Commit 01a2ce80 authored by Petr Skoda's avatar Petr Skoda
Browse files

MDL-21710, MDL-21711 new permissions evaluation and overriding UI

parent f42e7f78
<?php
///////////////////////////////////////////////////////////////////////////
// //
// NOTICE OF COPYRIGHT //
// //
// Moodle - Modular Object-Oriented Dynamic Learning Environment //
// http://moodle.org //
// //
// Copyright (C) 1999 onwards Martin Dougiamas http://dougiamas.com //
// //
// This program is free software; you can redistribute it and/or modify //
// it under the terms of the GNU General Public License as published by //
// the Free Software Foundation; either version 2 of the License, or //
// (at your option) any later version. //
// //
// This program is distributed in the hope that it will be useful, //
// but WITHOUT ANY WARRANTY; without even the implied warranty of //
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the //
// GNU General Public License for more details: //
// //
// http://www.gnu.org/copyleft/gpl.html //
// //
///////////////////////////////////////////////////////////////////////////
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* this page defines what roles can do things with other roles. For example
* which roles can assign which other roles, or which roles can switch to
* which other roles.
* Allow overriding of roles by other roles
*
* @license http://www.gnu.org/copyleft/gpl.html GNU Public License
* @package roles
*//** */
* @package moodlecore
* @subpackage role
* @copyright 1999 onwards Martin Dougiamas (http://dougiamas.com)
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
require_once(dirname(__FILE__) . '/../../config.php');
require_once($CFG->libdir . '/adminlib.php');
require_once($CFG->dirroot . '/' . $CFG->admin . '/roles/lib.php');
require_once(dirname(__FILE__) . '/../../config.php');
require_once($CFG->libdir . '/adminlib.php');
require_once($CFG->dirroot . '/' . $CFG->admin . '/roles/lib.php');
$mode = required_param('mode', PARAM_ACTION);
$classformode = array(
'assign' => 'role_allow_assign_page',
'override' => 'role_allow_override_page',
'switch' => 'role_allow_switch_page'
);
if (!isset($classformode[$mode])) {
print_error('invalidmode', '', '', $mode);
}
$mode = required_param('mode', PARAM_ACTION);
$classformode = array(
'assign' => 'role_allow_assign_page',
'override' => 'role_allow_override_page',
'switch' => 'role_allow_switch_page'
);
if (!isset($classformode[$mode])) {
print_error('invalidmode', '', '', $mode);
}
$baseurl = $CFG->wwwroot . '/' . $CFG->admin . '/roles/allow.php?mode=' . $mode;
admin_externalpage_setup('defineroles', '', array(), $baseurl);
require_login();
$baseurl = new moodle_url('/admin/roles/allow.php', array('mode'=>$mode));
admin_externalpage_setup('defineroles', '', array(), $baseurl);
$syscontext = get_context_instance(CONTEXT_SYSTEM);
require_capability('moodle/role:manage', $syscontext);
$syscontext = get_context_instance(CONTEXT_SYSTEM);
require_capability('moodle/role:manage', $syscontext);
$controller = new $classformode[$mode]();
$controller = new $classformode[$mode]();
if (optional_param('submit', false, PARAM_BOOL) && data_submitted() && confirm_sesskey()) {
$controller->process_submission();
mark_context_dirty($syscontext->path);
add_to_log(SITEID, 'role', 'edit allow ' . $mode, str_replace($CFG->wwwroot . '/', '', $baseurl), '', '', $USER->id);
redirect($baseurl);
}
if (optional_param('submit', false, PARAM_BOOL) && data_submitted() && confirm_sesskey()) {
$controller->process_submission();
mark_context_dirty($syscontext->path);
add_to_log(SITEID, 'role', 'edit allow ' . $mode, str_replace($CFG->wwwroot . '/', '', $baseurl), '', '', $USER->id);
redirect($baseurl);
}
$controller->load_current_settings();
$controller->load_current_settings();
/// Display the editing form.
admin_externalpage_print_header();
// Display the editing form.
echo $OUTPUT->header();
$currenttab = $mode;
require_once('managetabs.php');
$currenttab = $mode;
require('managetabs.php');
$table = $controller->get_table();
$table = $controller->get_table();
echo $OUTPUT->box($controller->get_intro_text());
echo $OUTPUT->box($controller->get_intro_text());
echo '<form action="' . $baseurl . '" method="post">';
echo '<input type="hidden" name="sesskey" value="' . sesskey() . '" />';
echo $OUTPUT->table($table);
echo '<div class="buttons"><input type="submit" name="submit" value="'.get_string('savechanges').'"/>';
echo '</div></form>';
echo '<form action="' . $baseurl . '" method="post">';
echo '<input type="hidden" name="sesskey" value="' . sesskey() . '" />';
echo $OUTPUT->table($table);
echo '<div class="buttons"><input type="submit" name="submit" value="'.get_string('savechanges').'"/>';
echo '</div></form>';
echo $OUTPUT->footer();
echo $OUTPUT->footer();
<?php
///////////////////////////////////////////////////////////////////////////
// //
// NOTICE OF COPYRIGHT //
// //
// Moodle - Modular Object-Oriented Dynamic Learning Environment //
// http://moodle.org //
// //
// Copyright (C) 1999 onwards Martin Dougiamas http://dougiamas.com //
// //
// This program is free software; you can redistribute it and/or modify //
// it under the terms of the GNU General Public License as published by //
// the Free Software Foundation; either version 2 of the License, or //
// (at your option) any later version. //
// //
// This program is distributed in the hope that it will be useful, //
// but WITHOUT ANY WARRANTY; without even the implied warranty of //
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the //
// GNU General Public License for more details: //
// //
// http://www.gnu.org/copyleft/gpl.html //
// //
///////////////////////////////////////////////////////////////////////////
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Lets you assign roles to users in a particular context.
*
* @license http://www.gnu.org/copyleft/gpl.html GNU Public License
* @package roles
*//** */
* @package moodlecore
* @subpackage role
* @copyright 1999 onwards Martin Dougiamas (http://dougiamas.com)
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
require_once(dirname(__FILE__) . '/../../config.php');
require_once($CFG->dirroot . '/' . $CFG->admin . '/roles/lib.php');
......@@ -42,7 +36,6 @@
$hidden = optional_param('hidden', 0, PARAM_BOOL); // whether this assignment is hidden
$extendperiod = optional_param('extendperiod', 0, PARAM_INT);
$extendbase = optional_param('extendbase', 3, PARAM_INT);
$returnurl = optional_param('returnurl', null, PARAM_LOCALURL);
$urlparams = array('contextid' => $contextid);
if (!empty($userid)) {
......@@ -51,9 +44,6 @@
if ($courseid && $courseid != SITEID) {
$urlparams['courseid'] = $courseid;
}
if ($returnurl) {
$urlparams['returnurl'] = $returnurl;
}
$PAGE->set_url('/admin/roles/assign.php', $urlparams);
$baseurl = $PAGE->url->out();
......@@ -65,26 +55,27 @@
$contextname = print_context_name($context);
$inmeta = 0;
$cm = null;
if ($context->contextlevel == CONTEXT_COURSE) {
$courseid = $context->instanceid;
if ($course = $DB->get_record('course', array('id'=>$courseid))) {
$inmeta = $course->metacourse;
} else {
print_error('invalidcourse', 'error');
}
} else if (!empty($courseid)){ // we need this for user tabs in user context
if (!$course = $DB->get_record('course', array('id'=>$courseid))) {
print_error('invalidcourse', 'error');
}
} else if ($context->contextlevel == CONTEXT_MODULE) {
$cm = get_coursemodule_from_id('', $context->instanceid, 0, false, MUST_EXIST);
$courseid = $cm->course;
} else if (!empty($courseid)) { // we need this for user tabs in user context
// pass it
} else {
$courseid = SITEID;
$course = clone($SITE);
}
$course = $DB->get_record('course', array('id'=>$courseid), '*', MUST_EXIST);
$inmeta = $course->metacourse;
/// Check login and permissions.
require_login($course);
require_login($course, false, $cm);
require_capability('moodle/role:assign', $context);
/// These are needed early because of tabs.php
......@@ -276,19 +267,21 @@
$showroles = 1;
$currenttab = 'assign';
echo $OUTPUT->header();
include($CFG->dirroot.'/user/tabs.php');
} else if ($context->contextlevel == CONTEXT_SYSTEM) {
admin_externalpage_setup('assignroles', '', array('contextid' => $contextid, 'roleid' => $roleid));
admin_externalpage_print_header();
echo $OUTPUT->header();
} else if ($isfrontpage) {
admin_externalpage_setup('frontpageroles', '', array('contextid' => $contextid, 'roleid' => $roleid));
admin_externalpage_print_header();
echo $OUTPUT->header();
$currenttab = 'assign';
include('tabs.php');
} else {
echo $OUTPUT->header();
$currenttab = 'assign';
include('tabs.php');
}
......@@ -364,7 +357,7 @@
/// Print a form to swap roles, and a link back to the all roles list.
echo '<div class="backlink">';
$select = new single_select(new moodle_url($baseurl), 'roleid', $nameswithcounts, $roleid, null);
$select->label = get_string('assignanotherrole', 'role');
echo $OUTPUT->render($select);
......@@ -440,12 +433,8 @@
echo $OUTPUT->table($table);
if (!$isfrontpage && ($url = get_context_url($context))) {
echo '<div class="backlink"><a href="' . $url . '">' .
get_string('backto', '', $contextname) . '</a></div>';
} else if ($returnurl) {
echo '<div class="backlink"><a href="' . $CFG->wwwroot . '/' . $returnurl . '">' .
get_string('backtopageyouwereon') . '</a></div>';
if ($context->contextlevel > CONTEXT_USER) {
echo '<div class="backlink"><a href="' . get_context_url($context) . '">' . get_string('backto', '', $contextname) . '</a></div>';
}
}
......
<?php
///////////////////////////////////////////////////////////////////////////
// //
// NOTICE OF COPYRIGHT //
// //
// Moodle - Modular Object-Oriented Dynamic Learning Environment //
// http://moodle.org //
// //
// Copyright (C) 1999 onwards Martin Dougiamas http://dougiamas.com //
// //
// This program is free software; you can redistribute it and/or modify //
// it under the terms of the GNU General Public License as published by //
// the Free Software Foundation; either version 2 of the License, or //
// (at your option) any later version. //
// //
// This program is distributed in the hope that it will be useful, //
// but WITHOUT ANY WARRANTY; without even the implied warranty of //
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the //
// GNU General Public License for more details: //
// //
// http://www.gnu.org/copyleft/gpl.html //
// //
///////////////////////////////////////////////////////////////////////////
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Shows the result of has_capability for every capability for a user in a context.
*
* @license http://www.gnu.org/copyleft/gpl.html GNU Public License
* @package roles
*//** */
* @package moodlecore
* @subpackage role
* @copyright 1999 onwards Martin Dougiamas (http://dougiamas.com)
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
require_once(dirname(__FILE__) . '/../../config.php');
require_once($CFG->dirroot . '/' . $CFG->admin . '/roles/lib.php');
......@@ -36,7 +30,6 @@
$contextid = required_param('contextid',PARAM_INT);
$userid = optional_param('userid', 0, PARAM_INT); // needed for user tabs
$courseid = optional_param('courseid', 0, PARAM_INT); // needed for user tabs
$returnurl = optional_param('returnurl', null, PARAM_LOCALURL);
$urlparams = array('contextid' => $contextid);
if (!empty($userid)) {
......@@ -45,9 +38,6 @@
if ($courseid && $courseid != SITEID) {
$urlparams['courseid'] = $courseid;
}
if ($returnurl) {
$urlparams['returnurl'] = $returnurl;
}
$PAGE->set_url('/admin/roles/check.php', $urlparams);
if (! $context = get_context_instance_by_id($contextid)) {
......@@ -120,21 +110,22 @@
$showroles = 1;
$currenttab = 'check';
include_once($CFG->dirroot.'/user/tabs.php');
include($CFG->dirroot.'/user/tabs.php');
} else if ($context->contextlevel == CONTEXT_SYSTEM) {
admin_externalpage_setup('checkpermissions', '', array('contextid' => $contextid));
admin_externalpage_print_header();
echo $OUTPUT->header();
} else if ($context->contextlevel == CONTEXT_COURSE and $context->instanceid == SITEID) {
admin_externalpage_setup('frontpageroles', '', array('contextid' => $contextid), $CFG->wwwroot . '/' . $CFG->admin . '/roles/check.php');
admin_externalpage_print_header();
echo $OUTPUT->header();
$currenttab = 'check';
include_once('tabs.php');
include('tabs.php');
} else {
echo $OUTPUT->header();
$currenttab = 'check';
include_once('tabs.php');
include('tabs.php');
}
/// Print heading.
......@@ -146,7 +137,7 @@
echo $OUTPUT->box_start('generalbox boxaligncenter boxwidthwide');
echo $OUTPUT->heading(get_string('permissionsforuser', 'role', fullname($reportuser)), 3);
$table = new explain_capability_table($context, $reportuser, $contextname);
$table = new check_capability_table($context, $reportuser, $contextname);
$table->display();
echo $OUTPUT->box_end();
......@@ -178,12 +169,8 @@
echo $OUTPUT->box_end();
/// Appropriate back link.
if (!$isfrontpage && ($url = get_context_url($context))) {
echo '<div class="backlink"><a href="' . $url . '">' .
get_string('backto', '', $contextname) . '</a></div>';
} else if ($returnurl) {
echo '<div class="backlink"><a href="' . $CFG->wwwroot . '/' . $returnurl . '">' .
get_string('backtopageyouwereon') . '</a></div>';
if ($context->contextlevel > CONTEXT_USER) {
echo '<div class="backlink"><a href="' . get_context_url($context) . '">' . get_string('backto', '', $contextname) . '</a></div>';
}
echo $OUTPUT->footer();
......
<?php
///////////////////////////////////////////////////////////////////////////
// //
// NOTICE OF COPYRIGHT //
// //
// Moodle - Modular Object-Oriented Dynamic Learning Environment //
// http://moodle.org //
// //
// Copyright (C) 1999 onwards Martin Dougiamas http://dougiamas.com //
// //
// This program is free software; you can redistribute it and/or modify //
// it under the terms of the GNU General Public License as published by //
// the Free Software Foundation; either version 2 of the License, or //
// (at your option) any later version. //
// //
// This program is distributed in the hope that it will be useful, //
// but WITHOUT ANY WARRANTY; without even the implied warranty of //
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the //
// GNU General Public License for more details: //
// //
// http://www.gnu.org/copyleft/gpl.html //
// //
///////////////////////////////////////////////////////////////////////////
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Lets the user edit role definitions.
......@@ -32,9 +24,11 @@
* edit - edit the definition of a role
* view - view the definition of a role
*
* @license http://www.gnu.org/copyleft/gpl.html GNU Public License
* @package roles
*//** */
* @package moodlecore
* @subpackage role
* @copyright 1999 onwards Martin Dougiamas (http://dougiamas.com)
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
require_once(dirname(__FILE__) . '/../../config.php');
require_once($CFG->dirroot . '/' . $CFG->admin . '/roles/lib.php');
......
<?php
///////////////////////////////////////////////////////////////////////////
// //
// NOTICE OF COPYRIGHT //
// //
// Moodle - Modular Object-Oriented Dynamic Learning Environment //
// http://moodle.org //
// //
// Copyright (C) 1999 onwards Martin Dougiamas http://dougiamas.com //
// //
// This program is free software; you can redistribute it and/or modify //
// it under the terms of the GNU General Public License as published by //
// the Free Software Foundation; either version 2 of the License, or //
// (at your option) any later version. //
// //
// This program is distributed in the hope that it will be useful, //
// but WITHOUT ANY WARRANTY; without even the implied warranty of //
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the //
// GNU General Public License for more details: //
// //
// http://www.gnu.org/copyleft/gpl.html //
// //
///////////////////////////////////////////////////////////////////////////
/**
* Elucidates what has_capability does for a particular capability/user/context.
*
* @license http://www.gnu.org/copyleft/gpl.html GNU Public License
* @package roles
*//** */
require(dirname(__FILE__) . '/../../config.php');
// Get parameters.
$userid = required_param('user', PARAM_INTEGER); // We use 0 here to mean not-logged-in.
$contextid = required_param('contextid', PARAM_INTEGER);
$capability = required_param('capability', PARAM_CAPABILITY);
$PAGE->set_url('/admin/roles/explain.php', array('user'=>$userid, 'contextid'=>$contextid, 'capability'=>$capability));
// Get the context and its parents.
$context = get_context_instance_by_id($contextid);
if (!$context) {
print_error('unknowncontext');
}
$contextids = get_parent_contexts($context);
array_unshift($contextids, $context->id);
$contexts = array();
$number = count($contextids);
foreach ($contextids as $contextid) {
$contexts[$contextid] = get_context_instance_by_id($contextid);
$contexts[$contextid]->name = print_context_name($contexts[$contextid], true, true);
$contexts[$contextid]->number = $number--;
}
// Validate the user id.
if ($userid) {
$user = $DB->get_record('user', array('id' => $userid));
if (!$user) {
print_error('nosuchuser');
}
} else {
$frontpagecontext = get_context_instance(CONTEXT_COURSE, SITEID);
if (!empty($CFG->forcelogin) ||
($context->contextlevel >= CONTEXT_COURSE && !in_array($frontpagecontext->id, $contextids))) {
print_error('cannotgetherewithoutloggingin', 'role');
}
}
// Check access permissions.
require_login();
if (!has_any_capability(array('moodle/role:assign', 'moodle/role:safeoverride',
'moodle/role:override', 'moodle/role:assign'), $context)) {
print_error('nopermissions', '', get_string('explainpermissions'));
}
// This duplicates code in load_all_capabilities and has_capability.
$systempath = '/' . SYSCONTEXTID;
if ($userid == 0) {
if (!empty($CFG->notloggedinroleid)) {
$accessdata = get_role_access($CFG->notloggedinroleid);
$accessdata['ra'][$systempath] = array($CFG->notloggedinroleid);
} else {
$accessdata = array();
$accessdata['ra'] = array();
$accessdata['rdef'] = array();
$accessdata['loaded'] = array();
}
} else if (isguestuser($user)) {
$guestrole = get_guest_role();
$accessdata = get_role_access($guestrole->id);
$accessdata['ra'][$systempath] = array($guestrole->id);
} else {
$accessdata = load_user_accessdata($userid);
}
if ($context->contextlevel > CONTEXT_COURSE && !path_inaccessdata($context->path, $accessdata)) {
load_subcontext($userid, $context, $accessdata);
}
// Load the roles we need.
$roleids = array();
foreach ($accessdata['ra'] as $roleassignments) {
$roleids = array_merge($roleassignments, $roleids);
}
$roles = $DB->get_records_list('role', 'id', $roleids);
$rolenames = array();
foreach ($roles as $role) {
$rolenames[$role->id] = $role->name;
}
$rolenames = role_fix_names($rolenames, $context);
// Pass over the data once, to find the cell that determines the result.
$userhascapability = has_capability($capability, $context, $userid, false);
$areprohibits = false;
$decisiveassigncon = 0;
$decisiveoverridecon = 0;
foreach ($contexts as $con) {
if (!empty($accessdata['ra'][$con->path])) {
// The array_unique here is to work around bug MDL-14817. Once that bug is
// fixed, it can be removed
$ras = array_unique($accessdata['ra'][$con->path]);
} else {
$ras = array();
}
$con->firstoverride = 0;
foreach ($contexts as $ocon) {
$summedpermission = 0;
$gotsomething = false;
foreach ($ras as $roleid) {
if (isset($accessdata['rdef'][$ocon->path . ':' . $roleid][$capability])) {
$perm = $accessdata['rdef'][$ocon->path . ':' . $roleid][$capability];
} else {
$perm = CAP_INHERIT;
}
if ($perm && !$gotsomething) {
$gotsomething = true;
$con->firstoverride = $ocon->id;
}
if ($perm == CAP_PROHIBIT) {
$areprohibits = true;
$decisiveassigncon = 0;
$decisiveoverridecon = 0;
break;
}
$summedpermission += $perm;
}
if (!$areprohibits && !$decisiveassigncon && $summedpermission) {