ILIAS  Release_4_3_x_branch Revision 61807
 All Data Structures Namespaces Files Functions Variables Groups Pages
Public Member Functions
ilRbacAdmin Class Reference
Services/AccessControl

Class ilRbacAdmin Core functions for role based access control. More...

+ Collaboration diagram for ilRbacAdmin:

Public Member Functions

 ilRbacAdmin ()
 Constructor public.
 removeUser ($a_usr_id)
 deletes a user from rbac_ua all user <-> role relations are deleted public
 deleteRole ($a_rol_id, $a_ref_id)
 Deletes a role and deletes entries in object_data, rbac_pa, rbac_templates, rbac_ua, rbac_fa public.
 deleteTemplate ($a_obj_id)
 Deletes a template from role folder and deletes all entries in rbac_templates, rbac_fa public.
 deleteLocalRole ($a_rol_id, $a_ref_id=0)
 Deletes a local role and entries in rbac_fa and rbac_templates public.
 assignUser ($a_rol_id, $a_usr_id, $a_default=false)
 Assigns an user to a role.
 deassignUser ($a_rol_id, $a_usr_id)
 Deassigns a user from a role.
 grantPermission ($a_rol_id, $a_ops, $a_ref_id)
 Grants a permission to an object and a specific role.
 revokePermission ($a_ref_id, $a_rol_id=0, $a_keep_protected=true)
 Revokes permissions of an object of one role.
 revokeSubtreePermissions ($a_ref_id, $a_role_id)
 Revoke subtree permissions.
 deleteSubtreeTemplates ($a_ref_id, $a_rol_id)
 Delete all template permissions of subtree nodes.
 revokePermissionList ($a_ref_ids, $a_rol_id)
 Revokes permissions of a LIST of objects of ONE role.
 copyRolePermissions ($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected=true)
 Copies template permissions and permission of one role to another.
 copyRoleTemplatePermissions ($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected=true)
 Copies template permissions of one role to another.
 copyRolePermissionIntersection ($a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_parent, $a_dest_id)
 Copies the intersection of the template permissions of two roles to a third role.
 copyRolePermissionUnion ($a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_id, $a_dest_parent)
 <type> $ilDB
 deleteRolePermission ($a_rol_id, $a_ref_id, $a_type=false)
 Deletes all entries of a template.
 setRolePermission ($a_rol_id, $a_type, $a_ops, $a_ref_id)
 Inserts template permissions in rbac_templates for an specific object type.
 assignRoleToFolder ($a_rol_id, $a_parent, $a_assign="y")
 Assigns a role to an role folder A role folder is an object to store roles.
 assignOperationToObject ($a_type_id, $a_ops_id)
 Assign an existing operation to an object Update of rbac_ta.
 deassignOperationFromObject ($a_type_id, $a_ops_id)
 Deassign an existing operation from an object Update of rbac_ta public.
 setProtected ($a_ref_id, $a_role_id, $a_value)
 copyLocalRoles ($a_source_id, $a_target_id)
 Copy local roles This method creates a copy of all local role.
 adjustMovedObjectPermissions ($a_ref_id, $a_old_parent)
 Adjust permissions of moved objects.

Detailed Description

Class ilRbacAdmin Core functions for role based access control.

Creation and maintenance of Relations. The main relations of Rbac are user <-> role (UR) assignment relation and the permission <-> role (PR) assignment relation. This class contains methods to 'create' and 'delete' instances of the (UR) relation e.g.: assignUser(), deassignUser() Required methods for the PR relation are grantPermission(), revokePermission()

Author
Stefan Meyer meyer.nosp@m.@lei.nosp@m.fos.c.nosp@m.om
Version
Id:
class.ilRbacAdmin.php 32886 2012-01-30 10:20:03Z smeyer

Definition at line 38 of file class.ilRbacAdmin.php.

Member Function Documentation

ilRbacAdmin::adjustMovedObjectPermissions (   $a_ref_id,
  $a_old_parent 
)

Adjust permissions of moved objects.

  • Delete permissions of parent roles that do not exist in new context
  • Delete role templates of parent roles that do not exist in new context
  • Add permissions for parent roles that did not exist in old context

public

Parameters
intref id of moved object
intref_id of old parent

Definition at line 1064 of file class.ilRbacAdmin.php.

References $ilLog, $log, ilRbacLog\add(), deleteLocalRole(), ilRbacLog\diffFaPa(), ilRbacLog\gatherFaPa(), grantPermission(), ilRbacLog\isActive(), ilRbacLog\MOVE_OBJECT, and revokePermission().

{
global $rbacreview,$tree,$ilLog;
$new_parent = $tree->getParentId($a_ref_id);
$old_context_roles = $rbacreview->getParentRoleIds($a_old_parent,false);
$new_context_roles = $rbacreview->getParentRoleIds($new_parent,false);
$for_addition = $for_deletion = array();
foreach($new_context_roles as $new_role_id => $new_role)
{
if(!isset($old_context_roles[$new_role_id]))
{
$for_addition[$new_role_id] = $new_role;
}
elseif($new_role['parent'] != $old_context_roles[$new_role_id]['parent'])
{
// handle stopped inheritance
$for_deletion[$new_role_id] = $new_role;
$for_addition[$new_role_id] = $new_role;
}
}
foreach($old_context_roles as $old_role_id => $old_role)
{
if(!isset($new_context_roles[$old_role_id]))
{
$for_deletion[$old_role_id] = $old_role;
}
}
if(!count($for_deletion) and !count($for_addition))
{
return true;
}
include_once "Services/AccessControl/classes/class.ilRbacLog.php";
$rbac_log_active = ilRbacLog::isActive();
if($rbac_log_active)
{
$role_ids = array_unique(array_merge(array_keys($for_deletion), array_keys($for_addition)));
}
foreach($nodes = $tree->getSubTree($node_data = $tree->getNodeData($a_ref_id),true) as $node_data)
{
$node_id = $node_data['child'];
if($rbac_log_active)
{
$log_old = ilRbacLog::gatherFaPa($node_id, $role_ids);
}
// If $node_data['type'] is not set, this means there is a tree entry without
// object_reference and/or object_data entry
// Continue in this case
if(!$node_data['type'])
{
$ilLog->write(__METHOD__.': No type give. Choosing next tree entry.');
continue;
}
if(!$node_id)
{
$ilLog->write(__METHOD__.': Missing subtree node_id');
continue;
}
foreach($for_deletion as $role_id => $role_data)
{
if($rolf_id = $rbacreview->getRoleFolderIdOfObject($node_id))
{
$this->deleteLocalRole($role_id,$rolf_id);
}
$this->revokePermission($node_id,$role_id,false);
//var_dump("<pre>",'REVOKE',$role_id,$node_id,$rolf_id,"</pre>");
}
foreach($for_addition as $role_id => $role_data)
{
$this->grantPermission(
$role_id,
$ops = $rbacreview->getOperationsOfRole($role_id,$node_data['type'],$role_data['parent']),
$node_id);
//var_dump("<pre>",'GRANT',$role_id,$ops,$role_id,$node_data['type'],$role_data['parent'],"</pre>");
}
if($rbac_log_active)
{
$log_new = ilRbacLog::gatherFaPa($node_id, $role_ids);
$log = ilRbacLog::diffFaPa($log_old, $log_new);
ilRbacLog::add(ilRbacLog::MOVE_OBJECT, $node_id, $log);
}
}
}

+ Here is the call graph for this function:

ilRbacAdmin::assignOperationToObject (   $a_type_id,
  $a_ops_id 
)

Assign an existing operation to an object Update of rbac_ta.

public

Parameters
integerobject type
integeroperation_id
Returns
boolean

Definition at line 926 of file class.ilRbacAdmin.php.

References $query, and $res.

{
global $ilDB;
if (!isset($a_type_id) or !isset($a_ops_id))
{
$message = get_class($this)."::assignOperationToObject(): Missing parameter!".
"type_id: ".$a_type_id.
"ops_id: ".$a_ops_id;
$this->ilErr->raiseError($message,$this->ilErr->WARNING);
}
$query = "INSERT INTO rbac_ta (typ_id, ops_id) ".
"VALUES(".$ilDB->quote($a_type_id,'integer').",".$ilDB->quote($a_ops_id,'integer').")";
$res = $ilDB->manipulate($query);
return true;
}
ilRbacAdmin::assignRoleToFolder (   $a_rol_id,
  $a_parent,
  $a_assign = "y" 
)

Assigns a role to an role folder A role folder is an object to store roles.

Every role is assigned to minimum one role folder If the inheritance of a role is stopped, a new role template will created, and the role is assigned to minimum two role folders. All roles with stopped inheritance need the flag '$a_assign = false'

public

Parameters
integerobject id of role
integerref_id of role folder
stringassignable('y','n'); default: 'y'
Returns
boolean

Definition at line 882 of file class.ilRbacAdmin.php.

References $query, and $res.

Referenced by copyLocalRoles().

{
global $ilDB,$rbacreview;
if (!isset($a_rol_id) or !isset($a_parent))
{
$message = get_class($this)."::assignRoleToFolder(): Missing Parameter!".
" role_id: ".$a_rol_id.
" parent_id: ".$a_parent.
" assign: ".$a_assign;
$this->ilErr->raiseError($message,$this->ilErr->WARNING);
}
// exclude system role from rbac
if ($a_rol_id == SYSTEM_ROLE_ID)
{
return true;
}
// if a wrong value is passed, always set assign to "n"
if ($a_assign != "y")
{
$a_assign = "n";
}
$query = sprintf('INSERT INTO rbac_fa (rol_id, parent, assign, protected) '.
'VALUES (%s,%s,%s,%s)',
$ilDB->quote($a_rol_id,'integer'),
$ilDB->quote($a_parent,'integer'),
$ilDB->quote($a_assign,'text'),
$ilDB->quote('n','text'));
$res = $ilDB->manipulate($query);
return true;
}

+ Here is the caller graph for this function:

ilRbacAdmin::assignUser (   $a_rol_id,
  $a_usr_id,
  $a_default = false 
)

Assigns an user to a role.

Update of table rbac_ua TODO: remove deprecated 3rd parameter sometime public

Parameters
integerobject_id of role
integerobject_id of user
booleantrue means default role (optional
Returns
boolean

Definition at line 209 of file class.ilRbacAdmin.php.

References $query, $res, ilLDAPRoleGroupMapping\_getInstance(), and ilObjectFactory\getInstanceByObjId().

{
global $ilDB,$rbacreview;
if (!isset($a_rol_id) or !isset($a_usr_id))
{
$message = get_class($this)."::assignUser(): Missing parameter! role_id: ".$a_rol_id." usr_id: ".$a_usr_id;
#$this->ilErr->raiseError($message,$this->ilErr->WARNING);
}
// check if already assigned user id and role_id
$alreadyAssigned = $rbacreview->isAssigned($a_usr_id,$a_rol_id);
// enhanced: only if we haven't had this role for this user
if (!$alreadyAssigned)
{
$query = "INSERT INTO rbac_ua (usr_id, rol_id) ".
"VALUES (".$ilDB->quote($a_usr_id,'integer').",".$ilDB->quote($a_rol_id,'integer').")";
$res = $ilDB->manipulate($query);
include_once 'Services/AccessControl/classes/class.ilRoleDesktopItem.php';
$role_desk_item_obj =& new ilRoleDesktopItem($a_rol_id);
if(is_object($tmp_user = ilObjectFactory::getInstanceByObjId($a_usr_id,false)))
{
foreach($role_desk_item_obj->getAll() as $item_data)
{
if(!$tmp_user->isDesktopItem($item_data['item_id'],$item_data['item_type']))
{
$tmp_user->addDesktopItem($item_data['item_id'],$item_data['item_type']);
}
}
}
}
include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
$mapping = ilLDAPRoleGroupMapping::_getInstance();
$mapping->assign($a_rol_id,$a_usr_id);
return true;
}

+ Here is the call graph for this function:

ilRbacAdmin::copyLocalRoles (   $a_source_id,
  $a_target_id 
)

Copy local roles This method creates a copy of all local role.

Note: auto generated roles are excluded

public

Parameters
intsource id of object (not role folder)
inttarget id of object

Definition at line 995 of file class.ilRbacAdmin.php.

References $ilLog, $title, assignRoleToFolder(), copyRolePermissions(), and ilObjectFactory\getInstanceByRefId().

{
global $rbacreview,$ilLog,$ilObjDataCache;
$source_rolf = $rbacreview->getRoleFolderIdOfObject($a_source_id);
$target_rolf = $rbacreview->getRoleFolderIdOfObject($a_target_id);
if(!$source_rolf)
{
// Nothing to do
return true;
}
$real_local = array();
foreach($rbacreview->getRolesOfRoleFolder($source_rolf,false) as $role_data)
{
$title = $ilObjDataCache->lookupTitle($role_data);
if(substr($title,0,3) == 'il_')
{
continue;
}
$real_local[] = $role_data;
}
if(!count($real_local))
{
return true;
}
// Create role folder
if(!$target_rolf)
{
$tmp_obj = ilObjectFactory::getInstanceByRefId($a_target_id,false);
if(!is_object($tmp_obj))
{
return false;
}
$rolf = $tmp_obj->createRoleFolder();
$target_rolf = $rolf->getRefId();
$ilLog->write(__METHOD__.': Created new role folder with id '.$rolf->getRefId());
}
foreach($real_local as $role)
{
include_once ("./Services/AccessControl/classes/class.ilObjRole.php");
$orig = new ilObjRole($role);
$orig->read();
$ilLog->write(__METHOD__.': Start copying of role '.$orig->getTitle());
$roleObj = new ilObjRole();
$roleObj->setTitle($orig->getTitle());
$roleObj->setDescription($orig->getDescription());
$roleObj->setImportId($orig->getImportId());
$roleObj->create();
$this->assignRoleToFolder($roleObj->getId(),$target_rolf,"y");
$this->copyRolePermissions($role,$source_rolf,$target_rolf,$roleObj->getId(),true);
$ilLog->write(__METHOD__.': Added new local role, id '.$roleObj->getId());
}
}

+ Here is the call graph for this function:

ilRbacAdmin::copyRolePermissionIntersection (   $a_source1_id,
  $a_source1_parent,
  $a_source2_id,
  $a_source2_parent,
  $a_dest_parent,
  $a_dest_id 
)

Copies the intersection of the template permissions of two roles to a third role.

public

Parameters
integer$a_source1_idrole_id source
integer$a_source1_parentparent_id source
integer$a_source2_idrole_id source
integer$a_source2_parentparent_id source
integer$a_dest_idrole_id destination
integer$a_dest_parentparent_id destination
Returns
boolean

Definition at line 651 of file class.ilRbacAdmin.php.

References $GLOBALS, $query, $res, $row, and DB_FETCHMODE_OBJECT.

{
global $rbacreview,$ilDB;
if (!isset($a_source1_id) or !isset($a_source1_parent)
or !isset($a_source2_id) or !isset($a_source2_parent)
or !isset($a_dest_id) or !isset($a_dest_parent))
{
$message = get_class($this)."::copyRolePermissionIntersection(): Missing parameter! source1_id: ".$a_source1_id.
" source1_parent: ".$a_source1_parent.
" source2_id: ".$a_source2_id.
" source2_parent: ".$a_source2_parent.
" dest_id: ".$a_dest_id.
" dest_parent_id: ".$a_dest_parent;
$this->ilErr->raiseError($message,$this->ilErr->WARNING);
}
// exclude system role from rbac
if ($a_dest_id == SYSTEM_ROLE_ID)
{
return true;
}
if ($rbacreview->isProtected($a_source2_parent,$a_source2_id))
{
$GLOBALS['ilLog']->write(__METHOD__.': Role is protected');
return true;
}
$query = "SELECT s1.type, s1.ops_id ".
"FROM rbac_templates s1, rbac_templates s2 ".
"WHERE s1.rol_id = ".$ilDB->quote($a_source1_id,'integer')." ".
"AND s1.parent = ".$ilDB->quote($a_source1_parent,'integer')." ".
"AND s2.rol_id = ".$ilDB->quote($a_source2_id,'integer')." ".
"AND s2.parent = ".$ilDB->quote($a_source2_parent,'integer')." ".
"AND s1.type = s2.type ".
"AND s1.ops_id = s2.ops_id";
$res = $ilDB->query($query);
$operations = array();
$rowNum = 0;
while($row = $res->fetchRow(DB_FETCHMODE_OBJECT))
{
$operations[$rowNum]['type'] = $row->type;
$operations[$rowNum]['ops_id'] = $row->ops_id;
$rowNum++;
}
// Delete template permissions of target
$query = 'DELETE FROM rbac_templates WHERE rol_id = '.$ilDB->quote($a_dest_id,'integer').' '.
'AND parent = '.$ilDB->quote($a_dest_parent,'integer');
$res = $ilDB->manipulate($query);
$query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
'VALUES (?,?,?,?)';
$sta = $ilDB->prepareManip($query,array('integer','text','integer','integer'));
foreach($operations as $key => $set)
{
$ilDB->execute($sta,array(
$a_dest_id,
$set['type'],
$set['ops_id'],
$a_dest_parent));
}
return true;
}
ilRbacAdmin::copyRolePermissions (   $a_source_id,
  $a_source_parent,
  $a_dest_parent,
  $a_dest_id,
  $a_consider_protected = true 
)

Copies template permissions and permission of one role to another.

public

Parameters
integer$a_source_idrole_id source
integer$a_source_parentparent_id source
integer$a_dest_parentparent_id destination
integer$a_dest_idrole_id destination
Returns
boolean

Definition at line 552 of file class.ilRbacAdmin.php.

References copyRoleTemplatePermissions(), grantPermission(), and revokePermission().

Referenced by copyLocalRoles().

{
global $tree,$rbacreview;
// Copy template permissions
$this->copyRoleTemplatePermissions($a_source_id,$a_source_parent,$a_dest_parent,$a_dest_id,$a_consider_protected);
$source_obj = $tree->getParentId($a_source_parent);
$target_obj = $tree->getParentId($a_dest_parent);
$ops = $rbacreview->getRoleOperationsOnObject($a_source_id,$source_obj);
$this->revokePermission($target_obj,$a_dest_id);
$this->grantPermission($a_dest_id,$ops,$target_obj);
return true;
}

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

ilRbacAdmin::copyRolePermissionUnion (   $a_source1_id,
  $a_source1_parent,
  $a_source2_id,
  $a_source2_parent,
  $a_dest_id,
  $a_dest_parent 
)

<type> $ilDB

Parameters
<type>$a_source1_id
<type>$a_source1_parent
<type>$a_source2_id
<type>$a_source2_parent
<type>$a_dest_id
<type>$a_dest_parent
Returns
<type>

Definition at line 729 of file class.ilRbacAdmin.php.

References $query, and copyRoleTemplatePermissions().

{
global $ilDB, $rbacreview;
$this->copyRoleTemplatePermissions(
$a_source1_id,
$a_source1_parent,
$a_dest_parent,
$a_dest_id
);
$s1_ops = $rbacreview->getAllOperationsOfRole($a_source1_id,$a_source1_parent);
$s2_ops = $rbacreview->getAlloperationsOfRole($a_source2_id,$a_source2_parent);
foreach($s2_ops as $type => $ops)
{
foreach($ops as $op)
{
if(!isset($s1_ops[$type]) or !in_array($op, $s1_ops[$type]))
{
$query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
'VALUES( '.
$ilDB->quote($a_dest_id,'integer').', '.
$ilDB->quote($type,'text').', '.
$ilDB->quote($op,'integer').', '.
$ilDB->quote($a_dest_parent,'integer').' '.
')';
$ilDB->manipulate($query);
}
}
}
return true;
}

+ Here is the call graph for this function:

ilRbacAdmin::copyRoleTemplatePermissions (   $a_source_id,
  $a_source_parent,
  $a_dest_parent,
  $a_dest_id,
  $a_consider_protected = true 
)

Copies template permissions of one role to another.

It's also possible to copy template permissions from/to RoleTemplateObject public

Parameters
integer$a_source_idrole_id source
integer$a_source_parentparent_id source
integer$a_dest_parentparent_id destination
integer$a_dest_idrole_id destination
Returns
boolean

Definition at line 578 of file class.ilRbacAdmin.php.

References $query, $res, $row, and setProtected().

Referenced by copyRolePermissions(), and copyRolePermissionUnion().

{
global $rbacreview,$ilDB;
if (!isset($a_source_id) or !isset($a_source_parent) or !isset($a_dest_id) or !isset($a_dest_parent))
{
$message = __METHOD__.": Missing parameter! source_id: ".$a_source_id.
" source_parent_id: ".$a_source_parent.
" dest_id : ".$a_dest_id.
" dest_parent_id: ".$a_dest_parent;
$this->ilErr->raiseError($message,$this->ilErr->WARNING);
}
// exclude system role from rbac
if ($a_dest_id == SYSTEM_ROLE_ID)
{
return true;
}
// Read operations
$query = 'SELECT * FROM rbac_templates '.
'WHERE rol_id = '.$ilDB->quote($a_source_id,'integer').' '.
'AND parent = '.$ilDB->quote($a_source_parent,'integer');
$res = $ilDB->query($query);
$operations = array();
$rownum = 0;
while ($row = $ilDB->fetchObject($res))
{
$operations[$rownum]['type'] = $row->type;
$operations[$rownum]['ops_id'] = $row->ops_id;
$rownum++;
}
// Delete target permissions
$query = 'DELETE FROM rbac_templates WHERE rol_id = '.$ilDB->quote($a_dest_id,'integer').' '.
'AND parent = '.$ilDB->quote($a_dest_parent,'integer');
$res = $ilDB->manipulate($query);
foreach($operations as $row => $op)
{
$query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
'VALUES ('.
$ilDB->quote($a_dest_id,'integer').",".
$ilDB->quote($op['type'],'text').",".
$ilDB->quote($op['ops_id'],'integer').",".
$ilDB->quote($a_dest_parent,'integer').")";
$ilDB->manipulate($query);
}
// copy also protection status if applicable
if ($a_consider_protected == true)
{
if ($rbacreview->isProtected($a_source_parent,$a_source_id))
{
$this->setProtected($a_dest_parent,$a_dest_id,'y');
}
}
return true;
}

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

ilRbacAdmin::deassignOperationFromObject (   $a_type_id,
  $a_ops_id 
)

Deassign an existing operation from an object Update of rbac_ta public.

Parameters
integerobject type
integeroperation_id
Returns
boolean

Definition at line 952 of file class.ilRbacAdmin.php.

References $query, and $res.

{
global $ilDB;
if (!isset($a_type_id) or !isset($a_ops_id))
{
$message = get_class($this)."::deassignPermissionFromObject(): Missing parameter!".
"type_id: ".$a_type_id.
"ops_id: ".$a_ops_id;
$this->ilErr->raiseError($message,$this->ilErr->WARNING);
}
$query = "DELETE FROM rbac_ta ".
"WHERE typ_id = ".$ilDB->quote($a_type_id,'integer')." ".
"AND ops_id = ".$ilDB->quote($a_ops_id,'integer');
$res = $ilDB->manipulate($query);
return true;
}
ilRbacAdmin::deassignUser (   $a_rol_id,
  $a_usr_id 
)

Deassigns a user from a role.

Update of table rbac_ua public

Parameters
integerobject id of role
integerobject id of user
Returns
boolean true on success

Definition at line 259 of file class.ilRbacAdmin.php.

References $query, $res, and ilLDAPRoleGroupMapping\_getInstance().

{
global $ilDB;
if (!isset($a_rol_id) or !isset($a_usr_id))
{
$message = get_class($this)."::deassignUser(): Missing parameter! role_id: ".$a_rol_id." usr_id: ".$a_usr_id;
$this->ilErr->raiseError($message,$this->ilErr->WARNING);
}
$query = "DELETE FROM rbac_ua ".
"WHERE usr_id = ".$ilDB->quote($a_usr_id,'integer')." ".
"AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
$res = $ilDB->manipulate($query);
include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
$mapping = ilLDAPRoleGroupMapping::_getInstance();
$mapping->deassign($a_rol_id,$a_usr_id);
return true;
}

+ Here is the call graph for this function:

ilRbacAdmin::deleteLocalRole (   $a_rol_id,
  $a_ref_id = 0 
)

Deletes a local role and entries in rbac_fa and rbac_templates public.

Parameters
integerobject_id of role
integerref_id of role folder (optional)
Returns
boolean true on success

Definition at line 166 of file class.ilRbacAdmin.php.

References $query, and $res.

Referenced by adjustMovedObjectPermissions(), and deleteRole().

{
global $ilDB;
if (!isset($a_rol_id))
{
$message = get_class($this)."::deleteLocalRole(): Missing parameter! role_id: '".$a_rol_id."'";
$this->ilErr->raiseError($message,$this->ilErr->WARNING);
}
// exclude system role from rbac
if ($a_rol_id == SYSTEM_ROLE_ID)
{
return true;
}
if ($a_ref_id != 0)
{
$clause = 'AND parent = '.$ilDB->quote($a_ref_id,'integer').' ';
}
$query = 'DELETE FROM rbac_fa '.
'WHERE rol_id = '.$ilDB->quote($a_rol_id,'integer').' '.
$clause;
$res = $ilDB->manipulate($query);
$query = 'DELETE FROM rbac_templates '.
'WHERE rol_id = '.$ilDB->quote($a_rol_id,'integer').' '.
$clause;
$res = $ilDB->manipulate($query);
return true;
}

+ Here is the caller graph for this function:

ilRbacAdmin::deleteRole (   $a_rol_id,
  $a_ref_id 
)

Deletes a role and deletes entries in object_data, rbac_pa, rbac_templates, rbac_ua, rbac_fa public.

Parameters
integerobj_id of role (role_id)
integerref_id of role folder (ref_id)
Returns
boolean true on success

Definition at line 92 of file class.ilRbacAdmin.php.

References $lng, $query, $res, ilLDAPRoleGroupMapping\_getInstance(), and deleteLocalRole().

{
global $lng,$ilDB;
if (!isset($a_rol_id) or !isset($a_ref_id))
{
$message = get_class($this)."::deleteRole(): Missing parameter! role_id: ".$a_rol_id." ref_id of role folder: ".$a_ref_id;
$this->ilErr->raiseError($message,$this->ilErr->WARNING);
}
// exclude system role from rbac
if ($a_rol_id == SYSTEM_ROLE_ID)
{
$this->ilErr->raiseError($lng->txt("msg_sysrole_not_deletable"),$this->ilErr->MESSAGE);
}
include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
$mapping = ilLDAPRoleGroupMapping::_getInstance();
$mapping->deleteRole($a_rol_id);
// TODO: check assigned users before deletion
// This is done in ilObjRole. Should be better moved to this place?
// delete user assignements
$query = "DELETE FROM rbac_ua ".
"WHERE rol_id = ".$ilDB->quote($a_rol_id,'integer');
$res = $ilDB->manipulate($query);
// delete permission assignments
$query = "DELETE FROM rbac_pa ".
"WHERE rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
$res = $ilDB->manipulate($query);
//delete rbac_templates and rbac_fa
$this->deleteLocalRole($a_rol_id);
return true;
}

+ Here is the call graph for this function:

ilRbacAdmin::deleteRolePermission (   $a_rol_id,
  $a_ref_id,
  $a_type = false 
)

Deletes all entries of a template.

If an object type is given for third parameter only the entries for that object type are deleted Update of table rbac_templates. public

Parameters
integerobject id of role
integerref_id of role folder
stringobject type (optional)
Returns
boolean

Definition at line 780 of file class.ilRbacAdmin.php.

References $query, and $res.

{
global $ilDB;
if (!isset($a_rol_id) or !isset($a_ref_id))
{
$message = get_class($this)."::deleteRolePermission(): Missing parameter! role_id: ".$a_rol_id." ref_id: ".$a_ref_id;
$this->ilErr->raiseError($message,$this->ilErr->WARNING);
}
// exclude system role from rbac
if ($a_rol_id == SYSTEM_ROLE_ID)
{
return true;
}
if ($a_type !== false)
{
$and_type = " AND type=".$ilDB->quote($a_type,'text')." ";
}
$query = 'DELETE FROM rbac_templates '.
'WHERE rol_id = '.$ilDB->quote($a_rol_id,'integer').' '.
'AND parent = '.$ilDB->quote($a_ref_id,'integer').' '.
$and_type;
$res = $ilDB->manipulate($query);
return true;
}
ilRbacAdmin::deleteSubtreeTemplates (   $a_ref_id,
  $a_rol_id 
)

Delete all template permissions of subtree nodes.

Parameters
object$a_ref_id
object$a_rol_id
Returns

Definition at line 477 of file class.ilRbacAdmin.php.

References $query.

{
global $ilDB;
$query = "DELETE FROM rbac_templates ".
"WHERE parent IN ".
"(SELECT child FROM tree WHERE ".
"lft >= (SELECT lft FROM tree WHERE child = ".$ilDB->quote($a_ref_id,'integer')." ) AND ".
"rgt <= (SELECT rgt FROM tree WHERE child = ".$ilDB->quote($a_ref_id,'integer')." ) ".
") ".
"AND rol_id = ".$ilDB->quote($a_rol_id,'integer');
$ilDB->manipulate($query);
$query = "DELETE FROM rbac_fa ".
"WHERE parent IN ".
"(SELECT child FROM tree WHERE ".
"lft >= (SELECT lft FROM tree WHERE child = ".$ilDB->quote($a_ref_id,'integer')." ) AND ".
"rgt <= (SELECT rgt FROM tree WHERE child = ".$ilDB->quote($a_ref_id,'integer')." ) ".
") ".
"AND rol_id = ".$ilDB->quote($a_rol_id,'integer');
$ilDB->manipulate($query);
return true;
}
ilRbacAdmin::deleteTemplate (   $a_obj_id)

Deletes a template from role folder and deletes all entries in rbac_templates, rbac_fa public.

Parameters
integerobject_id of role template
Returns
boolean

Definition at line 138 of file class.ilRbacAdmin.php.

References $query, and $res.

{
global $ilDB;
if (!isset($a_obj_id))
{
$message = get_class($this)."::deleteTemplate(): No obj_id given!";
$this->ilErr->raiseError($message,$this->ilErr->WARNING);
}
$query = 'DELETE FROM rbac_templates '.
'WHERE rol_id = '.$ilDB->quote($a_obj_id,'integer');
$res = $ilDB->manipulate($query);
$query = 'DELETE FROM rbac_fa '.
'WHERE rol_id = '.$ilDB->quote($a_obj_id,'integer');
$res = $ilDB->manipulate($query);
return true;
}
ilRbacAdmin::grantPermission (   $a_rol_id,
  $a_ops,
  $a_ref_id 
)

Grants a permission to an object and a specific role.

Update of table rbac_pa public

Parameters
integerobject id of role
arrayarray of operation ids
integerreference id of that object which is granted the permissions
Returns
boolean

Definition at line 289 of file class.ilRbacAdmin.php.

References $query, and $res.

Referenced by adjustMovedObjectPermissions(), and copyRolePermissions().

{
global $ilDB;
if (!isset($a_rol_id) or !isset($a_ops) or !isset($a_ref_id))
{
$this->ilErr->raiseError(get_class($this)."::grantPermission(): Missing parameter! ".
"role_id: ".$a_rol_id." ref_id: ".$a_ref_id." operations: ",$this->ilErr->WARNING);
}
if (!is_array($a_ops))
{
$this->ilErr->raiseError(get_class($this)."::grantPermission(): Wrong datatype for operations!",
$this->ilErr->WARNING);
}
/*
if (count($a_ops) == 0)
{
return false;
}
*/
// exclude system role from rbac
if ($a_rol_id == SYSTEM_ROLE_ID)
{
return true;
}
// convert all values to integer
foreach ($a_ops as $key => $operation)
{
$a_ops[$key] = (int) $operation;
}
// Serialization des ops_id Arrays
$ops_ids = serialize($a_ops);
$query = 'DELETE FROM rbac_pa '.
'WHERE rol_id = %s '.
'AND ref_id = %s';
$res = $ilDB->queryF($query,array('integer','integer'),
array($a_rol_id,$a_ref_id));
if(!count($a_ops))
{
return false;
}
$query = "INSERT INTO rbac_pa (rol_id,ops_id,ref_id) ".
"VALUES ".
"(".$ilDB->quote($a_rol_id,'integer').",".$ilDB->quote($ops_ids,'text').",".$ilDB->quote($a_ref_id,'integer').")";
$res = $ilDB->manipulate($query);
return true;
}

+ Here is the caller graph for this function:

ilRbacAdmin::ilRbacAdmin ( )

Constructor public.

Definition at line 44 of file class.ilRbacAdmin.php.

References $ilErr, if, and PEAR_ERROR_CALLBACK.

{
global $ilDB,$ilErr,$ilias;
// set db & error handler
(isset($ilDB)) ? $this->ilDB =& $ilDB : $this->ilDB =& $ilias->db;
if (!isset($ilErr))
{
$ilErr = new ilErrorHandling();
$ilErr->setErrorHandling(PEAR_ERROR_CALLBACK,array($ilErr,'errorHandler'));
}
else
{
$this->ilErr =& $ilErr;
}
}
ilRbacAdmin::removeUser (   $a_usr_id)

deletes a user from rbac_ua all user <-> role relations are deleted public

Parameters
integeruser_id
Returns
boolean true on success

Definition at line 69 of file class.ilRbacAdmin.php.

References $query, and $res.

{
global $ilDB;
if (!isset($a_usr_id))
{
$message = get_class($this)."::removeUser(): No usr_id given!";
$this->ilErr->raiseError($message,$this->ilErr->WARNING);
}
$query = "DELETE FROM rbac_ua WHERE usr_id = ".$ilDB->quote($a_usr_id,'integer');
$res = $ilDB->manipulate($query);
return true;
}
ilRbacAdmin::revokePermission (   $a_ref_id,
  $a_rol_id = 0,
  $a_keep_protected = true 
)

Revokes permissions of an object of one role.

Update of table rbac_pa. Revokes all permission for all roles for that object (with this reference). When a role_id is given this applies only to that role public

Parameters
integerreference id of object where permissions should be revoked
integerrole_id (optional: if you want to revoke permissions of object only for a specific role)
Returns
boolean

Definition at line 354 of file class.ilRbacAdmin.php.

References $ilLog, $log, $query, and $res.

Referenced by adjustMovedObjectPermissions(), and copyRolePermissions().

{
global $rbacreview,$log,$ilDB,$ilLog;
if (!isset($a_ref_id))
{
$ilLog->logStack();
$message = get_class($this)."::revokePermission(): Missing parameter! ref_id: ".$a_ref_id;
$this->ilErr->raiseError($message,$this->ilErr->WARNING);
}
#$log->write("ilRBACadmin::revokePermission(), 0");
// bypass protected status of roles
if ($a_keep_protected != true)
{
// exclude system role from rbac
if ($a_rol_id == SYSTEM_ROLE_ID)
{
return true;
}
if ($a_rol_id)
{
$and1 = " AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
}
else
{
$and1 = "";
}
$query = "DELETE FROM rbac_pa ".
"WHERE ref_id = ".$ilDB->quote($a_ref_id,'integer').
$and1;
$res = $ilDB->manipulate($query);
return true;
}
// consider protected status of roles
// in any case, get all roles in scope first
$roles_in_scope = $rbacreview->getParentRoleIds($a_ref_id);
if (!$a_rol_id)
{
#$log->write("ilRBACadmin::revokePermission(), 1");
$role_ids = array();
foreach ($roles_in_scope as $role)
{
if ($role['protected'] == true)
{
continue;
}
$role_ids[] = $role['obj_id'];
}
// return if no role in array
if (!$role_ids)
{
return true;
}
$query = 'DELETE FROM rbac_pa '.
'WHERE '.$ilDB->in('rol_id',$role_ids,false,'integer').' '.
'AND ref_id = '.$ilDB->quote($a_ref_id,'integer');
$res = $ilDB->manipulate($query);
}
else
{
#$log->write("ilRBACadmin::revokePermission(), 2");
// exclude system role from rbac
if ($a_rol_id == SYSTEM_ROLE_ID)
{
return true;
}
// exclude protected permission settings from revoking
if ($roles_in_scope[$a_rol_id]['protected'] == true)
{
return true;
}
$query = "DELETE FROM rbac_pa ".
"WHERE ref_id = ".$ilDB->quote($a_ref_id,'integer')." ".
"AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
$res = $ilDB->manipulate($query);
}
return true;
}

+ Here is the caller graph for this function:

ilRbacAdmin::revokePermissionList (   $a_ref_ids,
  $a_rol_id 
)

Revokes permissions of a LIST of objects of ONE role.

Update of table rbac_pa. public

Parameters
arraylist of reference_ids to revoke permissions
integerrole_id
Returns
boolean

Definition at line 512 of file class.ilRbacAdmin.php.

References $query, and $res.

{
global $ilDB;
if (!isset($a_ref_ids) or !is_array($a_ref_ids))
{
$message = get_class($this)."::revokePermissionList(): Missing parameter or parameter is not an array! reference_list: ".var_dump($a_ref_ids);
$this->ilErr->raiseError($message,$this->ilErr->WARNING);
}
if (!isset($a_rol_id))
{
$message = get_class($this)."::revokePermissionList(): Missing parameter! rol_id: ".$a_rol_id;
$this->ilErr->raiseError($message,$this->ilErr->WARNING);
}
// exclude system role from rbac
if ($a_rol_id == SYSTEM_ROLE_ID)
{
return true;
}
$query = "DELETE FROM rbac_pa ".
"WHERE ".$ilDB->in('ref_id',$a_ref_ids,false,'integer').' '.
"AND rol_id = ".$ilDB->quote($a_rol_id,'integer');
$res = $ilDB->manipulate($query);
return true;
}
ilRbacAdmin::revokeSubtreePermissions (   $a_ref_id,
  $a_role_id 
)

Revoke subtree permissions.

Parameters
object$a_ref_id
object$a_role_id
Returns

Definition at line 455 of file class.ilRbacAdmin.php.

References $query.

{
global $ilDB;
$query = "DELETE FROM rbac_pa ".
"WHERE ref_id IN ".
"(SELECT child FROM tree WHERE ".
"lft >= (SELECT lft FROM tree WHERE child = ".$ilDB->quote($a_ref_id,'integer')." ) AND ".
"rgt <= (SELECT rgt FROM tree WHERE child = ".$ilDB->quote($a_ref_id,'integer')." ) ".
") ".
"AND rol_id = ".$ilDB->quote($a_role_id,'integer');
$ilDB->manipulate($query);
return true;
}
ilRbacAdmin::setProtected (   $a_ref_id,
  $a_role_id,
  $a_value 
)

Definition at line 972 of file class.ilRbacAdmin.php.

References $query, and $res.

Referenced by copyRoleTemplatePermissions().

{
global $ilDB;
// ref_id not used yet. protected permission acts 'global' for each role,
// regardless of any broken inheritance before
$query = 'UPDATE rbac_fa '.
'SET protected = '.$ilDB->quote($a_value,'text').' '.
'WHERE rol_id = '.$ilDB->quote($a_role_id,'integer');
$res = $ilDB->manipulate($query);
return true;
}

+ Here is the caller graph for this function:

ilRbacAdmin::setRolePermission (   $a_rol_id,
  $a_type,
  $a_ops,
  $a_ref_id 
)

Inserts template permissions in rbac_templates for an specific object type.

Update of table rbac_templates public

Parameters
integerrole_id
stringobject type
arrayoperation_ids
integerref_id of role folder object
Returns
boolean

Definition at line 821 of file class.ilRbacAdmin.php.

References $query, and $res.

{
global $ilDB;
if (!isset($a_rol_id) or !isset($a_type) or !isset($a_ops) or !isset($a_ref_id))
{
$message = get_class($this)."::setRolePermission(): Missing parameter!".
" role_id: ".$a_rol_id.
" type: ".$a_type.
" operations: ".$a_ops.
" ref_id: ".$a_ref_id;
$this->ilErr->raiseError($message,$this->ilErr->WARNING);
}
if (!is_string($a_type) or empty($a_type))
{
$message = get_class($this)."::setRolePermission(): a_type is no string or empty!";
$this->ilErr->raiseError($message,$this->ilErr->WARNING);
}
if (!is_array($a_ops) or empty($a_ops))
{
$message = get_class($this)."::setRolePermission(): a_ops is no array or empty!";
$this->ilErr->raiseError($message,$this->ilErr->WARNING);
}
// exclude system role from rbac
if ($a_rol_id == SYSTEM_ROLE_ID)
{
return true;
}
$query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
'VALUES (?,?,?,?)';
$sta = $ilDB->prepareManip($query,array('integer','text','integer','integer'));
foreach ($a_ops as $op)
{
$res = $ilDB->execute($sta,array(
$a_rol_id,
$a_type,
$op,
$a_ref_id
));
}
return true;
}
The documentation for this class was generated from the following file: