
Services/AccessControl/classes/class.ilAccessHandler.php

00001 <?php
00002 /*
00003         +-----------------------------------------------------------------------------+
00004         | ILIAS open source                                                           |
00005         +-----------------------------------------------------------------------------+
00006         | Copyright (c) 1998-2001 ILIAS open source, University of Cologne            |
00007         |                                                                             |
00008         | This program is free software; you can redistribute it and/or               |
00009         | modify it under the terms of the GNU General Public License                 |
00010         | as published by the Free Software Foundation; either version 2              |
00011         | of the License, or (at your option) any later version.                      |
00012         |                                                                             |
00013         | This program is distributed in the hope that it will be useful,             |
00014         | but WITHOUT ANY WARRANTY; without even the implied warranty of              |
00015         | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               |
00016         | GNU General Public License for more details.                                |
00017         |                                                                             |
00018         | You should have received a copy of the GNU General Public License           |
00019         | along with this program; if not, write to the Free Software                 |
00020         | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA. |
00021         +-----------------------------------------------------------------------------+
00022 */
00023 
00024 require_once("Services/AccessControl/classes/class.ilAccessInfo.php");
00025 
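/**
* Central access check for repository objects.
*
* checkAccess()/checkAccessOfUser() run a fixed chain of checks (cache, tree,
* RBAC, parent path, preconditions, object-type status). Every step records its
* outcome in an in-memory result cache keyed by
* [ref_id][permission][cmd][user_id].
*
* Security notes for maintainers:
* - The cache lives only in this object and is emptied only by clear(). A
*   permission change made while the same handler instance is alive is not seen
*   until clear() is called.
* - Only cached grants short-circuit the chain; a cached denial is re-evaluated
*   (see doCacheCheck()).
* - Steps store an interim "granted" entry before later steps have run. The entry
*   is final only after checkAccessOfUser() has returned.
*/
class ilAccessHandler
{
	// RBAC system object (reference to the global $rbacsystem)
	var $rbacsystem;
	// result cache: [ref_id][permission][cmd][user_id] => array("granted", "info")
	var $results;
	// ilAccessInfo object collecting messages for the check in progress
	var $current_info;
	// info object and result array of the most recent storeAccessResult() call
	var $last_info;
	var $last_result;
	var $current_result_element;
	// switches settable through enable(); only "cache" is read by this class
	var $cache;
	var $rbac;
	var $tree;
	var $condition;
	var $path;
	var $status;
	// ref_id => obj_id and ref_id => type lookups made by checkAccessOfUser()
	var $obj_id_cache;
	var $obj_type_cache;

	/**
	* Constructor: binds the global RBAC system and resets all caches.
	*/
	function ilAccessHandler()
	{
		global $rbacsystem;

		$this->rbacsystem =& $rbacsystem;
		$this->results = array();
		$this->current_info = new ilAccessInfo();

		// use function enable to switch on/off tests (only cache is used so far)
		$this->cache = true;
		$this->rbac = true;
		$this->tree = true;
		$this->condition = true;
		$this->path = true;
		$this->status = true;
		$this->obj_id_cache = array();
		$this->obj_type_cache = array();
	}

	/**
	* Store the outcome of one check step in the result cache.
	*
	* @param	string	$a_permission		permission that was checked
	* @param	string	$a_cmd				command that was checked
	* @param	int		$a_ref_id			reference id of the object
	* @param	boolean	$a_access_granted	outcome of the step
	* @param	int		$a_user_id			user id; "" means the current user
	* @param	object	$a_info				info object; "" means the current info object
	*/
	function storeAccessResult($a_permission, $a_cmd, $a_ref_id, $a_access_granted, $a_user_id = "",$a_info = "")
	{
		global $ilUser;

		// NOTE(review): loose comparison. On PHP versions where 0 == "" holds, a
		// user id of 0 is treated as "not given" and the entry is filed under the
		// current user's id. Confirm callers never pass 0.
		if ($a_user_id == "")
		{
			$a_user_id = $ilUser->getId();
		}

		if ($a_info == "")
		{
			$a_info = $this->current_info;
		}

		if ($this->cache)
		{
			$this->results[$a_ref_id][$a_permission][$a_cmd][$a_user_id] =
				array("granted" => $a_access_granted, "info" => $a_info);

			$this->current_result_element = array($a_access_granted,$a_ref_id,$a_permission,$a_cmd,$a_user_id);
			$this->last_result = $this->results[$a_ref_id][$a_permission][$a_cmd][$a_user_id];
			$this->last_info = $a_info;
		}

		// every stored result gets its own info object; start a fresh one
		$this->current_info = new ilAccessInfo();
	}

	/**
	* Read a cached result.
	*
	* @param	string	$a_permission	permission
	* @param	string	$a_cmd			command
	* @param	int		$a_ref_id		reference id of the object
	* @param	int		$a_user_id		user id; "" means the current user
	* @return	mixed	array("granted" => ..., "info" => ...) or null if nothing is cached
	*/
	function getStoredAccessResult($a_permission, $a_cmd, $a_ref_id, $a_user_id = "")
	{
		global $ilUser;

		if ($a_user_id == "")
		{
			$a_user_id = $ilUser->getId();
		}

		// isset() keeps a cache miss from raising undefined-index notices
		if (isset($this->results[$a_ref_id][$a_permission][$a_cmd][$a_user_id]))
		{
			return $this->results[$a_ref_id][$a_permission][$a_cmd][$a_user_id];
		}

		return null;
	}

	/**
	* Add an item to the info object of the check in progress.
	*
	* @param	mixed	$a_type		info type constant
	* @param	string	$a_text		message text
	* @param	mixed	$a_data		optional additional data
	*/
	function addInfoItem($a_type, $a_text, $a_data = "")
	{
		$this->current_info->addInfoItem($a_type, $a_text, $a_data);
	}

	/**
	* Check access for the current user (global $ilUser).
	*
	* @param	string	$a_permission	permission
	* @param	string	$a_cmd			command
	* @param	int		$a_ref_id		reference id of the object
	* @param	string	$a_type			object type; looked up if ""
	* @param	int		$a_obj_id		object id; looked up if ""
	* @return	boolean	true only if every check passed
	*/
	function checkAccess($a_permission, $a_cmd, $a_ref_id, $a_type = "", $a_obj_id = "")
	{
		global $ilUser;

		return $this->checkAccessOfUser($ilUser->getId(),$a_permission, $a_cmd, $a_ref_id, $a_type, $a_obj_id);
	}

	/**
	* Check access for an arbitrary user.
	*
	* Order of evaluation: cached grant, tree/deleted check, RBAC check, read
	* access on all parents, preconditions, object-type specific status check.
	* The first failing step ends the chain with false.
	*
	* @param	int		$a_user_id		user id
	* @param	string	$a_permission	permission
	* @param	string	$a_cmd			command
	* @param	int		$a_ref_id		reference id of the object
	* @param	string	$a_type			object type; looked up if ""
	* @param	int		$a_obj_id		object id; looked up if ""
	* @return	boolean	true only if a grant is cached or every check passed
	*/
	function checkAccessOfUser($a_user_id,$a_permission, $a_cmd, $a_ref_id, $a_type = "", $a_obj_id = "")
	{
		global $ilBench;

		$ilBench->start("AccessControl", "0400_clear_info");
		$this->current_info->clear();
		$ilBench->stop("AccessControl", "0400_clear_info");

		$ilBench->start("AccessControl", "0500_lookup_id_and_type");
		// get object id if not provided
		if ($a_obj_id == "")
		{
			if (isset($this->obj_id_cache[$a_ref_id]) && $this->obj_id_cache[$a_ref_id] > 0)
			{
				$a_obj_id = $this->obj_id_cache[$a_ref_id];
			}
			else
			{
				$a_obj_id = ilObject::_lookupObjId($a_ref_id);
				$this->obj_id_cache[$a_ref_id] = $a_obj_id;
			}
		}
		if ($a_type == "")
		{
			if (isset($this->obj_type_cache[$a_ref_id]) && $this->obj_type_cache[$a_ref_id] != "")
			{
				$a_type = $this->obj_type_cache[$a_ref_id];
			}
			else
			{
				$a_type = ilObject::_lookupType($a_ref_id, true);
				$this->obj_type_cache[$a_ref_id] = $a_type;
			}
		}
		$ilBench->stop("AccessControl", "0500_lookup_id_and_type");

		// a cached grant ends the check here; a cached denial or a miss falls through
		if ($this->doCacheCheck($a_permission, $a_cmd, $a_ref_id, $a_user_id))
		{
			return true;
		}

		// to do: payment handling

		// check if object is in tree and not deleted
		if (!$this->doTreeCheck($a_permission, $a_cmd, $a_ref_id, $a_user_id))
		{
			return false;
		}

		// rbac check for current object
		if (!$this->doRBACCheck($a_permission, $a_cmd, $a_ref_id, $a_user_id))
		{
			return false;
		}

		// check read permission for all parents
		if (!$this->doPathCheck($a_permission, $a_cmd, $a_ref_id, $a_user_id))
		{
			return false;
		}

		// condition check (currently only implemented for read permission)
		if (!$this->doConditionCheck($a_permission, $a_cmd, $a_ref_id, $a_user_id, $a_obj_id, $a_type))
		{
			return false;
		}

		// object type specific check
		if (!$this->doStatusCheck($a_permission, $a_cmd, $a_ref_id, $a_user_id, $a_obj_id, $a_type))
		{
			return false;
		}

		// all checks passed
		return true;
	}

	/**
	* Get the info items of the most recently stored result.
	*
	* @return	array	info items; empty array if no result has been stored yet
	*/
	function getInfo()
	{
		// last_info is only set by storeAccessResult() while the cache is enabled
		if (!is_object($this->last_info))
		{
			return array();
		}

		return $this->last_info->getInfoItems();
	}

	/**
	* Get the most recently stored result array.
	*/
	function getResultLast()
	{
		return $this->last_result;
	}

	/**
	* Get all cached results, or those of one reference id.
	*
	* @param	int		$a_ref_id	reference id; "" returns the whole cache
	* @return	mixed	result array, or null if nothing is cached for $a_ref_id
	*/
	function getResultAll($a_ref_id = "")
	{
		if ($a_ref_id == "")
		{
			return $this->results;
		}

		if (isset($this->results[$a_ref_id]))
		{
			return $this->results[$a_ref_id];
		}

		return null;
	}

	/**
	* Look up the result cache.
	*
	* Returns the cached "granted" value, or false when nothing is cached. The
	* caller cannot tell a cached denial from a miss, so denials are re-checked.
	*
	* @return	boolean	cached grant, false otherwise
	*/
	function doCacheCheck($a_permission, $a_cmd, $a_ref_id,$a_user_id)
	{
		global $ilBench;

		$ilBench->start("AccessControl", "1000_checkAccess_get_cache_result");
		$stored_access = $this->getStoredAccessResult($a_permission, $a_cmd, $a_ref_id,$a_user_id);

		if (is_array($stored_access))
		{
			// restore the messages that belong to the cached result
			$this->current_info = $stored_access["info"];
			$ilBench->stop("AccessControl", "1000_checkAccess_get_cache_result");
			return $stored_access["granted"];
		}

		// not in cache
		$ilBench->stop("AccessControl", "1000_checkAccess_get_cache_result");
		return false;
	}

	/**
	* Deny access to objects that are not in the tree or are marked deleted.
	*
	* NOTE(review): a pass is stored as "granted" although RBAC, path, condition
	* and status checks have not run yet. Later steps overwrite the entry; code
	* that reads the cache for the same key while the chain is still running would
	* see the interim grant.
	*
	* @return	boolean
	*/
	function doTreeCheck($a_permission, $a_cmd, $a_ref_id, $a_user_id)
	{
		global $tree, $lng, $ilBench;

		$ilBench->start("AccessControl", "2000_checkAccess_in_tree");

		if (!$tree->isInTree($a_ref_id) || $tree->isDeleted($a_ref_id))
		{
			$this->current_info->addInfoItem(IL_DELETED, $lng->txt("object_deleted"));
			$this->storeAccessResult($a_permission, $a_cmd, $a_ref_id, false,$a_user_id);
			$ilBench->stop("AccessControl", "2000_checkAccess_in_tree");

			return false;
		}

		$this->storeAccessResult($a_permission, $a_cmd, $a_ref_id, true,$a_user_id);
		$ilBench->stop("AccessControl", "2000_checkAccess_in_tree");
		return true;
	}

	/**
	* RBAC check for the object itself.
	*
	* An empty permission is logged and raised as an error and is then denied
	* explicitly, so the outcome does not depend on whether raiseError() halts.
	*
	* @return	boolean
	*/
	function doRBACCheck($a_permission, $a_cmd, $a_ref_id, $a_user_id)
	{
		global $lng, $ilBench, $ilErr, $ilLog;

		$ilBench->start("AccessControl", "2500_checkAccess_rbac_check");

		if ($a_permission == "")
		{
			$message = sprintf('%s::doRBACCheck(): No operations given! $a_ref_id: %s',
							   get_class($this),
							   $a_ref_id);
			$ilLog->write($message,$ilLog->FATAL);
			$ilErr->raiseError($message,$ilErr->MESSAGE);

			// fail closed if raiseError() returns
			$this->current_info->addInfoItem(IL_NO_PERMISSION, $lng->txt("no_permission"));
			$this->storeAccessResult($a_permission, $a_cmd, $a_ref_id, false,$a_user_id);
			$ilBench->stop("AccessControl", "2500_checkAccess_rbac_check");
			return false;
		}

		$access = $this->rbacsystem->checkAccessOfUser($a_user_id, $a_permission, $a_ref_id);

		if (!$access)
		{
			$this->current_info->addInfoItem(IL_NO_PERMISSION, $lng->txt("no_permission"));
		}

		$this->storeAccessResult($a_permission, $a_cmd, $a_ref_id, $access,$a_user_id);
		$ilBench->stop("AccessControl", "2500_checkAccess_rbac_check");

		return $access;
	}

	/**
	* Require "read" access on every parent of the object.
	*
	* With $a_all = false the check stops at the first parent without read access.
	* With $a_all = true all parents are visited so that every missing parent is
	* reported; the result is still a denial if any parent failed.
	*
	* @param	boolean	$a_all	collect info for all failing parents
	* @return	boolean	true only if every parent is readable
	*/
	function doPathCheck($a_permission, $a_cmd, $a_ref_id, $a_user_id, $a_all = false)
	{
		global $tree, $lng, $ilBench;

		$ilBench->start("AccessControl", "3100_checkAccess_check_parents_get_path");
		$path = $tree->getPathId($a_ref_id);
		$ilBench->stop("AccessControl", "3100_checkAccess_check_parents_get_path");

		// the nested checkAccessOfUser() calls replace $this->current_info
		$tmp_info = $this->current_info;

		// tracked separately: $access only holds the outcome of the last parent
		// and is never assigned when the path has no parents
		$granted = true;

		foreach ($path as $id)
		{
			if ($a_ref_id == $id)
			{
				continue;
			}

			$access = $this->checkAccessOfUser($a_user_id, "read", "info", $id);

			if ($access == false)
			{
				$granted = false;
				$tmp_info->addInfoItem(IL_NO_PARENT_ACCESS, $lng->txt("no_parent_access"),$id);

				if ($a_all == false)
				{
					$ilBench->start("AccessControl", "3200_checkAccess_check_parents_store_result");
					$this->storeAccessResult($a_permission, $a_cmd, $a_ref_id, false,$a_user_id,$tmp_info);
					$ilBench->stop("AccessControl", "3200_checkAccess_check_parents_store_result");
					return false;
				}
			}
		}

		$ilBench->start("AccessControl", "3200_checkAccess_check_parents_store_result");
		$this->storeAccessResult($a_permission, $a_cmd, $a_ref_id, $granted,$a_user_id,$tmp_info);
		$ilBench->stop("AccessControl", "3200_checkAccess_check_parents_store_result");

		return $granted;
	}

	/**
	* Precondition check; applies to "read" only.
	*
	* Users who hold "write" on the object skip the preconditions. Note that the
	* nested "write" check runs the full chain for that permission.
	*
	* @return	boolean
	*/
	function doConditionCheck($a_permission, $a_cmd, $a_ref_id,$a_user_id, $a_obj_id, $a_type)
	{
		global $lng, $ilBench;

		$ilBench->start("AccessControl", "4000_checkAccess_condition_check");

		if ($a_permission == "read" &&
			!$this->checkAccessOfUser($a_user_id, "write", "", $a_ref_id, $a_type, $a_obj_id))
		{
			if (!ilConditionHandler::_checkAllConditionsOfTarget($a_obj_id))
			{
				$conditions = ilConditionHandler::_getConditionsOfTarget($a_obj_id, $a_type);

				// one info item per condition attached to the target
				foreach ($conditions as $condition)
				{
					$this->current_info->addInfoItem(IL_MISSING_PRECONDITION,
						$lng->txt("missing_precondition").": ".
						ilObject::_lookupTitle($condition["trigger_obj_id"])." ".
						$lng->txt("condition_".$condition["operator"])." ".
						$condition["value"], $condition);
				}

				$this->storeAccessResult($a_permission, $a_cmd, $a_ref_id, false, $a_user_id);
				$ilBench->stop("AccessControl", "4000_checkAccess_condition_check");
				return false;
			}
		}

		$this->storeAccessResult($a_permission, $a_cmd, $a_ref_id, true, $a_user_id);
		$ilBench->stop("AccessControl", "4000_checkAccess_condition_check");
		return true;
	}

	/**
	* Object-type specific check, delegated to ilObj<Class>Access::_checkAccess().
	*
	* Only a strict true from the access class grants access. A type whose access
	* class cannot be resolved is denied.
	*
	* NOTE(review): the include path and class name are derived from $a_type via
	* $objDefinition. $a_type should come from the object lookup, not from request
	* data; verify callers that pass it explicitly.
	*
	* @return	boolean
	*/
	function doStatusCheck($a_permission, $a_cmd, $a_ref_id,$a_user_id, $a_obj_id, $a_type)
	{
		global $objDefinition, $ilBench;

		$ilBench->start("AccessControl", "5000_checkAccess_object_check");

		$class = $objDefinition->getClassName($a_type);
		$location = $objDefinition->getLocation($a_type);
		$full_class = "ilObj".$class."Access";
		include_once($location."/class.".$full_class.".php");

		// fail closed when the access class or its _checkAccess() is missing
		if (!is_callable(array($full_class, "_checkAccess")))
		{
			$this->storeAccessResult($a_permission, $a_cmd, $a_ref_id, false, $a_user_id);
			$ilBench->stop("AccessControl", "5000_checkAccess_object_check");
			return false;
		}

		// static call to ilObj..::_checkAccess($a_cmd, $a_permission, $a_ref_id, $a_obj_id)
		$obj_access = call_user_func(array($full_class, "_checkAccess"),
			$a_cmd, $a_permission, $a_ref_id, $a_obj_id, $a_user_id);

		if (!($obj_access === true))
		{
			$this->storeAccessResult($a_permission, $a_cmd, $a_ref_id, false, $a_user_id);
			$ilBench->stop("AccessControl", "5000_checkAccess_object_check");
			return false;
		}

		$ilBench->stop("AccessControl", "5000_checkAccess_object_check");

		$ilBench->start("AccessControl", "6000_checkAccess_store_access");
		$this->storeAccessResult($a_permission, $a_cmd, $a_ref_id, true, $a_user_id);
		$ilBench->stop("AccessControl", "6000_checkAccess_store_access");
		return true;
	}

	/**
	* Empty the result cache and start a fresh info object.
	*
	* The ref_id lookup caches and last_info are left as they are.
	*/
	function clear()
	{
		$this->results = array();
		$this->last_result = "";
		$this->current_info = new ilAccessInfo();
	}

	/**
	* Switch one of the check flags on or off.
	*
	* Only the switches initialised by the constructor are accepted. Any other
	* name is ignored, so this method cannot overwrite the result cache, the RBAC
	* system reference or other internal state.
	*
	* @param	string	$a_str	"cache", "rbac", "tree", "condition", "path" or "status"
	* @param	boolean	$a_bool	new value
	*/
	function enable($a_str,$a_bool)
	{
		$switches = array("cache", "rbac", "tree", "condition", "path", "status");

		if (in_array($a_str, $switches, true))
		{
			$this->$a_str = $a_bool;
		}
	}
}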

Generated on Fri Dec 13 2013 11:57:59 for ILIAS Release_3_6_x_branch .rev 46809 by  doxygen 1.7.1