From 19f2318a445c6d8c7caa8c90c66ddc18c5449f2d Mon Sep 17 00:00:00 2001
From: martinlanghoff <martinlanghoff>
Date: Sun, 6 Jan 2008 23:26:19 +0000
Subject: [PATCH] accesslib: get_users_by_capability() now excludes
 doanything'ers properly

With some subselect-outer-join poison-pill magic, when the we don't
want doanything users, we remove the roles that would grant such
dubious status.

Just a flick of the SQL muscle, actually.
---
 lib/accesslib.php | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/lib/accesslib.php b/lib/accesslib.php
index 2ece09de0a..bd8e27ab9e 100755
--- a/lib/accesslib.php
+++ b/lib/accesslib.php
@@ -4216,12 +4216,32 @@ function get_users_by_capability($context, $capability, $fields='', $sort='',
     $caps = "'$capability'";
     if ($doanything===true) {
         $caps.=",'moodle/site:doanything'";
+        $doanything_join='';
+        $doanything_cond='';
+    } else {
+        // This is an outer join against
+        // admin-ish roleids. Any row that succeeds
+        // in JOINing here ends up removed from
+        // the resultset. This means we remove
+        // rolecaps from roles that also have
+        // 'doanything' capabilities.
+        $doanything_join="LEFT OUTER JOIN (
+                              SELECT DISTINCT rc.roleid
+                              FROM {$CFG->prefix}role_capabilities rc
+                              WHERE rc.capability='moodle/site:doanything'
+                                    AND rc.permission=".CAP_ALLOW."
+                                    AND rc.contextid IN ($ctxids)
+                          ) dar
+                             ON rc.roleid=dar.roleid";
+        $doanything_cond="AND dar.roleid IS NULL";
     }
     $sql = "SELECT rc.id, rc.roleid, rc.permission, rc.capability,
                    ctx.depth AS ctxdepth, ctx.contextlevel AS ctxlevel
             FROM {$CFG->prefix}role_capabilities rc
             JOIN {$CFG->prefix}context ctx on rc.contextid = ctx.id
+            $doanything_join
             WHERE rc.capability IN ($caps) AND ctx.id IN ($ctxids)
+                  $doanything_cond
             ORDER BY rc.roleid ASC, ctx.depth ASC";
     // fetch all records - we'll walk several
     // times over them, and should be a small set
@@ -4236,6 +4256,7 @@ function get_users_by_capability($context, $capability, $fields='', $sort='',
             $negperm = true;
         }
     }
+        
     $roleids = array_unique($roleids);
 
     if (count($roleids)===0) { // noone here!
-- 
2.39.5