ILIAS  Release_4_1_x_branch Revision 61804
class.ilRbacAdmin.php
1 <?php
2 /*
3  +-----------------------------------------------------------------------------+
4  | ILIAS open source |
5  +-----------------------------------------------------------------------------+
6  | Copyright (c) 1998-2001 ILIAS open source, University of Cologne |
7  | |
8  | This program is free software; you can redistribute it and/or |
9  | modify it under the terms of the GNU General Public License |
10  | as published by the Free Software Foundation; either version 2 |
11  | of the License, or (at your option) any later version. |
12  | |
13  | This program is distributed in the hope that it will be useful, |
14  | but WITHOUT ANY WARRANTY; without even the implied warranty of |
15  | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
16  | GNU General Public License for more details. |
17  | |
18  | You should have received a copy of the GNU General Public License |
19  | along with this program; if not, write to the Free Software |
20  | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. |
21  +-----------------------------------------------------------------------------+
22 */
23 
24 
39 {
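/**
 * PHP 4 style constructor: binds the database handle and the error handler
 * that the other methods of this class use.
 *
 * The database handle is the global $ilDB when it is set, otherwise
 * $ilias->db. When no global error handler exists yet, one is created and
 * registered with the PEAR callback mode.
 */
function ilRbacAdmin()
{
    global $ilDB,$ilErr,$ilias;

    // set db & error handler
    if (isset($ilDB))
    {
        $this->ilDB =& $ilDB;
    }
    else
    {
        $this->ilDB =& $ilias->db;
    }

    if (!isset($ilErr))
    {
        $ilErr = new ilErrorHandling();
        $ilErr->setErrorHandling(PEAR_ERROR_CALLBACK,array($ilErr,'errorHandler'));
    }

    // Bind the handler on both paths. Previously a freshly created handler was
    // never stored on the instance, so every later $this->ilErr->raiseError()
    // in this class would have been called on an unset property.
    $this->ilErr =& $ilErr;
}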
61 
/**
 * Deletes every rbac_ua row of the given user.
 *
 * The method itself performs no permission check on the caller.
 *
 * @param  int  $a_usr_id value matched against rbac_ua.usr_id
 * @return bool always true
 */
function removeUser($a_usr_id)
{
    global $ilDB;

    if (!isset($a_usr_id))
    {
        // NOTE(review): nothing here stops execution; the DELETE below still
        // runs if the error handler returns - confirm that WARNING aborts.
        $this->ilErr->raiseError(
            get_class($this)."::removeUser(): No usr_id given!",
            $this->ilErr->WARNING
        );
    }

    // The id is typed as 'integer' by the DB layer before it reaches the SQL text.
    $quoted_usr_id = $ilDB->quote($a_usr_id,'integer');
    $ilDB->manipulate("DELETE FROM rbac_ua WHERE usr_id = ".$quoted_usr_id);

    return true;
}
84 
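/**
 * Deletes a role: its LDAP group mapping, its user assignments (rbac_ua),
 * its permission assignments (rbac_pa) and, through deleteLocalRole(), its
 * rbac_fa and rbac_templates rows.
 *
 * The method itself performs no permission check on the caller.
 *
 * @param  int  $a_rol_id role id
 * @param  int  $a_ref_id ref_id of the role folder; only checked for presence,
 *                        it is not used to narrow any of the deletes
 * @return bool true after the deletes ran, false when the system role was refused
 */
function deleteRole($a_rol_id,$a_ref_id)
{
    global $lng,$ilDB;

    if (!isset($a_rol_id) or !isset($a_ref_id))
    {
        $message = get_class($this)."::deleteRole(): Missing parameter! role_id: ".$a_rol_id." ref_id of role folder: ".$a_ref_id;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID)
    {
        $this->ilErr->raiseError($lng->txt("msg_sysrole_not_deletable"),$this->ilErr->MESSAGE);

        // Fail closed: if the error handler returns instead of ending the
        // request, the system role's assignments must still not be deleted.
        return false;
    }

    include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
    // $mapping has to be bound before it is used; the class's static accessor
    // supplies the instance.
    $mapping = ilLDAPRoleGroupMapping::_getInstance();
    $mapping->deleteRole($a_rol_id);

    // TODO: check assigned users before deletion
    // This is done in ilObjRole. Should be better moved to this place?

    // delete user assignments
    $query = "DELETE FROM rbac_ua ".
        "WHERE rol_id = ".$ilDB->quote($a_rol_id,'integer');
    $res = $ilDB->manipulate($query);

    // delete permission assignments
    $query = "DELETE FROM rbac_pa ".
        "WHERE rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
    $res = $ilDB->manipulate($query);

    // delete rbac_templates and rbac_fa (no folder given, so in every folder)
    $this->deleteLocalRole($a_rol_id);

    return true;
}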
131 
/**
 * Deletes all rbac_templates rows and all rbac_fa rows whose rol_id equals
 * the given id.
 *
 * Unlike the role-oriented methods of this class, there is no
 * SYSTEM_ROLE_ID exclusion here.
 *
 * @param  int  $a_obj_id value matched against the rol_id column of both tables
 * @return bool always true
 */
function deleteTemplate($a_obj_id)
{
    global $ilDB;

    if (!isset($a_obj_id))
    {
        $this->ilErr->raiseError(
            get_class($this)."::deleteTemplate(): No obj_id given!",
            $this->ilErr->WARNING
        );
    }

    $template_delete = 'DELETE FROM rbac_templates '.
        'WHERE rol_id = '.$ilDB->quote($a_obj_id,'integer');
    $ilDB->manipulate($template_delete);

    $folder_delete = 'DELETE FROM rbac_fa '.
        'WHERE rol_id = '.$ilDB->quote($a_obj_id,'integer');
    $ilDB->manipulate($folder_delete);

    return true;
}
158 
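/**
 * Deletes the rbac_fa and rbac_templates rows of a role, optionally limited
 * to one parent folder.
 *
 * The system role is skipped silently. The method itself performs no
 * permission check on the caller.
 *
 * @param  int  $a_rol_id role id
 * @param  int  $a_ref_id parent folder to restrict the delete to; 0 (default)
 *                        deletes the role's rows under every parent
 * @return bool always true
 */
function deleteLocalRole($a_rol_id,$a_ref_id = 0)
{
    global $ilDB;

    if (!isset($a_rol_id))
    {
        $message = get_class($this)."::deleteLocalRole(): Missing parameter! role_id: '".$a_rol_id."'";
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID)
    {
        return true;
    }

    // Start from an empty restriction so that the queries below never read an
    // undefined variable when no folder was given.
    $clause = '';

    // NOTE(review): the comparison is loose. On PHP < 8 a non-numeric string
    // compares equal to 0, which drops the restriction and widens the delete
    // to every parent - callers should pass an integer.
    if ($a_ref_id != 0)
    {
        $clause = 'AND parent = '.$ilDB->quote($a_ref_id,'integer').' ';
    }

    $query = 'DELETE FROM rbac_fa '.
        'WHERE rol_id = '.$ilDB->quote($a_rol_id,'integer').' '.
        $clause;
    $res = $ilDB->manipulate($query);

    $query = 'DELETE FROM rbac_templates '.
        'WHERE rol_id = '.$ilDB->quote($a_rol_id,'integer').' '.
        $clause;
    $res = $ilDB->manipulate($query);

    return true;
}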
198 
199 
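/**
 * Assigns a user to a role.
 *
 * When the pair is not yet assigned, a rbac_ua row is inserted and the
 * desktop items attached to the role are added to the user's desktop. The
 * LDAP role/group mapping is notified in either case.
 *
 * The method itself performs no permission check on the caller.
 *
 * @param  int  $a_rol_id  role id
 * @param  int  $a_usr_id  user id
 * @param  bool $a_default not read by this method
 * @return bool always true
 */
function assignUser($a_rol_id,$a_usr_id,$a_default = false)
{
    global $ilDB,$rbacreview;

    if (!isset($a_rol_id) or !isset($a_usr_id))
    {
        // NOTE(review): the raiseError call is disabled, so missing ids are
        // not rejected here; the message is built and discarded.
        $message = get_class($this)."::assignUser(): Missing parameter! role_id: ".$a_rol_id." usr_id: ".$a_usr_id;
        #$this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    // check if already assigned user id and role_id
    $alreadyAssigned = $rbacreview->isAssigned($a_usr_id,$a_rol_id);

    // enhanced: only if we haven't had this role for this user
    if (!$alreadyAssigned)
    {
        $query = "INSERT INTO rbac_ua (usr_id, rol_id) ".
            "VALUES (".$ilDB->quote($a_usr_id,'integer').",".$ilDB->quote($a_rol_id,'integer').")";
        $res = $ilDB->manipulate($query);

        include_once 'Services/AccessControl/classes/class.ilRoleDesktopItem.php';

        // Plain assignment: objects are handles already, and assigning the
        // result of new by reference is rejected by current PHP versions.
        $role_desk_item_obj = new ilRoleDesktopItem($a_rol_id);

        if(is_object($tmp_user = ilObjectFactory::getInstanceByObjId($a_usr_id,false)))
        {
            foreach($role_desk_item_obj->getAll() as $item_data)
            {
                if(!$tmp_user->isDesktopItem($item_data['item_id'],$item_data['item_type']))
                {
                    $tmp_user->addDesktopItem($item_data['item_id'],$item_data['item_type']);
                }
            }
        }
    }

    include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
    // $mapping has to be bound before it is used; the class's static accessor
    // supplies the instance.
    $mapping = ilLDAPRoleGroupMapping::_getInstance();
    $mapping->assign($a_rol_id,$a_usr_id);

    return true;
}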
251 
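/**
 * Removes the assignment of a user to a role from rbac_ua and notifies the
 * LDAP role/group mapping.
 *
 * There is no SYSTEM_ROLE_ID exclusion here and the method itself performs
 * no permission check on the caller.
 *
 * @param  int  $a_rol_id role id
 * @param  int  $a_usr_id user id
 * @return bool always true
 */
function deassignUser($a_rol_id,$a_usr_id)
{
    global $ilDB;

    if (!isset($a_rol_id) or !isset($a_usr_id))
    {
        $message = get_class($this)."::deassignUser(): Missing parameter! role_id: ".$a_rol_id." usr_id: ".$a_usr_id;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    $query = "DELETE FROM rbac_ua ".
        "WHERE usr_id = ".$ilDB->quote($a_usr_id,'integer')." ".
        "AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
    $res = $ilDB->manipulate($query);

    include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
    // $mapping has to be bound before it is used; the class's static accessor
    // supplies the instance.
    $mapping = ilLDAPRoleGroupMapping::_getInstance();
    $mapping->deassign($a_rol_id,$a_usr_id);

    return true;
}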
280 
/**
 * Replaces the operations a role holds on one object.
 *
 * The existing rbac_pa row for (rol_id, ref_id) is always deleted first.
 * Every operation id is cast to int, the array is stored as one PHP
 * serialize() string in rbac_pa.ops_id. The system role is skipped.
 *
 * NOTE(review): whatever reads ops_id back presumably unserializes it; the
 * int cast below keeps the stored payload to an array of integers.
 *
 * The method itself performs no permission check on the caller.
 *
 * @param  int   $a_rol_id role id
 * @param  array $a_ops    operation ids
 * @param  int   $a_ref_id object reference id
 * @return bool  true on insert or when the system role is skipped; false when
 *               $a_ops is empty (the old row has been deleted by then)
 */
function grantPermission($a_rol_id,$a_ops,$a_ref_id)
{
    global $ilDB;

    if (!isset($a_rol_id,$a_ops,$a_ref_id))
    {
        $this->ilErr->raiseError(get_class($this)."::grantPermission(): Missing parameter! ".
            "role_id: ".$a_rol_id." ref_id: ".$a_ref_id." operations: ",$this->ilErr->WARNING);
    }

    if (!is_array($a_ops))
    {
        $this->ilErr->raiseError(get_class($this)."::grantPermission(): Wrong datatype for operations!",
            $this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID)
    {
        return true;
    }

    // convert all values to integer
    foreach ($a_ops as $idx => $ops_id)
    {
        $a_ops[$idx] = (int) $ops_id;
    }

    // Clear the current grant for this role on this object.
    $delete = 'DELETE FROM rbac_pa '.
        'WHERE rol_id = %s '.
        'AND ref_id = %s';
    $ilDB->queryF($delete,array('integer','integer'),array($a_rol_id,$a_ref_id));

    // An empty list means "revoke everything": nothing is inserted.
    if (count($a_ops) == 0)
    {
        return false;
    }

    // serialize the ops_id array
    $ops_ids = serialize($a_ops);

    $insert = "INSERT INTO rbac_pa (rol_id,ops_id,ref_id) ".
        "VALUES ".
        "(".$ilDB->quote($a_rol_id,'integer').",".$ilDB->quote($ops_ids,'text').",".$ilDB->quote($a_ref_id,'integer').")";
    $ilDB->manipulate($insert);

    return true;
}
344 
/**
 * Deletes rbac_pa rows for an object, for one role or for all roles.
 *
 * With $a_keep_protected != true the rows are deleted without looking at
 * the protected flag. Otherwise roles flagged 'protected' in the result of
 * getParentRoleIds($a_ref_id) are left alone. The system role is skipped in
 * both modes when it is passed explicitly.
 *
 * NOTE(review): in the single-role protected path the flag is read as
 * $roles_in_scope[$a_rol_id]['protected']. When the role is not a key of
 * that array the lookup yields nothing, the test is false and the delete
 * proceeds - i.e. a role outside the scope list is treated as unprotected.
 *
 * The method itself performs no permission check on the caller.
 *
 * @param  int  $a_ref_id         object reference id
 * @param  int  $a_rol_id         role id; 0 (default) means all roles
 * @param  bool $a_keep_protected true (default) to respect the protected flag
 * @return bool always true
 */
function revokePermission($a_ref_id,$a_rol_id = 0,$a_keep_protected = true)
{
    global $rbacreview,$log,$ilDB;

    if (!isset($a_ref_id))
    {
        $this->ilErr->raiseError(
            get_class($this)."::revokePermission(): Missing parameter! ref_id: ".$a_ref_id,
            $this->ilErr->WARNING
        );
    }

    // bypass protected status of roles
    if ($a_keep_protected != true)
    {
        // exclude system role from rbac
        if ($a_rol_id == SYSTEM_ROLE_ID)
        {
            return true;
        }

        // No role given: the delete covers every role on this object.
        $role_filter = $a_rol_id
            ? " AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." "
            : "";

        $ilDB->manipulate(
            "DELETE FROM rbac_pa ".
            "WHERE ref_id = ".$ilDB->quote($a_ref_id,'integer').
            $role_filter
        );

        return true;
    }

    // consider protected status of roles:
    // in any case, get all roles in scope first
    $roles_in_scope = $rbacreview->getParentRoleIds($a_ref_id);

    if ($a_rol_id)
    {
        // exclude system role from rbac
        if ($a_rol_id == SYSTEM_ROLE_ID)
        {
            return true;
        }

        // exclude protected permission settings from revoking
        if ($roles_in_scope[$a_rol_id]['protected'] == true)
        {
            return true;
        }

        $ilDB->manipulate(
            "DELETE FROM rbac_pa ".
            "WHERE ref_id = ".$ilDB->quote($a_ref_id,'integer')." ".
            "AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." "
        );

        return true;
    }

    // All roles: collect the ids of the unprotected ones.
    $role_ids = array();
    foreach ($roles_in_scope as $scope_role)
    {
        if ($scope_role['protected'] != true)
        {
            $role_ids[] = $scope_role['obj_id'];
        }
    }

    // return if no role in array
    if (!$role_ids)
    {
        return true;
    }

    $ilDB->manipulate(
        'DELETE FROM rbac_pa '.
        'WHERE '.$ilDB->in('rol_id',$role_ids,false,'integer').' '.
        'AND ref_id = '.$ilDB->quote($a_ref_id,'integer')
    );

    return true;
}
447 
/**
 * Deletes the rbac_pa rows of one role for every tree node whose lft/rgt
 * values lie within those of the given node (the node itself included).
 *
 * There is no parameter validation, no SYSTEM_ROLE_ID exclusion and no
 * protected-flag handling in this method, and it performs no permission
 * check on the caller.
 *
 * @param  int  $a_ref_id  tree node (tree.child) that bounds the range
 * @param  int  $a_role_id role id
 * @return bool always true
 */
public function revokeSubtreePermissions($a_ref_id,$a_role_id)
{
    global $ilDB;

    // Bounds of the range, looked up from the bounding node's own row.
    $lft_bound = "(SELECT lft FROM tree WHERE child = ".$ilDB->quote($a_ref_id,'integer')." )";
    $rgt_bound = "(SELECT rgt FROM tree WHERE child = ".$ilDB->quote($a_ref_id,'integer')." )";

    $subtree = "(SELECT child FROM tree WHERE ".
        "lft >= ".$lft_bound." AND ".
        "rgt <= ".$rgt_bound." ".
        ") ";

    $ilDB->manipulate(
        "DELETE FROM rbac_pa ".
        "WHERE ref_id IN ".
        $subtree.
        "AND rol_id = ".$ilDB->quote($a_role_id,'integer')
    );

    return true;
}
469 
/**
 * Deletes the rbac_templates rows and then the rbac_fa rows of one role
 * whose parent is a tree node with lft/rgt values within those of the given
 * node (the node itself included).
 *
 * There is no parameter validation and no SYSTEM_ROLE_ID exclusion in this
 * method, and it performs no permission check on the caller.
 *
 * @param  int  $a_ref_id tree node (tree.child) that bounds the range
 * @param  int  $a_rol_id role id
 * @return bool always true
 */
public function deleteSubtreeTemplates($a_ref_id,$a_rol_id)
{
    global $ilDB;

    // Same statement for both tables; rbac_templates is handled first.
    foreach (array('rbac_templates','rbac_fa') as $table)
    {
        $lft_bound = "(SELECT lft FROM tree WHERE child = ".$ilDB->quote($a_ref_id,'integer')." )";
        $rgt_bound = "(SELECT rgt FROM tree WHERE child = ".$ilDB->quote($a_ref_id,'integer')." )";

        $query = "DELETE FROM ".$table." ".
            "WHERE parent IN ".
            "(SELECT child FROM tree WHERE ".
            "lft >= ".$lft_bound." AND ".
            "rgt <= ".$rgt_bound." ".
            ") ".
            "AND rol_id = ".$ilDB->quote($a_rol_id,'integer');

        $ilDB->manipulate($query);
    }

    return true;
}
503 
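/**
 * Deletes the rbac_pa rows of one role for a list of objects.
 *
 * The system role is skipped. The protected flag is not consulted and the
 * method itself performs no permission check on the caller.
 *
 * @param  array $a_ref_ids object reference ids
 * @param  int   $a_rol_id  role id
 * @return bool  always true
 */
function revokePermissionList($a_ref_ids,$a_rol_id)
{
    global $ilDB;

    if (!isset($a_ref_ids) or !is_array($a_ref_ids))
    {
        // var_export(..., true) returns the dump as a string. var_dump() would
        // print the value straight into the response and contribute nothing to
        // the message.
        $message = get_class($this)."::revokePermissionList(): Missing parameter or parameter is not an array! reference_list: ".var_export($a_ref_ids,true);
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    if (!isset($a_rol_id))
    {
        $message = get_class($this)."::revokePermissionList(): Missing parameter! rol_id: ".$a_rol_id;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID)
    {
        return true;
    }

    $query = "DELETE FROM rbac_pa ".
        "WHERE ".$ilDB->in('ref_id',$a_ref_ids,false,'integer').' '.
        "AND rol_id = ".$ilDB->quote($a_rol_id,'integer');
    $res = $ilDB->manipulate($query);

    return true;
}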
540 
/**
 * Copies a role's template permissions and its object permissions from one
 * role folder to another.
 *
 * The object permissions are read from the tree parent of the source folder
 * and written to the tree parent of the destination folder.
 *
 * NOTE(review): $a_consider_protected is forwarded to the template copy
 * only. revokePermission() is called with its default (protected roles are
 * kept), but grantPermission() deletes and rewrites the destination row
 * regardless, so a protected destination role is overwritten as well.
 *
 * The method itself performs no permission check on the caller.
 *
 * @param  int  $a_source_id          source role id
 * @param  int  $a_source_parent      role folder of the source role
 * @param  int  $a_dest_parent        role folder of the destination role
 * @param  int  $a_dest_id            destination role id
 * @param  bool $a_consider_protected passed through to copyRoleTemplatePermissions()
 * @return bool always true
 */
public function copyRolePermissions($a_source_id,$a_source_parent,$a_dest_parent,$a_dest_id,$a_consider_protected = true)
{
    global $tree,$rbacreview;

    // Copy template permissions
    $this->copyRoleTemplatePermissions(
        $a_source_id,
        $a_source_parent,
        $a_dest_parent,
        $a_dest_id,
        $a_consider_protected
    );

    // Objects that own the two role folders.
    $source_object = $tree->getParentId($a_source_parent);
    $target_object = $tree->getParentId($a_dest_parent);

    $source_ops = $rbacreview->getRoleOperationsOnObject($a_source_id,$source_object);

    $this->revokePermission($target_object,$a_dest_id);
    $this->grantPermission($a_dest_id,$source_ops,$target_object);

    return true;
}
566 
/**
 * Replaces the rbac_templates rows of the destination role/folder with
 * copies of the source role/folder rows.
 *
 * The destination rows are deleted first, then each source row is inserted
 * with the destination role id and parent. When $a_consider_protected is
 * true and the source is protected, the destination role is set protected
 * too. The system role as destination is skipped.
 *
 * The delete and the inserts are separate statements; no transaction is
 * opened in this method.
 *
 * @param  int  $a_source_id          source role id
 * @param  int  $a_source_parent      parent of the source templates
 * @param  int  $a_dest_parent        parent of the destination templates
 * @param  int  $a_dest_id            destination role id
 * @param  bool $a_consider_protected copy the protected status if set on the source
 * @return bool always true
 */
function copyRoleTemplatePermissions($a_source_id,$a_source_parent,$a_dest_parent,$a_dest_id,$a_consider_protected = true)
{
    global $rbacreview,$ilDB;

    if (!isset($a_source_id,$a_source_parent,$a_dest_id,$a_dest_parent))
    {
        $message = __METHOD__.": Missing parameter! source_id: ".$a_source_id.
            " source_parent_id: ".$a_source_parent.
            " dest_id : ".$a_dest_id.
            " dest_parent_id: ".$a_dest_parent;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_dest_id == SYSTEM_ROLE_ID)
    {
        return true;
    }

    // Drop what the destination currently holds.
    $ilDB->manipulate(
        'DELETE FROM rbac_templates WHERE rol_id = '.$ilDB->quote($a_dest_id,'integer').' '.
        'AND parent = '.$ilDB->quote($a_dest_parent,'integer')
    );

    $source_rows = $ilDB->query(
        'SELECT * FROM rbac_templates '.
        'WHERE rol_id = '.$ilDB->quote($a_source_id,'integer').' '.
        'AND parent = '.$ilDB->quote($a_source_parent,'integer')
    );

    while ($template = $ilDB->fetchObject($source_rows))
    {
        // Values read back from the table are quoted again before reuse.
        $values = implode(",",array(
            $ilDB->quote($a_dest_id,'integer'),
            $ilDB->quote($template->type,'text'),
            $ilDB->quote($template->ops_id,'integer'),
            $ilDB->quote($a_dest_parent,'integer'),
        ));

        $ilDB->manipulate(
            'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
            'VALUES ('.$values.")"
        );
    }

    // copy also protection status if applicable
    if ($a_consider_protected == true && $rbacreview->isProtected($a_source_parent,$a_source_id))
    {
        $this->setProtected($a_dest_parent,$a_dest_id,'y');
    }

    return true;
}
/**
 * Inserts, for the destination role/folder, every (type, ops_id) pair that
 * both source roles hold in rbac_templates.
 *
 * Nothing is copied when the destination is the system role or when the
 * second source is protected. Existing destination rows are not deleted by
 * this method.
 *
 * @param  int  $a_source1_id     first source role id
 * @param  int  $a_source1_parent parent of the first source
 * @param  int  $a_source2_id     second source role id
 * @param  int  $a_source2_parent parent of the second source
 * @param  int  $a_dest_parent    parent of the destination templates
 * @param  int  $a_dest_id        destination role id
 * @return bool always true
 */
function copyRolePermissionIntersection($a_source1_id,$a_source1_parent,$a_source2_id,$a_source2_parent,$a_dest_parent,$a_dest_id)
{
    global $rbacreview,$ilDB;

    if (!isset($a_source1_id,$a_source1_parent,$a_source2_id,$a_source2_parent,$a_dest_id,$a_dest_parent))
    {
        $message = get_class($this)."::copyRolePermissionIntersection(): Missing parameter! source1_id: ".$a_source1_id.
            " source1_parent: ".$a_source1_parent.
            " source2_id: ".$a_source2_id.
            " source2_parent: ".$a_source2_parent.
            " dest_id: ".$a_dest_id.
            " dest_parent_id: ".$a_dest_parent;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_dest_id == SYSTEM_ROLE_ID)
    {
        return true;
    }

    // A protected second source blocks the copy altogether.
    if ($rbacreview->isProtected($a_source2_parent,$a_source2_id))
    {
        return true;
    }

    // Self-join of rbac_templates: pairs present for both sources.
    $common = $ilDB->query(
        "SELECT s1.type, s1.ops_id ".
        "FROM rbac_templates s1, rbac_templates s2 ".
        "WHERE s1.rol_id = ".$ilDB->quote($a_source1_id,'integer')." ".
        "AND s1.parent = ".$ilDB->quote($a_source1_parent,'integer')." ".
        "AND s2.rol_id = ".$ilDB->quote($a_source2_id,'integer')." ".
        "AND s2.parent = ".$ilDB->quote($a_source2_parent,'integer')." ".
        "AND s1.type = s2.type ".
        "AND s1.ops_id = s2.ops_id"
    );

    // One prepared statement, executed once per common pair.
    $insert = $ilDB->prepareManip(
        'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
        'VALUES (?,?,?,?)',
        array('integer','text','integer','integer')
    );

    while ($pair = $ilDB->fetchObject($common))
    {
        $ilDB->execute($insert,array($a_dest_id,$pair->type,$pair->ops_id,$a_dest_parent));
    }

    return true;
}
691 
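/**
 * Deletes the rbac_templates rows of a role under one parent, optionally
 * limited to one object type.
 *
 * The system role is skipped. The method itself performs no permission
 * check on the caller.
 *
 * @param  int          $a_rol_id role id
 * @param  int          $a_ref_id value matched against rbac_templates.parent
 * @param  string|false $a_type   object type to restrict the delete to;
 *                                false (default) deletes all types
 * @return bool always true
 */
function deleteRolePermission($a_rol_id,$a_ref_id,$a_type = false)
{
    global $ilDB;

    if (!isset($a_rol_id) or !isset($a_ref_id))
    {
        $message = get_class($this)."::deleteRolePermission(): Missing parameter! role_id: ".$a_rol_id." ref_id: ".$a_ref_id;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID)
    {
        return true;
    }

    // Start from an empty restriction so that the query below never reads an
    // undefined variable when no type was given.
    $and_type = '';
    if ($a_type !== false)
    {
        $and_type = " AND type=".$ilDB->quote($a_type,'text')." ";
    }

    $query = 'DELETE FROM rbac_templates '.
        'WHERE rol_id = '.$ilDB->quote($a_rol_id,'integer').' '.
        'AND parent = '.$ilDB->quote($a_ref_id,'integer').' '.
        $and_type;

    $res = $ilDB->manipulate($query);

    return true;
}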
732 
/**
 * Inserts one rbac_templates row per operation for a role, object type and
 * parent.
 *
 * Existing rows are not removed here. The system role is skipped. The
 * method itself performs no permission check on the caller.
 *
 * @param  int    $a_rol_id role id
 * @param  string $a_type   object type, must be a non-empty string
 * @param  array  $a_ops    operation ids, must be a non-empty array
 * @param  int    $a_ref_id value stored in rbac_templates.parent
 * @return bool   always true
 */
function setRolePermission($a_rol_id,$a_type,$a_ops,$a_ref_id)
{
    global $ilDB;

    if (!isset($a_rol_id,$a_type,$a_ops,$a_ref_id))
    {
        $message = get_class($this)."::setRolePermission(): Missing parameter!".
            " role_id: ".$a_rol_id.
            " type: ".$a_type.
            " operations: ".$a_ops.
            " ref_id: ".$a_ref_id;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    if (!is_string($a_type) || empty($a_type))
    {
        $this->ilErr->raiseError(
            get_class($this)."::setRolePermission(): a_type is no string or empty!",
            $this->ilErr->WARNING
        );
    }

    if (!is_array($a_ops) || empty($a_ops))
    {
        $this->ilErr->raiseError(
            get_class($this)."::setRolePermission(): a_ops is no array or empty!",
            $this->ilErr->WARNING
        );
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID)
    {
        return true;
    }

    // One prepared statement with typed placeholders, executed per operation.
    $insert = $ilDB->prepareManip(
        'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
        'VALUES (?,?,?,?)',
        array('integer','text','integer','integer')
    );

    foreach ($a_ops as $ops_id)
    {
        $ilDB->execute($insert,array($a_rol_id,$a_type,$ops_id,$a_ref_id));
    }

    return true;
}
790 
/**
 * Inserts a rbac_fa row that links a role to a parent folder.
 *
 * The row is always written with protected = 'n'. Any assign value that
 * does not compare equal to "y" is stored as "n". The system role is
 * skipped. The method itself performs no permission check on the caller.
 *
 * @param  int    $a_rol_id role id
 * @param  int    $a_parent value stored in rbac_fa.parent
 * @param  string $a_assign "y" (default) or "n"
 * @return bool   always true
 */
function assignRoleToFolder($a_rol_id,$a_parent,$a_assign = "y")
{
    global $ilDB;

    if (!isset($a_rol_id,$a_parent))
    {
        $message = get_class($this)."::assignRoleToFolder(): Missing Parameter!".
            " role_id: ".$a_rol_id.
            " parent_id: ".$a_parent.
            " assign: ".$a_assign;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID)
    {
        return true;
    }

    // if a wrong value is passed, always set assign to "n"
    $assign_flag = ($a_assign != "y") ? "n" : $a_assign;

    $values = implode(',',array(
        $ilDB->quote($a_rol_id,'integer'),
        $ilDB->quote($a_parent,'integer'),
        $ilDB->quote($assign_flag,'text'),
        $ilDB->quote('n','text'),
    ));

    $ilDB->manipulate(
        'INSERT INTO rbac_fa (rol_id, parent, assign, protected) '.
        'VALUES ('.$values.')'
    );

    return true;
}
839 
/**
 * Inserts a rbac_ta row that pairs an object type id with an operation id.
 *
 * The method itself performs no permission check on the caller.
 *
 * @param  int  $a_type_id value stored in rbac_ta.typ_id
 * @param  int  $a_ops_id  value stored in rbac_ta.ops_id
 * @return bool always true
 */
function assignOperationToObject($a_type_id,$a_ops_id)
{
    global $ilDB;

    if (!isset($a_type_id,$a_ops_id))
    {
        $message = get_class($this)."::assignOperationToObject(): Missing parameter!".
            "type_id: ".$a_type_id.
            "ops_id: ".$a_ops_id;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    $quoted_type = $ilDB->quote($a_type_id,'integer');
    $quoted_ops  = $ilDB->quote($a_ops_id,'integer');

    $ilDB->manipulate(
        "INSERT INTO rbac_ta (typ_id, ops_id) ".
        "VALUES(".$quoted_type.",".$quoted_ops.")"
    );

    return true;
}
865 
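/**
 * Deletes the rbac_ta row that pairs an object type id with an operation id.
 *
 * The method itself performs no permission check on the caller.
 *
 * @param  int  $a_type_id value matched against rbac_ta.typ_id
 * @param  int  $a_ops_id  value matched against rbac_ta.ops_id
 * @return bool always true
 */
function deassignOperationFromObject($a_type_id,$a_ops_id)
{
    global $ilDB;

    if (!isset($a_type_id) or !isset($a_ops_id))
    {
        // The message names this method; it previously pointed at a
        // non-existent deassignPermissionFromObject(), which sends anyone
        // reading the warning to the wrong place.
        $message = get_class($this)."::deassignOperationFromObject(): Missing parameter!".
            "type_id: ".$a_type_id.
            "ops_id: ".$a_ops_id;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    $query = "DELETE FROM rbac_ta ".
        "WHERE typ_id = ".$ilDB->quote($a_type_id,'integer')." ".
        "AND ops_id = ".$ilDB->quote($a_ops_id,'integer');
    $res = $ilDB->manipulate($query);

    return true;
}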
893 
/**
 * Sets the protected column of every rbac_fa row of a role.
 *
 * The value is written as given (quoted as text); it is not restricted to
 * 'y'/'n' here. There is no parameter validation and no SYSTEM_ROLE_ID
 * exclusion, and the method performs no permission check on the caller.
 *
 * @param  int    $a_ref_id  not used yet
 * @param  int    $a_role_id role id
 * @param  string $a_value   value stored in rbac_fa.protected
 * @return bool   always true
 */
function setProtected($a_ref_id,$a_role_id,$a_value)
{
    global $ilDB;

    // ref_id not used yet. protected permission acts 'global' for each role,
    // regardless of any broken inheritance before
    $new_value = $ilDB->quote($a_value,'text');
    $role_id   = $ilDB->quote($a_role_id,'integer');

    $ilDB->manipulate(
        'UPDATE rbac_fa '.
        'SET protected = '.$new_value.' '.
        'WHERE rol_id = '.$role_id
    );

    return true;
}
906 
/**
 * Copies the local roles of one object to another object.
 *
 * Roles whose title starts with 'il_' are left out. For every remaining
 * role a new role object with the same title, description and import id is
 * created, assigned to the target role folder and given the source role's
 * permissions (protected status included). A role folder is created on the
 * target when it has none.
 *
 * The method itself performs no permission check on the caller.
 *
 * @param  int $a_source_id ref_id of the source object
 * @param  int $a_target_id ref_id of the target object
 * @return bool|null true when there is nothing to copy, false when the
 *                   target object cannot be instantiated; after copying the
 *                   method ends without a return statement (null)
 */
public function copyLocalRoles($a_source_id,$a_target_id)
{
    global $rbacreview,$ilLog,$ilObjDataCache;

    $source_rolf = $rbacreview->getRoleFolderIdOfObject($a_source_id);
    $target_rolf = $rbacreview->getRoleFolderIdOfObject($a_target_id);

    if (!$source_rolf)
    {
        // Nothing to do
        return true;
    }

    // Keep only roles whose title lacks the 'il_' prefix.
    $real_local = array();
    foreach ($rbacreview->getRolesOfRoleFolder($source_rolf,false) as $local_role_id)
    {
        $role_title = $ilObjDataCache->lookupTitle($local_role_id);
        if (substr($role_title,0,3) != 'il_')
        {
            $real_local[] = $local_role_id;
        }
    }

    if (count($real_local) == 0)
    {
        return true;
    }

    // Create role folder
    if (!$target_rolf)
    {
        $target_obj = ilObjectFactory::getInstanceByRefId($a_target_id,false);
        if (!is_object($target_obj))
        {
            return false;
        }

        $new_rolf = $target_obj->createRoleFolder();
        $target_rolf = $new_rolf->getRefId();
        $ilLog->write(__METHOD__.': Created new role folder with id '.$new_rolf->getRefId());
    }

    foreach ($real_local as $source_role_id)
    {
        include_once ("./Services/AccessControl/classes/class.ilObjRole.php");

        $source_role = new ilObjRole($source_role_id);
        $source_role->read();

        $ilLog->write(__METHOD__.': Start copying of role '.$source_role->getTitle());

        $copy = new ilObjRole();
        $copy->setTitle($source_role->getTitle());
        $copy->setDescription($source_role->getDescription());
        $copy->setImportId($source_role->getImportId());
        $copy->create();

        $this->assignRoleToFolder($copy->getId(),$target_rolf,"y");
        $this->copyRolePermissions($source_role_id,$source_rolf,$target_rolf,$copy->getId(),true);

        $ilLog->write(__METHOD__.': Added new local role, id '.$copy->getId());
    }
}
974 
/**
 * Re-aligns the permissions of a moved object and its subtree with the
 * roles of the new location.
 *
 * The roles returned by getParentRoleIds() for the old parent and for the
 * current parent are compared. Roles that are gone, or whose 'parent' entry
 * changed, are revoked on every subtree node; roles that are new, or whose
 * 'parent' entry changed, are granted the operations getOperationsOfRole()
 * reports for the node's type.
 *
 * The method itself performs no permission check on the caller.
 *
 * @param  int $a_ref_id     ref_id of the moved object (already at its new place in the tree)
 * @param  int $a_old_parent ref_id of the previous parent
 * @return bool|null true when no role differs; otherwise the method ends
 *                   without a return statement (null)
 */
public function adjustMovedObjectPermissions($a_ref_id,$a_old_parent)
{
    global $rbacreview,$tree,$ilLog;

    $new_parent = $tree->getParentId($a_ref_id);
    $old_context_roles = $rbacreview->getParentRoleIds($a_old_parent,false);
    $new_context_roles = $rbacreview->getParentRoleIds($new_parent,false);

    // Both sets are keyed by role id.
    $for_addition = $for_deletion = array();
    foreach($new_context_roles as $new_role_id => $new_role)
    {
        if(!isset($old_context_roles[$new_role_id]))
        {
            // Role exists only in the new context.
            $for_addition[$new_role_id] = $new_role;
        }
        elseif($new_role['parent'] != $old_context_roles[$new_role_id]['parent'])
        {
            // handle stopped inheritance: same role, different 'parent' entry,
            // so the old grant is removed and a fresh one is written
            $for_deletion[$new_role_id] = $new_role;
            $for_addition[$new_role_id] = $new_role;
        }
    }
    foreach($old_context_roles as $old_role_id => $old_role)
    {
        if(!isset($new_context_roles[$old_role_id]))
        {
            // Role exists only in the old context.
            $for_deletion[$old_role_id] = $old_role;
        }
    }

    if(!count($for_deletion) and !count($for_addition))
    {
        return true;
    }

    include_once "Services/AccessControl/classes/class.ilRbacLog.php";
    $rbac_log_active = ilRbacLog::isActive();
    if($rbac_log_active)
    {
        // Ids of every role touched, used for the before/after snapshots.
        $role_ids = array_unique(array_merge(array_keys($for_deletion), array_keys($for_addition)));
    }

    // $node_data is first the moved node's data (argument of getSubTree) and
    // then the loop variable; $nodes is not read afterwards.
    foreach($nodes = $tree->getSubTree($node_data = $tree->getNodeData($a_ref_id),true) as $node_data)
    {
        $node_id = $node_data['child'];

        if($rbac_log_active)
        {
            // Snapshot taken before the sanity checks below.
            $log_old = ilRbacLog::gatherFaPa($node_id, $role_ids);
        }

        // If $node_data['type'] is not set, this means there is a tree entry without
        // object_reference and/or object_data entry
        // Continue in this case
        if(!$node_data['type'])
        {
            $ilLog->write(__METHOD__.': No type give. Choosing next tree entry.');
            continue;
        }

        if(!$node_id)
        {
            $ilLog->write(__METHOD__.': Missing subtree node_id');
            continue;
        }

        foreach($for_deletion as $role_id => $role_data)
        {
            if($rolf_id = $rbacreview->getRoleFolderIdOfObject($node_id))
            {
                $this->deleteLocalRole($role_id,$rolf_id);
            }
            // Third argument false: the protected flag of the role is bypassed,
            // so protected roles lose their grant on this node as well.
            $this->revokePermission($node_id,$role_id,false);
        }
        foreach($for_addition as $role_id => $role_data)
        {
            // $ops is assigned inline and not read afterwards.
            $this->grantPermission(
                $role_id,
                $ops = $rbacreview->getOperationsOfRole($role_id,$node_data['type'],$role_data['parent']),
                $node_id);
        }

        if($rbac_log_active)
        {
            $log_new = ilRbacLog::gatherFaPa($node_id, $role_ids);
            $log = ilRbacLog::diffFaPa($log_old, $log_new);
            // NOTE(review): $log is computed but nothing here consumes it; a
            // statement writing the audit entry appears to be missing after
            // diffFaPa() - confirm the permission change is actually logged.
        }
    }

}
1079 } // END class.ilRbacAdmin
1080 ?>