
Services/AccessControl/classes/class.ilAccessHandler.php

00001 <?php
00002 /*
00003         +-----------------------------------------------------------------------------+
00004         | ILIAS open source                                                           |
00005         +-----------------------------------------------------------------------------+
00006         | Copyright (c) 1998-2001 ILIAS open source, University of Cologne            |
00007         |                                                                             |
00008         | This program is free software; you can redistribute it and/or               |
00009         | modify it under the terms of the GNU General Public License                 |
00010         | as published by the Free Software Foundation; either version 2              |
00011         | of the License, or (at your option) any later version.                      |
00012         |                                                                             |
00013         | This program is distributed in the hope that it will be useful,             |
00014         | but WITHOUT ANY WARRANTY; without even the implied warranty of              |
00015         | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               |
00016         | GNU General Public License for more details.                                |
00017         |                                                                             |
00018         | You should have received a copy of the GNU General Public License           |
00019         | along with this program; if not, write to the Free Software                 |
00020         | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA. |
00021         +-----------------------------------------------------------------------------+
00022 */
00023 
00024 require_once("Services/AccessControl/classes/class.ilAccessInfo.php");
00025 
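/**
 * Central access decision point.
 *
 * checkAccessOfUser() runs a fixed chain of checks (tree, RBAC, parent path,
 * preconditions, object-type specific status) and answers true only when
 * every stage passes. Each stage writes its own outcome into a result cache
 * keyed by ref id, permission, command and user id.
 *
 * NOTE(review): because every stage stores under the same key, the cache
 * already holds "granted" after the tree check while RBAC and the later
 * stages have not run yet. A lookup of the same key made from inside a later
 * stage (for example from an object's _checkAccess()) would be answered with
 * that provisional grant. No such re-entry is visible in this file; confirm
 * for the object access classes.
 */
class ilAccessHandler
{
    // RBAC backend, taken from the global $rbacsystem in the constructor
    var $rbacsystem;
    // result cache: [ref_id][permission][cmd][user_id] => array("granted", "info")
    var $results;
    // info object collecting messages for the check currently running
    var $current_info;
    // bookkeeping for the most recently stored result
    var $current_result_element;
    var $last_result;
    var $last_info;
    // switches set through enable(); only "cache" is read in this class
    var $cache;
    var $rbac;
    var $tree;
    var $condition;
    var $path;
    var $status;
    // ref_id => obj_id and ref_id => type lookups done during this request
    var $obj_id_cache;
    var $obj_type_cache;

    /**
     * Constructor: binds the global RBAC system and resets caches and switches.
     */
    function ilAccessHandler()
    {
        global $rbacsystem;

        $this->rbacsystem =& $rbacsystem;
        $this->results = array();
        $this->current_info = new ilAccessInfo();

        // use function enable to switch on/off tests (only cache is used so far)
        $this->cache = true;
        $this->rbac = true;
        $this->tree = true;
        $this->condition = true;
        $this->path = true;
        $this->status = true;
        $this->obj_id_cache = array();
        $this->obj_type_cache = array();
    }

    /**
     * Map an omitted user id to the current user.
     *
     * Only "" (the parameter default) and null count as "omitted". The
     * previous loose test ($a_user_id == "") also matched integer 0 on PHP
     * versions before 8, so a result computed for user id 0 was filed under,
     * and later answered from, the logged-in user's cache key.
     *
     * @param  mixed $a_user_id user id as passed by the caller
     * @return mixed            the given id, or the current user's id
     */
    function _resolveUserId($a_user_id)
    {
        global $ilUser;

        if ($a_user_id === "" || $a_user_id === null)
        {
            return $ilUser->getId();
        }

        return $a_user_id;
    }

    /**
     * Store the outcome of one check stage.
     *
     * @param string  $a_permission     permission that was checked
     * @param string  $a_cmd            command that was checked
     * @param int     $a_ref_id         reference id of the object
     * @param boolean $a_access_granted outcome of the stage
     * @param mixed   $a_user_id        user id ("" = current user)
     * @param mixed   $a_info           info object ("" = current info object)
     */
    function storeAccessResult($a_permission, $a_cmd, $a_ref_id, $a_access_granted, $a_user_id = "",$a_info = "")
    {
        $a_user_id = $this->_resolveUserId($a_user_id);

        // anything that is not an info object falls back to the current one,
        // so getInfo() never ends up calling a method on a string
        if (!is_object($a_info))
        {
            $a_info = $this->current_info;
        }

        if ($this->cache)
        {
            $entry = array("granted" => $a_access_granted, "info" => $a_info);

            $this->results[$a_ref_id][$a_permission][$a_cmd][$a_user_id] = $entry;
            $this->current_result_element = array($a_access_granted,$a_ref_id,$a_permission,$a_cmd,$a_user_id);
            $this->last_result = $entry;
            $this->last_info = $a_info;
        }

        // get new info object
        $this->current_info = new ilAccessInfo();
    }

    /**
     * Read a stored result.
     *
     * @param  string $a_permission permission
     * @param  string $a_cmd        command
     * @param  int    $a_ref_id     reference id
     * @param  mixed  $a_user_id    user id ("" = current user)
     * @return array|null           array("granted", "info"), or null if nothing is stored
     */
    function getStoredAccessResult($a_permission, $a_cmd, $a_ref_id, $a_user_id = "")
    {
        $a_user_id = $this->_resolveUserId($a_user_id);

        // isset() keeps a cache miss quiet instead of raising an undefined-index notice
        if (isset($this->results[$a_ref_id][$a_permission][$a_cmd][$a_user_id]))
        {
            return $this->results[$a_ref_id][$a_permission][$a_cmd][$a_user_id];
        }

        return null;
    }

    /**
     * Add an info item to the info object of the check currently running.
     */
    function addInfoItem($a_type, $a_text, $a_data = "")
    {
        $this->current_info->addInfoItem($a_type, $a_text, $a_data);
    }

    /**
     * Check access for the current user (see checkAccessOfUser()).
     *
     * @return boolean true only if every check stage grants access
     */
    function checkAccess($a_permission, $a_cmd, $a_ref_id, $a_type = "", $a_obj_id = "")
    {
        global $ilUser;

        return $this->checkAccessOfUser($ilUser->getId(),$a_permission, $a_cmd, $a_ref_id, $a_type, $a_obj_id);
    }

    /**
     * Check access for a given user.
     *
     * Order of evaluation: cached grant, tree, RBAC, read access on all
     * parents, preconditions, object-type specific check. The first failing
     * stage ends the chain with false.
     *
     * @param  mixed  $a_user_id    user id
     * @param  string $a_permission permission
     * @param  string $a_cmd        command
     * @param  int    $a_ref_id     reference id
     * @param  string $a_type       object type (looked up if omitted)
     * @param  mixed  $a_obj_id     object id (looked up if omitted)
     * @return boolean
     */
    function checkAccessOfUser($a_user_id,$a_permission, $a_cmd, $a_ref_id, $a_type = "", $a_obj_id = "")
    {
        global $ilBench;

        $ilBench->start("AccessControl", "0400_clear_info");
        $this->current_info->clear();
        $ilBench->stop("AccessControl", "0400_clear_info");

        $ilBench->start("AccessControl", "0500_lookup_id_and_type");
        // get object id if not provided
        if ($a_obj_id == "")
        {
            if (isset($this->obj_id_cache[$a_ref_id]) && $this->obj_id_cache[$a_ref_id] > 0)
            {
                $a_obj_id = $this->obj_id_cache[$a_ref_id];
            }
            else
            {
                $a_obj_id = ilObject::_lookupObjId($a_ref_id);
                $this->obj_id_cache[$a_ref_id] = $a_obj_id;
            }
        }
        // get object type if not provided
        if ($a_type == "")
        {
            if (isset($this->obj_type_cache[$a_ref_id]) && $this->obj_type_cache[$a_ref_id] != "")
            {
                $a_type = $this->obj_type_cache[$a_ref_id];
            }
            else
            {
                $a_type = ilObject::_lookupType($a_ref_id, true);
                $this->obj_type_cache[$a_ref_id] = $a_type;
            }
        }
        $ilBench->stop("AccessControl", "0500_lookup_id_and_type");

        // a cached grant short-circuits the chain; a cached denial does not
        if ($this->doCacheCheck($a_permission, $a_cmd, $a_ref_id, $a_user_id))
        {
            return true;
        }

        // to do: payment handling

        // check if object is in tree and not deleted
        if (!$this->doTreeCheck($a_permission, $a_cmd, $a_ref_id, $a_user_id))
        {
            return false;
        }

        // rbac check for current object
        if (!$this->doRBACCheck($a_permission, $a_cmd, $a_ref_id, $a_user_id))
        {
            return false;
        }

        // check read permission for all parents
        if (!$this->doPathCheck($a_permission, $a_cmd, $a_ref_id, $a_user_id))
        {
            return false;
        }

        // condition check (currently only implemented for read permission)
        if (!$this->doConditionCheck($a_permission, $a_cmd, $a_ref_id, $a_user_id, $a_obj_id, $a_type))
        {
            return false;
        }

        // object type specific check
        if (!$this->doStatusCheck($a_permission, $a_cmd, $a_ref_id, $a_user_id, $a_obj_id, $a_type))
        {
            return false;
        }

        // all checks passed
        return true;
    }

    /**
     * Info items of the last stored result.
     *
     * @return mixed items of the last info object; an empty array when no
     *               result has been stored yet (previously a fatal error)
     */
    function getInfo()
    {
        if (!is_object($this->last_info))
        {
            return array();
        }

        return $this->last_info->getInfoItems();
    }

    /**
     * Last stored result (array with "granted" and "info").
     */
    function getResultLast()
    {
        return $this->last_result;
    }

    /**
     * All stored results, or those of one reference id.
     *
     * @param  mixed $a_ref_id reference id ("" = everything)
     * @return array|null      null if nothing is stored for the given ref id
     */
    function getResultAll($a_ref_id = "")
    {
        if ($a_ref_id == "")
        {
            return $this->results;
        }

        return isset($this->results[$a_ref_id]) ? $this->results[$a_ref_id] : null;
    }

    /**
     * Look for a cached grant.
     *
     * Returns false both for "not cached" and for "cached denial", so only
     * grants are ever answered from the cache. When the cache switch is off
     * the stored results are ignored as well; before, entries written while
     * the cache was still on kept answering after enable("cache", false).
     *
     * @return boolean cached "granted" value, false if there is none
     */
    function doCacheCheck($a_permission, $a_cmd, $a_ref_id,$a_user_id)
    {
        global $ilBench;

        $ilBench->start("AccessControl", "1000_checkAccess_get_cache_result");

        $stored_access = null;
        if ($this->cache)
        {
            $stored_access = $this->getStoredAccessResult($a_permission, $a_cmd, $a_ref_id,$a_user_id);
        }

        if (is_array($stored_access))
        {
            // cache hit: the stored info object becomes the current one
            $this->current_info = $stored_access["info"];
            $ilBench->stop("AccessControl", "1000_checkAccess_get_cache_result");
            return $stored_access["granted"];
        }

        // not in cache
        $ilBench->stop("AccessControl", "1000_checkAccess_get_cache_result");
        return false;
    }

    /**
     * Deny access to objects that are not in the tree or are marked deleted.
     *
     * @return boolean
     */
    function doTreeCheck($a_permission, $a_cmd, $a_ref_id, $a_user_id)
    {
        global $tree, $lng, $ilBench;

        $ilBench->start("AccessControl", "2000_checkAccess_in_tree");

        if (!$tree->isInTree($a_ref_id) || $tree->isDeleted($a_ref_id))
        {
            $this->current_info->addInfoItem(IL_DELETED, $lng->txt("object_deleted"));
            $this->storeAccessResult($a_permission, $a_cmd, $a_ref_id, false,$a_user_id);
            $ilBench->stop("AccessControl", "2000_checkAccess_in_tree");

            return false;
        }

        // provisional grant: the later stages overwrite this entry
        $this->storeAccessResult($a_permission, $a_cmd, $a_ref_id, true,$a_user_id);
        $ilBench->stop("AccessControl", "2000_checkAccess_in_tree");
        return true;
    }

    /**
     * Ask the RBAC system whether the user holds the permission on the object.
     *
     * @return boolean
     */
    function doRBACCheck($a_permission, $a_cmd, $a_ref_id, $a_user_id)
    {
        global $lng, $ilBench, $ilErr, $ilLog;

        $ilBench->start("AccessControl", "2000_checkAccess_rbac_check");

        if ($a_permission == "")
        {
            $message = sprintf('%s::doRBACCheck(): No operations given! $a_ref_id: %s',
                               get_class($this),
                               $a_ref_id);
            $ilLog->write($message,$ilLog->FATAL);
            $ilErr->raiseError($message,$ilErr->MESSAGE);

            // Fail closed if the error handler returns: an empty permission
            // is never passed on to the RBAC system, and the provisional
            // grant from the tree check is replaced by a denial.
            $this->storeAccessResult($a_permission, $a_cmd, $a_ref_id, false,$a_user_id);
            $ilBench->stop("AccessControl", "2000_checkAccess_rbac_check");
            return false;
        }

        $access = $this->rbacsystem->checkAccessOfUser($a_user_id, $a_permission, $a_ref_id);

        if (!$access)
        {
            $this->current_info->addInfoItem(IL_NO_PERMISSION, $lng->txt("no_permission"));
        }

        $this->storeAccessResult($a_permission, $a_cmd, $a_ref_id, $access,$a_user_id);
        $ilBench->stop("AccessControl", "2000_checkAccess_rbac_check");

        return $access;
    }

    /**
     * Require read access (command "info") on every parent in the path.
     *
     * The stored and returned value is the combined outcome over all
     * parents. Before, the value stored after the loop was whatever the last
     * parent produced (undefined for an object without parents), and with
     * $a_all = true the method returned true even if a parent had denied
     * access.
     *
     * @param  boolean $a_all true: visit all parents and collect an info
     *                        item for each denial instead of stopping at the
     *                        first one
     * @return boolean        false if any parent denies read access
     */
    function doPathCheck($a_permission, $a_cmd, $a_ref_id, $a_user_id, $a_all = false)
    {
        global $tree, $lng, $ilBench;

        $ilBench->start("AccessControl", "3100_checkAccess_check_parents_get_path");
        $path = $tree->getPathId($a_ref_id);
        $ilBench->stop("AccessControl", "3100_checkAccess_check_parents_get_path");

        $tmp_info = $this->current_info;
        $path_granted = true;

        foreach ($path as $id)
        {
            // the object itself has been checked by the RBAC stage
            if ($a_ref_id == $id)
            {
                continue;
            }

            $access = $this->checkAccessOfUser($a_user_id, "read", "info", $id);

            if ($access == false)
            {
                $path_granted = false;
                $tmp_info->addInfoItem(IL_NO_PARENT_ACCESS, $lng->txt("no_parent_access"),$id);

                if ($a_all == false)
                {
                    $ilBench->start("AccessControl", "3200_checkAccess_check_parents_store_result");
                    $this->storeAccessResult($a_permission, $a_cmd, $a_ref_id, false,$a_user_id,$tmp_info);
                    $ilBench->stop("AccessControl", "3200_checkAccess_check_parents_store_result");
                    return false;
                }
            }
        }

        $ilBench->start("AccessControl", "3200_checkAccess_check_parents_store_result");
        $this->storeAccessResult($a_permission, $a_cmd, $a_ref_id, $path_granted,$a_user_id,$tmp_info);
        $ilBench->stop("AccessControl", "3200_checkAccess_check_parents_store_result");

        return $path_granted;
    }

    /**
     * Precondition check.
     *
     * Preconditions are evaluated only for the "read" permission and only
     * for users without "write" on the object; every other combination
     * passes this stage.
     *
     * @return boolean
     */
    function doConditionCheck($a_permission, $a_cmd, $a_ref_id,$a_user_id, $a_obj_id, $a_type)
    {
        global $lng, $ilBench;

        $ilBench->start("AccessControl", "4000_checkAccess_condition_check");

        if ($a_permission == "read" &&
            !$this->checkAccessOfUser($a_user_id, "write", "", $a_ref_id, $a_type, $a_obj_id))
        {
            if (!ilConditionHandler::_checkAllConditionsOfTarget($a_obj_id))
            {
                $conditions = ilConditionHandler::_getConditionsOfTarget($a_obj_id, $a_type);

                // one info item per precondition of the target
                foreach ($conditions as $condition)
                {
                    $this->current_info->addInfoItem(IL_MISSING_PRECONDITION,
                        $lng->txt("missing_precondition").": ".
                        ilObject::_lookupTitle($condition["trigger_obj_id"])." ".
                        $lng->txt("condition_".$condition["operator"])." ".
                        $condition["value"], $condition);
                }

                $this->storeAccessResult($a_permission, $a_cmd, $a_ref_id, false, $a_user_id);
                $ilBench->stop("AccessControl", "4000_checkAccess_condition_check");
                return false;
            }
        }

        $this->storeAccessResult($a_permission, $a_cmd, $a_ref_id, true, $a_user_id);
        $ilBench->stop("AccessControl", "4000_checkAccess_condition_check");
        return true;
    }

    /**
     * Object-type specific check: static call to
     * ilObj<Class>Access::_checkAccess().
     *
     * Access is granted only if that call returns exactly true. $a_type can
     * be supplied by callers of checkAccess(), and the class file path is
     * built from what $objDefinition returns for it, so the class name is
     * checked to consist of identifier characters before anything is
     * included. An unknown type, an empty location or a missing
     * _checkAccess() method ends in a denial.
     *
     * @return boolean
     */
    function doStatusCheck($a_permission, $a_cmd, $a_ref_id,$a_user_id, $a_obj_id, $a_type)
    {
        global $objDefinition, $ilBench;

        $ilBench->start("AccessControl", "5000_checkAccess_object_check");

        $class = $objDefinition->getClassName($a_type);
        $location = $objDefinition->getLocation($a_type);

        // stays false unless the type-specific class answers exactly true
        $obj_access = false;

        if (is_string($class) && preg_match('/^[A-Za-z0-9_]+\z/', $class) &&
            is_string($location) && $location != "")
        {
            $full_class = "ilObj".$class."Access";
            include_once($location."/class.".$full_class.".php");

            if (is_callable(array($full_class, "_checkAccess")))
            {
                $obj_access = call_user_func(array($full_class, "_checkAccess"),
                    $a_cmd, $a_permission, $a_ref_id, $a_obj_id, $a_user_id);
            }
        }

        if (!($obj_access === true))
        {
            $this->storeAccessResult($a_permission, $a_cmd, $a_ref_id, false, $a_user_id);
            $ilBench->stop("AccessControl", "5000_checkAccess_object_check");
            return false;
        }

        $ilBench->stop("AccessControl", "5000_checkAccess_object_check");

        $ilBench->start("AccessControl", "6000_checkAccess_store_access");
        $this->storeAccessResult($a_permission, $a_cmd, $a_ref_id, true, $a_user_id);
        $ilBench->stop("AccessControl", "6000_checkAccess_store_access");
        return true;
    }

    /**
     * Drop all stored results and start with a fresh info object.
     */
    function clear()
    {
        $this->results = array();
        $this->last_result = "";
        $this->current_info = new ilAccessInfo();
    }

    /**
     * Switch one of the check flags on or off.
     *
     * Only the switches initialised by the constructor are accepted. The
     * name used to be written as an arbitrary property ($this->$a_str), so
     * the same call could replace the result cache or the RBAC backend
     * reference. Unknown names are ignored.
     *
     * @param string  $a_str  cache, rbac, tree, condition, path or status
     * @param boolean $a_bool new value of the switch
     */
    function enable($a_str,$a_bool)
    {
        $switches = array("cache", "rbac", "tree", "condition", "path", "status");

        if (in_array($a_str, $switches, true))
        {
            $this->$a_str = $a_bool;
        }
    }
}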

Generated on Fri Dec 13 2013 10:18:31 for ILIAS Release_3_5_x_branch .rev 46805 by  doxygen 1.7.1