Exemple #1
0
/**
 * Get the potential assignees selector for a given context.
 *
 * If this context is a course context, or inside a course context (module or
 * some blocks) then return a core_role_potential_assignees_below_course object. Otherwise
 * return a core_role_potential_assignees_course_and_above.
 *
 * @param context $context a context.
 * @param string $name passed to user selector constructor.
 * @param array $options to user selector constructor.
 * @return user_selector_base an appropriate user selector.
 */
function core_role_get_potential_user_selector(context $context, $name, $options)
{
    $blockinsidecourse = false;
    if ($context->contextlevel == CONTEXT_BLOCK) {
        $parentcontext = $context->get_parent_context();
        $blockinsidecourse = in_array($parentcontext->contextlevel, array(CONTEXT_MODULE, CONTEXT_COURSE));
    }
    if (($context->contextlevel == CONTEXT_MODULE || $blockinsidecourse) && !is_inside_frontpage($context)) {
        $potentialuserselector = new core_role_potential_assignees_below_course('addselect', $options);
    } else {
        $potentialuserselector = new core_role_potential_assignees_course_and_above('addselect', $options);
    }
    return $potentialuserselector;
}
    protected function definition() {
        $mform = $this->_form;

        $mform->addElement('header', 'preferencespage',
                get_string('preferencespage', 'quiz_overview'));

        if (!$this->_customdata['currentgroup']) {
            $studentsstring = get_string('participants');
        } else {
            $a = new stdClass();
            $a->coursestudent = get_string('participants');
            $a->groupname = groups_get_group_name($this->_customdata['currentgroup']);
            if (20 < strlen($a->groupname)) {
                $studentsstring = get_string('studentingrouplong', 'quiz_overview', $a);
            } else {
                $studentsstring = get_string('studentingroup', 'quiz_overview', $a);
            }
        }
        $options = array();
        if (!$this->_customdata['currentgroup']) {
            $options[quiz_attempts_report::ALL_ATTEMPTS] = get_string('optallattempts', 'quiz_overview');
        }
        if ($this->_customdata['currentgroup'] ||
                !is_inside_frontpage($this->_customdata['context'])) {
            $options[quiz_attempts_report::ALL_STUDENTS] =
                    get_string('optallstudents', 'quiz_overview', $studentsstring);
            $options[quiz_attempts_report::STUDENTS_WITH] =
                     get_string('optattemptsonly', 'quiz_overview', $studentsstring);
            $options[quiz_attempts_report::STUDENTS_WITH_NO] =
                    get_string('optnoattemptsonly', 'quiz_overview', $studentsstring);
        }
        $mform->addElement('select', 'attemptsmode',
                get_string('show', 'quiz_overview'), $options);

        $this->definition_inner($mform);

        $mform->addElement('header', 'preferencesuser',
                get_string('preferencesuser', 'quiz_overview'));

        $mform->addElement('text', 'pagesize', get_string('pagesize', 'quiz_overview'));
        $mform->setType('pagesize', PARAM_INT);

        $mform->addElement('submit', 'submitbutton',
                get_string('preferencessave', 'quiz_overview'));
    }
 protected function definition()
 {
     $mform = $this->_form;
     $mform->addElement('header', 'preferencespage', get_string('preferencespage', 'quiz_overview'));
     if (!$this->_customdata['currentgroup']) {
         $studentsstring = get_string('participants');
     } else {
         $a = new stdClass();
         $a->coursestudent = get_string('participants');
         $a->groupname = groups_get_group_name($this->_customdata['currentgroup']);
         if (20 < strlen($a->groupname)) {
             $studentsstring = get_string('studentingrouplong', 'quiz_overview', $a);
         } else {
             $studentsstring = get_string('studentingroup', 'quiz_overview', $a);
         }
     }
     $options = array();
     if (!$this->_customdata['currentgroup']) {
         $options[QUIZ_REPORT_ATTEMPTS_ALL] = get_string('optallattempts', 'quiz_overview');
     }
     if ($this->_customdata['currentgroup'] || !is_inside_frontpage($this->_customdata['context'])) {
         $options[QUIZ_REPORT_ATTEMPTS_ALL_STUDENTS] = get_string('optallstudents', 'quiz_overview', $studentsstring);
         $options[QUIZ_REPORT_ATTEMPTS_STUDENTS_WITH] = get_string('optattemptsonly', 'quiz_overview', $studentsstring);
         $options[QUIZ_REPORT_ATTEMPTS_STUDENTS_WITH_NO] = get_string('optnoattemptsonly', 'quiz_overview', $studentsstring);
     }
     $mform->addElement('select', 'attemptsmode', get_string('show', 'quiz_overview'), $options);
     $showattemptsgrp = array();
     if ($this->_customdata['qmsubselect']) {
         $gm = '<span class="highlight">' . quiz_get_grading_option_name($this->_customdata['quiz']->grademethod) . '</span>';
         $showattemptsgrp[] = $mform->createElement('advcheckbox', 'qmfilter', get_string('showattempts', 'quiz_overview'), get_string('optonlygradedattempts', 'quiz_overview', $gm), null, array(0, 1));
     }
     if (has_capability('mod/quiz:regrade', $this->_customdata['context'])) {
         $showattemptsgrp[] = $mform->createElement('advcheckbox', 'regradefilter', get_string('showattempts', 'quiz_overview'), get_string('optonlyregradedattempts', 'quiz_overview'), null, array(0, 1));
     }
     if ($showattemptsgrp) {
         $mform->addGroup($showattemptsgrp, null, get_string('showattempts', 'quiz_overview'), '<br />', false);
     }
     $mform->addElement('header', 'preferencesuser', get_string('preferencesuser', 'quiz_overview'));
     $mform->addElement('text', 'pagesize', get_string('pagesize', 'quiz_overview'));
     $mform->setType('pagesize', PARAM_INT);
     $mform->addElement('selectyesno', 'detailedmarks', get_string('showdetailedmarks', 'quiz_overview'));
     $mform->addElement('submit', 'submitbutton', get_string('preferencessave', 'quiz_overview'));
 }
Exemple #4
0
 if (!($contextusers = get_role_users($roleid, $context, false, 'u.id, u.firstname, u.lastname, u.email, ra.hidden'))) {
     $contextusers = array();
 }
 $select = "username <> 'guest' AND deleted = 0 AND confirmed = 1";
 $usercount = count_records_select('user', $select) - count($contextusers);
 $searchtext = trim($searchtext);
 if ($searchtext !== '') {
     // Search for a subset of remaining users
     $LIKE = sql_ilike();
     $FULLNAME = sql_fullname();
     $selectsql = " AND ({$FULLNAME} {$LIKE} '%{$searchtext}%' OR email {$LIKE} '%{$searchtext}%') ";
     $select .= $selectsql;
 } else {
     $selectsql = "";
 }
 if ($context->contextlevel > CONTEXT_COURSE && !is_inside_frontpage($context)) {
     // mod or block (or group?)
     /************************************************************************
      *                                                                      *
      * context level is above or equal course context level                 *
      * in this case we pull out all users matching search criteria (if any) *
      *                                                                      *
      * MDL-11324                                                            *
      * a mini get_users_by_capability() call here, this is done instead of  *
      * get_users_by_capability() because                                    *
      * 1) get_users_by_capability() does not deal with searching by name    *
      * 2) exceptions array can be potentially large for large courses       *
      * 3) get_recordset_sql() is more efficient                             *
      *                                                                      *
      ************************************************************************/
     if ($possibleroles = get_roles_with_capability('moodle/course:view', CAP_ALLOW, $context)) {
Exemple #5
0
/**
 * Who has this capability in this context?
 *
 * This can be a very expensive call - use sparingly and keep
 * the results if you are going to need them again soon.
 *
 * Note if $fields is empty this function attempts to get u.*
 * which can get rather large - and has a serious perf impact
 * on some DBs.
 *
 * @param context $context
 * @param string|array $capability - capability name(s)
 * @param string $fields - fields to be pulled. The user table is aliased to 'u'. u.id MUST be included.
 * @param string $sort - the sort order. Default is lastaccess time.
 * @param mixed $limitfrom - number of records to skip (offset)
 * @param mixed $limitnum - number of records to fetch
 * @param string|array $groups - single group or array of groups - only return
 *               users who are in one of these group(s).
 * @param string|array $exceptions - list of users to exclude, comma separated or array
 * @param bool $doanything_ignored not used any more, admin accounts are never returned
 * @param bool $view_ignored - use get_enrolled_sql() instead
 * @param bool $useviewallgroups if $groups is set the return users who
 *               have capability both $capability and moodle/site:accessallgroups
 *               in this context, as well as users who have $capability and who are
 *               in $groups.
 * @return mixed
 */
function get_users_by_capability(context $context, $capability, $fields = '', $sort = '', $limitfrom = '', $limitnum = '', $groups = '', $exceptions = '', $doanything_ignored = null, $view_ignored = null, $useviewallgroups = false)
{
    global $CFG, $DB;
    $defaultuserroleid = isset($CFG->defaultuserroleid) ? $CFG->defaultuserroleid : 0;
    $defaultfrontpageroleid = isset($CFG->defaultfrontpageroleid) ? $CFG->defaultfrontpageroleid : 0;
    $ctxids = trim($context->path, '/');
    $ctxids = str_replace('/', ',', $ctxids);
    // Context is the frontpage
    $iscoursepage = false;
    // coursepage other than fp
    $isfrontpage = false;
    if ($context->contextlevel == CONTEXT_COURSE) {
        if ($context->instanceid == SITEID) {
            $isfrontpage = true;
        } else {
            $iscoursepage = true;
        }
    }
    $isfrontpage = $isfrontpage || is_inside_frontpage($context);
    $caps = (array) $capability;
    // construct list of context paths bottom-->top
    list($contextids, $paths) = get_context_info_list($context);
    // we need to find out all roles that have these capabilities either in definition or in overrides
    $defs = array();
    list($incontexts, $params) = $DB->get_in_or_equal($contextids, SQL_PARAMS_NAMED, 'con');
    list($incaps, $params2) = $DB->get_in_or_equal($caps, SQL_PARAMS_NAMED, 'cap');
    $params = array_merge($params, $params2);
    $sql = "SELECT rc.id, rc.roleid, rc.permission, rc.capability, ctx.path\n              FROM {role_capabilities} rc\n              JOIN {context} ctx on rc.contextid = ctx.id\n             WHERE rc.contextid {$incontexts} AND rc.capability {$incaps}";
    $rcs = $DB->get_records_sql($sql, $params);
    foreach ($rcs as $rc) {
        $defs[$rc->capability][$rc->path][$rc->roleid] = $rc->permission;
    }
    // go through the permissions bottom-->top direction to evaluate the current permission,
    // first one wins (prohibit is an exception that always wins)
    $access = array();
    foreach ($caps as $cap) {
        foreach ($paths as $path) {
            if (empty($defs[$cap][$path])) {
                continue;
            }
            foreach ($defs[$cap][$path] as $roleid => $perm) {
                if ($perm == CAP_PROHIBIT) {
                    $access[$cap][$roleid] = CAP_PROHIBIT;
                    continue;
                }
                if (!isset($access[$cap][$roleid])) {
                    $access[$cap][$roleid] = (int) $perm;
                }
            }
        }
    }
    // make lists of roles that are needed and prohibited in this context
    $needed = array();
    // one of these is enough
    $prohibited = array();
    // must not have any of these
    foreach ($caps as $cap) {
        if (empty($access[$cap])) {
            continue;
        }
        foreach ($access[$cap] as $roleid => $perm) {
            if ($perm == CAP_PROHIBIT) {
                unset($needed[$cap][$roleid]);
                $prohibited[$cap][$roleid] = true;
            } else {
                if ($perm == CAP_ALLOW and empty($prohibited[$cap][$roleid])) {
                    $needed[$cap][$roleid] = true;
                }
            }
        }
        if (empty($needed[$cap]) or !empty($prohibited[$cap][$defaultuserroleid])) {
            // easy, nobody has the permission
            unset($needed[$cap]);
            unset($prohibited[$cap]);
        } else {
            if ($isfrontpage and !empty($prohibited[$cap][$defaultfrontpageroleid])) {
                // everybody is disqualified on the frontapge
                unset($needed[$cap]);
                unset($prohibited[$cap]);
            }
        }
        if (empty($prohibited[$cap])) {
            unset($prohibited[$cap]);
        }
    }
    if (empty($needed)) {
        // there can not be anybody if no roles match this request
        return array();
    }
    if (empty($prohibited)) {
        // we can compact the needed roles
        $n = array();
        foreach ($needed as $cap) {
            foreach ($cap as $roleid => $unused) {
                $n[$roleid] = true;
            }
        }
        $needed = array('any' => $n);
        unset($n);
    }
    /// ***** Set up default fields ******
    if (empty($fields)) {
        if ($iscoursepage) {
            $fields = 'u.*, ul.timeaccess AS lastaccess';
        } else {
            $fields = 'u.*';
        }
    } else {
        if (debugging('', DEBUG_DEVELOPER) && strpos($fields, 'u.*') === false && strpos($fields, 'u.id') === false) {
            debugging('u.id must be included in the list of fields passed to get_users_by_capability().', DEBUG_DEVELOPER);
        }
    }
    /// Set up default sort
    if (empty($sort)) {
        // default to course lastaccess or just lastaccess
        if ($iscoursepage) {
            $sort = 'ul.timeaccess';
        } else {
            $sort = 'u.lastaccess';
        }
    }
    // Prepare query clauses
    $wherecond = array();
    $params = array();
    $joins = array();
    // User lastaccess JOIN
    if (strpos($sort, 'ul.timeaccess') === false and strpos($fields, 'ul.timeaccess') === false) {
        // user_lastaccess is not required MDL-13810
    } else {
        if ($iscoursepage) {
            $joins[] = "LEFT OUTER JOIN {user_lastaccess} ul ON (ul.userid = u.id AND ul.courseid = {$context->instanceid})";
        } else {
            throw new coding_exception('Invalid sort in get_users_by_capability(), ul.timeaccess allowed only for course contexts.');
        }
    }
    /// We never return deleted users or guest account.
    $wherecond[] = "u.deleted = 0 AND u.id <> :guestid";
    $params['guestid'] = $CFG->siteguest;
    /// Groups
    if ($groups) {
        $groups = (array) $groups;
        list($grouptest, $grpparams) = $DB->get_in_or_equal($groups, SQL_PARAMS_NAMED, 'grp');
        $grouptest = "u.id IN (SELECT userid FROM {groups_members} gm WHERE gm.groupid {$grouptest})";
        $params = array_merge($params, $grpparams);
        if ($useviewallgroups) {
            $viewallgroupsusers = get_users_by_capability($context, 'moodle/site:accessallgroups', 'u.id, u.id', '', '', '', '', $exceptions);
            if (!empty($viewallgroupsusers)) {
                $wherecond[] = "({$grouptest} OR u.id IN (" . implode(',', array_keys($viewallgroupsusers)) . '))';
            } else {
                $wherecond[] = "({$grouptest})";
            }
        } else {
            $wherecond[] = "({$grouptest})";
        }
    }
    /// User exceptions
    if (!empty($exceptions)) {
        $exceptions = (array) $exceptions;
        list($exsql, $exparams) = $DB->get_in_or_equal($exceptions, SQL_PARAMS_NAMED, 'exc', false);
        $params = array_merge($params, $exparams);
        $wherecond[] = "u.id {$exsql}";
    }
    // now add the needed and prohibited roles conditions as joins
    if (!empty($needed['any'])) {
        // simple case - there are no prohibits involved
        if (!empty($needed['any'][$defaultuserroleid]) or $isfrontpage and !empty($needed['any'][$defaultfrontpageroleid])) {
            // everybody
        } else {
            $joins[] = "JOIN (SELECT DISTINCT userid\n                                FROM {role_assignments}\n                               WHERE contextid IN ({$ctxids})\n                                     AND roleid IN (" . implode(',', array_keys($needed['any'])) . ")\n                             ) ra ON ra.userid = u.id";
        }
    } else {
        $unions = array();
        $everybody = false;
        foreach ($needed as $cap => $unused) {
            if (empty($prohibited[$cap])) {
                if (!empty($needed[$cap][$defaultuserroleid]) or $isfrontpage and !empty($needed[$cap][$defaultfrontpageroleid])) {
                    $everybody = true;
                    break;
                } else {
                    $unions[] = "SELECT userid\n                                   FROM {role_assignments}\n                                  WHERE contextid IN ({$ctxids})\n                                        AND roleid IN (" . implode(',', array_keys($needed[$cap])) . ")";
                }
            } else {
                if (!empty($prohibited[$cap][$defaultuserroleid]) or $isfrontpage and !empty($prohibited[$cap][$defaultfrontpageroleid])) {
                    // nobody can have this cap because it is prevented in default roles
                    continue;
                } else {
                    if (!empty($needed[$cap][$defaultuserroleid]) or $isfrontpage and !empty($needed[$cap][$defaultfrontpageroleid])) {
                        // everybody except the prohibitted - hiding does not matter
                        $unions[] = "SELECT id AS userid\n                                   FROM {user}\n                                  WHERE id NOT IN (SELECT userid\n                                                     FROM {role_assignments}\n                                                    WHERE contextid IN ({$ctxids})\n                                                          AND roleid IN (" . implode(',', array_keys($prohibited[$cap])) . "))";
                    } else {
                        $unions[] = "SELECT userid\n                                   FROM {role_assignments}\n                                  WHERE contextid IN ({$ctxids})\n                                        AND roleid IN (" . implode(',', array_keys($needed[$cap])) . ")\n                                        AND roleid NOT IN (" . implode(',', array_keys($prohibited[$cap])) . ")";
                    }
                }
            }
        }
        if (!$everybody) {
            if ($unions) {
                $joins[] = "JOIN (SELECT DISTINCT userid FROM ( " . implode(' UNION ', $unions) . " ) us) ra ON ra.userid = u.id";
            } else {
                // only prohibits found - nobody can be matched
                $wherecond[] = "1 = 2";
            }
        }
    }
    // Collect WHERE conditions and needed joins
    $where = implode(' AND ', $wherecond);
    if ($where !== '') {
        $where = 'WHERE ' . $where;
    }
    $joins = implode("\n", $joins);
    /// Ok, let's get the users!
    $sql = "SELECT {$fields}\n              FROM {user} u\n            {$joins}\n            {$where}\n          ORDER BY {$sort}";
    return $DB->get_records_sql($sql, $params, $limitfrom, $limitnum);
}
Exemple #6
0
 /**
  * Handle deleting a block.
  * @return boolean true if anything was done. False if not.
  */
 public function process_url_delete()
 {
     global $CFG, $PAGE, $OUTPUT;
     $blockid = optional_param('bui_deleteid', null, PARAM_INT);
     $confirmdelete = optional_param('bui_confirm', null, PARAM_INT);
     if (!$blockid) {
         return false;
     }
     require_sesskey();
     $block = $this->page->blocks->find_instance($blockid);
     if (!$this->user_can_delete_block($block)) {
         throw new moodle_exception('nopermissions', '', $this->page->url->out(), get_string('deleteablock'));
     }
     if (!$confirmdelete) {
         $deletepage = new moodle_page();
         $deletepage->set_pagelayout('admin');
         $deletepage->set_course($this->page->course);
         $deletepage->set_context($this->page->context);
         if ($this->page->cm) {
             $deletepage->set_cm($this->page->cm);
         }
         $deleteurlbase = str_replace($CFG->wwwroot . '/', '/', $this->page->url->out_omit_querystring());
         $deleteurlparams = $this->page->url->params();
         $deletepage->set_url($deleteurlbase, $deleteurlparams);
         $deletepage->set_block_actions_done();
         // At this point we are either going to redirect, or display the form, so
         // overwrite global $PAGE ready for this. (Formslib refers to it.)
         $PAGE = $deletepage;
         //some functions like MoodleQuickForm::addHelpButton use $OUTPUT so we need to replace that too
         $output = $deletepage->get_renderer('core');
         $OUTPUT = $output;
         $site = get_site();
         $blocktitle = $block->get_title();
         $strdeletecheck = get_string('deletecheck', 'block', $blocktitle);
         $message = get_string('deleteblockcheck', 'block', $blocktitle);
         // If the block is being shown in sub contexts display a warning.
         if ($block->instance->showinsubcontexts == 1) {
             $parentcontext = context::instance_by_id($block->instance->parentcontextid);
             $systemcontext = context_system::instance();
             $messagestring = new stdClass();
             $messagestring->location = $parentcontext->get_context_name();
             // Checking for blocks that may have visibility on the front page and pages added on that.
             if ($parentcontext->id != $systemcontext->id && is_inside_frontpage($parentcontext)) {
                 $messagestring->pagetype = get_string('showonfrontpageandsubs', 'block');
             } else {
                 $pagetypes = generate_page_type_patterns($this->page->pagetype, $parentcontext);
                 $messagestring->pagetype = $block->instance->pagetypepattern;
                 if (isset($pagetypes[$block->instance->pagetypepattern])) {
                     $messagestring->pagetype = $pagetypes[$block->instance->pagetypepattern];
                 }
             }
             $message = get_string('deleteblockwarning', 'block', $messagestring);
         }
         $PAGE->navbar->add($strdeletecheck);
         $PAGE->set_title($blocktitle . ': ' . $strdeletecheck);
         $PAGE->set_heading($site->fullname);
         echo $OUTPUT->header();
         $confirmurl = new moodle_url($deletepage->url, array('sesskey' => sesskey(), 'bui_deleteid' => $block->instance->id, 'bui_confirm' => 1));
         $cancelurl = new moodle_url($deletepage->url);
         $yesbutton = new single_button($confirmurl, get_string('yes'));
         $nobutton = new single_button($cancelurl, get_string('no'));
         echo $OUTPUT->confirm($message, $yesbutton, $nobutton);
         echo $OUTPUT->footer();
         // Make sure that nothing else happens after we have displayed this form.
         exit;
     } else {
         blocks_delete_instance($block->instance);
         // bui_deleteid and bui_confirm should not be in the PAGE url.
         $this->page->ensure_param_not_in_url('bui_deleteid');
         $this->page->ensure_param_not_in_url('bui_confirm');
         return true;
     }
 }
Exemple #7
0
    }
}
/// Check login and permissions.
require_login($course);
$canview = has_any_capability(array('moodle/role:assign', 'moodle/role:safeoverride', 'moodle/role:override', 'moodle/role:manage'), $context);
if (!$canview) {
    print_error('nopermissions', 'error', '', get_string('checkpermissions', 'role'));
}
/// These are needed early because of tabs.php
$assignableroles = get_assignable_roles($context, ROLENAME_BOTH);
$overridableroles = get_overridable_roles($context, ROLENAME_BOTH);
/// Get the user_selector we will need.
/// Teachers within a course just get to see the same list of people they can
/// assign roles to. Admins (people with moodle/role:manage) can run this report for any user.
$options = array('context' => $context, 'roleid' => 0);
if ($context->contextlevel > CONTEXT_COURSE && !is_inside_frontpage($context) && !has_capability('moodle/role:manage', $context)) {
    $userselector = new potential_assignees_below_course('reportuser', $options);
} else {
    $userselector = new potential_assignees_course_and_above('reportuser', $options);
}
$userselector->set_multiselect(false);
$userselector->set_rows(10);
/// Work out an appropriate page title.
$title = get_string('checkpermissionsin', 'role', $contextname);
$straction = get_string('checkpermissions', 'role');
// Used by tabs.php
/// Print the header and tabs
if ($context->contextlevel == CONTEXT_USER) {
    $user = get_record('user', 'id', $userid);
    $fullname = fullname($user, has_capability('moodle/site:viewfullnames', $context));
    /// course header
/**
 * Who has this capability in this context?
 *
 * This can be a very expensive call - use sparingly and keep
 * the results if you are going to need them again soon.
 * 
 * Note if $fields is empty this function attempts to get u.*
 * which can get rather large - and has a serious perf impact
 * on some DBs.
 *
 * @param $context - object
 * @param $capability - string capability, or an array of capabilities, in which
 *               case users having any of those capabilities will be returned.
 *               For performance reasons, you are advised to put the capability
 *               that the user is most likely to have first.
 * @param $fields - fields to be pulled. The user table is aliased to 'u'. u.id MUST be included.
 * @param $sort - the sort order. Default is lastaccess time.
 * @param $limitfrom - number of records to skip (offset)
 * @param $limitnum - number of records to fetch
 * @param $groups - single group or array of groups - only return
 *               users who are in one of these group(s).
 * @param $exceptions - list of users to exclude
 * @param view - set to true when roles are pulled for display only
 *               this is so that we can filter roles with no visible
 *               assignment, for example, you might want to "hide" all
 *               course creators when browsing the course participants
 *               list.
 * @param boolean $useviewallgroups if $groups is set the return users who
 *               have capability both $capability and moodle/site:accessallgroups
 *               in this context, as well as users who have $capability and who are
 *               in $groups.
 */
function get_users_by_capability($context, $capability, $fields = '', $sort = '', $limitfrom = '', $limitnum = '', $groups = '', $exceptions = '', $doanything = true, $view = false, $useviewallgroups = false)
{
    global $CFG;
    $ctxids = substr($context->path, 1);
    // kill leading slash
    $ctxids = str_replace('/', ',', $ctxids);
    // Context is the frontpage
    $isfrontpage = false;
    $iscoursepage = false;
    // coursepage other than fp
    if ($context->contextlevel == CONTEXT_COURSE) {
        if ($context->instanceid == SITEID) {
            $isfrontpage = true;
        } else {
            $iscoursepage = true;
        }
    }
    // What roles/rolecaps are interesting?
    if (is_array($capability)) {
        $caps = "'" . implode("','", $capability) . "'";
        $capabilities = $capability;
    } else {
        $caps = "'" . $capability . "'";
        $capabilities = array($capability);
    }
    if ($doanything === true) {
        $caps .= ",'moodle/site:doanything'";
        $capabilities[] = 'moodle/site:doanything';
        $doanything_join = '';
        $doanything_cond = '';
    } else {
        // This is an outer join against
        // admin-ish roleids. Any row that succeeds
        // in JOINing here ends up removed from
        // the resultset. This means we remove
        // rolecaps from roles that also have
        // 'doanything' capabilities.
        $doanything_join = "LEFT OUTER JOIN (\n                              SELECT DISTINCT rc.roleid\n                              FROM {$CFG->prefix}role_capabilities rc\n                              WHERE rc.capability='moodle/site:doanything'\n                                    AND rc.permission=" . CAP_ALLOW . "\n                                    AND rc.contextid IN ({$ctxids})\n                          ) dar\n                             ON rc.roleid=dar.roleid";
        $doanything_cond = "AND dar.roleid IS NULL";
    }
    // fetch all capability records - we'll walk several
    // times over them, and should be a small set
    $negperm = false;
    // has any negative (<0) permission?
    $roleids = array();
    $sql = "SELECT rc.id, rc.roleid, rc.permission, rc.capability,\n                   ctx.depth AS ctxdepth, ctx.contextlevel AS ctxlevel\n            FROM {$CFG->prefix}role_capabilities rc\n            JOIN {$CFG->prefix}context ctx on rc.contextid = ctx.id\n            {$doanything_join}\n            WHERE rc.capability IN ({$caps}) AND ctx.id IN ({$ctxids})\n                  {$doanything_cond}\n            ORDER BY rc.roleid ASC, ctx.depth ASC";
    if ($capdefs = get_records_sql($sql)) {
        foreach ($capdefs as $rcid => $rc) {
            $roleids[] = (int) $rc->roleid;
            if ($rc->permission < 0) {
                $negperm = true;
            }
        }
    }
    $roleids = array_unique($roleids);
    if (count($roleids) === 0) {
        // noone here!
        return false;
    }
    // is the default role interesting? does it have
    // a relevant rolecap? (we use this a lot later)
    if (in_array((int) $CFG->defaultuserroleid, $roleids, true)) {
        $defaultroleinteresting = true;
    } else {
        $defaultroleinteresting = false;
    }
    // is the default role interesting? does it have
    // a relevant rolecap? (we use this a lot later)
    if (($isfrontpage or is_inside_frontpage($context)) and !empty($CFG->defaultfrontpageroleid) and in_array((int) $CFG->defaultfrontpageroleid, $roleids, true)) {
        if (!empty($CFG->fullusersbycapabilityonfrontpage)) {
            // new in 1.9.6 - full support for defaultfrontpagerole MDL-19039
            $frontpageroleinteresting = true;
        } else {
            // old style 1.9.0-1.9.5 - much faster + fewer negative override problems on frontpage
            $frontpageroleinteresting = $context->contextlevel == CONTEXT_COURSE;
        }
    } else {
        $frontpageroleinteresting = false;
    }
    //
    // Prepare query clauses
    //
    $wherecond = array();
    // Non-deleted users. We never return deleted users.
    $wherecond['nondeleted'] = 'u.deleted = 0';
    /// Groups
    if ($groups) {
        if (is_array($groups)) {
            $grouptest = 'gm.groupid IN (' . implode(',', $groups) . ')';
        } else {
            $grouptest = 'gm.groupid = ' . $groups;
        }
        $grouptest = 'u.id IN (SELECT userid FROM ' . $CFG->prefix . 'groups_members gm WHERE ' . $grouptest . ')';
        if ($useviewallgroups) {
            $viewallgroupsusers = get_users_by_capability($context, 'moodle/site:accessallgroups', 'u.id, u.id', '', '', '', '', $exceptions);
            $wherecond['groups'] = '(' . $grouptest . ' OR u.id IN (' . implode(',', array_keys($viewallgroupsusers)) . '))';
        } else {
            $wherecond['groups'] = '(' . $grouptest . ')';
        }
    }
    /// User exceptions
    if (!empty($exceptions)) {
        $wherecond['userexceptions'] = ' u.id NOT IN (' . $exceptions . ')';
    }
    /// Set up hidden role-assignments sql
    if ($view && !has_capability('moodle/role:viewhiddenassigns', $context)) {
        $condhiddenra = 'AND ra.hidden = 0 ';
        $sscondhiddenra = 'AND ssra.hidden = 0 ';
    } else {
        $condhiddenra = '';
        $sscondhiddenra = '';
    }
    // Collect WHERE conditions
    $where = implode(' AND ', array_values($wherecond));
    if ($where != '') {
        $where = 'WHERE ' . $where;
    }
    /// Set up default fields
    if (empty($fields)) {
        if ($iscoursepage) {
            $fields = 'u.*, ul.timeaccess as lastaccess';
        } else {
            $fields = 'u.*';
        }
    } else {
        if (debugging('', DEBUG_DEVELOPER) && strpos($fields, 'u.*') === false && strpos($fields, 'u.id') === false) {
            debugging('u.id must be included in the list of fields passed to get_users_by_capability.', DEBUG_DEVELOPER);
        }
    }
    /// Set up default sort
    if (empty($sort)) {
        // default to course lastaccess or just lastaccess
        if ($iscoursepage) {
            $sort = 'ul.timeaccess';
        } else {
            $sort = 'u.lastaccess';
        }
    }
    $sortby = $sort ? " ORDER BY {$sort} " : '';
    // User lastaccess JOIN
    if (strpos($sort, 'ul.timeaccess') === FALSE and strpos($fields, 'ul.timeaccess') === FALSE) {
        // user_lastaccess is not required MDL-13810
        $uljoin = '';
    } else {
        $uljoin = "LEFT OUTER JOIN {$CFG->prefix}user_lastaccess ul \n                         ON (ul.userid = u.id AND ul.courseid = {$context->instanceid})";
    }
    //
    // Simple cases - No negative permissions means we can take shortcuts
    //
    if (!$negperm) {
        // at the frontpage, and all site users have it - easy!
        if ($frontpageroleinteresting) {
            return get_records_sql("SELECT {$fields}\n                                    FROM {$CFG->prefix}user u\n                                    WHERE u.deleted = 0\n                                    ORDER BY {$sort}", $limitfrom, $limitnum);
        }
        // all site users have it, anyway
        // TODO: NOT ALWAYS!  Check this case because this gets run for cases like this:
        // 1) Default role has the permission for a module thing like mod/choice:choose
        // 2) We are checking for an activity module context in a course
        // 3) Thus all users are returned even though course:view is also required
        if ($defaultroleinteresting) {
            $sql = "SELECT {$fields}\n                    FROM {$CFG->prefix}user u\n                    {$uljoin}\n                    {$where}\n                    ORDER BY {$sort}";
            return get_records_sql($sql, $limitfrom, $limitnum);
        }
        /// Simple SQL assuming no negative rolecaps.
        /// We use a subselect to grab the role assignments
        /// ensuring only one row per user -- even if they
        /// have many "relevant" role assignments.
        $select = " SELECT {$fields}";
        $from = " FROM {$CFG->prefix}user u\n                    JOIN (SELECT DISTINCT ssra.userid\n                          FROM {$CFG->prefix}role_assignments ssra\n                          WHERE ssra.contextid IN ({$ctxids})\n                                AND ssra.roleid IN (" . implode(',', $roleids) . ")\n                                {$sscondhiddenra}\n                          ) ra ON ra.userid = u.id\n                    {$uljoin} ";
        return get_records_sql($select . $from . $where . $sortby, $limitfrom, $limitnum);
    }
    //
    // If there are any negative rolecaps, we need to
    // work through a subselect that will bring several rows
    // per user (one per RA).
    // Since we cannot do the job in pure SQL (not without SQL stored
    // procedures anyway), we end up tied to processing the data in PHP
    // all the way down to pagination.
    //
    // In some cases, this will mean bringing across a ton of data --
    // when paginating, we have to walk the permisisons of all the rows
    // in the _previous_ pages to get the pagination correct in the case
    // of users that end up not having the permission - this removed.
    //
    // Prepare the role permissions datastructure for fast lookups
    $roleperms = array();
    // each role cap and depth
    foreach ($capdefs as $rcid => $rc) {
        $rid = (int) $rc->roleid;
        $perm = (int) $rc->permission;
        $rcdepth = (int) $rc->ctxdepth;
        if (!isset($roleperms[$rc->capability][$rid])) {
            $roleperms[$rc->capability][$rid] = (object) array('perm' => $perm, 'rcdepth' => $rcdepth);
        } else {
            if ($roleperms[$rc->capability][$rid]->perm == CAP_PROHIBIT) {
                continue;
            }
            // override - as we are going
            // from general to local perms
            // (as per the ORDER BY...depth ASC above)
            // and local perms win...
            $roleperms[$rc->capability][$rid] = (object) array('perm' => $perm, 'rcdepth' => $rcdepth);
        }
    }
    if ($context->contextlevel == CONTEXT_SYSTEM || $frontpageroleinteresting || $defaultroleinteresting) {
        // Handle system / sitecourse / defaultrole-with-perhaps-neg-overrides
        // with a SELECT FROM user LEFT OUTER JOIN against ra -
        // This is expensive on the SQL and PHP sides -
        // moves a ton of data across the wire.
        $ss = "SELECT u.id as userid, ra.roleid,\n                      ctx.depth\n               FROM {$CFG->prefix}user u\n               LEFT OUTER JOIN {$CFG->prefix}role_assignments ra \n                 ON (ra.userid = u.id\n                     AND ra.contextid IN ({$ctxids})\n                     AND ra.roleid IN (" . implode(',', $roleids) . ")\n                     {$condhiddenra})\n               LEFT OUTER JOIN {$CFG->prefix}context ctx\n                 ON ra.contextid=ctx.id\n               WHERE u.deleted=0";
    } else {
        // "Normal complex case" - the rolecaps we are after will
        // be defined in a role assignment somewhere.
        $ss = "SELECT ra.userid as userid, ra.roleid,\n                      ctx.depth\n               FROM {$CFG->prefix}role_assignments ra \n               JOIN {$CFG->prefix}context ctx\n                 ON ra.contextid=ctx.id\n               WHERE ra.contextid IN ({$ctxids})\n                     {$condhiddenra}\n                     AND ra.roleid IN (" . implode(',', $roleids) . ")";
    }
    $select = "SELECT {$fields} ,ra.roleid, ra.depth ";
    $from = "FROM ({$ss}) ra\n               JOIN {$CFG->prefix}user u\n                 ON ra.userid=u.id\n               {$uljoin} ";
    // Each user's entries MUST come clustered together
    // and RAs ordered in depth DESC - the role/cap resolution
    // code depends on this.
    $sort .= ' , ra.userid ASC, ra.depth DESC';
    $sortby .= ' , ra.userid ASC, ra.depth DESC ';
    $rs = get_recordset_sql($select . $from . $where . $sortby);
    //
    // Process the user accounts+RAs, folding repeats together...
    //
    // The processing for this recordset is tricky - to fold
    // the role/perms of users with multiple role-assignments
    // correctly while still processing one-row-at-a-time
    // we need to add a few additional 'private' fields to
    // the results array - so we can treat the rows as a
    // state machine to track the cap/perms and at what RA-depth
    // and RC-depth they were defined.
    //
    // So what we do here is:
    // - loop over rows, checking pagination limits
    // - when we find a new user, if we are in the page add it to the
    //   $results, and start building $ras array with its role-assignments
    // - when we are dealing with the next user, or are at the end of the userlist
    //   (last rec or last in page), trigger the check-permission idiom
    // - the check permission idiom will
    //   - add the default enrolment if needed
    //   - call has_any_capability_from_rarc(), which based on RAs and RCs will return a bool
    //     (should be fairly tight code ;-) )
    // - if the user has permission, all is good, just $c++ (counter)
    // - ...else, decrease the counter - so pagination is kept straight,
    //      and (if we are in the page) remove from the results
    //
    $results = array();
    // pagination controls
    $c = 0;
    $limitfrom = (int) $limitfrom;
    $limitnum = (int) $limitnum;
    //
    // Track our last user id so we know when we are dealing
    // with a new user...
    //
    $lastuserid = 0;
    //
    // In this loop, we
    // $ras: role assignments, multidimensional array
    // treat as a stack - going from local to general
    // $ras = (( roleid=> x, $depth=>y) , ( roleid=> x, $depth=>y))
    //
    while ($user = rs_fetch_next_record($rs)) {
        //error_log(" Record: " . print_r($user,1));
        //
        // Pagination controls
        // Note that we might end up removing a user
        // that ends up _not_ having the rights,
        // therefore rolling back $c
        //
        if ($lastuserid != $user->id) {
            // Did the last user end up with a positive permission?
            if ($lastuserid != 0) {
                if ($frontpageroleinteresting) {
                    // add frontpage role if interesting
                    $ras[] = array('roleid' => $CFG->defaultfrontpageroleid, 'depth' => $context->depth);
                }
                if ($defaultroleinteresting) {
                    // add the role at the end of $ras
                    $ras[] = array('roleid' => $CFG->defaultuserroleid, 'depth' => 1);
                }
                if (has_any_capability_from_rarc($ras, $roleperms, $capabilities)) {
                    $c++;
                } else {
                    // remove the user from the result set,
                    // only if we are 'in the page'
                    if ($limitfrom === 0 || $c >= $limitfrom) {
                        unset($results[$lastuserid]);
                    }
                }
            }
            // Did we hit pagination limit?
            if ($limitnum !== 0 && $c >= $limitfrom + $limitnum) {
                // we are done!
                break;
            }
            // New user setup, and $ras reset
            $lastuserid = $user->id;
            $ras = array();
            if (!empty($user->roleid)) {
                $ras[] = array('roleid' => (int) $user->roleid, 'depth' => (int) $user->depth);
            }
            // if we are 'in the page', also add the rec
            // to the results...
            if ($limitfrom === 0 || $c >= $limitfrom) {
                $results[$user->id] = $user;
                // trivial
            }
        } else {
            // Additional RA for $lastuserid
            $ras[] = array('roleid' => (int) $user->roleid, 'depth' => (int) $user->depth);
        }
    }
    // end while(fetch)
    // Prune last entry if necessary
    if ($lastuserid != 0) {
        if ($frontpageroleinteresting) {
            // add frontpage role if interesting
            $ras[] = array('roleid' => $CFG->defaultfrontpageroleid, 'depth' => $context->depth);
        }
        if ($defaultroleinteresting) {
            // add the role at the end of $ras
            $ras[] = array('roleid' => $CFG->defaultuserroleid, 'depth' => 1);
        }
        if (!has_any_capability_from_rarc($ras, $roleperms, $capabilities)) {
            // remove the user from the result set,
            // only if we are 'in the page'
            if ($limitfrom === 0 || $c >= $limitfrom) {
                if (isset($results[$lastuserid])) {
                    unset($results[$lastuserid]);
                }
            }
        }
    }
    return $results;
}