Restrict URL to only logged in users with manager and admin roles.

by Saran S -
Number of replies: 2

I have created a local plugin called local_interview to which I would like to give access only to logged-in users with manager or admin roles. I have added access.php and settings.php, however the link (http://localhost/moodle/local/interview/manage.php  and also http://localhost/moodle/local/interview/edit.php) is accessible to anyone including the guest.

settings.php

<?php
/**
 * @package local_interview
 */
defined('MOODLE_INTERNAL') || die();

// Only build the admin tree entries for users who hold the view capability.
if (has_capability('local/interview:view', context_system::instance())) {
    // Top-level category for the plugin.
    $ADMIN->add('root', new admin_category('local_interview', new lang_string('pluginname', 'local_interview')));
    // External admin page pointing at manage.php, tied to local/interview:view.
    $ADMIN->add(
        'local_interview',
        new admin_externalpage(
            'local_interview_index',
            new lang_string('pluginname', 'local_interview'),
            new moodle_url('/local/interview/manage.php'),
            'local/interview:view'
        )
    );
    // External admin page pointing at edit.php, tied to local/interview:view.
    $ADMIN->add(
        'local_interview',
        new admin_externalpage(
            'local_interview_admin',
            new lang_string('edit', 'local_interview'),
            new moodle_url('/local/interview/edit.php'),
            'local/interview:view'
        )
    );
}

access.php

<?php
/**
 * @package local_interview
 */
defined('MOODLE_INTERNAL') || die();

// Capability definitions; 'archetypes' sets the default permission per role archetype.
$capabilities = array(
    // Write capability at system context.
    'local/interview:edit' => array(
        'captype' => 'write',
        'contextlevel' => CONTEXT_SYSTEM,
        'archetypes' => array(
            'manager' => CAP_ALLOW,
            'student' => CAP_PROHIBIT,
            'guest' => CAP_PROHIBIT,
        ),
    ),
    // Read capability at system context.
    'local/interview:view' => array(
        'captype' => 'read',
        'contextlevel' => CONTEXT_SYSTEM,
        'archetypes' => array(
            'manager' => CAP_ALLOW,
            'student' => CAP_PROHIBIT,
            'guest' => CAP_PROHIBIT,
        ),
    ),
);

Kindly help me with any pointers on how to fix this issue.


Average of ratings: -
In reply to Saran S

Re: Restrict URL to only logged in users with manager and admin roles.

by Davo Smith -

You've shared some code, but not that from the scripts where you want to restrict access.

Have you remembered to include a require_capability() check in the scripts that you do not want users to access without permission?

As those scripts appear to be external admin pages, calling admin_externalpage_setup() will do the require_capability() check on your behalf - you need to do this at the top of those scripts.

I'm also wondering why you have a 'has_capability()' check at the top of your settings.php file - the individual pages you define immediately below this check already specify that they are only available to users with that capability, wrapping them both in an extra check is unnecessary.


Average of ratings: Useful (3)
In reply to Davo Smith

Re: Restrict URL to only logged in users with manager and admin roles.

by Saran S -
Thank you Davo. I was able to resolve the issue by adding require_capability('local/interview:view', context_system::instance()); to the top of the scripts page. And also as you pointed out I have removed has_capability() in the settings.php.
Thank you very much.
Average of ratings: Useful (2)
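
The check discussed in this thread, applied to edit.php as an added example (not code posted by either participant). It assumes the plugin sits in moodle/local/interview/; the save and form steps are hypothetical placeholders, and the extra check on local/interview:edit is an addition that uses the write capability defined in access.php.

```php
<?php
// local/interview/edit.php: added example, not the poster's actual script.
// Assumption: the plugin lives in moodle/local/interview/, so config.php is two levels up.
require_once(__DIR__ . '/../../config.php');
require_once($CFG->libdir . '/adminlib.php');

// Page name as registered in settings.php. This call requires a login and
// refuses access unless the user holds the capability registered for the page
// ('local/interview:view'). manage.php would pass 'local_interview_index'.
admin_externalpage_setup('local_interview_admin');

$context = context_system::instance();

// settings.php gates this page on the read capability only; access.php also
// defines a write capability, so check it explicitly before changing anything.
require_capability('local/interview:edit', $context);

if (data_submitted()) {
    // Reject form posts that do not carry the user's session key (CSRF check).
    require_sesskey();
    // ... save the submitted data here (hypothetical, not shown in the thread) ...
    redirect(new moodle_url('/local/interview/manage.php'));
}

echo $OUTPUT->header();
echo $OUTPUT->heading(get_string('edit', 'local_interview'));
// ... render the edit form here (hypothetical) ...
echo $OUTPUT->footer();
```

The settings.php entry only controls what appears in the admin menu; the guard has to run inside every script that can be requested directly by URL.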