Possibility to hide the existence of roles from users

Possibility to hide the existence of roles from users

by Alexander Bias -
Number of replies: 1
Picture of Core developers Picture of Particularly helpful Moodlers Picture of Peer reviewers Picture of Plugin developers

Hi all,

this is a spin-off of https://tracker.moodle.org/browse/MDL-50666 to start a discussion about creating the possibility to hide the existence of roles from users. 

I'd like to start with a real-world example:
We have a role which can be applied at system level and which gives teachers the moodle/user:ignoreuserquota capability. And we have other system roles like that for giving support staff the necessary rights in all courses. Nobody at course level should know that a user has such a role at system level.

However, the fact that these role exists and a user has one of them is leaked (at least) on /enrol/otherusers.php?id=<COURSE-ID> and on /enrol/users.php?id=<COURSE-ID> in the role filter and in the enrolments table.
On the first page, I can prevent the leakage by withdrawing moodle/course:reviewotherusers from all users, the leakage on the second page can't be prevented at the moment.

I hesitate to accept the status quo and thought about a solution for the problem.

I think we could build a quick solution and populate the filter and the enrolled user list on /enrol/users.php?id=<COURSE-ID> only with the roles which can be applied at course level together with the roles which are applied at upper levels if the user has the moodle/course:reviewotherusers capability. This might be feasible and hopefully not too performance hungry.

But thinking more about that, I came to the conclusion that this quick solution is no perfect solution. It would only solve the symptoms on one page, but not the underlying problem that there are roles in the system which only admins should know that they exist, but which might be leaked somewhere sometime.

How do you think about adding a new option "hide this role within the system" on /admin/roles/define.php?action=edit&roleid=<ROLE-ID>, introduce a new capability "can view hidden roles" and patch all role-fetching API functions to respect this new option and capability? Would this be a sufficient solution and would it, if we created a pull request, accepted for Moodle core?

As I said before, I hesitate to accept the status quo, therefore I am looking forward for your feedback.

Thanks,
Alex

Average of ratings: Useful (2)
In reply to Alexander Bias

Re: Possibility to hide the existence of roles from users

by Michael Aherne -
Picture of Core developers Picture of Peer reviewers Picture of Plugin developers

Hi Alex, we would really welcome some work on this. Our scenario is that we have an "unlimited time" role which we assign at a system level to students with disabilities where they require adjustments to the amount of time they are given to complete a quiz (as recommended in https://docs.moodle.org/29/en/Quiz_user_with_unlimited_time_role). We are legally obliged to restrict knowledge of student disabilities to only specific staff who need to know, and because of this have had to completely remove the "other users" functionality as it leaks this information, for example.

I think your proposal sounds as if it would work pretty well, but you'd need to make sure it didn't lead to any admin craziness. I'm thinking in particular of the role setup for assigning, switching or overriding roles, where you could end up in the situation where, for example, someone was able to assign a role, but could only see it in some contexts and not in others. The logic of it would probably work OK, but I can imagine as a sysadmin trying to troubleshoot issues could be difficult.

I guess it's also worth considering the alternative implementation based on the role assignment / overrides / switches model, where the ability to see a role would be granted to other roles via a matrix interface, and not capability-driven. This could be complicated too, though, as you'd want some kind of indication if you were to try to allow some role to assign another role which it couldn't see.

I've no idea whether HQ would go for this idea or not, but it certainly seems better than trying to do things like MDL-50666 individually. If you get a patch together I'd be happy to peer review it for you.

Cheers, Michael

Average of ratings: -