Transitioning from Moodle v2.4 to v3.2
I've never really grasped the permission system (despite reading the docs and forum for hours on this one topic).
I'm setting up a new site and I want to disable a lot of functionality sitewide for two separate real-life groups of users - staff and children. And by 'a lot' I mean nearly everything. Users should not be able to customise anything on the site or change any preferences; every user must see exactly the same thing as each other when they log in and browse different areas of the site (at least in the beginning; I might give the adults more options and features later, whilst keeping the children's options completely locked down).
For example, the first couple of things that I need to turn off completely for both groups sitewide are:
· No-one should be able to edit their dashboard. The 'customise this page' button has to disappear.
· No-one should be able to edit their profile - in fact all the preferences under the profile cog icon have to disappear before I take the site live. Hopefully if I turn off all the preferences, the cog itself will disappear too!
The way I did this sort of thing before, on a previous v25 site, was to just massively edit the default authenticated user role, setting everything to 'prevent'. I'm not sure that was the 'best' way though, and this time I would like to be able to give back the staff group some extra sitewide permissions later on.
So I'm thinking the way to start off this time is to create two new sitewide roles ('staff' and 'child') both with the 'authenticated' archetype, then set every preference I can find to 'prevent', and finally assign the users respectively on the 'assign system roles'. Would this be the most correct way of doing it?
Also, the main thing I don't understand is the cascading of roles:
How can I make my two new roles take precedence over the default authenticated user role, and completely override it everywhere on the site?
Similarly, if I made a new 'Limit Course Teachers' role restricting what staff can do inside courses, how would I make those options take precedence over the default teacher role?
Lastly, I don't quite understand how the default authenticated user is a sitewide system role, but it is not listed with the 'manager' and 'course creator' system roles.
Thanks for any clarification you can give. Please bear in mind I've already read the docs several times and I've already got them all bookmarked. So just referring me to the docs is not going to be very fruitful, although if you want to refer to them or quote from the docs to further explain their meaning, that would be great.