lang/en_utf8/help/permissions.html

   1 <h1>Permissions</h1>
   2
   3 <p>
   4 Permissions are the settings that you grant for specific capabilities.
   5 </p>
   6
   7 <p>
   8 For example, one capability is "Start new discussions" (in forums).
   9 </p>
  10
  11 <p>
  12 In each role, you can choose to set the permission for such a capability
  13 to one of four values:
  14 <dl>
  15 <dt>NOT SET</dt>
  16 <dd>This is the default setting, generally.  It's a neutral setting that
  17     means "use whatever setting the user already had".   If a role
  18     gets assigned to someone (eg in a course) that has this permission for
  19     a capability, then the actual permission they'll have will just be
  20     the same as they already had at higher-level contexts (eg categories
  21     or site level).  Ultimately, if permission is never allowed at any
  22     level, then the user will have no permission for that capability.
  23     </dd>
  24
  25 <dt>ALLOW</dt>
  26 <dd>By choosing this you are granting permission for this capability
  27     to people who are assigned this role.  This permission applies
  28     for the context that this role gets assigned plus all "lower"
  29     contexts.  For example, if this role is a student role assigned
  30     to a course, then students will be able to "start new discussions"
  31     in all forums in that course, UNLESS some forum contains an
  32     override or a new assignment with a Prevent or Prohibit value
  33     for this capability.</dd>
  34
  35 <dt>PREVENT</dt>
  36 <dd>By choosing this you are removing permission for this capability,
  37     even if the users with this role were allowed that permission in
  38     a higher context.</dd>
  39
  40 <dt>PROHIBIT</dt>
  41 <dd>This is rarely needed, but occasionally you might want to completely
  42     deny permissions to a role in a way that can NOT be overridden at
  43     any lower context.  A good example of when you might need this is
  44     when an admin wants to prohibit one person from starting new
  45     discussions in any forum on the whole site.   In this case they
  46     can create a role with that capability set to "Prohibit" and then
  47     assign it to that user in the site context.
  48   </dd>
  49
  50 </dl>
  51 </p>
  52
  53 <h1>Conflict resolution of permissions</h1>
  54
  55 <p> Permissions at a "lower" context will generally override
  56     anything at a "higher" context (this applies to overrides
  57     and assigned roles).  The exception is PROHIBIT which can not
  58     be overridden at lower levels.
  59 </p>
  60
  61 <p> If two roles are assigned to a person in the same context, one with
  62     ALLOW and one with PREVENT, which one wins?  In this case, Moodle will
  63     look up the context tree for a "decider".   </p>
  64
  65 <p> For example, a student has two roles in a course, one that allows
  66     them to start new discussions, one that prevents them.  In this case,
  67     we check the categories and the site contexts, looking for another
  68     defined permission to help us decide.  If we don't find one, then
  69     permission is PREVENT by default (because the two settings cancelled
  70     each other out, and thus you have no permission).
  71 </p>
  72
  73 <h1>Special exceptions</h1>
  74
  75 <p> Note that the guest user account will generally be prevented from
  76     posting content (eg forums, calendar entries, blogs) even if it
  77     is given the capability to do so.
  78 </p>
  79
  80
  81 <p>
  82 See also
  83 <a href="help.php?file=roles.html">Roles</a>,
  84 <a href="help.php?file=contexts.html">Contexts</a>,
  85 <a href="help.php?file=assignroles.html">Assign Roles</a> and
  86 <a href="help.php?file=overrides.html">Overrides</a>.
  87 </p>