From: skodak <skodak>
Date: Mon, 5 Mar 2007 11:27:01 +0000 (+0000)
Subject: MDL-8524 general roles cleanup; MDL-8373 authenticated user role now created during... 
X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=efe12f6c229f67c5c2395182848190d198be2156;p=moodle.git

MDL-8524 general roles cleanup; MDL-8373 authenticated user role now created during upgrade from 1.7.x, xhtml and CSS cleanup in roles GUI; accesslib inline docs cleanup; risk bitmask fixes
---

diff --git a/admin/roles/allowassign.php b/admin/roles/allowassign.php
index 61626faa94..c871ef421d 100755
--- a/admin/roles/allowassign.php
+++ b/admin/roles/allowassign.php
@@ -80,7 +80,7 @@
 
     echo '<form action="allowassign.php" method="post">';
     print_table($table);
-    echo '<div class="singlebutton"><input type="submit" value="'.get_string('savechanges').'"/></div>';
+    echo '<div class="buttons"><input type="submit" value="'.get_string('savechanges').'"/></div>';
     echo '<input type="hidden" name="dummy" value="1" />'; // this is needed otherwise we do not know a form has been submitted
     echo '</form>';
 
diff --git a/admin/roles/allowoverride.php b/admin/roles/allowoverride.php
index 3db7cb9ccc..3d7e7119f9 100755
--- a/admin/roles/allowoverride.php
+++ b/admin/roles/allowoverride.php
@@ -78,7 +78,7 @@
 
     echo '<form action="allowoverride.php" method="post">';
     print_table($table);
-    echo '<div class="singlebutton"><input type="submit" value="'.get_string('savechanges').'"/></div>';
+    echo '<div class="buttons"><input type="submit" value="'.get_string('savechanges').'"/></div>';
     echo '<input type="hidden" name="dummy" value="1" />'; // this is needed otherwise we do not know a form has been submitted
     echo '</form>';
 
diff --git a/admin/roles/assign.html b/admin/roles/assign.html
index f6f228d1ff..44e1c94d66 100755
--- a/admin/roles/assign.html
+++ b/admin/roles/assign.html
@@ -15,7 +15,7 @@
                   onfocus="getElementById('assignform').add.disabled=true;
                            getElementById('assignform').remove.disabled=false;
                            getElementById('assignform').addselect.selectedIndex=-1;">
-          
+
           <?php
               foreach ($contextusers as $contextuser) {
                   $fullname = fullname($contextuser, true);
diff --git a/admin/roles/assign.php b/admin/roles/assign.php
index 11d1c263cd..9919e94a1e 100755
--- a/admin/roles/assign.php
+++ b/admin/roles/assign.php
@@ -19,7 +19,7 @@
     $timeend        = optional_param('timened', 0, PARAM_INT);
     $userid         = optional_param('userid', 0, PARAM_INT); // needed for user tabs
     $courseid       = optional_param('courseid', 0, PARAM_INT); // needed for user tabs
-    
+
     $errors = array();
 
     $previoussearch = ($searchtext != '') or ($previoussearch) ? 1:0;
@@ -50,9 +50,11 @@
         }
     } else {
         $courseid = SITEID;
-        $course = get_site();
+        $course = clone($SITE);
     }
 
+    require_login($course);
+
     if ($context->contextlevel == CONTEXT_COURSE) {
         require_login($context->instanceid);
     } else {
@@ -61,7 +63,10 @@
 
     require_capability('moodle/role:assign', $context);
 
-    $assignableroles = get_assignable_roles($context);
+/// needed for tabs.php
+    $overridableroles = get_overridable_roles($context);
+    $assignableroles  = get_assignable_roles($context);
+
 /// Get some language strings
 
     $strassignusers = get_string('assignusers', 'role');
@@ -163,7 +168,7 @@
 
             $sitecontext = get_context_instance(CONTEXT_SYSTEM);
             $topleveladmin = false;
-   
+
             // we only worry about this if the role has doanything capability at site level
             if ($context->id == $sitecontext->id && $adminroles = get_roles_with_capability('moodle/site:doanything', CAP_ALLOW, $sitecontext)) {
                 foreach ($adminroles as $adminrole) {
@@ -172,7 +177,7 @@
                     }
                 }
             }
-            
+
             foreach ($frm->removeselect as $removeuser) {
                 $removeuser = clean_param($removeuser, PARAM_INT);
 
@@ -215,7 +220,7 @@
         }
 
         $select  = "username <> 'guest' AND deleted = 0 AND confirmed = 1";
-    
+
         $usercount = count_records_select('user', $select) - count($contextusers);
 
         $searchtext = trim($searchtext);
@@ -227,18 +232,17 @@
             $select  .= " AND ($FULLNAME $LIKE '%$searchtext%' OR email $LIKE '%$searchtext%') ";
         }
 
-        $availableusers = get_recordset_sql('SELECT id, firstname, lastname, email 
-                                               FROM '.$CFG->prefix.'user 
+        $availableusers = get_recordset_sql('SELECT id, firstname, lastname, email
+                                               FROM '.$CFG->prefix.'user
                                               WHERE '.$select.'
                                             ORDER BY lastname ASC, firstname ASC');
 
         /// In the .html file below we loop through these results and exclude any in $contextusers
 
         echo '<div style="text-align:center">'.$strcurrentcontext.': '.print_context_name($context).'<br/>';
-        echo '<label>'.$strroletoassign.'</label>: ';
-        $assignableroles = array('0'=>get_string('listallroles', 'role').'...') + $assignableroles; 
+        $assignableroles = array('0'=>get_string('listallroles', 'role').'...') + $assignableroles;
         popup_form("$CFG->wwwroot/$CFG->admin/roles/assign.php?userid=$userid&amp;courseid=$courseid&amp;contextid=$contextid&amp;roleid=",
-            $assignableroles, 'switchrole', $roleid, '');
+            $assignableroles, 'switchrole', $roleid, '', '', '', false, 'self', $strroletoassign);
         echo '</div>';
 
         print_simple_box_start('center');
diff --git a/admin/roles/manage.html b/admin/roles/manage.html
index 6835d0d812..9a357ac63a 100755
--- a/admin/roles/manage.html
+++ b/admin/roles/manage.html
@@ -20,7 +20,7 @@
 <input type="hidden" name="sesskey" value="<?php p(sesskey()) ?>" />
 <input type="hidden" name="action" value="<?php if ($action != 'view') { echo p($action); } ?>" />
 </fieldset>
-<table cellpadding="9" cellspacing="0" align="center">
+<table class="roledesc" cellpadding="9" cellspacing="0">
 <?php if ($action == 'view') { ?>
     <tr valign="top">
         <td align="right"><?php print_string('name') ?>:</td>
@@ -67,7 +67,7 @@
     $strprohibit = get_string('prohibit','role');
 ?>
 
-<table class="rolecap" align="center">
+<table class="rolecap">
 
 <tr>
 <th class="name" align="left" scope="col"><?php print_string('capability','role') ?></th>
@@ -132,31 +132,31 @@ foreach ($capabilities as $capability) {
     $riskinfo = '<td class="risk managetrust">';
     $rowclasses = '';
     if (RISK_MANAGETRUST & (int)$capability->riskbitmask) {
-        $riskinfo .= '<a target="docspopup" title="'.get_string('riskmanagetrust', 'admin').'" href="'.$CFG->docroot.'/'.$lang.'/'.$strrisks.'">';
+        $riskinfo .= '<a onclick="this.target=\'docspopup\'" title="'.get_string('riskmanagetrust', 'admin').'" href="'.$CFG->docroot.'/'.$lang.'/'.$strrisks.'">';
         $riskinfo .= '<img src="'.$CFG->pixpath.'/i/risk_managetrust.gif" alt="'.get_string('riskmanagetrustshort', 'admin').'" /></a>';
         $rowclasses .= ' riskmanagetrust';
     }
     $riskinfo .= '</td><td class="risk config">';
     if (RISK_CONFIG & (int)$capability->riskbitmask) {
-        $riskinfo .= '<a target="docspopup" title="'.get_string('riskconfig', 'admin').'" href="'.$CFG->docroot.'/'.$lang.'/'.$strrisks.'">';
+        $riskinfo .= '<a onclick="this.target=\'docspopup\'" title="'.get_string('riskconfig', 'admin').'" href="'.$CFG->docroot.'/'.$lang.'/'.$strrisks.'">';
         $riskinfo .= '<img src="'.$CFG->pixpath.'/i/risk_config.gif" alt="'.get_string('riskconfigshort', 'admin').'" /></a>';
         $rowclasses .= ' riskconfig';
     }
     $riskinfo .= '</td><td class="risk xss">';
     if (RISK_XSS & (int)$capability->riskbitmask) {
-        $riskinfo .= '<a target="docspopup" title="'.get_string('riskxss', 'admin').'" href="'.$CFG->docroot.'/'.$lang.'/'.$strrisks.'">';
+        $riskinfo .= '<a onclick="this.target=\'docspopup\'" title="'.get_string('riskxss', 'admin').'" href="'.$CFG->docroot.'/'.$lang.'/'.$strrisks.'">';
         $riskinfo .= '<img src="'.$CFG->pixpath.'/i/risk_xss.gif" alt="'.get_string('riskxssshort', 'admin').'" /></a>';
         $rowclasses .= ' riskxss';
     }
     $riskinfo .= '</td><td class="risk personal">';
     if (RISK_PERSONAL & (int)$capability->riskbitmask) {
-        $riskinfo .= '<a target="docspopup" title="'.get_string('riskpersonal', 'admin').'" href="'.$CFG->docroot.'/'.$lang.'/'.$strrisks.'">';
+        $riskinfo .= '<a onclick="this.target=\'docspopup\'" title="'.get_string('riskpersonal', 'admin').'" href="'.$CFG->docroot.'/'.$lang.'/'.$strrisks.'">';
         $riskinfo .= '<img src="'.$CFG->pixpath.'/i/risk_personal.gif" alt="'.get_string('riskpersonalshort', 'admin').'" /></a>';
         $rowclasses .= ' riskpersonal';
     }
     $riskinfo .= '</td><td class="risk spam">';
     if (RISK_SPAM & (int)$capability->riskbitmask) {
-        $riskinfo .= '<a target="docspopup" title="'.get_string('riskspam', 'admin').'" href="'.$CFG->docroot.'/'.$lang.'/'.$strrisks.'">';
+        $riskinfo .= '<a onclick="this.target=\'docspopup\'" title="'.get_string('riskspam', 'admin').'" href="'.$CFG->docroot.'/'.$lang.'/'.$strrisks.'">';
         $riskinfo .= '<img src="'.$CFG->pixpath.'/i/risk_spam.gif" alt="'.get_string('riskspamshort', 'admin').'" /></a>';
         $rowclasses .= ' riskspam';
     }
@@ -175,7 +175,7 @@ foreach ($capabilities as $capability) {
     ?>
 
         <tr class="rolecap <?php echo $rowclasses; ?>">
-        <td class="name"><span class="cap-desc"><a target="docspopup" href="<?php echo $CFG->docroot.'/'.$lang.'/'.$strcapabilities.'/'.$capability->name ?>"><?php echo get_capability_string($capability->name); ?></a><span class="cap-name"><?php echo $capability->name ?></span></span></td>
+        <td class="name"><span class="cap-desc"><a onclick="this.target='docspopup'" href="<?php echo $CFG->docroot.'/'.$lang.'/'.$strcapabilities.'/'.$capability->name ?>"><?php echo get_capability_string($capability->name); ?></a><span class="cap-name"><?php echo $capability->name ?></span></span></td>
         <td class="inherit <?php echo $isinherit ?>">
           <input type="radio" title="<?php p($strinherit); ?>" name="<?php echo $capability->name; ?>" value="<?php echo CAP_INHERIT ?>" <?php if (!isset($localoverride->permission) || $localoverride->permission==CAP_INHERIT){ echo 'checked="checked"'; }?> <?php echo $disabled; ?>/></td>
         <td class="allow <?php echo $isallow ?>">
diff --git a/admin/roles/manage.php b/admin/roles/manage.php
index 209eafd7e1..960df0bae9 100755
--- a/admin/roles/manage.php
+++ b/admin/roles/manage.php
@@ -15,7 +15,7 @@
     $confirm     = optional_param('confirm', 0, PARAM_BOOL);
     $cancel      = optional_param('cancel', 0, PARAM_BOOL);
 
-    $sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
+    $sitecontext = get_context_instance(CONTEXT_SYSTEM);
 
     require_capability('moodle/role:manage', $sitecontext);
 
@@ -307,24 +307,7 @@
             }
 
             if ($confirm and data_submitted() and confirm_sesskey()) {
-                $legacyroles = get_legacy_roles();
-
-                $defaultcaps = array();
-                foreach($legacyroles as $ltype=>$lcap) {
-                    $localoverride = get_local_override($roleid, $sitecontext->id, $lcap);
-                    if (!empty($localoverride->permission) and $localoverride->permission == CAP_ALLOW) {
-                        //choose first selected legacy capability
-                        $defaultcaps = get_default_capabilities($ltype);
-                        break;
-                    }
-                }
-
-                delete_records('role_capabilities', 'roleid', $roleid);
-                if (!empty($defaultcaps)) {
-                    foreach($defaultcaps as $cap=>$permission) {
-                        assign_capability($cap, $permission, $roleid, $sitecontext->id);
-                    }
-                }
+                reset_role_capabilities($roleid);
                 redirect('manage.php?action=view&amp;roleid='.$roleid);
 
             } else {
@@ -490,7 +473,9 @@
 
         $options = new object();
         $options->action = 'add';
+        echo '<div class="buttons">';
         print_single_button('manage.php', $options, get_string('addrole', 'role'), 'get');
+        echo '</div>';
     }
 
     admin_externalpage_print_footer($adminroot);
diff --git a/admin/roles/managetabs.php b/admin/roles/managetabs.php
index 97b429c0fa..7e2ed9f581 100755
--- a/admin/roles/managetabs.php
+++ b/admin/roles/managetabs.php
@@ -1,6 +1,12 @@
 <?php
 // this page deals with the 2 tabs for manage.php and grant.php
 
+    if (!defined('MOODLE_INTERNAL')) {
+        die('Direct access to this script is forbidden.');    ///  It must be included from a Moodle page
+    }
+
+    $toprow = array();
+
     $toprow[] = new tabobject('manage', $CFG->wwwroot.'/'.$CFG->admin.'/roles/manage.php', get_string('manageroles', 'role'),'', true);
 
     $toprow[] = new tabobject('allowassign', $CFG->wwwroot.'/'.$CFG->admin.'/roles/allowassign.php', get_string('allowassign', 'role'));
diff --git a/admin/roles/override.html b/admin/roles/override.html
index 8a9800bb05..6ccff871df 100755
--- a/admin/roles/override.html
+++ b/admin/roles/override.html
@@ -6,11 +6,13 @@
 ?>
 
 <form id="overrideform" action="override.php" method="post">
+    <fieldset class="invisiblefieldset">
     <input type="hidden" name="contextid" value="<?php p($contextid) ?>" />
     <input type="hidden" name="roleid" value="<?php p($roleid) ?>" />
     <input type="hidden" name="sesskey" value="<?php p(sesskey()) ?>" />
     <input type="hidden" name="userid" value="<?php p($userid) ?>" />
     <input type="hidden" name="courseid" value="<?php p($courseid) ?>" />
+    </fieldset>
 
     <table class="rolecap">
         <tr>
@@ -62,31 +64,31 @@
             $riskinfo = '<td class="risk managetrust">';
             $rowclasses = '';
             if (RISK_MANAGETRUST & (int)$capability->riskbitmask) {
-                $riskinfo .= '<a target="docspopup" title="'.get_string('riskmanagetrust', 'admin').'" href="'.$CFG->docroot.'/'.$lang.'/'.$strrisks.'">';
+                $riskinfo .= '<a onclick="this.target=\'docspopup\'" title="'.get_string('riskmanagetrust', 'admin').'" href="'.$CFG->docroot.'/'.$lang.'/'.$strrisks.'">';
                 $riskinfo .= '<img src="'.$CFG->pixpath.'/i/risk_managetrust.gif" alt="'.get_string('riskmanagetrustshort', 'admin').'" /></a>';
                 $rowclasses .= ' riskmanagetrust';
             }
             $riskinfo .= '</td><td class="risk config">';
             if (RISK_CONFIG & (int)$capability->riskbitmask) {
-                $riskinfo .= '<a target="docspopup" title="'.get_string('riskconfig', 'admin').'" href="'.$CFG->docroot.'/'.$lang.'/'.$strrisks.'">';
+                $riskinfo .= '<a onclick="this.target=\'docspopup\'" title="'.get_string('riskconfig', 'admin').'" href="'.$CFG->docroot.'/'.$lang.'/'.$strrisks.'">';
                 $riskinfo .= '<img src="'.$CFG->pixpath.'/i/risk_config.gif" alt="'.get_string('riskconfigshort', 'admin').'" /></a>';
                 $rowclasses .= ' riskconfig';
             }
             $riskinfo .= '</td><td class="risk xss">';
             if (RISK_XSS & (int)$capability->riskbitmask) {
-                $riskinfo .= '<a target="docspopup" title="'.get_string('riskxss', 'admin').'" href="'.$CFG->docroot.'/'.$lang.'/'.$strrisks.'">';
+                $riskinfo .= '<a onclick="this.target=\'docspopup\'" title="'.get_string('riskxss', 'admin').'" href="'.$CFG->docroot.'/'.$lang.'/'.$strrisks.'">';
                 $riskinfo .= '<img src="'.$CFG->pixpath.'/i/risk_xss.gif" alt="'.get_string('riskxssshort', 'admin').'" /></a>';
                 $rowclasses .= ' riskxss';
             }
             $riskinfo .= '</td><td class="risk personal">';
             if (RISK_PERSONAL & (int)$capability->riskbitmask) {
-                $riskinfo .= '<a target="docspopup" title="'.get_string('riskpersonal', 'admin').'" href="'.$CFG->docroot.'/'.$lang.'/'.$strrisks.'">';
+                $riskinfo .= '<a onclick="this.target=\'docspopup\'" title="'.get_string('riskpersonal', 'admin').'" href="'.$CFG->docroot.'/'.$lang.'/'.$strrisks.'">';
                 $riskinfo .= '<img src="'.$CFG->pixpath.'/i/risk_personal.gif" alt="'.get_string('riskpersonalshort', 'admin').'" /></a>';
                 $rowclasses .= ' riskpersonal';
             }
             $riskinfo .= '</td><td class="risk spam">';
             if (RISK_SPAM & (int)$capability->riskbitmask) {
-                $riskinfo .= '<a target="docspopup" title="'.get_string('riskspam', 'admin').'" href="'.$CFG->docroot.'/'.$lang.'/'.$strrisks.'">';
+                $riskinfo .= '<a onclick="this.target=\'docspopup\'" title="'.get_string('riskspam', 'admin').'" href="'.$CFG->docroot.'/'.$lang.'/'.$strrisks.'">';
                 $riskinfo .= '<img src="'.$CFG->pixpath.'/i/risk_spam.gif" alt="'.get_string('riskspamshort', 'admin').'" /></a>';
                 $rowclasses .= ' riskspam';
             }
@@ -96,13 +98,7 @@
         ?>
 
         <tr class="rolecap <?php echo $rowclasses; ?>">
-             <td class="name">
-                 <span class="cap-desc">
-                    <a target="docspopup" href="<?php echo $CFG->docroot.'/'.$lang.'/'.$strcapabilities.'/'.$capability->name ?>">
-                    <?php echo get_capability_string($capability->name); ?></a>
-                 </span>
-                 <span class="cap-name"><?php echo $capability->name ?></span>
-             </td>
+             <td class="name"><span class="cap-desc"><a onclick="this.target='docspopup'" href="<?php echo $CFG->docroot.'/'.$lang.'/'.$strcapabilities.'/'.$capability->name ?>"><?php echo get_capability_string($capability->name); ?></a><span class="cap-name"><?php echo $capability->name ?></span></span></td>
 
              <td class="inherit">
              <input type="radio" title="<?php p($strinherit); ?>" name="<?php echo $capability->name; ?>" value="0"
@@ -136,8 +132,7 @@
 
         <?php } ?>
     </table>
-    <br />
-    <div align="center">
+    <div class="submit buttons">
         <input type="submit" value="<?php print_string('savechanges') ?>" />
         <input type="submit" name="cancel" value="<?php print_string('cancel') ?>" />
     </div>
diff --git a/admin/roles/override.php b/admin/roles/override.php
index b94ea7e1cd..8f1700b0f8 100755
--- a/admin/roles/override.php
+++ b/admin/roles/override.php
@@ -2,7 +2,7 @@
 
     require_once('../../config.php');
 
-    $contextid = required_param('contextid',PARAM_INT);    // context id
+    $contextid = required_param('contextid', PARAM_INT);   // context id
     $roleid    = optional_param('roleid', 0, PARAM_INT);   // requested role id
     $userid    = optional_param('userid', 0, PARAM_INT);   // needed for user tabs
     $courseid  = optional_param('courseid', 0, PARAM_INT); // needed for user tabs
@@ -12,29 +12,34 @@
         error('Bad context ID');
     }
 
-    if (!$sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID)) {
+    if (!$sitecontext = get_context_instance(CONTEXT_SYSTEM)) {
         error('No site ID');
     }
 
     if ($context->id == $sitecontext->id) {
-        error ('Can not override base role capabilities');
+        error('Can not override base role capabilities');
     }
 
-    require_capability('moodle/role:override', $context);   // Just to make sure
+    if (!has_capability('moodle/role:override', $context)) {
+        error('You do not have permission to change overrides in this context!');
+    }
 
     if ($courseid) {
         if (!$course = get_record('course', 'id', $courseid)) {
             error('Bad course ID');
         }
     } else {
-        $course = $SITE;
+        $course = clone($SITE);
+        $courseid = SITEID;
     }
 
+    require_login($course);
+
     $baseurl = 'override.php?contextid='.$context->id;
     if (!empty($userid)) {
         $baseurl .= '&amp;userid='.$userid;
     }
-    if (!empty($courseid)) {
+    if ($courseid != SITEID) {
         $baseurl .= '&amp;courseid='.$courseid;
     }
 
@@ -42,6 +47,9 @@
         redirect($baseurl);
     }
 
+/// needed for tabs.php
+    $overridableroles = get_overridable_roles($context);
+    $assignableroles  = get_assignable_roles($context);
 
 /// Get some language strings
 
@@ -53,6 +61,7 @@
     $strparticipants   = get_string('participants');
 
 /// Make sure this user can override that role
+
     if ($roleid) {
         if (!user_can_override($context, $roleid)) {
             error ('you can not override this role in this context');
@@ -64,18 +73,23 @@
         $fullname = fullname($user, has_capability('moodle/site:viewfullnames', $context));
     }
 
+/// get all cababilities
+    $capabilities = fetch_context_capabilities($context);
+
 /// Process incoming role override
     if ($data = data_submitted() and $roleid and confirm_sesskey()) {
         $allowed_values = array(CAP_INHERIT, CAP_ALLOW, CAP_PREVENT, CAP_PROHIBIT);
-        $capabilities = fetch_context_capabilities($context); // capabilities applicable in this context
 
         $localoverrides = get_records_select('role_capabilities', "roleid = $roleid AND contextid = $context->id",
                                              '', 'capability, permission, id');
 
         foreach ($capabilities as $cap) {
+
             if (!isset($data->{$cap->name})) {
+                //cap not specified in form
                 continue;
             }
+
             $capname = $cap->name;
             $value = clean_param($data->{$cap->name}, PARAM_INT);
             if (!in_array($value, $allowed_values)) {
@@ -151,15 +165,13 @@
 
     print_heading_with_help(get_string('overrides', 'role'), 'overrides');
 
-    $overridableroles = get_overridable_roles($context);
-
     if ($roleid) {
     /// prints a form to swap roles
-        echo '<div align="center">'.$strcurrentcontext.': '.print_context_name($context).'<br/>';
-        echo $strroletooverride.': ';
-        $overridableroles = array('0'=>get_string('listallroles', 'role').'...') + $overridableroles; 
+        echo '<div class="selector">';
+        echo $strcurrentcontext.': '.print_context_name($context).'<br/>';
+        $overridableroles = array('0'=>get_string('listallroles', 'role').'...') + $overridableroles;
         popup_form("$CFG->wwwroot/$CFG->admin/roles/override.php?userid=$userid&amp;courseid=$courseid&amp;contextid=$contextid&amp;roleid=",
-            $overridableroles, 'switchrole', $roleid, '');
+            $overridableroles, 'switchrole', $roleid, '', '', '', false, 'self', $strroletooverride);
         echo '</div>';
 
         $parentcontexts = get_parent_contexts($context);
@@ -177,11 +189,12 @@
 
         $lang = str_replace('_utf8', '', current_language());
 
-        // Get the capabilities overrideable in this context
-        if ($capabilities = fetch_context_capabilities($context)) {
+        if (!empty($capabilities)) {
+            // Print the capabilities overrideable in this context
             print_simple_box_start('center');
             include_once('override.html');
             print_simple_box_end();
+
         } else {
             notice(get_string('nocapabilitiesincontext', 'role'),
                     $CFG->wwwroot.'/'.$CFG->admin.'/roles/'.$baseurl);
diff --git a/admin/roles/tabs.php b/admin/roles/tabs.php
index 738a0bed9a..1629572488 100755
--- a/admin/roles/tabs.php
+++ b/admin/roles/tabs.php
@@ -1,6 +1,11 @@
 <?php // $Id$
 
 // Handles headers and tabs for the roles control at any level apart from SYSTEM level
+// We also assume that $currenttab, $assignableroles and $overridableroles are defined
+
+if (!defined('MOODLE_INTERNAL')) {
+    die('Direct access to this script is forbidden.');    ///  It must be included from a Moodle page
+}
 
 if ($currenttab != 'update') {
     switch ($context->contextlevel) {
@@ -29,11 +34,14 @@ if ($currenttab != 'update') {
         case CONTEXT_COURSE:
             if ($context->instanceid != SITEID) {
                 $streditcoursesettings = get_string("editcoursesettings");
-    
+
                 $course = get_record('course', 'id', $context->instanceid);
+
+                require_login($course);
+
                 print_header($streditcoursesettings, $course->fullname,
                         "<a href=\"$CFG->wwwroot/course/view.php?id=$course->id\">$course->shortname</a> -> $straction");
-            }                        
+            }
             break;
 
         case CONTEXT_GROUP:
@@ -54,6 +62,8 @@ if ($currenttab != 'update') {
                 error("The required instance of this module doesn't exist");
             }
 
+            require_login($course);
+
             $strnav = "<a href=\"$CFG->wwwroot/mod/$module->name/view.php?id=$cm->id\">$instance->name</a> ->";
             $fullmodulename = get_string("modulename", $module->name);
             $streditinga = get_string("editinga", "moodle", $fullmodulename);
@@ -65,7 +75,6 @@ if ($currenttab != 'update') {
                 $focuscursor = "form.name";
             }
 
-            $COURSE = $course;
             print_header_simple($streditinga, '',
                     "<a href=\"$CFG->wwwroot/mod/$module->name/index.php?id=$course->id\">$strmodulenameplural</a> ->
                     $strnav <a href=\"$CFG->wwwroot/course/mod.php?update=$cm->id&amp;sesskey=".sesskey()."\">$streditinga</a> -> $straction", $focuscursor, "", false);
@@ -81,6 +90,9 @@ if ($currenttab != 'update') {
                     switch ($blockinstance->pagetype) {
                         case 'course-view':
                             if ($course = get_record('course', 'id', $blockinstance->pageid)) {
+
+                                require_login($course);
+
                                 if ($course->id != SITEID) {
                                     $navigation = "<a href=\"$CFG->wwwroot/course/view.php?id=$course->id\">$course->shortname</a> -> $navigation";
                                 }
@@ -123,14 +135,7 @@ if ($context->contextlevel != CONTEXT_SYSTEM) {    // Print tabs for anything ex
     $toprow[] = new tabobject('roles', $CFG->wwwroot.'/'.$CFG->admin.'/roles/assign.php?contextid='.
                                $context->id, get_string('roles'));
 
-    if (isset($tabsmode)) {
-
-        if (!isset($assignableroles)) {
-            $assignableroles = get_assignable_roles($context);
-        }
-        if (!isset($overridableroles)) {
-            $overridableroles = get_overridable_roles($context);
-        }
+    if (!empty($tabsmode)) {
 
         if (!empty($assignableroles)) {
             $secondrow[] = new tabobject('assign',
diff --git a/blocks/rss_client/block_rss_client.php b/blocks/rss_client/block_rss_client.php
index f6177a2f0d..e290092fdd 100644
--- a/blocks/rss_client/block_rss_client.php
+++ b/blocks/rss_client/block_rss_client.php
@@ -19,7 +19,7 @@
 
     function init() {
         $this->title = get_string('feedstitle', 'block_rss_client');
-        $this->version = 2006100101;
+        $this->version = 2006100102;
     }
 
     function preferred_width() {
diff --git a/blocks/rss_client/db/access.php b/blocks/rss_client/db/access.php
index 7b53f2ca51..b8cec59f3f 100644
--- a/blocks/rss_client/db/access.php
+++ b/blocks/rss_client/db/access.php
@@ -46,6 +46,8 @@ $block_rss_client_capabilities = array(
 
     'block/rss_client:createsharedfeeds' => array(
 
+        'riskbitmask' => RISK_SPAM,
+
         'captype' => 'write',
         'contextlevel' => CONTEXT_SYSTEM,
         'legacy' => array(
@@ -67,6 +69,8 @@ $block_rss_client_capabilities = array(
 
     'block/rss_client:manageanyfeeds' => array(
 
+        'riskbitmask' => RISK_SPAM,
+
         'captype' => 'write',
         'contextlevel' => CONTEXT_SYSTEM,
         'legacy' => array(
diff --git a/enrol/authorize/db/access.php b/enrol/authorize/db/access.php
index 5341963281..04ece9ab3c 100644
--- a/enrol/authorize/db/access.php
+++ b/enrol/authorize/db/access.php
@@ -3,6 +3,7 @@
 $enrol_authorize_capabilities = array(
 
     'enrol/authorize:managepayments' => array(
+        'riskbitmask' => RISK_PERSONAL,
         'captype' => 'write',
         'contextlevel' => CONTEXT_SYSTEM,
         'legacy' => array(
diff --git a/enrol/authorize/version.php b/enrol/authorize/version.php
index 4b8f6c9464..297dbbbdbf 100755
--- a/enrol/authorize/version.php
+++ b/enrol/authorize/version.php
@@ -1,6 +1,6 @@
 <?php // $Id$
 
-$plugin->version  = 2006112900;
+$plugin->version  = 2006112901;
 $plugin->requires = 2006100401;
 
 ?>
diff --git a/lib/accesslib.php b/lib/accesslib.php
index f856007af4..2b173aaec6 100755
--- a/lib/accesslib.php
+++ b/lib/accesslib.php
@@ -773,7 +773,7 @@ function is_parent_context($c1, $c2) {
 }
 
 
-/*
+/**
  * auxillary function for load_user_capabilities()
  * handler in usort() to sort contexts according to level
  * @param object contexta
@@ -1147,7 +1147,7 @@ function load_all_capabilities() {
 }
 
 
-/*
+/**
  * Check all the login enrolment information for the given user object
  * by querying the enrolment plugins
  */
@@ -1560,8 +1560,8 @@ function get_legacy_roles() {
         'editingteacher' => 'moodle/legacy:editingteacher',
         'teacher'        => 'moodle/legacy:teacher',
         'student'        => 'moodle/legacy:student',
-        'user'           => 'moodle/legacy:user',
-        'guest'          => 'moodle/legacy:guest'
+        'guest'          => 'moodle/legacy:guest',
+        'user'           => 'moodle/legacy:user'
     );
 }
 
@@ -1656,7 +1656,7 @@ function create_context($contextlevel, $instanceid) {
     }
 }
 
-/*
+/**
  * This hacky function is needed because we can not change system context instanceid using normal upgrade routine.
  */
 function create_system_context() {
@@ -2215,7 +2215,7 @@ function role_unassign($roleid=0, $userid=0, $groupid=0, $contextid=0) {
     return $success;
 }
 
-/*
+/**
  * A convenience function to take care of the common case where you
  * just want to enrol someone using the default role into a course
  *
@@ -2389,7 +2389,7 @@ function get_default_capabilities($legacyrole) {
     $defaults = array();
     $components = array();
     foreach ($allcaps as $cap) {
-        if (!array_search($cap->component, $components)) {
+        if (!in_array($cap->component, $components)) {
             $components[] = $cap->component;
             $alldefs = array_merge($alldefs, load_capability_def($cap->component));
         }
@@ -2408,6 +2408,35 @@ function get_default_capabilities($legacyrole) {
     return $defaults;
 }
 
+/**
+ * Reset role capabilitites to default according to selected legacy capability.
+ * If several legacy caps selected, use the first from get_default_capabilities.
+ * If no legacy selected, removes all capabilities.
+ *
+ * @param int @roleid
+ */
+function reset_role_capabilities($roleid) {
+    $sitecontext = get_context_instance(CONTEXT_SYSTEM);
+    $legacyroles = get_legacy_roles();
+
+    $defaultcaps = array();
+    foreach($legacyroles as $ltype=>$lcap) {
+        $localoverride = get_local_override($roleid, $sitecontext->id, $lcap);
+        if (!empty($localoverride->permission) and $localoverride->permission == CAP_ALLOW) {
+            //choose first selected legacy capability
+            $defaultcaps = get_default_capabilities($ltype);
+            break;
+        }
+    }
+
+    delete_records('role_capabilities', 'roleid', $roleid);
+    if (!empty($defaultcaps)) {
+        foreach($defaultcaps as $cap=>$permission) {
+            assign_capability($cap, $permission, $roleid, $sitecontext->id);
+        }
+    }
+}
+
 /**
  * Updates the capabilities table with the component capability definitions.
  * If no parameters are given, the function updates the core moodle
@@ -3355,7 +3384,7 @@ function get_assignable_roles ($context, $field="name") {
  * @param object $context
  * @return array
  */
-function get_overridable_roles ($context) {
+function get_overridable_roles($context) {
 
     $options = array();
 
@@ -3370,7 +3399,7 @@ function get_overridable_roles ($context) {
     return $options;
 }
 
-/*
+/**
  *  Returns a role object that is the default role for new enrolments
  *  in a given course
  *
@@ -3626,7 +3655,7 @@ function get_roles_on_exact_context($context) {
 
 }
 
-/*
+/**
  * Switches the current user to another role for the current session and only
  * in the given context.  If roleid is not valid (eg 0) or the current user
  * doesn't have permissions to be switching roles then the user's session
@@ -3724,7 +3753,8 @@ function get_roles_with_assignment_on_context($context) {
 
 
 
-/* find all user assignemnt of users for this role, on this context
+/**
+ * Find all user assignemnt of users for this role, on this context
  */
 function get_users_from_role_on_context($role, $context) {
 
@@ -3736,7 +3766,7 @@ function get_users_from_role_on_context($role, $context) {
                                   AND roleid = $role->id");
 }
 
-/* 
+/**
  * Simple function returning a boolean true if roles exist, otherwise false
  */
 function user_has_role_assignment($userid, $roleid, $contextid=0) {
@@ -3748,8 +3778,10 @@ function user_has_role_assignment($userid, $roleid, $contextid=0) {
     }
 }
 
-// inserts all parental context and self into context_rel table
-/** @param object $context-context to be deleted
+/** 
+ * Inserts all parental context and self into context_rel table
+ *
+ * @param object $context-context to be deleted
  * @param bool deletechild - deltes child contexts dependencies
  */
 function insert_context_rel($context, $deletechild=true, $deleteparent=true) {
@@ -3773,7 +3805,10 @@ function insert_context_rel($context, $deletechild=true, $deleteparent=true) {
     }  
 }
 
-// rebuild context_rel table without deleting
+
+/**
+ * rebuild context_rel table without deleting
+ */
 function build_context_rel() {
   
     global $db;
diff --git a/lib/db/upgrade.php b/lib/db/upgrade.php
index f7b70d1ff3..6e6e78292d 100644
--- a/lib/db/upgrade.php
+++ b/lib/db/upgrade.php
@@ -614,6 +614,20 @@ function xmldb_main_upgrade($oldversion=0) {
         }
     }
 
+    if ($result && $oldversion < 2007021401) {
+    /// create default logged in user role if not present - upgrade rom 1.7.x
+        if (empty($CFG->defaultuserroleid) or $CFG->defaultuserroleid == $CFG->guestroleid) {
+            if (!get_records('role', 'shortname', 'user')) {
+                $userroleid = create_role(addslashes(get_string('authenticateduser')), 'user',
+                                          addslashes(get_string('authenticateduserdescription')), 'moodle/legacy:user');
+                if ($userroleid) {
+                    reset_role_capabilities($userroleid);
+                    set_config('defaultuserroleid', $userroleid);
+                }
+            }
+        }
+    }
+
     return $result;
 
 }
diff --git a/mod/data/db/access.php b/mod/data/db/access.php
index 29ba9fc2fc..148d76c5ac 100644
--- a/mod/data/db/access.php
+++ b/mod/data/db/access.php
@@ -169,6 +169,8 @@ $mod_data_capabilities = array(
 
     'mod/data:manageuserpresets' => array(
 
+        'riskbitmask' => RISK_SPAM | RISK_XSS,
+
         'captype' => 'write',
         'contextlevel' => CONTEXT_MODULE,
         'legacy' => array(
diff --git a/mod/data/version.php b/mod/data/version.php
index edbb95be03..1b8b588e10 100644
--- a/mod/data/version.php
+++ b/mod/data/version.php
@@ -5,7 +5,7 @@
 //  This fragment is called by /admin/index.php
 ////////////////////////////////////////////////////////////////////////////////
 
-$module->version  = 2007022600;
+$module->version  = 2007022601;
 $module->requires = 2007020200;  // Requires this Moodle version
 $module->cron     = 60;
 
diff --git a/theme/standard/styles_layout.css b/theme/standard/styles_layout.css
index 14ea7f55e0..f426a4d2c3 100644
--- a/theme/standard/styles_layout.css
+++ b/theme/standard/styles_layout.css
@@ -780,24 +780,35 @@ body#admin-modules table.generaltable td.c0
   margin-top: 1em;
 }
 
-#admin-roles-manage .buttons {
+#admin-roles-allowassign .buttons,
+#admin-roles-allowoverride .buttons,
+#admin-roles-manage .buttons,
+#admin-roles-override .buttons {
   margin: 20px;
   text-align:center;
 }
 
-#admin-roles-manage .buttons .singlebutton {
-  display: inline;
+#admin-roles-manage .buttons .singlebutton,
+#admin-roles-override .buttons .singlebutton {
+    display: inline;
+  padding: 5px;
 }
 
-#admin-roles-manage .singlebutton,
-#admin-roles-allowoverride .singlebutton,
-#admin-roles-allowassign .singlebutton {
-  padding: 5px;
-  text-align:center;
+#admin-roles-manage .selector,
+#admin-roles-override .selector {
+    text-align:center;
 }
 
-#admin-roles-manage .selector {
-  text-align:center;
+#admin-roles-manage table.roledesc,
+#admin-roles-override table.roledesc {
+  margin-left:auto;
+  margin-right:auto;
+}
+
+#admin-roles-manage table.rolecap,
+#admin-roles-override table.rolecap {
+  margin-left:auto;
+  margin-right:auto;
 }
 
 .rolecap .inherit,
diff --git a/version.php b/version.php
index 4776ffb59d..1bcad71992 100644
--- a/version.php
+++ b/version.php
@@ -6,7 +6,7 @@
 // This is compared against the values stored in the database to determine
 // whether upgrades should be performed (see lib/db/*.php)
 
-   $version = 2007021400;  // YYYYMMDD = date
+   $version = 2007021401;  // YYYYMMDD = date
                            //       XY = increments within a single day
 
    $release = '1.9 dev';    // Human-friendly version name