
classes/class.ilRbacAdmin.php

00001 <?php
00002 /*
00003         +-----------------------------------------------------------------------------+
00004         | ILIAS open source                                                           |
00005         +-----------------------------------------------------------------------------+
00006         | Copyright (c) 1998-2001 ILIAS open source, University of Cologne            |
00007         |                                                                             |
00008         | This program is free software; you can redistribute it and/or               |
00009         | modify it under the terms of the GNU General Public License                 |
00010         | as published by the Free Software Foundation; either version 2              |
00011         | of the License, or (at your option) any later version.                      |
00012         |                                                                             |
00013         | This program is distributed in the hope that it will be useful,             |
00014         | but WITHOUT ANY WARRANTY; without even the implied warranty of              |
00015         | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               |
00016         | GNU General Public License for more details.                                |
00017         |                                                                             |
00018         | You should have received a copy of the GNU General Public License           |
00019         | along with this program; if not, write to the Free Software                 |
00020         | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA. |
00021         +-----------------------------------------------------------------------------+
00022 */
00023 
00024 
00038 class ilRbacAdmin
00039 {
00044         function ilRbacAdmin()
00045         {
00046                 global $ilDB,$ilErr,$ilias;
00047 
00048                 // set db & error handler
00049                 (isset($ilDB)) ? $this->ilDB =& $ilDB : $this->ilDB =& $ilias->db;
00050                 
00051                 if (!isset($ilErr))
00052                 {
00053                         $ilErr = new ilErrorHandling();
00054                         $ilErr->setErrorHandling(PEAR_ERROR_CALLBACK,array($ilErr,'errorHandler'));
00055                 }
00056                 else
00057                 {
00058                         $this->ilErr =& $ilErr;
00059                 }
00060         }
00061 
00069         function removeUser($a_usr_id)
00070         {
00071                 if (!isset($a_usr_id))
00072                 {
00073                         $message = get_class($this)."::removeUser(): No usr_id given!";
00074                         $this->ilErr->raiseError($message,$this->ilErr->WARNING);
00075                 }
00076 
00077                 $q = "DELETE FROM rbac_ua WHERE usr_id='".$a_usr_id."'";
00078                 $this->ilDB->query($q);
00079                 
00080                 return true;
00081         }
00082 
00090         function deleteRole($a_rol_id,$a_ref_id)
00091         {
00092                 global $lng;
00093 
00094                 if (!isset($a_rol_id) or !isset($a_ref_id))
00095                 {
00096                         $message = get_class($this)."::deleteRole(): Missing parameter! role_id: ".$a_rol_id." ref_id of role folder: ".$a_ref_id;
00097                         $this->ilErr->raiseError($message,$this->ilErr->WARNING);
00098                 }
00099 
00100                 // exclude system role from rbac
00101                 if ($a_rol_id == SYSTEM_ROLE_ID)
00102                 {
00103                         $this->ilErr->raiseError($lng->txt("msg_sysrole_not_deletable"),$this->ilErr->MESSAGE);
00104                 }
00105 
00106                 // TODO: check assigned users before deletion
00107                 // This is done in ilObjRole. Should be better moved to this place?
00108                 
00109                 // delete user assignements
00110                 $q = "DELETE FROM rbac_ua ".
00111                          "WHERE rol_id = '".$a_rol_id ."'";
00112                 $this->ilDB->query($q);
00113                 
00114                 // delete permission assignments
00115                 $q = "DELETE FROM rbac_pa ".
00116                          "WHERE rol_id = '".$a_rol_id."'";
00117                 $this->ilDB->query($q);
00118                 
00119                 //delete rbac_templates and rbac_fa
00120                 $this->deleteLocalRole($a_rol_id);
00121                 
00122                 return true;
00123         }
00124 
00131         function deleteTemplate($a_obj_id)
00132         {
00133                 if (!isset($a_obj_id))
00134                 {
00135                         $message = get_class($this)."::deleteTemplate(): No obj_id given!";
00136                         $this->ilErr->raiseError($message,$this->ilErr->WARNING);
00137                 }
00138 
00139                 $q = "DELETE FROM rbac_templates ".
00140                          "WHERE rol_id = '".$a_obj_id ."'";
00141                 $this->ilDB->query($q);
00142 
00143                 $q = "DELETE FROM rbac_fa ".
00144                          "WHERE rol_id = '".$a_obj_id ."'";
00145                 $this->ilDB->query($q);
00146 
00147                 return true;
00148         }
00149 
00157         function deleteLocalRole($a_rol_id,$a_ref_id = 0)
00158         {
00159                 if (!isset($a_rol_id))
00160                 {
00161                         $message = get_class($this)."::deleteLocalRole(): Missing parameter! role_id: '".$a_rol_id."'";
00162                         $this->ilErr->raiseError($message,$this->ilErr->WARNING);
00163                 }
00164                 
00165                 // exclude system role from rbac
00166                 if ($a_rol_id == SYSTEM_ROLE_ID)
00167                 {
00168                         return true;
00169                 }
00170 
00171                 if ($a_ref_id != 0)
00172                 {
00173                         $clause = "AND parent = '".$a_ref_id."'";
00174                 }
00175                 
00176                 $q = "DELETE FROM rbac_fa ".
00177                          "WHERE rol_id = '".$a_rol_id."' ".
00178                          $clause;
00179 
00180                 $this->ilDB->query($q);
00181 
00182                 $q = "DELETE FROM rbac_templates ".
00183                          "WHERE rol_id = '".$a_rol_id."' ".
00184                          $clause;
00185                 $this->ilDB->query($q);
00186 
00187                 return true;
00188         }
00189 
00190 
00200         function assignUser($a_rol_id,$a_usr_id,$a_default = false)
00201         {
00202                 if (!isset($a_rol_id) or !isset($a_usr_id))
00203                 {
00204                         $message = get_class($this)."::assignUser(): Missing parameter! role_id: ".$a_rol_id." usr_id: ".$a_usr_id;
00205                         $this->ilErr->raiseError($message,$this->ilErr->WARNING);
00206                 }
00207                 
00208                 $q = "REPLACE INTO rbac_ua ".
00209                          "VALUES ('".$a_usr_id."','".$a_rol_id."')";
00210                 $res = $this->ilDB->query($q);
00211 
00212                 // Finally assign desktop items assigned to this role
00213                 include_once './classes/class.ilRoleDesktopItem.php';
00214 
00215                 $role_desk_item_obj =& new ilRoleDesktopItem($a_rol_id);
00216                 
00217                 if(is_object($tmp_user = ilObjectFactory::getInstanceByObjId($a_usr_id,false)))
00218                 {
00219                         foreach($role_desk_item_obj->getAll() as $item_data)
00220                         {
00221                                 if(!$tmp_user->isDesktopItem($item_data['item_id'],$item_data['item_type']))
00222                                 {
00223                                         $tmp_user->addDesktopItem($item_data['item_id'],$item_data['item_type']);
00224                                 }
00225                         }
00226                 }
00227                 return true;
00228         }
00229 
00237         function deassignUser($a_rol_id,$a_usr_id)
00238         {
00239                 if (!isset($a_rol_id) or !isset($a_usr_id))
00240                 {
00241                         $message = get_class($this)."::deassignUser(): Missing parameter! role_id: ".$a_rol_id." usr_id: ".$a_usr_id;
00242                         $this->ilErr->raiseError($message,$this->ilErr->WARNING);
00243                 }
00244 
00245                 $q = "DELETE FROM rbac_ua ".
00246                          "WHERE usr_id='".$a_usr_id."' ".
00247                          "AND rol_id='".$a_rol_id."'";
00248                 $this->ilDB->query($q);
00249                 
00250                 return true;
00251         }
00252 
00261         function grantPermission($a_rol_id,$a_ops,$a_ref_id)
00262         {
00263                 if (!isset($a_rol_id) or !isset($a_ops) or !isset($a_ref_id))
00264                 {
00265                         $this->ilErr->raiseError(get_class($this)."::grantPermission(): Missing parameter! ".
00266                                                         "role_id: ".$a_rol_id." ref_id: ".$a_ref_id." operations: ",$this->ilErr->WARNING);
00267                 }
00268 
00269                 if (!is_array($a_ops))
00270                 {
00271                         $this->ilErr->raiseError(get_class($this)."::grantPermission(): Wrong datatype for operations!",
00272                                                                          $this->ilErr->WARNING);
00273                 }
00274                 
00275                 if (count($a_ops) == 0)
00276                 {
00277                         return false;
00278                 }
00279                 
00280                 // exclude system role from rbac
00281                 if ($a_rol_id == SYSTEM_ROLE_ID)
00282                 {
00283                         return true;
00284                 }
00285                 
00286                 // convert all values to integer
00287                 foreach ($a_ops as $key => $operation)
00288                 {
00289                         $a_ops[$key] = (int) $operation;
00290                 }
00291 
00292                 // Serialization des ops_id Arrays
00293                 $ops_ids = addslashes(serialize($a_ops));
00294 
00295                 $q = "REPLACE INTO rbac_pa (rol_id,ops_id,ref_id) ".
00296                          "VALUES ".
00297                          "('".$a_rol_id."','".$ops_ids."','".$a_ref_id."')";
00298                 $this->ilDB->query($q);
00299 
00300                 return true;
00301         }
00302 
00312         function revokePermission($a_ref_id,$a_rol_id = 0,$a_keep_protected = true)
00313         {
00314                 global $rbacreview,$log;
00315 
00316                 if (!isset($a_ref_id))
00317                 {
00318                         $message = get_class($this)."::revokePermission(): Missing parameter! ref_id: ".$a_ref_id;
00319                         $this->ilErr->raiseError($message,$this->ilErr->WARNING);
00320                 }
00321 $log->write("ilRBACadmin::revokePermission(), 0");
00322 
00323                 // bypass protected status of roles
00324                 if ($a_keep_protected != true)
00325                 {
00326                         // exclude system role from rbac
00327                         if ($a_rol_id == SYSTEM_ROLE_ID)
00328                         {
00329                                 return true;
00330                         }
00331         
00332                         if ($a_rol_id)
00333                         {
00334                                 $and1 = " AND rol_id = '".$a_rol_id."'";
00335                         }
00336                         else
00337                         {
00338                                 $and1 = "";
00339                         }
00340         
00341                         // TODO: rename db_field from obj_id to ref_id and remove db-field set_id
00342                         $q = "DELETE FROM rbac_pa ".
00343                                  "WHERE ref_id = '".$a_ref_id."' ".
00344                                  $and1;
00345                         $this->ilDB->query($q);
00346         
00347                         return true;
00348                 }
00349                 
00350                 // consider protected status of roles
00351         
00352                 // in any case, get all roles in scope first
00353                 $roles_in_scope = $rbacreview->getParentRoleIds($a_ref_id);
00354 
00355                 if (!$a_rol_id)
00356                 {
00357 $log->write("ilRBACadmin::revokePermission(), 1");
00358 
00359                         $role_ids = array();
00360                         
00361                         foreach ($roles_in_scope as $role)
00362                         {
00363                                 if ($role['protected'] == true)
00364                                 {
00365                                         continue;
00366                                 }
00367                                 
00368                                 $role_ids[] = $role['obj_id'];
00369                         }
00370                         
00371                         // return if no role in array
00372                         if (!$role_ids)
00373                         {
00374                                 return true;
00375                         }
00376                         
00377                         $q = "DELETE FROM rbac_pa ".
00378                                  "WHERE rol_id IN (".implode(',',$role_ids).") ".
00379                                  "AND ref_id ='".$a_ref_id."'";
00380                         $this->ilDB->query($q);
00381                 }
00382                 else
00383                 {
00384 $log->write("ilRBACadmin::revokePermission(), 2");      
00385                         // exclude system role from rbac
00386                         if ($a_rol_id == SYSTEM_ROLE_ID)
00387                         {
00388                                 return true;
00389                         }
00390                         
00391                         // exclude protected permission settings from revoking
00392                         if ($roles_in_scope[$a_rol_id]['protected'] == true)
00393                         {
00394                                 return true;
00395                         }
00396 
00397                         $q = "DELETE FROM rbac_pa ".
00398                                  "WHERE ref_id = '".$a_ref_id."' ".
00399                                  "AND rol_id = '".$a_rol_id."'";
00400                         $this->ilDB->query($q);
00401                 }
00402 
00403                 return true;
00404         }
00405 
00413         function revokePermissionList($a_ref_ids,$a_rol_id)
00414         {
00415                 if (!isset($a_ref_ids) or !is_array($a_ref_ids))
00416                 {
00417                         $message = get_class($this)."::revokePermissionList(): Missing parameter or parameter is not an array! reference_list: ".var_dump($a_ref_ids);
00418                         $this->ilErr->raiseError($message,$this->ilErr->WARNING);
00419                 }
00420 
00421                 if (!isset($a_rol_id))
00422                 {
00423                         $message = get_class($this)."::revokePermissionList(): Missing parameter! rol_id: ".$a_rol_id;
00424                         $this->ilErr->raiseError($message,$this->ilErr->WARNING);
00425                 }
00426 
00427                 // exclude system role from rbac
00428                 if ($a_rol_id == SYSTEM_ROLE_ID)
00429                 {
00430                         return true;
00431                 }
00432 
00433                 $ref_ids = implode(",",$a_ref_ids);
00434 
00435                 // TODO: rename db_field from obj_id to ref_id and remove db-field set_id
00436                 $q = "DELETE FROM rbac_pa ".
00437                          "WHERE ref_id IN (".$ref_ids.") ".
00438                          "AND rol_id = ".$a_rol_id;
00439                 $this->ilDB->query($q);
00440 
00441                 return true;
00442         }
00443 
00454         function copyRolePermission($a_source_id,$a_source_parent,$a_dest_parent,$a_dest_id,$a_consider_protected = true)
00455         {
00456                 global $rbacreview;
00457 
00458                 if (!isset($a_source_id) or !isset($a_source_parent) or !isset($a_dest_id) or !isset($a_dest_parent))
00459                 {
00460                         $message = get_class($this)."::copyRolePermission(): Missing parameter! source_id: ".$a_source_id.
00461                                            " source_parent_id: ".$a_source_parent.
00462                                            " dest_id : ".$a_dest_id.
00463                                            " dest_parent_id: ".$a_dest_parent;
00464                         $this->ilErr->raiseError($message,$this->ilErr->WARNING);
00465                 }
00466                 
00467                 // exclude system role from rbac
00468                 if ($a_dest_id == SYSTEM_ROLE_ID)
00469                 {
00470                         return true;
00471                 }
00472 
00473                 $q = "SELECT * FROM rbac_templates ".
00474                          "WHERE rol_id = '".$a_source_id."' ".
00475                          "AND parent = '".$a_source_parent."'";
00476                 $r = $this->ilDB->query($q);
00477 
00478                 while ($row = $r->fetchRow(DB_FETCHMODE_OBJECT))
00479                 {
00480                         $q = "INSERT INTO rbac_templates ".
00481                                  "VALUES ".
00482                                  "('".$a_dest_id."','".$row->type."','".$row->ops_id."','".$a_dest_parent."')";
00483                         $this->ilDB->query($q);
00484                 }
00485                 
00486                 // copy also protection status if applicable
00487                 if ($a_consider_protected == true)
00488                 {
00489                         if ($rbacreview->isProtected($a_source_parent,$a_source_id))
00490                         {
00491                                 $this->setProtected($a_dest_parent,$a_dest_id,'y');
00492                         }
00493                 }
00494 
00495                 return true;
00496         }
00510         function copyRolePermissionIntersection($a_source1_id,$a_source1_parent,$a_source2_id,$a_source2_parent,$a_dest_parent,$a_dest_id)
00511         {
00512                 global $rbacreview;
00513                 
00514                 if (!isset($a_source1_id) or !isset($a_source1_parent) 
00515                 or !isset($a_source2_id) or !isset($a_source2_parent) 
00516                 or !isset($a_dest_id) or !isset($a_dest_parent))
00517                 {
00518                         $message = get_class($this)."::copyRolePermissionIntersection(): Missing parameter! source1_id: ".$a_source1_id.
00519                                            " source1_parent: ".$a_source1_parent.
00520                                            " source2_id: ".$a_source2_id.
00521                                            " source2_parent: ".$a_source2_parent.
00522                                            " dest_id: ".$a_dest_id.
00523                                            " dest_parent_id: ".$a_dest_parent;
00524                         $this->ilErr->raiseError($message,$this->ilErr->WARNING);
00525                 }
00526                 
00527                 // exclude system role from rbac
00528                 if ($a_dest_id == SYSTEM_ROLE_ID)
00529                 {
00530                         return true;
00531                 }
00532                 
00533                 if ($rbacreview->isProtected($a_source2_parent,$a_source2_id))
00534                 {
00535                         return true;
00536                         //return $this->copyRolePermission($a_source2_id,$a_source2_parent,$a_dest_parent,$a_dest_id);
00537                 }
00538 
00539                 $q = "SELECT s1.type, s1.ops_id ".
00540                         "FROM rbac_templates AS s1, rbac_templates AS s2 ".
00541                         "WHERE s1.rol_id = '".$a_source1_id."' ".
00542                         "AND s1.parent = '".$a_source1_parent."' ".
00543                         "AND s2.rol_id = '".$a_source2_id."' ".
00544                         "AND s2.parent = '".$a_source2_parent."' ".
00545                         "AND s1.type = s2.type ".
00546                         "AND s1.ops_id = s2.ops_id";
00547                 $r = $this->ilDB->query($q);
00548 
00549                 while ($row = $r->fetchRow(DB_FETCHMODE_OBJECT))
00550                 {
00551                         $q = "INSERT INTO rbac_templates ".
00552                                  "VALUES ".
00553                                  "('".$a_dest_id."','".$row->type."','".$row->ops_id."','".$a_dest_parent."')";
00554                         $this->ilDB->query($q);
00555                 }
00556 
00557                 return true;
00558         }
00559         
00570         function deleteRolePermission($a_rol_id,$a_ref_id,$a_type = false)
00571         {
00572                 if (!isset($a_rol_id) or !isset($a_ref_id))
00573                 {
00574                         $message = get_class($this)."::deleteRolePermission(): Missing parameter! role_id: ".$a_rol_id." ref_id: ".$a_ref_id;
00575                         $this->ilErr->raiseError($message,$this->ilErr->WARNING);
00576                 }
00577 
00578                 // exclude system role from rbac
00579                 if ($a_rol_id == SYSTEM_ROLE_ID)
00580                 {
00581                         return true;
00582                 }
00583                 
00584                 if ($a_type !== false)
00585                 {
00586                         $and_type = " AND type='".$a_type."'";
00587                 }
00588 
00589                 $q = "DELETE FROM rbac_templates ".
00590                          "WHERE rol_id = '".$a_rol_id."' ".
00591                          "AND parent = '".$a_ref_id."'".
00592                          $and_type;
00593                 $this->ilDB->query($q);
00594 
00595                 return true;
00596         }
00597         
00608         function setRolePermission($a_rol_id,$a_type,$a_ops,$a_ref_id)
00609         {
00610                 if (!isset($a_rol_id) or !isset($a_type) or !isset($a_ops) or !isset($a_ref_id))
00611                 {
00612                         $message = get_class($this)."::setRolePermission(): Missing parameter!".
00613                                            " role_id: ".$a_rol_id.
00614                                            " type: ".$a_type.
00615                                            " operations: ".$a_ops.
00616                                            " ref_id: ".$a_ref_id;
00617                         $this->ilErr->raiseError($message,$this->ilErr->WARNING);
00618                 }
00619 
00620                 if (!is_string($a_type) or empty($a_type))
00621                 {
00622                         $message = get_class($this)."::setRolePermission(): a_type is no string or empty!";
00623                         $this->ilErr->raiseError($message,$this->ilErr->WARNING);
00624                 }
00625 
00626                 if (!is_array($a_ops) or empty($a_ops))
00627                 {
00628                         $message = get_class($this)."::setRolePermission(): a_ops is no array or empty!";
00629                         $this->ilErr->raiseError($message,$this->ilErr->WARNING);
00630                 }
00631                 
00632                 // exclude system role from rbac
00633                 if ($a_rol_id == SYSTEM_ROLE_ID)
00634                 {
00635                         return true;
00636                 }
00637                 
00638                 foreach ($a_ops as $op)
00639                 {
00640                         $q = "INSERT INTO rbac_templates ".
00641                                  "VALUES ".
00642                                  "('".$a_rol_id."','".$a_type."','".$op."','".$a_ref_id."')";
00643                         $this->ilDB->query($q);
00644                 }
00645 
00646                 return true;
00647         }
00648 
00662         function assignRoleToFolder($a_rol_id,$a_parent,$a_assign = "y")
00663         {
00664                 if (!isset($a_rol_id) or !isset($a_parent))
00665                 {
00666                         $message = get_class($this)."::assignRoleToFolder(): Missing Parameter!".
00667                                            " role_id: ".$a_rol_id.
00668                                            " parent_id: ".$a_parent.
00669                                            " assign: ".$a_assign;
00670                         $this->ilErr->raiseError($message,$this->ilErr->WARNING);
00671                 }
00672                 
00673                 // exclude system role from rbac
00674                 if ($a_rol_id == SYSTEM_ROLE_ID)
00675                 {
00676                         return true;
00677                 }
00678                 
00679                 // if a wrong value is passed, always set assign to "n"
00680                 if ($a_assign != "y")
00681                 {
00682                         $a_assign = "n";
00683                 }
00684 
00685                 $q = "INSERT INTO rbac_fa (rol_id,parent,assign) ".
00686                          "VALUES ('".$a_rol_id."','".$a_parent."','".$a_assign."')";
00687                 $this->ilDB->query($q);
00688 
00689                 return true;
00690         }
00691 
00700         function assignOperationToObject($a_type_id,$a_ops_id)
00701         {
00702                 if (!isset($a_type_id) or !isset($a_ops_id))
00703                 {
00704                         $message = get_class($this)."::assignOperationToObject(): Missing parameter!".
00705                                            "type_id: ".$a_type_id.
00706                                            "ops_id: ".$a_ops_id;
00707                         $this->ilErr->raiseError($message,$this->ilErr->WARNING);
00708                 }
00709 
00710                 $q = "INSERT INTO rbac_ta ".
00711                          "VALUES('".$a_type_id."','".$a_ops_id."')";
00712                 $this->ilDB->query($q);
00713 
00714                 return true;
00715         }
00716 
00725         function deassignOperationFromObject($a_type_id,$a_ops_id)
00726         {
00727                 if (!isset($a_type_id) or !isset($a_ops_id))
00728                 {
00729                         $message = get_class($this)."::deassignPermissionFromObject(): Missing parameter!".
00730                                            "type_id: ".$a_type_id.
00731                                            "ops_id: ".$a_ops_id;
00732                         $this->ilErr->raiseError($message,$this->ilErr->WARNING);
00733                 }
00734 
00735                 $q = "DELETE FROM rbac_ta ".
00736                          "WHERE typ_id = '".$a_type_id."' ".
00737                          "AND ops_id = '".$a_ops_id."'";
00738                 $this->ilDB->query($q);
00739         
00740                 return true;
00741         }
00742         
00743         function setProtected($a_ref_id,$a_role_id,$a_value)
00744         {
00745                 // ref_id not used yet. protected permission acts 'global' for each role, regardless of any broken inheritance before
00746                 $q = "UPDATE rbac_fa ".
00747                          "SET protected = '".$a_value."' ".
00748                          //"WHERE parent = '".$a_ref_id."' ".
00749                          "WHERE rol_id = '".$a_role_id."'";
00750                 $this->ilDB->query($q);
00751                 
00752                 return true;
00753         }
00754 } // END class.ilRbacAdmin
00755 ?>

Generated on Fri Dec 13 2013 13:52:08 for ILIAS Release_3_7_x_branch .rev 46817 by  doxygen 1.7.1