local plugin access permissions/capabilities question

by A Guy -
Number of replies: 6

I created a local plugin in the local directory of course. I created a db/access.php file and I created a settings.php in the plugin as I want to control who accesses the plugin but also where it shows up on the site admin tree as this is a system context plugin. It shows up in the site admin tree where I want it for site admins only. But not for site admins and the role that I specifically created to allow to use this plugin in addition to site admins. However, the urls are accessible to anyone even students when you know them and put them in the URL directly. So access.php doesn't appear to work either. So I'm confused. I've looked at other plugins but most of them are course local plugins which is a different context and don't really help. I've read and searched the documentation. Nothing appears to speak to this. Thanks for your help, in advance.


settings.php

$context = context_system::instance();
$roles = get_user_roles($context, $USER->id, true);
$has_mytestrole_role = FALSE;

if(in_array('mytestrole',$roles)){
   $has_mytestrole_role = TRUE;
}


if (($hassiteconfig)||($has_mytestrole_role==TRUE)) {
   $ADMIN->add('root', new admin_category('local_myplugin', get_string('pluginname', 'local_myplugin')));

    $index_page = new admin_externalpage('local_myplugin_index',get_string('pluginname', 'local_myplugin'),new moodle_url('/local/myplugin/index.php'));
    $ADMIN->add('local_myplugin',$index_page);

    $admin_page = new admin_externalpage( 'local_myplugin_admin', get_string('settings','local_myplugin'),new moodle_url('/local/myplugin/mypluginsettings.php'));
    $ADMIN->add('local_myplugin',$admin_page);

}


db/access.php
<?php
defined('MOODLE_INTERNAL') || die();

$capabilities = array(
    'local/myplugin:myplugin' => array(
        'captype' => 'write',
        'contextlevel' => CONTEXT_SYSTEM,
        'archetypes' => array(
            'mytestrole'=> CAP_ALLOW,
        ),
    ),

    'local/myplugin:view' => array(
        'captype' => 'read',
        'contextlevel' => CONTEXT_SYSTEM,
        'archetypes' => array(
            'mytestrole'=> CAP_ALLOW,
        ),


    ),


);

In reply to A Guy

Re: local plugin access permissions/capabilities question

by A Guy -

Any pearls of wisdom anyone can share would be helpful. I have truly researched this before posting. I'm stuck.

In reply to A Guy

Re: local plugin access permissions/capabilities question

by Andreas Grabs -

Hi,

I'd recommend not using roles to check the permissions for access. Roles are used to organize capabilities. You should rather use the capabilities defined in your access.php.

Example:

$context = context_system::instance();
if ($hassiteconfig || has_capability('local/myplugin:view', $context)) {
....
}

Then you can either create a new role or modify an existing one and switch the capability "local/myplugin:view" to "Allow". After that you have to assign the users who should be able to see your plugin to this role.

I hope this works for you.

Best regards
Andreas

In reply to Andreas Grabs

Re: local plugin access permissions/capabilities question

by A Guy -

Thanks, Andreas. I saw the documentation about using capabilities instead of roles. To me a role is based upon capabilities so it is pretty much the same thing. However, per your suggestion I did change things so I use require_capability on the pages themselves. And I did try using has_capability as well in settings.php to help with the menu/nav tree issue. While I can lock down the pages via has_capability easily (and require_login()), I am still stuck on how to show and not show the site admin menu/tree with my local plugin links. If you are a site admin the links show as desired. If you are not, nothing shows even when people have roles that allow them to see parts of the site admin menu/tree. I just cannot expose my local plugin links to these folks. So I cannot figure it out. If they have the capability and/or role associated with their login it seems they, too, should see the local plugin links in the site admin menu/tree just like they can for certain reports, user functions, etc. I just cannot figure it out. So I guess I will have to create a button somewhere for them to click and disable/enable it. Just seems odd that no one has had this problem before. But like I said I looked at all the local plugins I could find and they have their nav under the Course Admin so there are no examples to learn from.

In reply to A Guy

Re: local plugin access permissions/capabilities question

by A Guy -

Also I reviewed the documentation again from here: https://docs.moodle.org/dev/Admin_settings It says "As an optimisation, before building each bit of the tree, some capability checks are performed, and bits of the tree are skipped if the current user does not have permission to access them." But then the next sentence provides a link to another page that is blank: https://docs.moodle.org/dev/Main_Page#Make_a_new_plugin

So again I'm pretty stuck on how to expose local plugin in the site admin menu for some users and not for others. :(

In reply to A Guy

Re: local plugin access permissions/capabilities question

by Darko Miletić -

This is what your settings page code should look like:

if (has_capability('local/myplugin:view', context_system::instance())) {

    $ADMIN->add('root', new admin_category('local_myplugin', new lang_string('pluginname', 'local_myplugin')));

    $ADMIN->add(
        'local_myplugin',
        new admin_externalpage(
            'local_myplugin_index',
            new lang_string('pluginname', 'local_myplugin'),
            new moodle_url('/local/myplugin/index.php'),
            'local/myplugin:view'
        )
    );

    $ADMIN->add(
        'local_myplugin',
        new admin_externalpage(
            'local_myplugin_admin',
            new lang_string('settings', 'local_myplugin'),
            new moodle_url('/local/myplugin/mypluginsettings.php'),
            'local/myplugin:view'
        )
    );

}


This is what your db/access.php should look like (archetypes can only accept archetype roles, not custom roles):

$capabilities = array(

    'local/myplugin:myplugin' => array(
        'captype' => 'write',
        'contextlevel' => CONTEXT_SYSTEM,
        'archetypes' => array(
            'manager' => CAP_ALLOW,
        ),
    ),

    'local/myplugin:view' => array(
        'captype' => 'read',
        'contextlevel' => CONTEXT_SYSTEM,
        'archetypes' => array(
            'manager' => CAP_ALLOW,
        ),

    ),

);


And any user who is not an administrator MUST have a role on the SYSTEM level that has your capability enabled. That means that if you have a user Steve who is not an admin, when logged in and on the dashboard page that user has the role of "Authenticated user". If you do not enable your capability for that role then it will not work.

In short, ensure that all non-admin users you wish to be able to see your settings have a role on the system level that does have this capability enabled.

Average of ratings: Useful (1)
In reply to Darko Miletić

Re: local plugin access permissions/capabilities question

by A Guy -

Darko, you are a genius! The Devil sure does lurk in the details. And I miss him every time!!!


The problem was my omission in bold italics below in case anyone else is head scratching over this too!!!


Thanks again.

    $ADMIN->add(
        'local_myplugin',
        new admin_externalpage(
            'local_myplugin_index',
            new lang_string('pluginname', 'local_myplugin'),
            new moodle_url('/local/myplugin/index.php'),
            'local/myplugin:view'
        )
    );

    $ADMIN->add(
        'local_myplugin',
        new admin_externalpage(
            'local_myplugin_admin',
            new lang_string('settings', 'local_myplugin'),
            new moodle_url('/local/myplugin/mypluginsettings.php'),
            'local/myplugin:view'
        )
    );

Average of ratings: Useful (1)
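
An added example, not code from any participant in this thread: a page script for local/myplugin/index.php that enforces on the server the same capability the menu entry declares, so a user who types the URL directly is denied. File path, page name and capability names follow the thread; the 'save' action and the 'enabled' setting are hypothetical.

```php
<?php
// local/myplugin/index.php (path taken from the moodle_url used in the thread).
require_once(__DIR__ . '/../../config.php');
require_once($CFG->libdir . '/adminlib.php');

// Locates 'local_myplugin_index' in the admin tree, calls require_login(),
// and stops with "access denied" unless the user passes that entry's
// req_capability ('local/myplugin:view' in settings.php). Also sets up $PAGE.
admin_externalpage_setup('local_myplugin_index');

// Explicit check as defence in depth: it still holds if the tree entry's
// req_capability is later changed or left at its default.
$context = context_system::instance();
require_capability('local/myplugin:view', $context);

// State-changing requests need the write capability and a valid sesskey.
// 'save' and the 'enabled' setting are hypothetical names for illustration.
$action = optional_param('action', '', PARAM_ALPHA);
if ($action === 'save') {
    require_sesskey();
    require_capability('local/myplugin:myplugin', $context);
    set_config('enabled', 1, 'local_myplugin');
    redirect($PAGE->url);
}

echo $OUTPUT->header();
echo $OUTPUT->heading(get_string('pluginname', 'local_myplugin'));

// Hiding the button is a convenience only; the checks above are what
// actually protect the action.
if (has_capability('local/myplugin:myplugin', $context)) {
    $url = new moodle_url($PAGE->url, ['action' => 'save', 'sesskey' => sesskey()]);
    echo $OUTPUT->single_button($url, get_string('settings', 'local_myplugin'));
}

echo $OUTPUT->footer();
```

Moodle reads db/access.php when the plugin is installed or upgraded, so a change to the capability definitions needs a version bump in version.php before it takes effect.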