moodle/moodle
3
0
Fork 0
mirror of https://github.com/moodle/moodle.git synced 2025-08-05 00:46:50 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

MDL-60983 get_user_capability_course: fix buggy edge cases

Browse source 
There were basically two problems, which are demostrated by
the new test users u7 and u8 in the unit test.

1. There was a problem if a role was overridden in a context above the
one where it was assigned. E.g. User has teacher role in a course, and
there is a role override in the course-category context. That was being
ignored.

2. Problems with the handling of PROHIBITs. It should be the case that
if there is a PROHIBIT in force, then it cannot be overridden by another
role, or by a role override. However, this was not working in all cases.

Also, I had to add comments to the unit test so that I could understand
it. Hopefully these will be hepful to other developers too.
This commit is contained in:
Tim Hunt 2017-12-06 19:40:38 +00:00
parent 5f54a8760f
commit 91c8d8b130
2 changed files with 111 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

38
lib/tests/accesslib_test.php
View file

@ -1707,6 +1707,25 @@ class core_accesslib_testcase extends advanced_testcase {
$generator = $this->getDataGenerator();
$cap = 'moodle/course:view';
// The structure being created here is this:
//
// All tests work with the single capability 'moodle/course:view'.
//
// ROLE DEF/OVERRIDE ROLE ASSIGNS
// Role: Allow Prohib Empty Def user u1 u2 u3 u4 u5 u6 u7 u8
// System ALLOW PROHIBIT A E A+E
// cat1 ALLOW
// C1 (ALLOW) P
// C2 ALLOW E P
// cat2 PREVENT
// C3 ALLOW E
// C4
// Misc. A
// C5 PREVENT A
// C6 PROHIBIT
//
// Front-page and guest role stuff from the end of this test not included in the diagram.
// Create a role which allows course:view and one that prohibits it, and one neither.
$allowroleid = $generator->create_role();
$prohibitroleid = $generator->create_role();
@ -1720,6 +1739,7 @@ class core_accesslib_testcase extends advanced_testcase {
$cat2 = $generator->create_category(['parent' => $cat1->id]);
// Create six courses - two in cat1, two in cat2, and two in default category.
// Shortnames are used for a sorting test. Otherwise they are not significant.
$c1 = $generator->create_course(['category' => $cat1->id, 'shortname' => 'Z']);
$c2 = $generator->create_course(['category' => $cat1->id, 'shortname' => 'Y']);
$c3 = $generator->create_course(['category' => $cat2->id, 'shortname' => 'X']);
@ -1741,6 +1761,8 @@ class core_accesslib_testcase extends advanced_testcase {
context_course::instance($c6->id)->id);
assign_capability($cap, CAP_ALLOW, $emptyroleid,
context_course::instance($c3->id)->id);
assign_capability($cap, CAP_ALLOW, $prohibitroleid,
context_course::instance($c2->id)->id);
// User 1 has no roles except default user role.
$u1 = $generator->create_user();
@ -1800,6 +1822,22 @@ class core_accesslib_testcase extends advanced_testcase {
$courses = get_user_capability_course($cap, $u6->id, true, '', 'id');
$this->assert_course_ids([$c3->id], $courses);
// User 7 has empty role in C2.
$u7 = $generator->create_user();
role_assign($emptyroleid, $u7->id, context_course::instance($c2->id)->id);
// Should get C1 by the default user role override, and C2 by the cat1 level override.
$courses = get_user_capability_course($cap, $u7->id, true, '', 'id');
$this->assert_course_ids([$c1->id, $c2->id], $courses);
// User 8 has prohibit role as system context, to verify that prohibits can't be overridden.
$u8 = $generator->create_user();
role_assign($prohibitroleid, $u8->id, context_course::instance($c2->id)->id);
// Should get C1 by the default user role override, no other courses because the prohibit cannot be overridden.
$courses = get_user_capability_course($cap, $u8->id, true, '', 'id');
$this->assert_course_ids([$c1->id], $courses);
// Admin user gets everything....
$courses = get_user_capability_course($cap, get_admin()->id, true, '', 'id');
$this->assert_course_ids([SITEID, $c1->id, $c2->id, $c3->id, $c4->id, $c5->id, $c6->id],