- Moodle
- MDL-18342 Skodak's plan of enrolment and roles ...
- MDL-18475
Permission evaluation revisited
Details
-
Type: Sub-task
-
Status: Closed
-
Priority: Critical
-
Resolution: Fixed
-
Affects Version/s: 2.0
-
Fix Version/s: 2.0
-
Component/s: Roles / Access
-
Labels:None
-
Affected Branches:MOODLE_20_STABLE
-
Fixed Branches:MOODLE_20_STABLE
Description
see docs.moodle.org/en/Development:Role_overrides_revisited
and skodak.org/blog/?p=22
Attachments
-
- newpermissions.patch
- 25/Mar/09 4:20 PM
- 44 kB
- Petr Škoda
sample code:
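/**
 * Decide whether the supplied access data grants a capability in a context.
 *
 * Roles are gathered from the tested context and all of its parent contexts.
 * For every role the definition/override closest to the tested context wins,
 * except that a CAP_PROHIBIT found anywhere on the path replaces it. A single
 * CAP_PROHIBIT among the roles denies access; otherwise at least one
 * CAP_ALLOW is required.
 *
 * While a role switch is active the user's real role assignments are not
 * consulted and the "do anything" shortcut is skipped, so a switched role
 * can only narrow what is evaluated here, never inherit the real roles.
 *
 * @param string $capability capability name, looked up as a key in the role definitions
 * @param object $context    object exposing ->path, a slash-separated list of context ids
 * @param array  $accessdata 'ra'   => path => list of role ids,
 *                           'rdef' => "path:roleid" => capability => permission,
 *                           'rsw'  => path => role id switched to (optional)
 * @param bool   $doanything honour moodle/site:doanything defined in the system context
 * @return bool true when access is granted
 */
function has_capability_in_accessdata($capability, $context, $accessdata, $doanything) {
    global $CFG;

    /// Build $paths as the current path plus all parent paths, ordered bottom-to-top.
    $contextids = explode('/', $context->path);
    $paths = array($context->path);
    while (count($contextids) > 2) {
        array_pop($contextids);
        $paths[] = implode('/', $contextids);
    }

    $roles = array();
    $switchedrole = false;

    /// Find out if the role is switched.
    // A single !empty() test replaces the isset()/empty()/unset()/break sequence:
    // there is no enclosing loop to break out of at this point.
    if (!empty($accessdata['rsw'])) {
        // From the bottom up...
        foreach ($paths as $path) {
            // The lookup key must be the loop variable, otherwise a switch is never detected.
            if (isset($accessdata['rsw'][$path])) {
                // Found a switchrole assignment:
                // check for that role _plus_ the default user role.
                $roles = array($accessdata['rsw'][$path] => null, $CFG->defaultuserroleid => null);
                $switchedrole = true;
                break;
            }
        }
    }

    if (!$switchedrole) {
        // Get all of the user's roles in this context and above.
        foreach ($paths as $path) {
            if (isset($accessdata['ra'][$path])) {
                foreach ($accessdata['ra'][$path] as $roleid) {
                    $roles[$roleid] = null;
                }
            }
        }

        // Find out if the user is admin - do anything is allowed in system context only since 2.0.
        // Do anything is ignored when switching roles - switching to the admin role is not allowed anyway.
        if ($doanything) {
            $systempath = '/'.SYSCONTEXTID;
            foreach ($roles as $roleid => $ignored) {
                $key = "{$systempath}:$roleid";
                if (isset($accessdata['rdef'][$key]['moodle/site:doanything'])
                        and (int)$accessdata['rdef'][$key]['moodle/site:doanything'] === CAP_ALLOW) {
                    return true;
                }
            }
        }
    }

    /// Now find out what access is given to each role, going bottom --> up:
    /// the lowest override wins unless there is a CAP_PROHIBIT somewhere above the tested context.
    foreach ($roles as $roleid => $ignored) {
        foreach ($paths as $path) {
            if (isset($accessdata['rdef']["{$path}:$roleid"][$capability])) {
                $perm = (int)$accessdata['rdef']["{$path}:$roleid"][$capability];
                // First hit (the lowest context) is recorded; later hits only matter if they prohibit.
                if ($perm === CAP_PROHIBIT or is_null($roles[$roleid])) {
                    $roles[$roleid] = $perm;
                }
            }
        }
    }

    // Strict comparison: roles without any definition still hold null and must
    // never be matched loosely against a permission constant.

    // Any CAP_PROHIBIT found means no access.
    if (in_array(CAP_PROHIBIT, $roles, true)) {
        return false;
    }

    // At least one CAP_ALLOW means the user has access.
    return in_array(CAP_ALLOW, $roles, true);
}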