Note: This article is a work in progress. Please use the page comments or an appropriate moodle.org forum for any recommendations/suggestions for improvement.

Moodle 2.0

Goals

The main goals are:

1. replace current confusing permission evaluation
2. improve performance
3. enable improvements in permission overriding UI

Permission evaluation algorithm

1. find all roles with given capability used in definition or override
2. evaluate permissions in given context for each role separately (going from bottom to top in context tree, first found wins unless there is a CAP_PROHIBIT on any level)
3. user has capability if he/she has at least one role which evaluated to CAP_ALLOW and at the same time no role which was evaluated to CAP_PROHIBIT

http://tracker.moodle.org/secure/attachment/19670/Allowed_roles.png

Performance improvements

has_capability() and get_users_by_capability() uses fixed number of queries. The result could be returned as sql query instead of database records.

Backwards compatibility

The only potential problem is CAP_PREVENT in overrides when user has several conflicting roles. Originally this was highlighted as a special feature, unfortunately it was in fact the major source of confusion.

See also

• Development:Enrolment rewrite and role tweaks proposal
• Development:New permission overriding UI
• Development:Role overrides revisited