Why is it possible to allow actions for sub-roles, even if one doesn't have the permission himself?

by Jan Eberhardt -

I'm struggling with the Moodle capability system and some arrangements I don't understand.

If I (Admin) prohibit an action for an editing teacher (i.e. "moodle/course:viewparticipants"), he can still assign this capability to a non-editing teacher and therefore give permission for an action to a sub-role. Then it would also be possible that he assigns himself to that sub-role and unassigns his current role, which gives teachers access to all actions which are only "not set", "allowed" or "prevented" for all sub-roles.

The only way to prohibit an action entirely is to prohibit it for the role and all sub-roles... which is annoying.

Why is it implemented that way? Is it a feature or a bug?

In reply to Jan Eberhardt

Re: Why is it possible to allow actions for sub-roles, even if one doesn't have the permission himself?

by Tim Hunt -

Note that, if a user has one role which PROHIBITs a capability, that user can never have that capability themselves.

An example of why you need to be able to assign a role that has a capability you don't have:

  • Student has mod/quiz:attempt.
  • Teacher does not have mod/quiz:attempt (but does have mod/quiz:preview).
  • Teacher needs to be able to assign Student.

There is control of which roles can assign which other roles built into the roles system. When you go to the define roles page, look at the tabs across the top.

Average of ratings: Useful (1)
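Added example, not part of either post and not Moodle's own code: a simplified single-context model of the two controls discussed in this thread, the per-role permission (where PROHIBIT in any held role wins) and the separate "which roles can assign which other roles" matrix. The role definitions, the matrix contents and all function names are constructed for illustration; the audit lists every capability an assigner role can hand out through an assignable role without being allowed it itself.

```python
# Simplified single-context model of Moodle role permissions (added example).
INHERIT, ALLOW, PREVENT, PROHIBIT = "not set", "allow", "prevent", "prohibit"

# Constructed role definitions: capability -> permission.
ROLES = {
    "editingteacher": {"moodle/course:viewparticipants": PROHIBIT,
                       "mod/quiz:preview": ALLOW},
    "teacher":        {"moodle/course:viewparticipants": ALLOW,
                       "mod/quiz:preview": ALLOW},
    "student":        {"mod/quiz:attempt": ALLOW},
}

# Constructed "who may assign which role" matrix.
ALLOW_ASSIGN = {"editingteacher": {"teacher", "student"},
                "teacher": set(), "student": set()}


def has_capability(user_roles, capability, roles=ROLES):
    """PROHIBIT in any held role wins; otherwise any ALLOW grants."""
    perms = [roles[r].get(capability, INHERIT) for r in user_roles]
    if PROHIBIT in perms:
        return False
    return ALLOW in perms


def assignable_gains(roles=ROLES, allow_assign=ALLOW_ASSIGN):
    """Return (assigner, target, capability, assigner_permission) tuples where
    the target role is allowed a capability the assigner role is not."""
    findings = []
    for assigner, targets in sorted(allow_assign.items()):
        for target in sorted(targets):
            for cap, perm in sorted(roles[target].items()):
                own = roles[assigner].get(cap, INHERIT)
                if perm == ALLOW and own != ALLOW:
                    findings.append((assigner, target, cap, own))
    return findings


def restrict_assign(allow_assign, assigner, target):
    """Return a copy of the matrix with one assigner -> target pair removed."""
    fixed = {role: set(targets) for role, targets in allow_assign.items()}
    fixed[assigner].discard(target)
    return fixed


if __name__ == "__main__":
    for row in assignable_gains():
        print(row)
```

Rows where the assigner's own permission is "prohibit" are the ones to review; rows like the mod/quiz:attempt one are the expected Teacher-assigns-Student case.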