New permissions evaluation in 2.0

Jump to: navigation, search
New permissions evaluation
Project state Implemented
Tracker issue MDL-21710
Discussion n/a
Assignee Petr Škoda (škoďák)

Moodle 2.0


Goals

The main goals are to:

  1. replace current confusing permission evaluation
  2. improve performance
  3. enable improvements in permission overriding UI

Permission evaluation algorithm

  1. find all roles with given capability used in definition or override
  2. evaluate permissions in given context for each role separately (going from bottom to top in context tree, first found wins unless there is a CAP_PROHIBIT on any level above)
  3. user has capability if he/she has at least one role which evaluated to CAP_ALLOW and at the same time no role which was evaluated to CAP_PROHIBIT

Allowed_roles.png

Performance improvements

has_capability() and get_users_by_capability() uses fixed number of queries. The result could be returned as sql query instead of database records.

Backwards compatibility

The only potential problem is CAP_PREVENT in overrides when user has several conflicting roles. Originally this was highlighted as a special feature, unfortunately it was in fact the main source of confusion.

See also