ILIAS  Release_4_4_x_branch Revision 61816
 All Data Structures Namespaces Files Functions Variables Groups Pages
class.ilPermissionGUI.php
Go to the documentation of this file.
1 <?php
2 /* Copyright (c) 1998-2009 ILIAS open source, Extended GPL, see docs/LICENSE */
3 
4 include_once './Services/AccessControl/classes/class.ilPermission2GUI.php';
5 
19 class ilPermissionGUI extends ilPermission2GUI
20 {
21  protected $current_obj = null;
22 
28  public function __construct($a_gui_obj)
29  {
30  parent::__construct($a_gui_obj);
31  }
32 
37  public function executeCommand()
38  {
39  global $rbacsystem, $ilErr;
40 
41  // access to all functions in this class are only allowed if edit_permission is granted
42  if (!$rbacsystem->checkAccess("edit_permission",$this->gui_obj->object->getRefId()))
43  {
44  $ilErr->raiseError($this->lng->txt("permission_denied"),$ilErr->MESSAGE);
45  }
46 
47  $next_class = $this->ctrl->getNextClass($this);
48 
49  switch($next_class)
50  {
51  case "ilobjrolegui":
52  $this->ctrl->setReturn($this,'perm');
53  include_once("Services/AccessControl/classes/class.ilObjRoleGUI.php");
54  $this->gui_obj = new ilObjRoleGUI("",(int) $_GET["obj_id"], false, false);
55  $this->gui_obj->setBackTarget($this->lng->txt("perm_settings"),$this->ctrl->getLinkTarget($this, "perm"));
56  $ret = $this->ctrl->forwardCommand($this->gui_obj);
57  break;
58 
59  case 'ildidactictemplategui':
60  $this->ctrl->setReturn($this,'perm');
61  include_once './Services/DidacticTemplate/classes/class.ilDidacticTemplateGUI.php';
62  $did = new ilDidacticTemplateGUI($this->gui_obj);
63  $this->ctrl->forwardCommand($did);
64  break;
65 
66  case 'ilrepositorysearchgui':
67  // used for owner autocomplete
68  include_once('./Services/Search/classes/class.ilRepositorySearchGUI.php');
69  $rep_search = new ilRepositorySearchGUI();
70  $this->ctrl->forwardCommand($rep_search);
71  break;
72 
73  default:
74  $cmd = $this->ctrl->getCmd();
75  $this->$cmd();
76  break;
77  }
78 
79  return true;
80  }
81 
82 
87  public function getCurrentObject()
88  {
89  return $this->gui_obj->object;
90  }
91 
95  protected function confirmTemplateSwitch()
96  {
97  include_once './Services/DidacticTemplate/classes/class.ilDidacticTemplateGUI.php';
98  $this->ctrl->setReturn($this,'perm');
99  $this->ctrl->setCmdClass('ildidactictemplategui');
100  $dtpl_gui = new ilDidacticTemplateGUI($this->gui_obj);
101  $this->ctrl->forwardCommand($dtpl_gui,'confirmTemplateSwitch');
102  }
103 
104 
109  public function perm(ilTable2GUI $table = NULL )
110  {
111  global $objDefinition, $ilToolbar;
112 
113  include_once './Services/DidacticTemplate/classes/class.ilDidacticTemplateGUI.php';
114  $dtpl = new ilDidacticTemplateGUI($this->gui_obj);
115  if($dtpl->appendToolbarSwitch(
116  $ilToolbar,
117  $this->getCurrentObject()->getType(),
118  $this->getCurrentObject()->getRefId()
119  ))
120  {
121  $ilToolbar->addSeparator();
122  }
123 
124  if($objDefinition->hasLocalRoles($this->getCurrentObject()->getType()) and
125  !$this->isAdministrationObject()
126  )
127  {
128  $ilToolbar->setFormAction($this->ctrl->getFormAction($this));
129 
130  if(!$this->isAdminRoleFolder())
131  {
132  $ilToolbar->addButton($this->lng->txt('rbac_add_new_local_role'),$this->ctrl->getLinkTarget($this,'displayAddRoleForm'));
133  }
134  $ilToolbar->addButton($this->lng->txt('rbac_import_role'),$this->ctrl->getLinkTarget($this,'displayImportRoleForm'));
135  }
136 
137  $this->__initSubTabs("perm");
138 
139  if(!$table instanceof ilTable2GUI)
140  {
141  include_once './Services/AccessControl/classes/class.ilObjectRolePermissionTableGUI.php';
142  $table = new ilObjectRolePermissionTableGUI($this,'perm',$this->getCurrentObject()->getRefId());
143  }
144  $table->parse();
145  $this->tpl->setContent($table->getHTML());
146  }
147 
148 
149 
154  protected function isAdminRoleFolder()
155  {
156  return $this->getCurrentObject()->getRefId() == ROLE_FOLDER_ID;
157  }
158 
159  protected function isAdministrationObject()
160  {
161  return $this->getCurrentObject()->getType() == 'adm';
162  }
163 
168  protected function isInAdministration()
169  {
170  return (bool) $GLOBALS['tree']->isGrandChild(SYSTEM_FOLDER_ID,$this->getCurrentObject()->getRefId());
171  }
172 
173 
178  protected function applyFilter()
179  {
180  include_once './Services/AccessControl/classes/class.ilObjectRolePermissionTableGUI.php';
181  $table = new ilObjectRolePermissionTableGUI($this,'perm',$this->getCurrentObject()->getRefId());
182  $table->resetOffset();
183  $table->writeFilterToSession();
184  return $this->perm($table);
185  }
186 
191  protected function resetFilter()
192  {
193  include_once './Services/AccessControl/classes/class.ilObjectRolePermissionTableGUI.php';
194  $table = new ilObjectRolePermissionTableGUI($this,'perm',$this->getCurrentObject()->getRefId());
195  $table->resetOffset();
196  $table->resetFilter();
197 
198  return $this->perm($table);
199  }
200 
206  public function applyRoleFilter($a_roles, $a_filter_id)
207  {
208  global $rbacreview;
209 
210  // Always delete administrator role from view
211  if(isset($a_roles[SYSTEM_ROLE_ID]))
212  {
213  unset($a_roles[SYSTEM_ROLE_ID]);
214  }
215 
216  switch ($a_filter_id)
217  {
218  // all roles in context
219  case ilObjectRolePermissionTableGUI::ROLE_FILTER_ALL:
220 
221  return $a_roles;
222 
223  // only global roles
224  case ilObjectRolePermissionTableGUI::ROLE_FILTER_GLOBAL:
225 
226  $arr_global_roles = $rbacreview->getGlobalRoles();
227  $arr_remove_roles = array_diff(array_keys($a_roles),$arr_global_roles);
228 
229  foreach ($arr_remove_roles as $role_id)
230  {
231  unset($a_roles[$role_id]);
232  }
233  return $a_roles;
234 
235  // only local roles (all local roles in context that are not defined at ROLE_FOLDER_ID)
236  case ilObjectRolePermissionTableGUI::ROLE_FILTER_LOCAL:
237  $arr_global_roles = $rbacreview->getGlobalRoles();
238 
239  foreach ($arr_global_roles as $role_id)
240  {
241  unset($a_roles[$role_id]);
242  }
243 
244  return $a_roles;
245  break;
246 
247  // only roles which use a local policy
248  case ilObjectRolePermissionTableGUI::ROLE_FILTER_LOCAL_POLICY:
249  $role_folder = $rbacreview->getRoleFolderOfObject($this->gui_obj->object->getRefId());
250 
251  if (!$role_folder)
252  {
253  return array();
254  }
255 
256  $arr_local_roles = $rbacreview->getRolesOfRoleFolder($role_folder["ref_id"]);
257  $arr_remove_roles = array_diff(array_keys($a_roles),$arr_local_roles);
258 
259  foreach ($arr_remove_roles as $role_id)
260  {
261  unset($a_roles[$role_id]);
262  }
263 
264  return $a_roles;
265 
266  // only true local role defined at current position
267  case ilObjectRolePermissionTableGUI::ROLE_FILTER_LOCAL_OBJECT:
268 
269  $role_folder = $rbacreview->getRoleFolderOfObject($this->gui_obj->object->getRefId());
270 
271  if (!$role_folder)
272  {
273  return array();
274  }
275 
276  $arr_local_roles = $rbacreview->getRolesOfRoleFolder($role_folder["ref_id"],false);
277  $arr_remove_roles = array_diff(array_keys($a_roles),$arr_local_roles);
278 
279  foreach ($arr_remove_roles as $role_id)
280  {
281  unset($a_roles[$role_id]);
282  }
283 
284  return $a_roles;
285 
286  default:
287  return $a_roles;
288  }
289  }
290 
295  protected function savePermissions()
296  {
297  global $rbacreview,$objDefinition,$rbacadmin;
298 
299  include_once './Services/AccessControl/classes/class.ilObjectRolePermissionTableGUI.php';
300  $table = new ilObjectRolePermissionTableGUI($this,'perm',$this->getCurrentObject()->getRefId());
301 
302  $roles = $this->applyRoleFilter(
303  $rbacreview->getParentRoleIds($this->getCurrentObject()->getRefId()),
304  $table->getFilterItemByPostVar('role')->getValue()
305  );
306 
307  // Log history
308  include_once "Services/AccessControl/classes/class.ilRbacLog.php";
309  $log_old = ilRbacLog::gatherFaPa($this->getCurrentObject()->getRefId(),array_keys((array) $roles));
310 
311 
312  # all possible create permissions
313  $possible_ops_ids = $rbacreview->getOperationsByTypeAndClass(
314  $this->getCurrentObject()->getType(),
315  'create'
316  );
317 
318  # createable (activated) create permissions
319  $create_types = $objDefinition->getCreatableSubObjects(
320  $this->getCurrentObject()->getType()
321  );
322  $createable_ops_ids = ilRbacReview::lookupCreateOperationIds(array_keys((array) $create_types));
323 
324  foreach((array) $roles as $role => $role_data)
325  {
326  if($role_data['protected'])
327  {
328  continue;
329  }
330 
331  $new_ops = array_keys((array) $_POST['perm'][$role]);
332  $old_ops = $rbacreview->getRoleOperationsOnObject(
333  $role,
334  $this->getCurrentObject()->getRefId()
335  );
336 
337  // Add operations which were enabled and are not activated.
338  foreach($possible_ops_ids as $create_ops_id)
339  {
340  if(in_array($create_ops_id,$createable_ops_ids))
341  {
342  continue;
343  }
344  if(in_array($create_ops_id,$old_ops))
345  {
346  $new_ops[] = $create_ops_id;
347  }
348  }
349 
350  $rbacadmin->revokePermission(
351  $this->getCurrentObject()->getRefId(),
352  $role
353  );
354 
355  $rbacadmin->grantPermission(
356  $role,
357  array_unique($new_ops),
358  $this->getCurrentObject()->getRefId()
359  );
360  }
361 
362  // Handle local policies.
363  $rolf_id = $this->initRoleFolder(count((array) $_POST['inherit']) ? true : false);
364  $relevant_roles = array_intersect(
365  $rbacreview->getRolesOfRoleFolder($rolf_id),
366  array_keys($roles)
367  );
368 
369  if(ilPermissionGUI::hasContainerCommands($this->getCurrentObject()->getType()))
370  {
371  foreach($roles as $role)
372  {
373  // No action for local roles
374  if($role['parent'] == $rolf_id and $role['assign'] == 'y')
375  {
376  continue;
377  }
378  // Nothing for protected roles
379  if($role['protected'])
380  {
381  continue;
382  }
383  // Stop local policy
384  if($role['parent'] == $rolf_id and !isset($_POST['inherit'][$role['obj_id']]))
385  {
386  $role_obj = ilObjectFactory::getInstanceByObjId($role['obj_id']);
387  $role_obj->setParent($rolf_id);
388  $role_obj->delete();
389  continue;
390  }
391  // Add local policy
392  if($role['parent'] != $rolf_id and isset($_POST['inherit'][$role['obj_id']]))
393  {
394  $rbacadmin->copyRoleTemplatePermissions(
395  $role['obj_id'],
396  $role['parent'],
397  $rolf_id,
398  $role['obj_id']
399  );
400  $rbacadmin->assignRoleToFolder($role['obj_id'],$rolf_id,'n');
401  }
402  }
403  }
404 
405  // Protect permissions
406  if(ilPermissionGUI::hasContainerCommands($this->getCurrentObject()->getType()))
407  {
408  foreach($roles as $role)
409  {
410  if($rbacreview->isAssignable($role['obj_id'], $rolf_id))
411  {
412  if(isset($_POST['protect'][$role['obj_id']]) and
413  !$rbacreview->isProtected($rolf_id, $role['obj_id']))
414  {
415  $rbacadmin->setProtected($rolf_id, $role['obj_id'], 'y');
416  }
417  elseif(!isset($_POST['protect'][$role['obj_id']]) and
418  $rbacreview->isProtected($rolf_id, $role['obj_id']))
419  {
420  $rbacadmin->setProtected($rolf_id, $role['obj_id'], 'n');
421  }
422  }
423  }
424  }
425 
426  $log_new = ilRbacLog::gatherFaPa($this->getCurrentObject()->getRefId(),array_keys((array) $roles));
427  $log = ilRbacLog::diffFaPa($log_old, $log_new);
428  ilRbacLog::add(ilRbacLog::EDIT_PERMISSIONS, $this->getCurrentObject()->getRefId(), $log);
429 
430  if(count((array) $_POST['block']))
431  {
432  return $this->showConfirmBlockRole(array_keys($_POST['block']));
433  }
434 
435 
436  ilUtil::sendSuccess($this->lng->txt('settings_saved'),true);
437  #$this->ctrl->redirect($this,'perm');
438  $this->perm();
439  }
440 
446  protected function showConfirmBlockRole($a_roles)
447  {
448  ilUtil::sendInfo($this->lng->txt('role_confirm_block_role_info'));
449 
450  include_once './Services/Utilities/classes/class.ilConfirmationGUI.php';
451  $confirm = new ilConfirmationGUI();
452  $confirm->setFormAction($this->ctrl->getFormAction($this));
453  $confirm->setHeaderText($this->lng->txt('role_confirm_block_role_header'));
454  $confirm->setConfirm($this->lng->txt('role_block_role'), 'blockRoles');
455  $confirm->setCancel($this->lng->txt('cancel'), 'perm');
456 
457  foreach($a_roles as $role_id)
458  {
459  include_once './Services/AccessControl/classes/class.ilObjRole.php';
460  $confirm->addItem(
461  'roles[]',
462  $role_id,
463  ilObjRole::_getTranslation(ilObject::_lookupTitle($role_id)));
464  }
465 
466  $this->tpl->setContent($confirm->getHTML());
467 
468  }
469 
474  protected function blockRoles()
475  {
476  global $rbacadmin,$rbacreview;
477 
478  $rolf = $rbacreview->getRoleFolderIdOfObject($this->getCurrentObject()->getRefId());
479 
480  $p_roles = $rbacreview->getParentRoleIds($this->getCurrentObject()->getRefId());
481 
482  $roles = $_POST['roles'];
483  foreach($roles as $role)
484  {
485  // Set assign to 'y' only if it is a local role
486  $assign = $rbacreview->isAssignable($role, $rolf) ? 'y' : 'n';
487 
488  // Delete permissions
489  $rbacadmin->revokeSubtreePermissions($this->getCurrentObject()->getRefId(), $role);
490 
491  // Delete template permissions
492  $rbacadmin->deleteSubtreeTemplates($this->getCurrentObject()->getRefId(), $role);
493 
494 
495  $rbacadmin->assignRoleToFolder(
496  $role,
497  $rolf,
498  $assign
499  );
500  }
501 
502  ilUtil::sendInfo($this->lng->txt('settings_saved'));
503  $this->ctrl->redirect($this,'perm');
504  }
505 
511  protected function initRoleFolder($a_create = false)
512  {
513  global $rbacreview;
514 
515  $rolf_id = $rbacreview->getRoleFolderIdOfObject($this->getCurrentObject()->getRefId());
516 
517  if($rolf_id)
518  {
519  return $rolf_id;
520  }
521  $rolf = $this->getCurrentObject()->createRoleFolder();
522  return $rolf->getRefId();
523  }
524 
530  public static function hasContainerCommands($a_type)
531  {
532  global $objDefinition;
533 
534  return $objDefinition->isContainer($a_type) and $a_type != 'root' and $a_type != 'adm' and $a_type != 'rolf';
535  }
536 
541  protected function displayImportRoleForm(ilPropertyFormGUI $form = null)
542  {
543  $GLOBALS['ilTabs']->clearTargets();
544 
545  if(!$form)
546  {
547  $form = $this->initImportForm();
548  }
549  $GLOBALS['tpl']->setContent($form->getHTML());
550  }
551 
555  protected function doImportRole()
556  {
557  global $rbacreview;
558 
559  $form = $this->initImportForm();
560  if($form->checkInput())
561  {
562  try {
563 
564  include_once './Services/Export/classes/class.ilImport.php';
565 
566  // For global roles set import id to parent of current ref_id (adm)
567  if($this->isAdminRoleFolder())
568  {
569  $parent_ref = $GLOBALS['tree']->getParentId($this->getCurrentObject()->getRefId());
570  }
571  else
572  {
573  $parent_ref = $this->getCurrentObject()->getRefId();
574  }
575 
576  $imp = new ilImport($parent_ref);
577  $imp->getMapping()->addMapping(
578  'Services/AccessControl',
579  'rolf',
580  0,
581  $rbacreview->getRoleFolderIdOfObject($parent_ref)
582  );
583 
584  $imp->importObject(
585  null,
586  $_FILES["importfile"]["tmp_name"],
587  $_FILES["importfile"]["name"],
588  'role'
589  );
590  ilUtil::sendSuccess($this->lng->txt('rbac_role_imported'),true);
591  $this->ctrl->redirect($this,'perm');
592  return;
593  }
594  catch(Exception $e)
595  {
596  ilUtil::sendFailure($e->getMessage());
597  $form->setValuesByPost();
598  $this->displayImportRoleForm($form);
599  return;
600  }
601  }
602  $form->setValuesByPost();
603  ilUtil::sendFailure($this->lng->txt('err_check_input'));
604  $this->displayImportRoleForm($form);
605  }
606 
610  protected function initImportForm()
611  {
612  include_once './Services/Form/classes/class.ilPropertyFormGUI.php';
613  $form = new ilPropertyFormGUI();
614  $form->setFormAction($this->ctrl->getFormAction($this));
615  $form->setTitle($this->lng->txt('rbac_import_role'));
616  $form->addCommandButton('doImportRole', $this->lng->txt('import'));
617  $form->addCommandButton('perm', $this->lng->txt('cancel'));
618 
619  $zip = new ilFileInputGUI($this->lng->txt('import_file'),'importfile');
620  $zip->setSuffixes(array('zip'));
621  $form->addItem($zip);
622 
623  return $form;
624  }
625 
632  protected function initRoleForm()
633  {
634  global $rbacreview,$objDefinition;
635 
636  include_once './Services/Form/classes/class.ilPropertyFormGUI.php';
637  $form = new ilPropertyFormGUI();
638  $form->setFormAction($this->ctrl->getFormAction($this));
639  $form->setTitle($this->lng->txt('role_new'));
640  $form->addCommandButton('addrole',$this->lng->txt('role_new'));
641  $form->addCommandButton('perm', $this->lng->txt('cancel'));
642 
643  $title = new ilTextInputGUI($this->lng->txt('title'),'title');
644  $title->setValidationRegexp('/^(?!il_).*$/');
645  $title->setValidationFailureMessage($this->lng->txt('msg_role_reserved_prefix'));
646  $title->setSize(40);
647  $title->setMaxLength(70);
648  $title->setRequired(true);
649  $form->addItem($title);
650 
651  $desc = new ilTextAreaInputGUI($this->lng->txt('description'),'desc');
652  $desc->setCols(40);
653  $desc->setRows(3);
654  $form->addItem($desc);
655 
656  $pro = new ilCheckboxInputGUI($this->lng->txt('role_protect_permissions'),'pro');
657  $pro->setInfo($this->lng->txt('role_protect_permissions_desc'));
658  $pro->setValue(1);
659  $form->addItem($pro);
660 
661  $pd = new ilCheckboxInputGUI($this->lng->txt('rbac_role_add_to_desktop'),'desktop');
662  $pd->setInfo($this->lng->txt('rbac_role_add_to_desktop_info'));
663  $pd->setValue(1);
664  $form->addItem($pd);
665 
666 
667  if(!$this->isInAdministration())
668  {
669  $rights = new ilRadioGroupInputGUI($this->lng->txt("rbac_role_rights_copy"), 'rights');
670  $option = new ilRadioOption($this->lng->txt("rbac_role_rights_copy_empty"), 0);
671  $rights->addOption($option);
672 
673  $parent_role_ids = $rbacreview->getParentRoleIds($this->gui_obj->object->getRefId(),true);
674  $ids = array();
675  foreach($parent_role_ids as $id => $tmp)
676  {
677  $ids[] = $id;
678  }
679 
680  // Sort ids
681  $sorted_ids = ilUtil::_sortIds($ids,'object_data','type DESC,title','obj_id');
682 
683  // Sort roles by title
684  $sorted_roles = ilUtil::sortArray(array_values($parent_role_ids), 'title', ASC);
685  $key = 0;
686 
687  foreach($sorted_ids as $id)
688  {
689  $par = $parent_role_ids[$id];
690  if ($par["obj_id"] != SYSTEM_ROLE_ID)
691  {
692  include_once './Services/AccessControl/classes/class.ilObjRole.php';
693  $option = new ilRadioOption(($par["type"] == 'role' ? $this->lng->txt('obj_role') : $this->lng->txt('obj_rolt')).": ".ilObjRole::_getTranslation($par["title"]), $par["obj_id"]);
694  $option->setInfo($par["desc"]);
695  $rights->addOption($option);
696  }
697  $key++;
698  }
699  $form->addItem($rights);
700  }
701 
702  // Local policy only for containers
703  if($objDefinition->isContainer($this->getCurrentObject()->getType()))
704  {
705  $check = new ilCheckboxInputGui($this->lng->txt("rbac_role_rights_copy_change_existing"), 'existing');
706  $check->setInfo($this->lng->txt('rbac_change_existing_objects_desc_new_role'));
707  $form->addItem($check);
708 
709  }
710 
711  return $form;
712  }
713 
717  protected function displayAddRoleForm()
718  {
719  $GLOBALS['ilTabs']->clearTargets();
720 
721  $form = $this->initRoleForm();
722  $this->tpl->setContent($form->getHTML());
723  }
724 
725 }
726 ?>