New permissions evaluation in 2.0: Difference between revisions
From MoodleDocs
No edit summary |
(Fixing links to dev pages) |
||
| Line 28: | Line 28: | ||
=See also= | =See also= | ||
* [[ | * [[Enrolment rewrite and role tweaks proposal]] | ||
* [[ | * [[Role overrides revisited]] | ||
* [[New permission overriding UI]] | * [[New permission overriding UI]] | ||
* [[Role archetypes]] | * [[Role archetypes]] | ||
Revision as of 07:46, 21 September 2011
| New permissions evaluation | |
|---|---|
| Project state | Implemented |
| Tracker issue | MDL-21710 |
| Discussion | n/a |
| Assignee | Petr Škoda (škoďák) |
Moodle 2.0
Goals
The main goals are:
- replace current confusing permission evaluation
- improve performance
- enable improvements in permission overriding UI
Permission evaluation algorithm
- find all roles with given capability used in definition or override
- evaluate permissions in given context for each role separately (going from bottom to top in context tree, first found wins unless there is a CAP_PROHIBIT on any level)
- user has capability if he/she has at least one role which evaluated to CAP_ALLOW and at the same time no role which was evaluated to CAP_PROHIBIT
http://tracker.moodle.org/secure/attachment/19672/Allowed_roles.png
Performance improvements
has_capability() and get_users_by_capability() uses fixed number of queries. The result could be returned as sql query instead of database records.
Backwards compatibility
The only potential problem is CAP_PREVENT in overrides when user has several conflicting roles. Originally this was highlighted as a special feature, unfortunately it was in fact the major source of confusion.
