ILIAS  Release_4_3_x_branch Revision 61807
ilWebAccessChecker Class Reference

Class ilWebAccessChecker.

Public Member Functions

 ilWebAccessChecker ()
 Constructor public.
 determineUser ()
 Determine the current user(s)
 checkAccess ()
 Check access rights of the requested file public.
 checkAccessMob ($obj_id)
 Check access to media object.
 setDisposition ($a_disposition)
 Set the delivery mode for the file.
 getDisposition ()
 Get the delivery mode for the file.
 setSendMimetype ($a_send_mimetype)
 Set the sending of the mime type.
 getSendMimetype ()
 Get if mimetype should be sent for a virtual delivery.
 setCheckIp ($a_check_ip)
 Set the checking of the IP address if no valid session is found.
 getCheckIp ()
 Get the checking of the IP address if no valid session is found.
 sendFile ()
 Send the requested file as if directly delivered from the web server public.
 sendError ()
 Send an error response for the requested file public.
 getMimeType ($default= 'application/octet-stream')
 Get the mime type of the requested file.

Data Fields

 $disposition = "inline"
 $check_ip = false
 $check_users = array()
 $send_mimetype = true
 $mimetype = null

Private Member Functions

 checkAccessLM ($obj_id, $obj_type, $page=0)
 check access for ILIAS learning modules (obsolete, if checking of page conditions is not activated!)
 checkAccessObject ($obj_id, $obj_type= '')
 Check access rights for an object by its object id.
 checkAccessTestQuestion ($obj_id, $usage_id=0)
 Check access rights for a test question. This also checks tests with random selection of questions.
 checkAccessGlossaryTerm ($obj_id, $page_id)
 Check access rights for glossary terms. This also checks learning modules linking the term.
 checkAccessPortfolioPage ($obj_id, $page_id)
 Check access rights for portfolio pages.
 checkAccessBlogPage ($obj_id, $page_id)
 Check access rights for blog pages.
 checkAccessUserImage ($usr_id)
 Check access rights for user images.

Detailed Description

Class ilWebAccessChecker.

Checks the access rights of a directly requested content file. Called from an alias or rewrite rule.

  • determines the related learning module and checks the permission
  • either delivers the accessed file (without redirect)
  • or shows an error screen (if the rights are insufficient)

Author: Fred Neumann
Version: class.ilWebAccessChecker.php 49734 2014-04-29 11:39:16Z jluetzen

Definition at line 56 of file class.ilWebAccessChecker.php.

Member Function Documentation

ilWebAccessChecker::checkAccess ( )

Check access rights of the requested file public.

Definition at line 274 of file class.ilWebAccessChecker.php.

References $ilLog, $ilUser, checkAccessMob(), checkAccessObject(), checkAccessUserImage(), and determineUser().

global $ilLog, $ilUser, $ilObjDataCache;

// an error already occurred at class initialisation
if ($this->errorcode) {
    return false;
}

// do this here because ip based checking may be set after construction
$this->determineUser();

// check for type by subdirectory
$pos1 = strpos($this->subpath, "lm_data/lm_") + 11;
$pos2 = strpos($this->subpath, "mobs/mm_") + 8;
$pos3 = strpos($this->subpath, "usr_images/") + 11;

$obj_id = 0;
$type = 'none';

// trying to access data within a learning module folder
if ($pos1 > 11) {
    $type = 'lm';
    $seperator = strpos($this->subpath, '/', $pos1);
    $obj_id = substr($this->subpath, $pos1, ($seperator > 0 ? $seperator : strlen($this->subpath))-$pos1);
}
// trying to access media data
else if ($pos2 > 8) {
    $type = 'mob';
    $seperator = strpos($this->subpath, '/', $pos2);
    $obj_id = substr($this->subpath, $pos2, ($seperator > 0 ? $seperator : strlen($this->subpath))-$pos2);
}
// trying to access a user image
elseif ($pos3 > 11) {
    $type = 'user_image';
    // user images may be:
    // upload_123pic, upload_123
    // usr_123.jpg, usr_123_small.jpg, usr_123_xsmall.jpg, usr_123_xxsmall.jpg
    $seperator = strpos($this->subpath, '_', $pos3);
    $obj_id = (int) substr($this->subpath, $seperator + 1);
}

if (!$obj_id || $type == 'none') {
    $this->errorcode = 404;
    $this->errortext = $this->lng->txt("obj_not_found");
    return false;
}

switch ($type) {
    // SCORM or HTML learning module
    case 'lm':
        if ($this->checkAccessObject($obj_id)) {
            return true;
        }
        break;

    // media object
    case 'mob':
        if ($this->checkAccessMob($obj_id)) {
            return true;
        }
        break;

    // image in user profile
    case 'user_image':
        if ($this->checkAccessUserImage($obj_id)) {
            return true;
        }
        break;
}

// none of the checks above gives access
$this->errorcode = 403;
$this->errortext = $this->lng->txt('msg_no_perm_read');
return false;
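
The subdirectory dispatch in checkAccess() can be exercised outside ILIAS. The following is an added example, not part of the ILIAS source: offsetClassify() copies the strpos() offset arithmetic shown above, while strictClassify(), its patterns and the sample paths are assumptions made for illustration.

```php
<?php
// Added example, not ILIAS code. offsetClassify() copies the offset arithmetic
// of checkAccess(); strictClassify() and its patterns are assumptions.

function offsetClassify(string $subpath): array
{
    // strpos() returns false when the marker is absent, and false + 11 is 11,
    // so "> 11" is also false for a marker that sits at offset 0.
    $pos1 = strpos($subpath, "lm_data/lm_") + 11;
    $pos2 = strpos($subpath, "mobs/mm_") + 8;
    $pos3 = strpos($subpath, "usr_images/") + 11;
    $type = 'none';
    $obj_id = 0;

    if ($pos1 > 11) {
        $type = 'lm';
        $sep = strpos($subpath, '/', $pos1);
        $obj_id = substr($subpath, $pos1, ($sep > 0 ? $sep : strlen($subpath)) - $pos1);
    } elseif ($pos2 > 8) {
        $type = 'mob';
        $sep = strpos($subpath, '/', $pos2);
        $obj_id = substr($subpath, $pos2, ($sep > 0 ? $sep : strlen($subpath)) - $pos2);
    } elseif ($pos3 > 11) {
        $type = 'user_image';
        $sep = strpos($subpath, '_', $pos3);
        $obj_id = (int) substr($subpath, $sep + 1);
    }
    // checkAccess() answers 404 for an empty id or an unknown type
    return (!$obj_id || $type == 'none') ? ['none', 0] : [$type, $obj_id];
}

function strictClassify(string $subpath): array
{
    // One pattern per directory shape; the id must consist of digits only.
    // (?| ... ) is a branch reset, so both file name forms capture into group 1.
    $rules = [
        'lm'         => '#(?:^|/)lm_data/lm_(\d+)(?:/|$)#',
        'mob'        => '#(?:^|/)mobs/mm_(\d+)(?:/|$)#',
        'user_image' => '#(?:^|/)usr_images/(?|upload_(\d+)(?:pic)?|usr_(\d+)(?:_x{0,2}small)?\.jpg)$#',
    ];
    foreach ($rules as $type => $pattern) {
        if (preg_match($pattern, $subpath, $m) && (int) $m[1] > 0) {
            return [$type, (int) $m[1]];
        }
    }
    return ['none', 0];
}

// Constructed sample paths, not taken from a real installation.
$samples = [
    'data/client/lm_data/lm_123/index.html',
    'data/client/mobs/mm_45/pic.png',
    'data/client/usr_images/usr_7_small.jpg',
    'lm_data/lm_123/index.html',          // marker at offset 0
    'data/client/lm_data/lm_12x/a.html',  // id is not purely numeric
];
foreach ($samples as $path) {
    printf("%-40s offset=%s strict=%s\n", $path,
        json_encode(offsetClassify($path)), json_encode(strictClassify($path)));
}
```

The two parsers agree on the first three paths and differ on the last two, which is where the type and id handed to the access checks depend on how the path is parsed.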


ilWebAccessChecker::checkAccessBlogPage ( $obj_id, $page_id )

Check access rights for blog pages.

Parameters
  int object id (glossary)
  int page id (definition)
Returns
  boolean access given (true/false)

Definition at line 712 of file class.ilWebAccessChecker.php.

References checkAccessObject().

include_once "Services/PersonalWorkspace/classes/class.ilWorkspaceTree.php";
$tree = new ilWorkspaceTree(0);
$node_id = $tree->lookupNodeId($obj_id);

// repository
if (!$node_id) {
    return $this->checkAccessObject($obj_id);
}
// workspace
else {
    include_once "Services/PersonalWorkspace/classes/class.ilWorkspaceAccessHandler.php";
    foreach ($this->check_users as $user_id) {
        $access_handler = new ilWorkspaceAccessHandler($tree);
        if ($access_handler->checkAccessOfUser($tree, $user_id, "read", "view", $node_id, "blog")) {
            return true;
        }
    }
}
return false;

ilWebAccessChecker::checkAccessGlossaryTerm ( $obj_id, $page_id )

Check access rights for glossary terms. This also checks learning modules linking the term.

Parameters
  int object id (glossary)
  int page id (definition)
Returns
  boolean access given (true/false)

Definition at line 635 of file class.ilWebAccessChecker.php.

References ilInternalLink\_getSourcesOfTarget(), ilLMObject\_lookupContObjID(), ilGlossaryDefinition\_lookupTermId(), and checkAccessObject().

// give access if glossary is readable
if ($this->checkAccessObject($obj_id)) {
    return true;
}

$term_id = ilGlossaryDefinition::_lookupTermId($page_id);
$sources = ilInternalLink::_getSourcesOfTarget('git',$term_id, 0);

if ($sources) {
    foreach ($sources as $src) {
        switch ($src['type']) {
            // Give access if term is linked by a learning module with read access.
            // The term including media is shown by the learning module presentation!
            case 'lm:pg':
                $src_obj_id = ilLMObject::_lookupContObjID($src['id']);
                if ($this->checkAccessObject($src_obj_id, 'lm')) {
                    return true;
                }
                break;

            // Don't yet give access if the term is linked by another glossary
            // The link will lead to the origin glossary which is already checked
            /*
            case 'gdf:pg':
                $src_term_id = ilGlossaryDefinition::_lookupTermId($src['id']);
                $src_obj_id = ilGlossaryTerm::_lookGlossaryID($src_term_id);
                if ($this->checkAccessObject($src_obj_id, 'glo')) {
                    return true;
                }
                break;
            */
        }
    }
}

ilWebAccessChecker::checkAccessLM ( $obj_id, $obj_type, $page = 0 )

Check access for ILIAS learning modules (obsolete, if checking of page conditions is not activated!)

Parameters
  int object id
  string object type
  int page id

Definition at line 524 of file class.ilWebAccessChecker.php.

References $lng, and ilObject\_getAllReferences().

global $lng;

//if (!$page)
$ref_ids = ilObject::_getAllReferences($obj_id);
foreach ($ref_ids as $ref_id) {
    foreach ($this->check_users as $user_id) {
        if ($this->ilAccess->checkAccessOfUser($user_id, "read", "view", $ref_id, $obj_type, $obj_id)) {
            return true;
        }
    }
}
return false;

// $ref_ids = ilObject::_getAllReferences($obj_id);
// foreach($ref_ids as $ref_id)
// {
// if ($this->ilAccess->checkAccess("read", "", $ref_id))
// {
// require_once 'Modules/LearningModule/classes/class.ilObjLearningModule.php';
// $lm = new ilObjLearningModule($obj_id,false);
// if ($lm->_checkPreconditionsOfPage($ref_id, $obj_id, $page))
// return true;
// }
// }
// return false;

ilWebAccessChecker::checkAccessMob (   $obj_id)

Check access to media object.


Definition at line 365 of file class.ilWebAccessChecker.php.

References ilObjMediaObject\getParentObjectIdForUsage(), ilMediaPoolPage\lookupUsages(), and ilObjMediaObject\lookupUsages().

Referenced by checkAccess().

$usages = ilObjMediaObject::lookupUsages($obj_id);
foreach ($usages as $usage) {
    // for content snippets we must get their usages and check them
    if ($usage["type"] == "mep:pg") {
        $usages2 = ilMediaPoolPage::lookupUsages($usage["id"]);
        foreach ($usages2 as $usage2) {
            if ($this->checkAccessMobUsage($usage2, $oid2)) {
                return true;
            }
        }
    } else { // none content snippets just go the usual way
        if ($this->checkAccessMobUsage($usage, $oid)) {
            return true;
        }
    }
}
return false;

ilWebAccessChecker::checkAccessObject ( $obj_id, $obj_type = '' )

Check access rights for an object by its object id.

Parameters
  int object id
Returns
  boolean access given (true/false)

Definition at line 566 of file class.ilWebAccessChecker.php.

References $ilAccess, ilObject\_getAllReferences(), and ilObject\_lookupType().

Referenced by checkAccess(), checkAccessBlogPage(), checkAccessGlossaryTerm(), and checkAccessTestQuestion().

global $ilAccess;

if (!$obj_type) {
    $obj_type = ilObject::_lookupType($obj_id);
}
$ref_ids = ilObject::_getAllReferences($obj_id);

foreach ($ref_ids as $ref_id) {
    foreach ($this->check_users as $user_id) {
        if ($ilAccess->checkAccessOfUser($user_id, "read", "view", $ref_id, $obj_type, $obj_id)) {
            return true;
        }
    }
}
return false;

ilWebAccessChecker::checkAccessPortfolioPage ( $obj_id, $page_id )

Check access rights for portfolio pages.

Parameters
  int object id (glossary)
  int page id (definition)
Returns
  boolean access given (true/false)

Definition at line 691 of file class.ilWebAccessChecker.php.

include_once "Services/Portfolio/classes/class.ilPortfolioAccessHandler.php";
$access_handler = new ilPortfolioAccessHandler();
foreach ($this->check_users as $user_id) {
    if ($access_handler->checkAccessOfUser($user_id, "read", "view", $obj_id, "prtf")) {
        return true;
    }
}
return false;

ilWebAccessChecker::checkAccessTestQuestion ( $obj_id, $usage_id = 0 )

Check access rights for a test question. This also checks tests with random selection of questions.

Parameters
  int object id (question pool or test)
  int usage id (not yet used)
Returns
  boolean access given (true/false)

Definition at line 598 of file class.ilWebAccessChecker.php.

References $ilAccess, $tests, ilObjTestAccess\_getRandomTestsForQuestionPool(), ilObject\_lookupType(), and checkAccessObject().

global $ilAccess;

// give access if direct usage is readable
if ($this->checkAccessObject($obj_id)) {
    return true;
}

$obj_type = ilObject::_lookupType($obj_id);
if ($obj_type == 'qpl') {
    // give access if question pool is used by readable test
    // for random selection of questions
    $tests = ilObjTestAccess::_getRandomTestsForQuestionPool($obj_id);
    foreach ($tests as $test_id) {
        if ($this->checkAccessObject($test_id, 'tst')) {
            return true;
        }
    }
}
return false;

ilWebAccessChecker::checkAccessUserImage (   $usr_id)

Check access rights for user images.

For privacy reasons this is checked for a truly identified user (IP based checking is not recommended for user images).

boolean access given (true/false)

Definition at line 748 of file class.ilWebAccessChecker.php.

References $ilSetting, $ilUser, $usr_id, and ilObjUser\_lookupPref().

Referenced by checkAccess().

global $ilUser, $ilSetting;

// check if own image is viewed
if ($usr_id == $ilUser->getId()) {
    return true;
}

// check if image is in the public profile
$public_upload = ilObjUser::_lookupPref($usr_id, 'public_upload');
if ($public_upload != 'y') {
    return false;
}

// check the publication status of the profile
$public_profile = ilObjUser::_lookupPref($usr_id, 'public_profile');

if ($public_profile == 'g'
    and $ilSetting->get('enable_global_profiles')
    and $ilSetting->get('pub_section')) {
    // globally public
    return true;
} elseif (($public_profile == 'y' or $public_profile == 'g')
    and $ilUser->getId() != ANONYMOUS_USER_ID) {
    // public for logged in users
    return true;
}

// not public
return false;

ilWebAccessChecker::determineUser ( )

Determine the current user(s)

Definition at line 213 of file class.ilWebAccessChecker.php.

References $_SESSION, $GLOBALS, $ilUser, ilSession\_getUsersWithIp(), and getCheckIp().

Referenced by checkAccess().

global $ilUser;

// a valid user session is found
if ($_SESSION["AccountId"]) {
    $this->check_users = array($_SESSION["AccountId"]);
}
// no session cookie was delivered
// user identification by ip address is allowed
elseif ($GLOBALS['WEB_ACCESS_WITHOUT_SESSION'] and $this->getCheckIp()) {
    $this->check_users = ilSession::_getUsersWithIp($_SERVER['REMOTE_ADDR']);

    if (count($this->check_users) == 0) {
        // no user was found for the ip address
        $this->check_users = array(ANONYMOUS_USER_ID);
    } elseif (count($this->check_users) == 1) {
        // exactly one user is found with an active session
        $_SESSION["AccountId"] = current($this->check_users);
    } else {
        // more than one user found for the ip address
        // take the anonymous user for the session
    }
}
else {
    // take the anonymous user as fallback
    $this->check_users = array(ANONYMOUS_USER_ID);
}

ilWebAccessChecker::getCheckIp ( )

Get the checking of the IP address if no valid session is found.


Definition at line 871 of file class.ilWebAccessChecker.php.

References $check_ip.

Referenced by determineUser().



ilWebAccessChecker::getDisposition ( )

Get the delivery mode for the file.

string "inline", "attachment" or "virtual" public

Definition at line 811 of file class.ilWebAccessChecker.php.

References $disposition.

Referenced by sendFile().



ilWebAccessChecker::getMimeType (   $default = 'application/octet-stream')

Get the mime type of the requested file.

Parameters
  string default type
Returns
  string mime type public

Definition at line 1057 of file class.ilWebAccessChecker.php.

References $mimetype.

Referenced by sendFile().

// take a previously set mimetype
if (isset($this->mimetype)) {
    return $this->mimetype;
}

$mime = '';
// alex: changed due to bug
/* if (extension_loaded('Fileinfo')) {
       $finfo = finfo_open(FILEINFO_MIME);
       $mime = finfo_file($finfo, $this->file);
       if ($pos = strpos($mime, ' ')) {
           $mime = substr($mime, 0, $pos);
       }
   } */
$mime = ilMimeTypeUtil::getMimeType($this->file);
//$mime = ilObjMediaObject::getMimeType($this->file);
// }

// set and return the mime type
$this->mimetype = $mime ? $mime : $default;
return $this->mimetype;

ilWebAccessChecker::getSendMimetype ( )

Get if mimetype should be sent for a virtual delivery.


Definition at line 844 of file class.ilWebAccessChecker.php.

References $send_mimetype.

Referenced by sendFile().



ilWebAccessChecker::ilWebAccessChecker ( )

Constructor public.

Definition at line 144 of file class.ilWebAccessChecker.php.

References $_GET, $ilAccess, $ilLog, $ilUser, $lng, ILIAS_ABSOLUTE_PATH, ILIAS_WEB_DIR, setCheckIp(), setDisposition(), and setSendMimetype().

global $ilUser, $ilAccess, $lng, $ilLog;

$this->lng =& $lng;
$this->ilAccess =& $ilAccess;
$this->params = array();

// get the requested file and its type
$uri = parse_url($_SERVER["REQUEST_URI"]);
parse_str($uri["query"], $this->params);

$pattern = ILIAS_WEB_DIR . "/" . CLIENT_ID;
$this->subpath = urldecode(substr($uri["path"], strpos($uri["path"], $pattern)));
$this->file = realpath(ILIAS_ABSOLUTE_PATH . "/". $this->subpath);

// build url path for virtual function
$this->virtual_path = str_replace($pattern, "virtual-" . $pattern, $uri["path"]);

// set the parameters provided with the checker call
if (isset($_GET['disposition'])) {
    $this->setDisposition($_GET['disposition']);
}
if (isset($_GET['check_ip'])) {
    $this->setCheckIp($_GET['check_ip']);
}
if (isset($_GET['send_mimetype'])) {
    $this->setSendMimetype($_GET['send_mimetype']);
}

// debugging
/*echo "<pre>";
echo "REQUEST_URI: ". $_SERVER["REQUEST_URI"]. "\n";
echo "Parsed URI: ". $uri["path"]. "\n";
echo "PHP_SELF: ". $_SERVER["PHP_SELF"]. "\n";
echo "SCRIPT_NAME: ". $_SERVER["SCRIPT_NAME"]. "\n";
echo "ILIAS_WEB_DIR: ". ILIAS_WEB_DIR. "\n";
echo "CLIENT_ID: ". CLIENT_ID. "\n";
echo "subpath: ". $this->subpath. "\n";
echo "file: ". $this->file. "\n";
echo "disposition: ". $this->disposition. "\n";
echo "ckeck_ip: ". $this->check_ip. "\n";
echo "send_mimetype: ". $this->send_mimetype. "\n";
echo "</pre>";
echo phpinfo();
*/

if (!file_exists($this->file)) {
    $this->errorcode = 404;
    $this->errortext = $this->lng->txt("url_not_found");
    return false;
}

ilWebAccessChecker::sendError ( )

Send an error response for the requested file public.

Definition at line 995 of file class.ilWebAccessChecker.php.

References $ilSetting, $ilUser, $lng, $tpl, exit, and ilUtil\getImagePath().

global $ilSetting, $ilUser, $tpl, $lng, $tree;

switch ($this->errorcode) {
    case 404:
        header("HTTP/1.0 404 Not Found");
        break;
    case 403:
        header("HTTP/1.0 403 Forbidden");
        break;
}

// set the page base to the ILIAS directory
// to get correct references for images and css files
$tpl->setVariable('BASE', ILIAS_HTTP_PATH . '/error.php');
$tpl->addBlockFile("CONTENT", "content", "tpl.error.html");

// Check if user is logged in
$anonymous = ($ilUser->getId() == ANONYMOUS_USER_ID);

if ($anonymous) {
    // Provide a link to the login screen for anonymous users
    $tpl->SetVariable("TXT_LINK", $lng->txt('login_to_ilias'));
    $tpl->SetVariable("LINK", ILIAS_HTTP_PATH. '/login.php?cmd=force_login&client_id='.CLIENT_ID);
} else {
    // Provide a link to the repository for authenticated users
    $nd = $tree->getNodeData(ROOT_FOLDER_ID);
    $txt = $nd['title'] == 'ILIAS' ? $lng->txt('repository') : $nd['title'];
    $tpl->SetVariable("TXT_LINK", $txt);
    $tpl->SetVariable("LINK", ILIAS_HTTP_PATH. '/ilias.php?baseClass=ilRepositoryGUI&amp;client_id='.CLIENT_ID);
}

$tpl->setVariable("SRC_IMAGE", ilUtil::getImagePath("mess_failure.png"));

ilWebAccessChecker::sendFile ( )

Send the requested file as if directly delivered from the web server public.

Definition at line 881 of file class.ilWebAccessChecker.php.

References ilUtil\deliverFile(), exit, getDisposition(), getMimeType(), getSendMimetype(), and ilUtil\readFile().

//$system_use_xsendfile = true;
$xsendfile_available = false;

//if (function_exists('apache_get_modules'))
// $modules = apache_get_modules();
// $xsendfile_available = in_array('mod_xsendfile', $modules);

//$xsendfile_available = $system_use_xsendfile & $xsendfile_available;

// delivery via apache virtual function
if ($this->getDisposition() == "virtual") {
}
// delivery for download dialogue
elseif ($this->getDisposition() == "attachment") {
    if ($xsendfile_available) {
        header('x-sendfile: ' . $this->file);
        header("Content-Type: application/octet-stream");
    } else {
        ilUtil::deliverFile($this->file, basename($this->file));
    }
}
// inline delivery
else {
    if (!isset($_SERVER["HTTPS"])) {
        header("Cache-Control: no-cache, must-revalidate");
        header("Pragma: no-cache");
    }

    if ($this->getSendMimetype()) {
        header("Content-Type: " . $this->getMimeType());
    }
    header("Content-Length: ".(string)(filesize($this->file)));

    if (isset($_SERVER["HTTPS"])) {
        header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
        header('Pragma: public');
    }

    header("Connection: close");

    if ($xsendfile_available) {
        header('x-sendfile: ' . $this->file);
        if ($this->getSendMimetype()) {
            header("Content-Type: " . $this->getMimeType());
        }
    } else {
        ilUtil::readFile( $this->file);
    }
}

ilWebAccessChecker::setCheckIp (   $a_check_ip)

Set the checking of the IP address if no valid session is found.


Definition at line 855 of file class.ilWebAccessChecker.php.

Referenced by ilWebAccessChecker().

if (in_array(strtolower($a_check_ip), array('','0','off','false'))) {
    $this->check_ip = false;
} elseif (in_array(strtolower($a_check_ip), array('1','on','true'))) {
    $this->check_ip = true;
}

ilWebAccessChecker::setDisposition (   $a_disposition)

Set the delivery mode for the file.

Parameters
  string "inline", "attachment" or "virtual" public

Definition at line 794 of file class.ilWebAccessChecker.php.

Referenced by ilWebAccessChecker().

if (in_array(strtolower($a_disposition), array('inline','attachment','virtual'))) {
    $this->disposition = strtolower($a_disposition);
} else {
    $this->disposition = 'inline';
}

ilWebAccessChecker::setSendMimetype (   $a_send_mimetype)

Set the sending of the mime type.

Parameters
  string (boolean switch or mimetype) public

Definition at line 821 of file class.ilWebAccessChecker.php.

Referenced by ilWebAccessChecker().

if (in_array(strtolower($a_send_mimetype), array('','0','off','false'))) {
    $this->mimetype = null;
    $this->send_mimetype = false;
} elseif (in_array(strtolower($a_send_mimetype), array('1','on','true'))) {
    $this->mimetype = null;
    $this->send_mimetype = true;
} else {
    $this->mimetype = $a_send_mimetype;
    $this->send_mimetype = true;
}

Field Documentation

ilWebAccessChecker::$check_ip = false

Definition at line 95 of file class.ilWebAccessChecker.php.

Referenced by getCheckIp().

ilWebAccessChecker::$check_users = array()

Definition at line 105 of file class.ilWebAccessChecker.php.

ilWebAccessChecker::$disposition = "inline"

Definition at line 88 of file class.ilWebAccessChecker.php.

Referenced by getDisposition().


Definition at line 129 of file class.ilWebAccessChecker.php.


Definition at line 137 of file class.ilWebAccessChecker.php.


Definition at line 73 of file class.ilWebAccessChecker.php.


Definition at line 58 of file class.ilWebAccessChecker.php.

Referenced by checkAccessLM(), ilWebAccessChecker(), and sendError().

ilWebAccessChecker::$mimetype = null

Definition at line 121 of file class.ilWebAccessChecker.php.

Referenced by getMimeType().


Definition at line 80 of file class.ilWebAccessChecker.php.

ilWebAccessChecker::$send_mimetype = true

Definition at line 112 of file class.ilWebAccessChecker.php.

Referenced by getSendMimetype().


Definition at line 66 of file class.ilWebAccessChecker.php.

The documentation for this class was generated from the following file: