moodle/moodle
3
0
Fork 0
mirror of https://github.com/moodle/moodle.git synced 2025-08-07 18:06:51 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

MDL-60983 get_user_capability_course: fix buggy edge cases

Browse source 
There were basically two problems, which are demostrated by
the new test users u7 and u8 in the unit test.

1. There was a problem if a role was overridden in a context above the
one where it was assigned. E.g. User has teacher role in a course, and
there is a role override in the course-category context. That was being
ignored.

2. Problems with the handling of PROHIBITs. It should be the case that
if there is a PROHIBIT in force, then it cannot be overridden by another
role, or by a role override. However, this was not working in all cases.

Also, I had to add comments to the unit test so that I could understand
it. Hopefully these will be hepful to other developers too.
This commit is contained in:
Tim Hunt 2017-12-06 19:40:38 +00:00
parent 5f54a8760f
commit 91c8d8b130
2 changed files with 111 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

84
lib/classes/access/get_user_capability_course_helper.php
View file

@ -39,7 +39,10 @@ class get_user_capability_course_helper {
* an array of capability values at each relevant context for the given user and capability.
*
* This is organised by the effective context path (the one at which the capability takes
* effect) and then by role id.
* effect) and then by role id. Note, however, that the resulting array only has
* the information that will be needed later. If there are Prohibits present in some
* roles, then they cannot be overridden by other roles or role overrides in lower contexts,
* therefore, such information, if any, is absent from the results.
*
* @param int $userid User id
* @param string $capability Capability e.g. 'moodle/course:view'
@ -58,42 +61,101 @@ class get_user_capability_course_helper {
}
$rdefs = get_role_definitions(array_keys($roleids));
// A prohibit in any relevant role prevents the capability
// in that context and all subcontexts. We need to track that.
// Here, the array keys are the paths where there is a prohibit the values are the role id.
$prohibitpaths = [];
// Get data for required capability at each context path where the user has a role that can
// affect it.
$systemcontext = \context_system::instance();
$pathroleperms = [];
foreach ($accessdata['ra'] as $userpath => $roles) {
foreach ($accessdata['ra'] as $rapath => $roles) {
foreach ($roles as $roleid) {
// Get role definition for that role.
foreach ($rdefs[$roleid] as $rolepath => $caps) {
foreach ($rdefs[$roleid] as $rdefpath => $caps) {
// Ignore if this override/definition doesn't refer to the relevant cap.
if (!array_key_exists($capability, $caps)) {
continue;
}
// Check path is /1 or matches a path the user has.
if ($rolepath === '/' . $systemcontext->id) {
// Note /1 is listed first in the array so this entry will be overridden
// if there is an override for the role on this actual level.
$effectivepath = $userpath;
} else if (preg_match('~^' . $userpath . '($|/)~', $rolepath)) {
$effectivepath = $rolepath;
// Check a role definition or override above ra.
if (self::path_is_above($rdefpath, $rapath)) {
// Note that $rdefs is sorted by path, so if a more specific override
// exists, it will be processed later and override this one.
$effectivepath = $rapath;
} else if (self::path_is_above($rapath, $rdefpath)) {
$effectivepath = $rdefpath;
} else {
// Not inside an area where the user has the role, so ignore.
continue;
}
// Check for already seen prohibits in higher context. Overrides can't change that.
if (self::any_path_is_above($prohibitpaths, $effectivepath)) {
continue;
}
// This is a releavant role assignment / permission combination. Save it.
if (!array_key_exists($effectivepath, $pathroleperms)) {
$pathroleperms[$effectivepath] = [];
}
$pathroleperms[$effectivepath][$roleid] = $caps[$capability];
// Update $prohibitpaths if necessary.
if ($caps[$capability] == CAP_PROHIBIT) {
// First remove any lower-context prohibits that might have come from other roles.
foreach ($prohibitpaths as $otherprohibitpath => $notused) {
if (self::path_is_above($effectivepath, $otherprohibitpath)) {
unset($prohibitpaths[$otherprohibitpath]);
}
}
$prohibitpaths[$effectivepath] = $roleid;
}
}
}
}
// Finally, if a later role had a higher-level prohibit that an earlier role,
// there may be more bits we can prune - but don't prune the prohibits!
foreach ($pathroleperms as $effectivepath => $roleperms) {
if ($roleid = self::any_path_is_above($prohibitpaths, $effectivepath)) {
unset($pathroleperms[$effectivepath]);
$pathroleperms[$effectivepath][$roleid] = CAP_PROHIBIT;
}
}
return $pathroleperms;
}
/**
* Test if a context path $otherpath is the same as, or underneath, $parentpath.
*
* @param string $parentpath the path of the parent context.
* @param string $otherpath the path of another context.
* @return bool true if $otherpath is underneath (or equal to) $parentpath.
*/
protected static function path_is_above($parentpath, $otherpath) {
return preg_match('~^' . $parentpath . '($|/)~', $otherpath);
}
/**
* Test if a context path $otherpath is the same as, or underneath, any of $prohibitpaths.
*
* @param array $prohibitpaths array keys are context paths.
* @param string $otherpath the path of another context.
* @return int releavant $roleid if $otherpath is underneath (or equal to)
* any of the $prohibitpaths, 0 otherwise (so, can be used as a bool).
*/
protected static function any_path_is_above($prohibitpaths, $otherpath) {
foreach ($prohibitpaths as $prohibitpath => $roleid) {
if (self::path_is_above($prohibitpath, $otherpath)) {
return $roleid;
}
}
return 0;
}
/**
* Calculates a permission tree based on an array of information about role permissions.
*