Best practice forum (Archived)

Proper role to let an HR person manage appraisals?

Hi guys, been asked to give a user with a "manager" system role permission to "manage appraisals"

/totara/appraisal/manage.php

Seems like the "manageappraisals" capability is not good enough for this.

Do I really need to give her "site:config" capability as well to manage appraisals?

I've run into this scenario before when trying to let a user "manage rooms" in face to face activity.

It seems like for many trivial admin functions such as these (but not all!), you need to have site:config capabilty.

Is there a workaround for this? What is best practice?

Surely the people who need to "manage appraisals" and/or "manage rooms" are not always the same people who need to control site debugging levels, other nerdy stuff, etc.

Thanks for any help!

Best,

Larry

Permalink | Reply

Hi Larry,

Basically site:config actually bypasses any capability checks. If you give someone site:config the system assumes they have to be able to do everything, so any require_capability checks are essentially skipped. So it's not the right way to get around any permissions issue.

Also, by default the Manager role already has that capability so anyone assigned to the Manager role at the system level (site Administration->Users->Permissions->Assign system roles) should be able to manage appraisals. Can you explain further what difficulty you are having?

Permalink | Show parent | Reply

Thanks for the response Ciaran!

I agree that in theory managers should be able to manage appraisals because they have the "manageappraisals" capability as part of their manager role.

The problem is that I am getting "access denied" at this URL with a user with "manager" role:

/totara/appraisal/manage.php

Is there some other URL they should be trying to manage appraisals from?

Or maybe it's a bug.

Or maybe I am doing something else wrong.

But this is a complaint from a customer and confirmed by our project manager.. so it's definitely something fishy or unclear going on here.

I dived into the code a little bit and it seems like in order to use the manage interface php runs

admin_externalpage_setup('manageappraisals') which requires site:config capability.

Thanks,

Permalink | Show parent | Reply

Hi Larry,

The code that checks for site:config capability in admin_externalpage_setup function only runs if the requested page does not exist in the admin tree.

If a user is assigned to the Manager role at the site level (Site Administration->Users->Permissions->Assign System Roles), and the Manager role has the manageappraisals capability (Site Administration->Users->Permissions->Define Roles), then it should function properly. I think you need to check that the users are assigned properly and that the roles are properly defined with the right capabilities - this should work out-of-the-box without any tinkering.

Permalink | Show parent | Reply

Thanks for the response.

I tested another installation (Version 2.5.3 ) and can confirm what I have stated before.

As it stands now on both sites, our "managers" (stock role) do not have a link to the "manage appraisals" page on their admin link trees and they get access denied if they try to go there manually (type in the url)

Is there some other way I am supposed to reach this page as a manager? Either I don't have or can't find a link to it.

https://totara20.learning.nu/totara/appraisal/manage.php?lang=en

Best,

Larry

Permalink | Show parent | Reply

Ah, we've tracked down the issue Larry.

There was a bug in 2.5.3 with the capability checks for Appraisals. It was fixed as part of a patch for another issue in 2.5.5 which is why I couldn't reproduce it.

So an upgrade to 2.5.5 or above should resolve this for you.

Permalink | Show parent | Reply

Okay that makes sense... cause both Totaras exhibiting this weird behavior are a 2.53 :)

Permalink | Show parent | Reply