I'm trying to set up a site admin role but with restricted permissions. I don't want them to be able to change overall site configuration, but I do want them to be able to view reports.
I've created a new role, but as soon as you prevent site configuration they lose the ability to view reports (regardless of how that permission is set further down the page).
Any ideas gratefully received.
I've no answer to the question above yet. But another, closely related, problem...
I've created an administrator role (duplicated from the main Site Admin role). The only things I've switched to prevent are:
- Allowed to do everything
- Change site configuration
Yet, when I use that role I am prevented from viewing logs, assigning roles and from switching to other roles. I thought these were all covered by separate capabilities.
I've used the role debugger (http://docs.moodle.org/en/The_rolesdebug.php_roles_debugging_script) and it says my permission on moodle/role:switchroles (for example) is true.
So what's going on?
Rolesdebug lets you test one permission at a time, and it reports accurately. I suspect that for the action you are attempting, you need multiple permissions. So while you have the obvious permission, you may lack the other (like config or doanything).
For admin actions, you could read the code to find out what permissions are needed. IMO the admin code is particularly hard to follow (I'm not a php programmer), but with some effort, you can track it down.
Or post another discussion topic and ask the question, hoping a developer who knows the answer may reply.
Or, I would be happy to work with you offline (I wrote rolesdebug). Just send me an e-mail. I'm sure we can get to the bottom of the mystery. When we solve the problem, we will report back to this discussion for the benefit of future generations.
Regarding not being able to assign roles or switch to other roles, please note that, in addition to allowing the moodle/role:assign and moodle/role:switchroles capabilities, you also need to select which roles your lower permissioned site admin is allowed to assign via the "Allow role assignments" tab in Administration > Users > Permissions > Define roles.
Regarding not being able to view logs, I've checked things out and found that a lower permissioned site admin can view course logs but not site logs. I think this is a bug and so have reported it in the tracker: MDL-14261.
I've put a Word doc online which shows the current admin permissions (just the top section - I've not done anything to other sections). The legacy role is set to None.
As you'll see, almost everything is set to Allow. Yet, still, a user with this role cannot switch roles within a course.
When I run a rolesdebug on that user, within a course context, it returns:
capability = moodle/role:switchroles
context type = 50
context id = 5
user = *******(Mark Berthelemy)
context = Course: Administrator Practice Area 1
R8 = dorset_admin
R7 = user
System Learning Portal Training | Practice areas | Administrator Practice Area 1
R8(A), R7(N)| - | - | -
- | - | - | -
- | - | - | -
- | - | - | -
calculated permission = true
For the moment, particularly with the bug in not being able to see logs & reports, I'm going to have to forget the idea of a reduced permission admin. It's just not going to work.
Thanks for your help.
What happened when you selected some roles, such as student, that your lower permissioned site admin could assign? I found that this resulted in the "Switch role to" dropdown menu appearing on each course page.
That was it. I'd not realised there was a link between the ability to assign a role and the ability to view what things looked like from that role's perspective.
It's not a particularly intuitive connection.
Thanks for your help, and thanks for adding the logs issue to the tracker.
I read as far as the second sentence in your first paragraph "The legacy role is set to None." May I ask why you did this? If you remove the Legacy Role Type from any predefined role, all bets are off. The problem is that certain logic still depends on the old isadmin(), isguest(), isstudent(), ... tests from pre-1.7, and these tests will fail if the LRT is not present in the role. This is a particularly severe problem with the Guest role (remove it from Guest and guests will start behaving like space aliens). Fortunately in your case, I do not believe it is causing the problem (there are only 13 references to isadmin() in 1.9). Still, you can't be sure. So unless you have strong justification, put the LRT back to legacy admin.
The output from rolesdebug is best pasted into an e-mail, since the Moodle HTML editor squeezes out extra whitespace. You could also post a screenshot, or temporarily change "When editing text" (on your profile page) to "Use standard Web forms." Anyway, this one is easy to read.
Rolesdebug is telling you that the Dorset Admin role has permission to switch roles. The table shows that the Dorset Admin inherits the permission directly from the System context, where you assigned the role, and should have that permission in every context from System on down. The "calculated permission" under the table is the result of asking Moodle what it thinks.
The switchroles dropdown won't appear unless the Dorset Admin can assign at least one role. The list of assignable roles was not inherited from Admin when the role was copied. Go to Site administration -> Users -> Permissions -> Define roles and click the Allow role assignments tab. Check boxes that you want Dorset Admin to be able to assign. Then DA should see the Switchroles menu on course pages.
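The dependency described above, as an added example that is not part of the original thread or Moodle's own code: an audit that lists, for every role allowed moodle/role:switchroles, which roles it may assign, so a copied admin role with an empty list stands out. The three tables are a simplified model of Moodle's role, role_capabilities and role_allow_assign tables (an assumption: only the columns needed here, no context column, no table prefix), and the rows are constructed sample data.

```python
import sqlite3

# Simplified stand-ins for Moodle's role tables (assumption: reduced columns).
SCHEMA = """
CREATE TABLE role (id INTEGER PRIMARY KEY, shortname TEXT);
CREATE TABLE role_capabilities (roleid INTEGER, capability TEXT, permission INTEGER);
CREATE TABLE role_allow_assign (roleid INTEGER, allowassign INTEGER);
"""
CAP_ALLOW = 1  # numeric value Moodle stores for "Allow"

# Constructed sample data: role 8 plays the part of the copied admin role.
ROLES = [(1, "admin"), (5, "student"), (8, "dorset_admin")]
CAPS = [(1, "moodle/role:switchroles", CAP_ALLOW),
        (8, "moodle/role:switchroles", CAP_ALLOW)]
ALLOW_ASSIGN = [(1, 5), (1, 8)]  # no rows for role 8: not copied with the role


def build_db(allow_assign=ALLOW_ASSIGN):
    """Create the in-memory model and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO role VALUES (?, ?)", ROLES)
    conn.executemany("INSERT INTO role_capabilities VALUES (?, ?, ?)", CAPS)
    conn.executemany("INSERT INTO role_allow_assign VALUES (?, ?)", allow_assign)
    return conn


def audit(conn):
    """Map each role allowed switchroles to the roles it may assign.
    An empty list means the capability is set but no switch menu appears."""
    rows = conn.execute("""
        SELECT r.shortname, t.shortname
        FROM role r
        JOIN role_capabilities rc ON rc.roleid = r.id
        LEFT JOIN role_allow_assign a ON a.roleid = r.id
        LEFT JOIN role t ON t.id = a.allowassign
        WHERE rc.capability = 'moodle/role:switchroles' AND rc.permission = ?
        ORDER BY r.id, t.id""", (CAP_ALLOW,)).fetchall()
    report = {}
    for role, target in rows:
        report.setdefault(role, [])
        if target is not None:
            report[role].append(target)
    return report


if __name__ == "__main__":
    for role, targets in audit(build_db()).items():
        print(role, "->", targets or "capability allowed, nothing assignable")
```

The same listing doubles as a least-privilege review of a delegated admin role, since it shows exactly which roles that role can hand out.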
Between you & Helen, it all seems to be working now (except for the front page reports & logs - which is a bug).
I'd set Legacy Type to none just as an experiment. It doesn't seem to be affecting anything, but I'll set it back now.
Thanks for all your help.
Are you saying that we would have to have a separate "student administrator" role? Thank you for your help.
I was just trying to get a clarification of your requirements.
You said [re the course for teachers] "can I prevent student admins from viewing it?" I assumed you had a role called "student admin". That was presumptuous of me. I should have said "tell me more about these student admins. Who are they? What permissions do they have, and how do they get them?"
Also, what version of Moodle are you running?
Sorry for the limited information; I was multi-tasking.
We are running Moodle 1.9 and currently have several students (and 2 adults) who are "administrators." They have powers for site management (including create/edit/delete courses, assigning roles and the like), but do not have (much to their chagrin) access to edit code or access our server directly.
I'm one of the student administrators of the site Mr. Mackin is discussing. The permissions we have, as far as I know, are the ones only pertaining to the actual site and not the server. So any permissions that would change something in the actual server we do not have. If you want specific permissions that we don't have, I would not have a clue about.
We have an "IT section" of our group which is just a parent of one of our student administrators (He doesn't really work with our technology, he passes on our requests) and also a network programmer (or something of that sort). The network programmer does this as his job and he's built our site and set up everything regarding the server. He's the one who sets our permissions.
As a little background, our site was built by two students who graduated at the end of the last school year, the team that they passed it on to were given all powers, server permissions, and was taught a bit on how to create roles as well as change them. But then our site had a major issue and ended up being down for 180 some hours and our server host had to reinstall the OS on the server and we had to rebuild our entire site. Our "IT section" built our site and chose not to give the student team all permissions. So in order for me to get you a list of permissions that we do and do not have would require asking our "IT section".
I kind of understand what you're talking about with regards to setting up another role. But do you know whether or not Moodle 1.8.4+ has that ability? If it does, then that would definitely be one way to fix this issue. If you could possibly lay out the steps that would be required to do this, we can pass it on to the "IT section" and they can fix it for us.
Thanks for the help and sorry for making this so long.
Roles work just fine in Moodle 1.8.4 (Moodle 1.9 has some performance improvements), so it should be possible to define the new role I suggested and assign it to the student admins to see if it blocks them from the teacher course.
This experiment is harmless, but if your administrator is going to be doing other things with roles, it is really important that he knows what he's doing, and not just experimenting. Otherwise, your site could be down for another 180 hours -- or longer.