MDL-57027 fix get_users_by_capability()

Change-Id: I98dc88784dfa0293f88a19c3d36e7a46a3f52672

MDL-57027 fix get_users_by_capability()
Change-Id: I98dc88784dfa0293f88a19c3d36e7a46a3f52672
a6210651 · Petr Skoda · Andrew Nicols · 326cd6f6 · a6210651 · a6210651
Commit a6210651 authored Dec 07, 2016 by Petr Skoda Committed by Andrew Nicols Feb 01, 2017
--- a/lib/accesslib.php
+++ b/lib/accesslib.php
@@ -3647,11 +3647,11 @@ function get_users_by_capability(context $context, $capability, $fields = '', $s
                                                          AND roleid IN (".implode(',', array_keys($prohibited[$cap])) ."))";

                } else {
-                    $unions[] = "SELECT userid
-                                   FROM {role_assignments}
-                                  WHERE contextid IN ($ctxids)
-                                        AND roleid IN (".implode(',', array_keys($needed[$cap])) .")
-                                        AND roleid NOT IN (".implode(',', array_keys($prohibited[$cap])) .")";
+                    $unions[] = "SELECT ra.userid
+                                   FROM {role_assignments} ra
+                              LEFT JOIN {role_assignments} rap ON (rap.userid = ra.userid AND rap.contextid IN ($ctxids) AND rap.roleid IN (".implode(',', array_keys($prohibited[$cap])) ."))
+                                  WHERE ra.contextid IN ($ctxids) AND ra.roleid IN (".implode(',', array_keys($needed[$cap])) .")
+                                        AND rap.id IS NULL";
                }
            }
        }

--- a/lib/tests/accesslib_test.php
+++ b/lib/tests/accesslib_test.php
@@ -2504,6 +2504,12 @@ class core_accesslib_testcase extends advanced_testcase {

        assign_capability('mod/page:view', CAP_PREVENT, $allroles['guest'], $systemcontext, true);

+        // Prepare for prohibit test.
+        role_assign($allroles['editingteacher'], $testusers[19], context_system::instance());
+        role_assign($allroles['teacher'], $testusers[19], context_course::instance($testcourses[17]));
+        role_assign($allroles['editingteacher'], $testusers[19], context_course::instance($testcourses[17]));
+        assign_capability('moodle/course:update', CAP_PROHIBIT, $allroles['teacher'], context_course::instance($testcourses[17]), true);
+
        accesslib_clear_all_caches_for_unit_testing(); /// Must be done after assign_capability().

        // Extra tests for guests and not-logged-in users because they can not be verified by cross checking
@@ -2527,6 +2533,14 @@ class core_accesslib_testcase extends advanced_testcase {
        $this->assertFalse(has_capability('moodle/course:update', context_course::instance($testcourses[19]), $testusers[9]));
        $this->assertFalse(has_capability('moodle/course:update', $systemcontext, $testusers[9]));

+        // Test prohibits.
+        $this->assertTrue(has_capability('moodle/course:update', context_system::instance(), $testusers[19]));
+        $ids = get_users_by_capability(context_system::instance(), 'moodle/course:update', 'u.id');
+        $this->assertArrayHasKey($testusers[19], $ids);
+        $this->assertFalse(has_capability('moodle/course:update', context_course::instance($testcourses[17]), $testusers[19]));
+        $ids = get_users_by_capability(context_course::instance($testcourses[17]), 'moodle/course:update', 'u.id');
+        $this->assertArrayNotHasKey($testusers[19], $ids);
+
        // Test the list of enrolled users.
        $coursecontext = context_course::instance($course1->id);
        $enrolled = get_enrolled_users($coursecontext);