This architecture allows for the creation of different roles, each with assignable capabilities. A role is a list of the capabilities that say what that role is allowed to do. Admins can create site-wide roles beyond the existing standard roles, and "teachers" will also be able to create new roles within their own courses (though only roles with less power than they have). People can be assigned to one or more roles at the site level or the course level.
Add database tables
1. 'role'
| Field name | Description | Field Type |
|---|---|---|
| id | unique record id | int |
| name | short name of role (no spaces) | varchar |
| fullname | full name of role | text |
| description | description of role | text |
| timemodified | timestamp | int |
| sortorder | | int |
| courseid | id from course table | int |
| userid | id from user table - last modifier of role | int |

Notes:
- Roles will be created on a per-course basis. However, any roles with courseid=1 (site course) will be available to all courses.
- Language strings will be retained for the 6 reserved roles. Other roles may use the HTML <lang> tag syntax within the 'fullname' field for multilingual support, e.g.
    <lang lang="en">dog</lang><lang lang="de">hund</lang><lang lang="ma">kuri</lang>
- Course participant listings will be ordered by sortorder. However, site roles will be listed before course roles.
Recommendation: use 1 - 1000 for site roles; use 1000+ for course roles
2. role_capabilities
| Field name | Description | Field Type |
|---|---|---|
| id | unique record id | int |
| module | name of the module (no spaces) | varchar |
| capability | name of capability (no spaces) | varchar |

Notes:
- This table is primarily maintained by module code
- The following API functions will be added for modules to use.
    add_capability ( $module, $capability )
    remove_capability ( $module, $capability )
These functions will modify the 'role_capabilities' and 'role_allocations' tables.
- String files will need to have names for the capabilities. Recommended format: prefix capability name in language string with 'cap'
3. role_allocations
| Field name | Description | Field Type |
|---|---|---|
| id | unique record id | int |
| roleid | id from role table | int |
| capabilitiesid | id from role_capabilities table | int |

Notes:
- This is not a flag table. Entries are only for capabilities that exist for a role.
4. role_users
| Field name | Description | Field Type |
|---|---|---|
| id | unique record id | int |
| userid | id from user table | int |
| courseid | id from courses table | int |
| roleid | id from role table | int |
| timestart | timestamp | int |
| timeend | timestamp | int |
| timemodified | timestamp | int |
| assignerid | id from user table - who assigned the role | int |

Notes:
- Users can potentially have multiple roles
- This table will be primarily filled in by enrolment plug-ins or manually entered by users who have an 'assign roles' capability.
Amend database tables
- course
new field 'default_role' - this is what is given to people who self enrol.
Remove database tables
- user_coursecreators
- user_students
- user_teachers
New Functions
- require_capability ( $module, $capability, $courseid )
    function require_capability ( $module, $capability, $courseid ) {
        global $USER;
        // The capability key is "module_capability"; admins pass every check.
        return ( isset ($USER->capabilities["{$module}_{$capability}"][$courseid]) or isadmin () );
    }
The core function of the new system.
If asked for a capability that doesn't exist then return false. This should never happen as the module code maintains both the 'role_capabilities' table and the calls to require_capability.
- user_possesses_role_capabilities ( $role, $courseid )
returns true if a user possesses all the capabilities of the given role, false otherwise
Amended Functions
- isteacher ( $courseid, $userid, $includeadmin )
- isstudent ( $courseid, $userid )
- isguest ( $userid )
Deprecated Functions
- isteacheredit ( $courseid, $userid )
- iscreator ($userid )
Other Changes
- course/loginas.php
Capabilities in the $USER variable need to be 'AND'ed between the real user and the pseudo-user. This prevents the real user from attaining any extra capabilities, while limiting their experience to the pseudo-user's capabilities.
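The 'AND' described above, as an added example that is not Moodle code: it intersects two capability maps in the `$USER->capabilities` layout this page defines. The function name, the `$realisadmin` parameter and the sample data are assumptions of this sketch.

```php
<?php
// Added example, not Moodle code. Maps use the page's layout:
// $caps['module_capability'][$courseid] is set when the capability is held.

/**
 * Capabilities for a login-as session: entries held by BOTH users.
 * $realisadmin is an assumption of this sketch: an admin is tested against
 * user_admin rather than the map, so the pseudo-user's map is the ceiling.
 */
function loginas_capabilities(array $real, array $pseudo, bool $realisadmin = false): array {
    if ($realisadmin) {
        return $pseudo;
    }
    $effective = [];
    foreach ($pseudo as $capname => $courses) {
        if (!isset($real[$capname])) {
            continue; // the real user lacks this capability in every course
        }
        // Keep only the course ids present in both maps.
        $shared = array_intersect_key($courses, $real[$capname]);
        if ($shared) {
            $effective[$capname] = $shared;
        }
    }
    return $effective;
}

// Constructed sample data.
$teacher = [
    'forum_rate' => [5 => true, 7 => true],
    'quiz_grade' => [5 => true],              // held by the teacher only
];
$student = [
    'forum_post' => [5 => true],              // held by the student only
    'forum_rate' => [5 => true, 9 => true],   // course 9 is not shared
];

var_export(loginas_capabilities($teacher, $student));
```

Because require_capability as written on this page also returns true whenever isadmin() does, the intersection only constrains an admin's login-as session if isadmin() evaluates to false for that session.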
Global User Variable
Capabilities for a user will be initialised with the global $USER variable. The format will be as follows:
    $USER->capabilities[ module_capability ][ course_id ]
where 'module_capability' is a concatenation of the respective fields in the 'role_capabilities' table, joined by an underscore.
Reserved role names
- user
- admin
- teacher
- teacheredit
- student
- creator
- guest
The role of teacheredit is for backward compatibility.
The user_admin table will remain and the role of admin will be tested against this table only. When testing a capability, the admin will always return true.
All users on the site will have the 'user' role. This will allow the admin to assign capabilities which apply to everyone on the site. For example, the 'edit own profile' capability in the moodle module. The courseid field will be set to 0 in the 'role' table. The 'timestart' and 'timeend' fields may be used to limit user access to the site.
Administration pages
Remove:
- Assign Teachers
- Assign Creators
Add:
- Edit Role
When creating a role, a user can only assign capabilities they already possess. Capabilities they do not possess will be displayed but will be disabled.
The moodle module capabilities will only appear when editing site roles.
- Assign Role
By Roles By Users
A user with the 'assign roles' capability can only assign roles for which they possess all the capabilities. Other roles will not be displayed. However, a user with the 'assign roles' capability can remove roles for which they do not possess all the capabilities.
The courses available in the select box will be determined by the courses in which the user has the 'assign roles' capability. Only roles available to this course will be used (and also confined by the restriction above).
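The Edit Role and Assign Role restrictions both reduce to a per-course subset check. This is an added example, not Moodle code; it takes the capability map as an argument instead of reading the global $USER, leaves out the admin bypass, and the capability name `moodle_assignroles`, the function names and all data are assumptions.

```php
<?php
// Added example, not Moodle code. All data below is constructed.

// roleid => capabilities allocated to that role, written 'module_capability'
// (role_allocations joined to role_capabilities).
$rolecaps = [
    10 => ['forum_post'],
    11 => ['forum_post', 'forum_rate'],
    12 => ['forum_post', 'forum_rate', 'quiz_grade'],
];
// Hypothetical name for the page's 'assign roles' capability.
const CAP_ASSIGN = 'moodle_assignroles';

// True only if every capability of the role is held in this course.
function possesses_all(array $usercaps, array $caps, int $courseid): bool {
    foreach ($caps as $capname) {
        if (!isset($usercaps[$capname][$courseid])) {
            return false;
        }
    }
    return true;
}

// Assign Role page: role ids the user may assign in $courseid.
function assignable_roles(array $usercaps, array $rolecaps, int $courseid): array {
    if (!isset($usercaps[CAP_ASSIGN][$courseid])) {
        return []; // 'assign roles' is itself scoped to a course
    }
    return array_keys(array_filter($rolecaps, function ($caps) use ($usercaps, $courseid) {
        return possesses_all($usercaps, $caps, $courseid);
    }));
}

// Edit Role page: capname => whether the checkbox is enabled for this editor.
function editable_capabilities(array $usercaps, array $allcaps, int $courseid): array {
    $enabled = [];
    foreach ($allcaps as $capname) {
        $enabled[$capname] = isset($usercaps[$capname][$courseid]);
    }
    return $enabled;
}

$tutor = [CAP_ASSIGN => [5 => true], 'forum_post' => [5 => true, 7 => true], 'forum_rate' => [5 => true]];
var_export(assignable_roles($tutor, $rolecaps, 5));
var_export(assignable_roles($tutor, $rolecaps, 7));
var_export(editable_capabilities($tutor, ['forum_post', 'quiz_grade'], 5));
```

Hiding roles and disabling checkboxes is presentation only; the same checks have to run again when the form is submitted.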