Problem with checking capabilities after upgrade to 4.2.4 #196

Open
nikosdimitrakas opened this issue Sep 5, 2024 · 1 comment

@nikosdimitrakas

In a commit from 13 October 2023 that was released in 4.2.4, the checking of the capabilities was changed (function has_capability on row 1050 in vpl_class.php). It used to check the user's capability in a context, but now it requires the user to be enrolled or site admin. Thus, any user that has a capability by having a system role does not seem to qualify. We had an API user for an integration that had a system role that provided view and grade capabilities, but we still received required_capability_exception "Sorry, but you do not currently have permissions to do that (View full VPL assignment description)." when calling mod_vpl_info. And a similar exception when calling mod_vpl_open.
I did not see any mention in the release notes for 4.2.4 that this would have been an intentional behavioural change, so I guess this was a mistake. We have now temporarily made our integration user a site admin, but it would be nice if the capabilities provided by system roles can work again.

@jcrodriguez-dis
Owner

Dear Nikos Dimitrakas,

Thank you for bringing this to our attention and for your detailed explanation of the issue.

We acknowledge the unintended behavioral change introduced in version 4.2.4 regarding capability checks for users with system roles. After reviewing this, we have decided to revert the behavior for web service requests to the previous implementation, removing the requirement of being enrolled in the current course. This change will be included in the next VPL release.

Best regards,
Juan Carlos
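
The three behaviours discussed in this thread, as an added example that is not part of the issue and is not Moodle or VPL code: a simplified Python model of the context-based check, the enrolment-gated check reported for 4.2.4, and the announced revert for web service requests. The capability names, context names, users and function names are all constructed for this model, and it assumes that a role assigned at a higher context applies to the activity below it.

```python
from dataclasses import dataclass, field

VIEW, GRADE = "view", "grade"  # constructed capability names for this model

@dataclass
class User:
    name: str
    site_admin: bool = False
    enrolled: set = field(default_factory=set)     # courses the user is enrolled in
    role_caps: dict = field(default_factory=dict)  # context -> capabilities from roles

@dataclass
class Activity:
    course: str
    context_path: tuple  # system context down to the activity's own context

def context_capability(user, cap, activity):
    """Context-based check: a role at any context on the path may grant cap."""
    if user.site_admin:
        return True
    return any(cap in user.role_caps.get(ctx, set()) for ctx in activity.context_path)

def check_424(user, cap, activity):
    """Behaviour the issue reports: enrolment or site admin is required first."""
    if not (user.site_admin or activity.course in user.enrolled):
        return False
    return context_capability(user, cap, activity)

def check_after_revert(user, cap, activity, web_service):
    """Announced fix, as modelled here: web service requests skip the enrolment gate."""
    if web_service:
        return context_capability(user, cap, activity)
    return check_424(user, cap, activity)

def locked_out(users, cap, activity):
    """Names of users whose roles grant cap but whom the enrolment gate rejects."""
    return [u.name for u in users
            if context_capability(u, cap, activity) and not check_424(u, cap, activity)]

# Constructed sample data: an integration account with a system role only,
# an enrolled student with a course-level role, and a user with no roles.
ACTIVITY = Activity("course:101", ("system", "course:101", "module:7"))
API_USER = User("api", role_caps={"system": {VIEW, GRADE}})
STUDENT = User("student", enrolled={"course:101"}, role_caps={"course:101": {VIEW}})
OUTSIDER = User("outsider")

if __name__ == "__main__":
    print(locked_out([API_USER, STUDENT, OUTSIDER], VIEW, ACTIVITY))
```

A check of this shape, kept as a regression test, lets an integration account stay on a narrowly scoped system role rather than being made a site admin to get past the gate.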
