/**
* Constructor.
*
* This method loads loads all the information about the current state of
* the overrides, then updates that based on any submitted data. It also
* works out which capabilities should be locked for this user.
*
* @param object $context the context this table relates to.
* @param integer $roleid the role being overridden.
* @param boolean $safeoverridesonly If true, the user is only allowed to override
* capabilities with no risks.
*/
public function __construct($context, $roleid, $safeoverridesonly)
{
parent::__construct($context, 'overriderolestable', $roleid);
$this->displaypermissions = $this->allpermissions;
$this->strnotset = get_string('notset', 'core_role');
// Determine which capabilities should be locked.
if ($safeoverridesonly) {
foreach ($this->capabilities as $capid => $cap) {
if (!is_safe_capability($cap)) {
$this->capabilities[$capid]->locked = true;
$this->haslockedcapabilities = true;
}
}
}
}
$PAGE->set_heading(get_string('frontpage', 'admin'));
} else {
$PAGE->set_heading($course->fullname);
}
break;
case CONTEXT_MODULE:
$PAGE->set_heading($context->get_context_name(false));
$PAGE->set_cacheable(false);
break;
case CONTEXT_BLOCK:
$PAGE->set_heading($PAGE->course->fullname);
break;
}
// Handle confirmations and actions.
// We have a capability and overrides are allowed or safe overrides are allowed and this is safe.
if ($capability && ($allowoverrides || $allowsafeoverrides && is_safe_capability($capability))) {
// If we already know the the role ID, it is overrideable, and we are setting prevent or unprohibit.
if (isset($overridableroles[$roleid]) && ($prevent || $unprohibit)) {
// We are preventing.
if ($prevent) {
if ($confirm && data_submitted() && confirm_sesskey()) {
role_change_permission($roleid, $context, $capability->name, CAP_PREVENT);
redirect($PAGE->url);
} else {
$a = (object) array('cap' => get_capability_docs_link($capability) . " ({$capability->name})", 'role' => $overridableroles[$roleid], 'context' => $contextname);
$message = get_string('confirmroleprevent', 'core_role', $a);
$continueurl = new moodle_url($PAGE->url, array('contextid' => $context->id, 'roleid' => $roleid, 'capability' => $capability->name, 'prevent' => 1, 'sesskey' => sesskey(), 'confirm' => 1));
}
}
// We are unprohibiting.
if ($unprohibit) {
require_sesskey();
$OUTPUT->header();
list($overridableroles, $overridecounts, $nameswithcounts) = get_overridable_roles($context, ROLENAME_BOTH, true);
if ($getroles) {
echo json_encode($overridableroles);
die;
}
$capability = required_param('capability', PARAM_CAPABILITY);
$roleid = required_param('roleid', PARAM_INT);
$action = required_param('action', PARAM_ALPHA);
$capability = $DB->get_record('capabilities', array('name' => $capability), '*', MUST_EXIST);
if (!isset($overridableroles[$roleid])) {
throw new moodle_exception('invalidarguments');
}
if (!has_capability('moodle/role:override', $context)) {
if (!has_capability('moodle/role:safeoverride', $context) || !is_safe_capability($capability)) {
require_capability('moodle/role:override', $context);
}
}
switch ($action) {
case 'allow':
role_change_permission($roleid, $context, $capability->name, CAP_ALLOW);
break;
case 'prevent':
role_change_permission($roleid, $context, $capability->name, CAP_PREVENT);
break;
case 'prohibit':
role_change_permission($roleid, $context, $capability->name, CAP_PROHIBIT);
break;
case 'unprohibit':
role_change_permission($roleid, $context, $capability->name, CAP_INHERIT);
/**
* Test capability riskiness.
*/
public function test_is_safe_capability()
{
global $DB;
// Note: there is not much to test, just make sure no notices are throw for the most dangerous cap.
$capability = $DB->get_record('capabilities', array('name' => 'moodle/site:config'), '*', MUST_EXIST);
$this->assertFalse(is_safe_capability($capability));
}
protected function add_row_cells($capability)
{
global $OUTPUT, $PAGE;
$context = $this->context;
$contextid = $this->context->id;
$allowoverrides = $this->allowoverrides;
$allowsafeoverrides = $this->allowsafeoverrides;
$overridableroles = $this->overridableroles;
$roles = $this->roles;
list($needed, $forbidden) = get_roles_with_cap_in_context($context, $capability->name);
$neededroles = array();
$forbiddenroles = array();
$allowable = $overridableroles;
$forbitable = $overridableroles;
foreach ($neededroles as $id => $unused) {
unset($allowable[$id]);
}
foreach ($forbidden as $id => $unused) {
unset($allowable[$id]);
unset($forbitable[$id]);
}
foreach ($roles as $id => $name) {
if (isset($needed[$id])) {
$neededroles[$id] = $roles[$id];
if (isset($overridableroles[$id]) and ($allowoverrides or $allowsafeoverrides and is_safe_capability($capability))) {
$preventurl = new moodle_url($PAGE->url, array('contextid' => $contextid, 'roleid' => $id, 'capability' => $capability->name, 'prevent' => 1));
$neededroles[$id] .= $OUTPUT->action_icon($preventurl, new pix_icon('t/delete', get_string('prevent', 'core_role')));
}
}
}
$neededroles = implode(', ', $neededroles);
foreach ($roles as $id => $name) {
if (isset($forbidden[$id]) and ($allowoverrides or $allowsafeoverrides and is_safe_capability($capability))) {
$forbiddenroles[$id] = $roles[$id];
if (isset($overridableroles[$id]) and prohibit_is_removable($id, $context, $capability->name)) {
$unprohibiturl = new moodle_url($PAGE->url, array('contextid' => $contextid, 'roleid' => $id, 'capability' => $capability->name, 'unprohibit' => 1));
$forbiddenroles[$id] .= $OUTPUT->action_icon($unprohibiturl, new pix_icon('t/delete', get_string('delete')));
}
}
}
$forbiddenroles = implode(', ', $forbiddenroles);
if ($allowable and ($allowoverrides or $allowsafeoverrides and is_safe_capability($capability))) {
$allowurl = new moodle_url($PAGE->url, array('contextid' => $contextid, 'capability' => $capability->name, 'allow' => 1));
$neededroles .= '<div class="allowmore">' . $OUTPUT->action_icon($allowurl, new pix_icon('t/add', get_string('allow', 'core_role'))) . '</div>';
}
if ($forbitable and ($allowoverrides or $allowsafeoverrides and is_safe_capability($capability))) {
$prohibiturl = new moodle_url($PAGE->url, array('contextid' => $contextid, 'capability' => $capability->name, 'prohibit' => 1));
$forbiddenroles .= '<div class="prohibitmore">' . $OUTPUT->action_icon($prohibiturl, new pix_icon('t/add', get_string('prohibit', 'core_role'))) . '</div>';
}
$risks = $this->get_risks($capability);
echo '<td>' . $risks . '</td>';
echo '<td>' . $neededroles . '</td>';
echo '<td>' . $forbiddenroles . '</td>';
}
protected function add_row_cells($capability)
{
global $OUTPUT, $PAGE;
$renderer = $PAGE->get_renderer('core');
$adminurl = new moodle_url("/admin/");
$context = $this->context;
$contextid = $this->context->id;
$allowoverrides = $this->allowoverrides;
$allowsafeoverrides = $this->allowsafeoverrides;
$overridableroles = $this->overridableroles;
$roles = $this->roles;
list($needed, $forbidden) = get_roles_with_cap_in_context($context, $capability->name);
$neededroles = array();
$forbiddenroles = array();
$allowable = $overridableroles;
$forbitable = $overridableroles;
foreach ($neededroles as $id => $unused) {
unset($allowable[$id]);
}
foreach ($forbidden as $id => $unused) {
unset($allowable[$id]);
unset($forbitable[$id]);
}
foreach ($roles as $id => $name) {
if (isset($needed[$id])) {
$templatecontext = array("rolename" => $name, "roleid" => $id, "action" => "prevent", "spanclass" => "allowed", "linkclass" => "preventlink", "adminurl" => $adminurl->out(), "imageurl" => "");
if (isset($overridableroles[$id]) and ($allowoverrides or $allowsafeoverrides and is_safe_capability($capability))) {
$templatecontext['imageurl'] = $renderer->pix_url('t/delete');
}
$neededroles[$id] = $renderer->render_from_template('core/permissionmanager_role', $templatecontext);
}
}
$neededroles = implode(' ', $neededroles);
foreach ($roles as $id => $name) {
if (isset($forbidden[$id]) and ($allowoverrides or $allowsafeoverrides and is_safe_capability($capability))) {
$templatecontext = array("rolename" => $name, "roleid" => $id, "action" => "unprohibit", "spanclass" => "forbidden", "linkclass" => "unprohibitlink", "adminurl" => $adminurl->out(), "imageurl" => "");
if (isset($overridableroles[$id]) and prohibit_is_removable($id, $context, $capability->name)) {
$templatecontext['imageurl'] = $renderer->pix_url('t/delete');
}
$forbiddenroles[$id] = $renderer->render_from_template('core/permissionmanager_role', $templatecontext);
}
}
$forbiddenroles = implode(' ', $forbiddenroles);
if ($allowable and ($allowoverrides or $allowsafeoverrides and is_safe_capability($capability))) {
$allowurl = new moodle_url($PAGE->url, array('contextid' => $contextid, 'capability' => $capability->name, 'allow' => 1));
$allowicon = $OUTPUT->action_icon($allowurl, new pix_icon('t/add', get_string('allow', 'core_role')), null, array('class' => 'allowlink', 'data-action' => 'allow'));
$neededroles .= html_writer::div($allowicon, 'allowmore');
}
if ($forbitable and ($allowoverrides or $allowsafeoverrides and is_safe_capability($capability))) {
$prohibiturl = new moodle_url($PAGE->url, array('contextid' => $contextid, 'capability' => $capability->name, 'prohibit' => 1));
$prohibiticon = $OUTPUT->action_icon($prohibiturl, new pix_icon('t/add', get_string('prohibit', 'core_role')), null, array('class' => 'prohibitlink', 'data-action' => 'prohibit'));
$forbiddenroles .= html_writer::div($prohibiticon, 'prohibitmore');
}
$risks = $this->get_risks($capability);
$contents = html_writer::tag('td', $risks, array('class' => 'risks text-nowrap'));
$contents .= html_writer::tag('td', $neededroles, array('class' => 'allowedroles'));
$contents .= html_writer::tag('td', $forbiddenroles, array('class' => 'forbiddenroles'));
return $contents;
}
