/** * Constructor. * * This method loads loads all the information about the current state of * the overrides, then updates that based on any submitted data. It also * works out which capabilities should be locked for this user. * * @param object $context the context this table relates to. * @param integer $roleid the role being overridden. * @param boolean $safeoverridesonly If true, the user is only allowed to override * capabilities with no risks. */ public function __construct($context, $roleid, $safeoverridesonly) { parent::__construct($context, 'overriderolestable', $roleid); $this->displaypermissions = $this->allpermissions; $this->strnotset = get_string('notset', 'core_role'); // Determine which capabilities should be locked. if ($safeoverridesonly) { foreach ($this->capabilities as $capid => $cap) { if (!is_safe_capability($cap)) { $this->capabilities[$capid]->locked = true; $this->haslockedcapabilities = true; } } } }
$PAGE->set_heading(get_string('frontpage', 'admin')); } else { $PAGE->set_heading($course->fullname); } break; case CONTEXT_MODULE: $PAGE->set_heading($context->get_context_name(false)); $PAGE->set_cacheable(false); break; case CONTEXT_BLOCK: $PAGE->set_heading($PAGE->course->fullname); break; } // Handle confirmations and actions. // We have a capability and overrides are allowed or safe overrides are allowed and this is safe. if ($capability && ($allowoverrides || $allowsafeoverrides && is_safe_capability($capability))) { // If we already know the the role ID, it is overrideable, and we are setting prevent or unprohibit. if (isset($overridableroles[$roleid]) && ($prevent || $unprohibit)) { // We are preventing. if ($prevent) { if ($confirm && data_submitted() && confirm_sesskey()) { role_change_permission($roleid, $context, $capability->name, CAP_PREVENT); redirect($PAGE->url); } else { $a = (object) array('cap' => get_capability_docs_link($capability) . " ({$capability->name})", 'role' => $overridableroles[$roleid], 'context' => $contextname); $message = get_string('confirmroleprevent', 'core_role', $a); $continueurl = new moodle_url($PAGE->url, array('contextid' => $context->id, 'roleid' => $roleid, 'capability' => $capability->name, 'prevent' => 1, 'sesskey' => sesskey(), 'confirm' => 1)); } } // We are unprohibiting. if ($unprohibit) {
require_sesskey(); $OUTPUT->header(); list($overridableroles, $overridecounts, $nameswithcounts) = get_overridable_roles($context, ROLENAME_BOTH, true); if ($getroles) { echo json_encode($overridableroles); die; } $capability = required_param('capability', PARAM_CAPABILITY); $roleid = required_param('roleid', PARAM_INT); $action = required_param('action', PARAM_ALPHA); $capability = $DB->get_record('capabilities', array('name' => $capability), '*', MUST_EXIST); if (!isset($overridableroles[$roleid])) { throw new moodle_exception('invalidarguments'); } if (!has_capability('moodle/role:override', $context)) { if (!has_capability('moodle/role:safeoverride', $context) || !is_safe_capability($capability)) { require_capability('moodle/role:override', $context); } } switch ($action) { case 'allow': role_change_permission($roleid, $context, $capability->name, CAP_ALLOW); break; case 'prevent': role_change_permission($roleid, $context, $capability->name, CAP_PREVENT); break; case 'prohibit': role_change_permission($roleid, $context, $capability->name, CAP_PROHIBIT); break; case 'unprohibit': role_change_permission($roleid, $context, $capability->name, CAP_INHERIT);
/** * Test capability riskiness. */ public function test_is_safe_capability() { global $DB; // Note: there is not much to test, just make sure no notices are throw for the most dangerous cap. $capability = $DB->get_record('capabilities', array('name' => 'moodle/site:config'), '*', MUST_EXIST); $this->assertFalse(is_safe_capability($capability)); }
protected function add_row_cells($capability) { global $OUTPUT, $PAGE; $context = $this->context; $contextid = $this->context->id; $allowoverrides = $this->allowoverrides; $allowsafeoverrides = $this->allowsafeoverrides; $overridableroles = $this->overridableroles; $roles = $this->roles; list($needed, $forbidden) = get_roles_with_cap_in_context($context, $capability->name); $neededroles = array(); $forbiddenroles = array(); $allowable = $overridableroles; $forbitable = $overridableroles; foreach ($neededroles as $id => $unused) { unset($allowable[$id]); } foreach ($forbidden as $id => $unused) { unset($allowable[$id]); unset($forbitable[$id]); } foreach ($roles as $id => $name) { if (isset($needed[$id])) { $neededroles[$id] = $roles[$id]; if (isset($overridableroles[$id]) and ($allowoverrides or $allowsafeoverrides and is_safe_capability($capability))) { $preventurl = new moodle_url($PAGE->url, array('contextid' => $contextid, 'roleid' => $id, 'capability' => $capability->name, 'prevent' => 1)); $neededroles[$id] .= $OUTPUT->action_icon($preventurl, new pix_icon('t/delete', get_string('prevent', 'core_role'))); } } } $neededroles = implode(', ', $neededroles); foreach ($roles as $id => $name) { if (isset($forbidden[$id]) and ($allowoverrides or $allowsafeoverrides and is_safe_capability($capability))) { $forbiddenroles[$id] = $roles[$id]; if (isset($overridableroles[$id]) and prohibit_is_removable($id, $context, $capability->name)) { $unprohibiturl = new moodle_url($PAGE->url, array('contextid' => $contextid, 'roleid' => $id, 'capability' => $capability->name, 'unprohibit' => 1)); $forbiddenroles[$id] .= $OUTPUT->action_icon($unprohibiturl, new pix_icon('t/delete', get_string('delete'))); } } } $forbiddenroles = implode(', ', $forbiddenroles); if ($allowable and ($allowoverrides or $allowsafeoverrides and is_safe_capability($capability))) { $allowurl = new moodle_url($PAGE->url, array('contextid' => $contextid, 'capability' => $capability->name, 'allow' => 1)); $neededroles .= '<div class="allowmore">' . $OUTPUT->action_icon($allowurl, new pix_icon('t/add', get_string('allow', 'core_role'))) . '</div>'; } if ($forbitable and ($allowoverrides or $allowsafeoverrides and is_safe_capability($capability))) { $prohibiturl = new moodle_url($PAGE->url, array('contextid' => $contextid, 'capability' => $capability->name, 'prohibit' => 1)); $forbiddenroles .= '<div class="prohibitmore">' . $OUTPUT->action_icon($prohibiturl, new pix_icon('t/add', get_string('prohibit', 'core_role'))) . '</div>'; } $risks = $this->get_risks($capability); echo '<td>' . $risks . '</td>'; echo '<td>' . $neededroles . '</td>'; echo '<td>' . $forbiddenroles . '</td>'; }
protected function add_row_cells($capability) { global $OUTPUT, $PAGE; $renderer = $PAGE->get_renderer('core'); $adminurl = new moodle_url("/admin/"); $context = $this->context; $contextid = $this->context->id; $allowoverrides = $this->allowoverrides; $allowsafeoverrides = $this->allowsafeoverrides; $overridableroles = $this->overridableroles; $roles = $this->roles; list($needed, $forbidden) = get_roles_with_cap_in_context($context, $capability->name); $neededroles = array(); $forbiddenroles = array(); $allowable = $overridableroles; $forbitable = $overridableroles; foreach ($neededroles as $id => $unused) { unset($allowable[$id]); } foreach ($forbidden as $id => $unused) { unset($allowable[$id]); unset($forbitable[$id]); } foreach ($roles as $id => $name) { if (isset($needed[$id])) { $templatecontext = array("rolename" => $name, "roleid" => $id, "action" => "prevent", "spanclass" => "allowed", "linkclass" => "preventlink", "adminurl" => $adminurl->out(), "imageurl" => ""); if (isset($overridableroles[$id]) and ($allowoverrides or $allowsafeoverrides and is_safe_capability($capability))) { $templatecontext['imageurl'] = $renderer->pix_url('t/delete'); } $neededroles[$id] = $renderer->render_from_template('core/permissionmanager_role', $templatecontext); } } $neededroles = implode(' ', $neededroles); foreach ($roles as $id => $name) { if (isset($forbidden[$id]) and ($allowoverrides or $allowsafeoverrides and is_safe_capability($capability))) { $templatecontext = array("rolename" => $name, "roleid" => $id, "action" => "unprohibit", "spanclass" => "forbidden", "linkclass" => "unprohibitlink", "adminurl" => $adminurl->out(), "imageurl" => ""); if (isset($overridableroles[$id]) and prohibit_is_removable($id, $context, $capability->name)) { $templatecontext['imageurl'] = $renderer->pix_url('t/delete'); } $forbiddenroles[$id] = $renderer->render_from_template('core/permissionmanager_role', $templatecontext); } } $forbiddenroles = implode(' ', $forbiddenroles); if ($allowable and ($allowoverrides or $allowsafeoverrides and is_safe_capability($capability))) { $allowurl = new moodle_url($PAGE->url, array('contextid' => $contextid, 'capability' => $capability->name, 'allow' => 1)); $allowicon = $OUTPUT->action_icon($allowurl, new pix_icon('t/add', get_string('allow', 'core_role')), null, array('class' => 'allowlink', 'data-action' => 'allow')); $neededroles .= html_writer::div($allowicon, 'allowmore'); } if ($forbitable and ($allowoverrides or $allowsafeoverrides and is_safe_capability($capability))) { $prohibiturl = new moodle_url($PAGE->url, array('contextid' => $contextid, 'capability' => $capability->name, 'prohibit' => 1)); $prohibiticon = $OUTPUT->action_icon($prohibiturl, new pix_icon('t/add', get_string('prohibit', 'core_role')), null, array('class' => 'prohibitlink', 'data-action' => 'prohibit')); $forbiddenroles .= html_writer::div($prohibiticon, 'prohibitmore'); } $risks = $this->get_risks($capability); $contents = html_writer::tag('td', $risks, array('class' => 'risks text-nowrap')); $contents .= html_writer::tag('td', $neededroles, array('class' => 'allowedroles')); $contents .= html_writer::tag('td', $forbiddenroles, array('class' => 'forbiddenroles')); return $contents; }