen Campbell -

Hi Tim,

I know this is an old thread, but I am hoping you can help. I have tried overriding a system role to view user profiles using Prevent as per the documentation, and also using Prohibit as described in this thread. Neither seems to work.

What I want is for a user to be able to see the participant list and full profiles of other participants in the same course area for one course, but not in any other course they are enrolled in. It seems that viewing the full user profiles is only possible if I apply that permission in a system context. If I override within a course area to try to allow viewing, they still only get a partial view, not the full profile. I have also tried creating a custom role with those capabilities set to prohibit and allocating that role to try to override the system role, but that doesn't seem to work either. The capabilities I have tried to prohibit at the course context (in the other courses) are: 

moodle/user:viewalldetails; moodle/user:viewdetails; moodle/user:viewhiddendetails; moodle/user:readuserblogs; moodle/user:viewuseractivitiesreport

Can you (or anyone else) shed any light on why this may not be working?

 

Regards,

Bronwen

I am using Moodle 2.5.1 (Build: 20130708) on both Firefox and Chrome.