Special role that can only enroll users in itself

by Eric Phetteplace -

I'm trying to create a very limited role "Export-only Instructor" that's meant to only be able to "import" the features of a course to another course, but not edit the original course. That is working fine, actually. But now I've been asked to add the ability for this user role to enroll users...but only in the "Export-only Instructor" role itself.

This is easy, right? You add a few permissions so the role can see the Participants page and enroll users manually. Per https://docs.moodle.org/38/en/Capabilities/moodle/role:assign "Note that to assign a role A to another user, the user doing the assignment has to hold a role B so that role B is permitted to assign role A. This is controlled in 'Allow role assignments' in Settings > Site administration > Users > Permissions > Define roles." OK, so I set this role's "Allow role assignments" to be only itself (the checkbox in the very lower right cell, since it's the last role we've defined).

Except it doesn't work. The role can still enroll users as student, teacher, non-editing teacher, manager, and itself. Why? How do I limit this list of options?

It's hard for me to tell what permissions I want to give this role, but these are basically the ones I've given that I think affect this:

  • moodle/role:assign
  • moodle/course:viewparticipants (course level)
  • enrol/manual:enrol

I did have "enrol/manual:manage" originally too but I removed it. That seemed to have no effect on the user's capability to enroll users in any particular role. I feel like the problem is fundamentally that the "Allow role assignments" matrix isn't doing what I expect. I am testing by using the "Switch role to..." feature; is it perhaps a limitation of this feature that it still recognizes me as a Manager and thus allows me to assign all these different roles even though I shouldn't be able to?

In reply to Eric Phetteplace

Re: Special role that can only enroll users in itself

by Eric Phetteplace -
Well, I tried adding a user with this role and then logging in as them and saw what I anticipated—they are able to add users only in the role itself.

Is this a bug with the "Switch role to..." feature? It's incredibly frustrating that I just spent a bunch of time testing this role using that feature and it did not work at all. Is there a list somewhere of functionality that the "Switch role to..." feature is unable to simulate?
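
An added example, not part of the original thread: read-only queries that check the role restriction discussed above directly in the Moodle database, independent of which account or "Switch role to..." session is used for testing. Assumptions: the default `mdl_` table prefix, `exportonly` as a placeholder for the role's short name (the posts do not give it), and `12345` as a placeholder user id.

```sql
-- 1. What the limited role may assign, as stored by "Allow role assignments".
--    For the setup described in the thread this should return exactly one
--    row: the role paired with itself.
SELECT assigner.shortname AS assigner_role,
       target.shortname   AS may_assign
FROM mdl_role_allow_assign raa
JOIN mdl_role assigner ON assigner.id = raa.roleid
JOIN mdl_role target   ON target.id   = raa.allowassign
WHERE assigner.shortname = 'exportonly'      -- placeholder short name
ORDER BY target.sortorder;

-- 2. The capabilities from the post as set on the role definition.
--    permission = 1 means "Allow"; a row with a different contextid
--    is an override made below the site level.
SELECT r.shortname, rc.capability, rc.permission, rc.contextid
FROM mdl_role_capabilities rc
JOIN mdl_role r ON r.id = rc.roleid
WHERE r.shortname = 'exportonly'             -- placeholder short name
  AND rc.capability IN ('moodle/role:assign',
                        'moodle/course:viewparticipants',
                        'enrol/manual:enrol',
                        'enrol/manual:manage')
ORDER BY rc.capability, rc.contextid;

-- 3. Roles an account really holds, and what each of those roles may
--    assign. Run it for the account used in a test to compare the stored
--    assignments with the role list that account was offered.
SELECT ra.userid,
       ra.contextid,
       held.shortname   AS held_role,
       target.shortname AS may_assign
FROM mdl_role_assignments ra
JOIN mdl_role held ON held.id = ra.roleid
LEFT JOIN mdl_role_allow_assign raa ON raa.roleid = ra.roleid
LEFT JOIN mdl_role target ON target.id = raa.allowassign
WHERE ra.userid = 12345                      -- placeholder user id
ORDER BY ra.contextid, held.sortorder, target.sortorder;
```

Any extra row in the first query is a role the limited role can hand out beyond itself, so rerunning it after role definitions are edited works as a least-privilege check.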