1 <?php
2 /*
3  +-----------------------------------------------------------------------------+
4  | ILIAS open source |
5  +-----------------------------------------------------------------------------+
6  | Copyright (c) 1998-2001 ILIAS open source, University of Cologne |
7  | |
8  | This program is free software; you can redistribute it and/or |
9  | modify it under the terms of the GNU General Public License |
10  | as published by the Free Software Foundation; either version 2 |
11  | of the License, or (at your option) any later version. |
12  | |
13  | This program is distributed in the hope that it will be useful, |
14  | but WITHOUT ANY WARRANTY; without even the implied warranty of |
15  | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
16  | GNU General Public License for more details. |
17  | |
18  | You should have received a copy of the GNU General Public License |
19  | along with this program; if not, write to the Free Software |
20  | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. |
21  +-----------------------------------------------------------------------------+
22 */
23 
24 
39 {
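/**
 * PHP4-style constructor: wires the database handle and the error handler.
 *
 * Reads the globals $ilDB, $ilErr and $ilias. The DB handle is taken from
 * $ilDB when set, otherwise from $ilias->db. When no global error handler
 * exists yet, one is created in PEAR callback mode. In either case the
 * handler is stored in $this->ilErr, which the raiseError() calls of the
 * other methods rely on.
 */
function ilRbacAdmin()
{
    global $ilDB,$ilErr,$ilias;

    // set db handle (reference assignment kept as in the original)
    if (isset($ilDB))
    {
        $this->ilDB =& $ilDB;
    }
    else
    {
        $this->ilDB =& $ilias->db;
    }

    // set error handler; register a global one if none exists yet
    if (!isset($ilErr))
    {
        $ilErr = new ilErrorHandling();
        $ilErr->setErrorHandling(PEAR_ERROR_CALLBACK,array($ilErr,'errorHandler'));
    }
    // Previously only the else-branch stored the handler, so $this->ilErr
    // stayed unset whenever the constructor had to create it and every later
    // $this->ilErr->raiseError() would have failed on an unset property.
    $this->ilErr =& $ilErr;
}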
61 
/**
 * Removes every role assignment of one user (all rbac_ua rows with this usr_id).
 *
 * @param int $a_usr_id  user id; a null value is reported through the error handler
 * @return bool          always true, the number of deleted rows is not inspected
 */
function removeUser($a_usr_id)
{
    global $ilDB;

    if ($a_usr_id === null)
    {
        $this->ilErr->raiseError(
            get_class($this)."::removeUser(): No usr_id given!",
            $this->ilErr->WARNING
        );
    }

    // quote() with the 'integer' type is what keeps the value out of the SQL text
    $sql = sprintf(
        'DELETE FROM rbac_ua WHERE usr_id = %s',
        $ilDB->quote($a_usr_id,'integer')
    );
    $ilDB->manipulate($sql);

    return true;
}
84 
/**
 * Deletes a role completely: its LDAP group mapping, all user assignments
 * (rbac_ua), all permission assignments (rbac_pa) and, via deleteLocalRole()
 * called without a parent, every folder assignment and template permission.
 *
 * @param int $a_rol_id  role id
 * @param int $a_ref_id  ref_id of the role folder; only validated here, the
 *                       deletions below are keyed on the role id alone
 * @return bool          always true
 */
function deleteRole($a_rol_id,$a_ref_id)
{
    global $lng,$ilDB;

    if (!isset($a_rol_id) or !isset($a_ref_id))
    {
        $message = get_class($this)."::deleteRole(): Missing parameter! role_id: ".$a_rol_id." ref_id of role folder: ".$a_ref_id;
        // whether raiseError() returns depends on the configured handler;
        // if it does, the statements below run with the missing value
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    // exclude system role from rbac
    // raised as MESSAGE rather than WARNING: the system role is never deleted
    if ($a_rol_id == SYSTEM_ROLE_ID)
    {
        $this->ilErr->raiseError($lng->txt("msg_sysrole_not_deletable"),$this->ilErr->MESSAGE);
    }

    include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
    // NOTE(review): the statement initialising $mapping is not shown in this
    // listing (it sits between the include and the call below)
    $mapping->deleteRole($a_rol_id);


    // TODO: check assigned users before deletion
    // This is done in ilObjRole. Should be better moved to this place?

    // delete user assignements
    $query = "DELETE FROM rbac_ua ".
        "WHERE rol_id = ".$ilDB->quote($a_rol_id,'integer');
    $res = $ilDB->manipulate($query);

    // delete permission assignments
    $query = "DELETE FROM rbac_pa ".
        "WHERE rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
    $res = $ilDB->manipulate($query);

    //delete rbac_templates and rbac_fa
    // no parent given, so deleteLocalRole() removes the rows of every folder
    $this->deleteLocalRole($a_rol_id);

    return true;
}
131 
/**
 * Deletes all template permissions (rbac_templates) and folder assignments
 * (rbac_fa) of a role template.
 *
 * @param int $a_obj_id  object id of the role template (stored as rol_id in both tables)
 * @return bool          always true
 */
function deleteTemplate($a_obj_id)
{
    global $ilDB;

    if ($a_obj_id === null)
    {
        $this->ilErr->raiseError(
            get_class($this)."::deleteTemplate(): No obj_id given!",
            $this->ilErr->WARNING
        );
    }

    $rol_id = $ilDB->quote($a_obj_id,'integer');
    // rbac_templates first, then rbac_fa
    foreach (array('rbac_templates', 'rbac_fa') as $table)
    {
        $ilDB->manipulate('DELETE FROM '.$table.' WHERE rol_id = '.$rol_id);
    }

    return true;
}
158 
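/**
 * Deletes the folder assignment (rbac_fa) and the template permissions
 * (rbac_templates) of a role, optionally restricted to one parent folder.
 *
 * Scope matters: with $a_ref_id == 0 every rbac_fa/rbac_templates row of the
 * role is removed, not just the rows of a single folder. The system role is
 * never touched.
 *
 * @param int $a_rol_id  role id; null is reported through the error handler
 * @param int $a_ref_id  ref_id of the parent folder to restrict to, 0 = all folders
 * @return bool          always true
 */
function deleteLocalRole($a_rol_id,$a_ref_id = 0)
{
    global $ilDB;

    if (!isset($a_rol_id))
    {
        $message = get_class($this)."::deleteLocalRole(): Missing parameter! role_id: '".$a_rol_id."'";
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID)
    {
        return true;
    }

    // Initialise explicitly: the original left $clause undefined for
    // $a_ref_id == 0 and relied on the implicit empty string (E_NOTICE).
    $clause = '';
    if ($a_ref_id != 0)
    {
        $clause = 'AND parent = '.$ilDB->quote($a_ref_id,'integer').' ';
    }

    $rol_id = $ilDB->quote($a_rol_id,'integer');

    $query = 'DELETE FROM rbac_fa '.
        'WHERE rol_id = '.$rol_id.' '.
        $clause;
    $ilDB->manipulate($query);

    $query = 'DELETE FROM rbac_templates '.
        'WHERE rol_id = '.$rol_id.' '.
        $clause;
    $ilDB->manipulate($query);

    return true;
}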
198 
199 
/**
 * Assigns a user to a role (rbac_ua), copies the role's desktop items to the
 * user and propagates the assignment to the LDAP group mapping.
 *
 * @param int  $a_rol_id   role id
 * @param int  $a_usr_id   user id
 * @param bool $a_default  not used anywhere in this method
 * @return bool            always true
 */
function assignUser($a_rol_id,$a_usr_id,$a_default = false)
{
    global $ilDB,$rbacreview;

    if (!isset($a_rol_id) or !isset($a_usr_id))
    {
        $message = get_class($this)."::assignUser(): Missing parameter! role_id: ".$a_rol_id." usr_id: ".$a_usr_id;
        // NOTE(review): the error is built but never raised (line below is
        // commented out), so a missing role or user id is not rejected and
        // the INSERT further down runs with whatever quote() makes of it.
        #$this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    // check if already assigned user id and role_id
    $alreadyAssigned = $rbacreview->isAssigned($a_usr_id,$a_rol_id);

    // enhanced: only if we haven't had this role for this user
    if (!$alreadyAssigned)
    {
        $query = "INSERT INTO rbac_ua (usr_id, rol_id) ".
            "VALUES (".$ilDB->quote($a_usr_id,'integer').",".$ilDB->quote($a_rol_id,'integer').")";
        $res = $ilDB->manipulate($query);

        // every desktop item configured for the role is added to the user's desktop
        include_once 'Services/AccessControl/classes/class.ilRoleDesktopItem.php';
        $role_desk_item_obj = new ilRoleDesktopItem($a_rol_id);
        foreach($role_desk_item_obj->getAll() as $item_data)
        {
            include_once './Services/User/classes/class.ilObjUser.php';
            ilObjUser::_addDesktopItem($a_usr_id, $item_data['item_id'], $item_data['item_type']);
        }

    }

    include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
    // NOTE(review): the statement initialising $mapping is not shown in this
    // listing; the LDAP side is updated even when the user was already assigned
    $mapping->assign($a_rol_id,$a_usr_id);

    return true;
}
245 
/**
 * Removes one user from one role (rbac_ua) and propagates the change to the
 * LDAP group mapping.
 *
 * @param int $a_rol_id  role id
 * @param int $a_usr_id  user id
 * @return bool          always true
 */
function deassignUser($a_rol_id,$a_usr_id)
{
    global $ilDB;

    if (!isset($a_rol_id) or !isset($a_usr_id))
    {
        $message = get_class($this)."::deassignUser(): Missing parameter! role_id: ".$a_rol_id." usr_id: ".$a_usr_id;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    $query = "DELETE FROM rbac_ua ".
        "WHERE usr_id = ".$ilDB->quote($a_usr_id,'integer')." ".
        "AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
    $res = $ilDB->manipulate($query);

    include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
    // NOTE(review): the statement initialising $mapping is not shown in this listing
    $mapping->deassign($a_rol_id,$a_usr_id);

    return true;
}
274 
/**
 * Replaces the permission set of a role on one object (rbac_pa).
 *
 * The existing rbac_pa row for (rol_id, ref_id) is always deleted first; the
 * new operation ids are then stored as ONE row whose ops_id column holds the
 * serialized integer array. An empty operation list therefore clears the
 * permissions and returns false. The system role is never touched.
 *
 * @param int   $a_rol_id  role id
 * @param array $a_ops     operation ids; each value is cast to int before storing
 * @param int   $a_ref_id  object the permissions apply to
 * @return bool            false when $a_ops is empty, true otherwise
 */
function grantPermission($a_rol_id,$a_ops,$a_ref_id)
{
    global $ilDB;

    if (!isset($a_rol_id) or !isset($a_ops) or !isset($a_ref_id))
    {
        // the message ends with "operations: " but never appends the value
        $this->ilErr->raiseError(get_class($this)."::grantPermission(): Missing parameter! ".
            "role_id: ".$a_rol_id." ref_id: ".$a_ref_id." operations: ",$this->ilErr->WARNING);
    }

    if (!is_array($a_ops))
    {
        $this->ilErr->raiseError(get_class($this)."::grantPermission(): Wrong datatype for operations!",
            $this->ilErr->WARNING);
    }

    /*
    if (count($a_ops) == 0)
    {
        return false;
    }
    */
    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID)
    {
        return true;
    }

    // convert all values to integer
    // (keeps the serialized payload free of anything but ints)
    foreach ($a_ops as $key => $operation)
    {
        $a_ops[$key] = (int) $operation;
    }

    // serialize the ops_id array; the reading side has to unserialize it
    $ops_ids = serialize($a_ops);

    // NOTE(review): the DELETE goes through queryF() while every other write
    // in this class uses manipulate()/manipulateF() — presumably works, but
    // inconsistent; confirm against the ilDB implementation in use
    $query = 'DELETE FROM rbac_pa '.
        'WHERE rol_id = %s '.
        'AND ref_id = %s';
    $res = $ilDB->queryF($query,array('integer','integer'),
        array($a_rol_id,$a_ref_id));

    // empty list: the old permissions are already gone, nothing to insert
    if(!count($a_ops))
    {
        return false;
    }

    $query = "INSERT INTO rbac_pa (rol_id,ops_id,ref_id) ".
        "VALUES ".
        "(".$ilDB->quote($a_rol_id,'integer').",".$ilDB->quote($ops_ids,'text').",".$ilDB->quote($a_ref_id,'integer').")";
    $res = $ilDB->manipulate($query);

    return true;
}
338 
/**
 * Revokes permissions on one object (rbac_pa) for one role or for all roles.
 *
 * Two modes:
 *  - $a_keep_protected == false: the protected flag of roles is ignored. The
 *    rbac_pa rows of $a_ref_id are deleted for $a_rol_id, or for every role
 *    when $a_rol_id is 0.
 *  - $a_keep_protected == true (default): protected roles are spared. With
 *    $a_rol_id == 0 all non-protected roles in scope of $a_ref_id lose their
 *    rows; with a role id only that role is handled and left alone when it
 *    is protected.
 * The system role is never touched.
 *
 * @param int  $a_ref_id          object the permissions refer to
 * @param int  $a_rol_id          role id, 0 = all roles in scope of the object
 * @param bool $a_keep_protected  honour the protected flag of roles
 * @return bool                   always true
 */
function revokePermission($a_ref_id,$a_rol_id = 0,$a_keep_protected = true)
{
    // $log is declared but only referenced in commented-out lines
    global $rbacreview,$log,$ilDB,$ilLog;

    if (!isset($a_ref_id))
    {
        $ilLog->logStack();
        $message = get_class($this)."::revokePermission(): Missing parameter! ref_id: ".$a_ref_id;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }
#$log->write("ilRBACadmin::revokePermission(), 0");

    // bypass protected status of roles
    if ($a_keep_protected != true)
    {
        // exclude system role from rbac
        if ($a_rol_id == SYSTEM_ROLE_ID)
        {
            return true;
        }

        // no role id: the DELETE below hits every role's row on this object
        if ($a_rol_id)
        {
            $and1 = " AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
        }
        else
        {
            $and1 = "";
        }

        $query = "DELETE FROM rbac_pa ".
            "WHERE ref_id = ".$ilDB->quote($a_ref_id,'integer').
            $and1;

        $res = $ilDB->manipulate($query);

        return true;
    }

    // consider protected status of roles

    // in any case, get all roles in scope first
    // (indexed by role id; each entry carries at least 'obj_id' and 'protected')
    $roles_in_scope = $rbacreview->getParentRoleIds($a_ref_id);

    if (!$a_rol_id)
    {
#$log->write("ilRBACadmin::revokePermission(), 1");

        // collect the non-protected roles in scope
        $role_ids = array();

        foreach ($roles_in_scope as $role)
        {
            if ($role['protected'] == true)
            {
                continue;
            }

            $role_ids[] = $role['obj_id'];
        }

        // return if no role in array
        if (!$role_ids)
        {
            return true;
        }

        $query = 'DELETE FROM rbac_pa '.
            'WHERE '.$ilDB->in('rol_id',$role_ids,false,'integer').' '.
            'AND ref_id = '.$ilDB->quote($a_ref_id,'integer');
        $res = $ilDB->manipulate($query);
    }
    else
    {
#$log->write("ilRBACadmin::revokePermission(), 2");
        // exclude system role from rbac
        if ($a_rol_id == SYSTEM_ROLE_ID)
        {
            return true;
        }

        // exclude protected permission settings from revoking
        if ($roles_in_scope[$a_rol_id]['protected'] == true)
        {
            return true;
        }

        $query = "DELETE FROM rbac_pa ".
            "WHERE ref_id = ".$ilDB->quote($a_ref_id,'integer')." ".
            "AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
        $res = $ilDB->manipulate($query);
    }

    return true;
}
442 
/**
 * Revokes all permissions (rbac_pa) of one role on the nodes of a subtree.
 *
 * @param int $a_ref_id   root of the subtree, resolved through ilTree's subtree query
 * @param int $a_role_id  role whose rbac_pa rows are removed
 * @return bool           always true
 */
public function revokeSubtreePermissions($a_ref_id,$a_role_id)
{
    global $ilDB;

    // the subtree is a nested SELECT built by the tree object, so a single
    // DELETE covers every node found below $a_ref_id
    $subtree_sql = $GLOBALS['tree']->getSubTreeQuery($a_ref_id,array('child'));
    $role_sql = $ilDB->quote($a_role_id,'integer');

    $ilDB->manipulate(
        'DELETE FROM rbac_pa WHERE ref_id IN ( '.$subtree_sql.' ) AND rol_id = '.$role_sql
    );
    return true;
}
471 
/**
 * Deletes the template permissions (rbac_templates) and folder assignments
 * (rbac_fa) of one role for every parent inside a subtree.
 *
 * Each statement is written to the log before it is executed.
 *
 * @param int $a_ref_id  root of the subtree, resolved through ilTree's subtree query
 * @param int $a_rol_id  role whose rows are removed
 * @return bool          always true
 */
public function deleteSubtreeTemplates($a_ref_id,$a_rol_id)
{
    global $ilDB;

    $role_sql = $ilDB->quote($a_rol_id,'integer');

    // rbac_templates first, then rbac_fa; both are keyed on parent + rol_id
    foreach (array('rbac_templates', 'rbac_fa') as $table)
    {
        $query = 'DELETE FROM '.$table.' WHERE parent IN ( '.
            $GLOBALS['tree']->getSubTreeQuery($a_ref_id, array('child')).' ) '.
            'AND rol_id = '.$role_sql;

        $GLOBALS['ilLog']->write($query);
        $ilDB->manipulate($query);
    }

    return true;
}
522 
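/**
 * Revokes the permissions (rbac_pa) of one role on a list of objects.
 *
 * The system role is never touched.
 *
 * @param array $a_ref_ids  ref_ids of the objects
 * @param int   $a_rol_id   role id
 * @return bool             always true
 */
function revokePermissionList($a_ref_ids,$a_rol_id)
{
    global $ilDB;

    if (!isset($a_ref_ids) or !is_array($a_ref_ids))
    {
        // print_r(..., true) returns the dump; the original concatenated the
        // result of var_dump(), which echoes to output and returns null, so
        // the message never contained the value
        $message = get_class($this)."::revokePermissionList(): Missing parameter or parameter is not an array! reference_list: ".print_r($a_ref_ids,true);
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    if (!isset($a_rol_id))
    {
        $message = get_class($this)."::revokePermissionList(): Missing parameter! rol_id: ".$a_rol_id;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID)
    {
        return true;
    }

    // $ilDB->in() builds the IN (...) list with integer quoting
    $query = "DELETE FROM rbac_pa ".
        "WHERE ".$ilDB->in('ref_id',$a_ref_ids,false,'integer').' '.
        "AND rol_id = ".$ilDB->quote($a_rol_id,'integer');
    $ilDB->manipulate($query);

    return true;
}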
559 
/**
 * Copies a role's permissions from one role folder to another: first the
 * template permissions, then the effective permissions on the folder's
 * parent object (revoked on the target, then granted from the source).
 *
 * @param int  $a_source_id           source role id
 * @param int  $a_source_parent       ref_id of the source role folder
 * @param int  $a_dest_parent         ref_id of the destination role folder
 * @param int  $a_dest_id             destination role id
 * @param bool $a_consider_protected  passed on to copyRoleTemplatePermissions()
 * @return bool                       always true
 */
public function copyRolePermissions($a_source_id,$a_source_parent,$a_dest_parent,$a_dest_id,$a_consider_protected = true)
{
    global $tree,$rbacreview;

    // Copy template permissions
    $this->copyRoleTemplatePermissions($a_source_id,$a_source_parent,$a_dest_parent,$a_dest_id,$a_consider_protected);

    // the objects carrying the effective permissions are the folders' parents
    $source_object = $tree->getParentId($a_source_parent);
    $source_ops = $rbacreview->getRoleOperationsOnObject($a_source_id,$source_object);
    $target_object = $tree->getParentId($a_dest_parent);

    $this->revokePermission($target_object,$a_dest_id);
    $this->grantPermission($a_dest_id,$source_ops,$target_object);
    return true;
}
585 
/**
 * Copies the template permissions (rbac_templates) of a source role/folder
 * pair onto a destination role/folder pair, replacing whatever the
 * destination had. Optionally copies the protected flag as well.
 *
 * @param int  $a_source_id           source role id
 * @param int  $a_source_parent       ref_id of the source role folder
 * @param int  $a_dest_parent         ref_id of the destination role folder
 * @param int  $a_dest_id             destination role id
 * @param bool $a_consider_protected  when true and the source is protected,
 *                                    the destination is marked protected too
 * @return bool                       always true
 */
function copyRoleTemplatePermissions($a_source_id,$a_source_parent,$a_dest_parent,$a_dest_id,$a_consider_protected = true)
{
    global $rbacreview,$ilDB;

    if (!isset($a_source_id) or !isset($a_source_parent) or !isset($a_dest_id) or !isset($a_dest_parent))
    {
        $message = __METHOD__.": Missing parameter! source_id: ".$a_source_id.
            " source_parent_id: ".$a_source_parent.
            " dest_id : ".$a_dest_id.
            " dest_parent_id: ".$a_dest_parent;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_dest_id == SYSTEM_ROLE_ID)
    {
        return true;
    }

    // Read operations
    // (type, ops_id) pairs of the source are buffered before the target is cleared
    $query = 'SELECT * FROM rbac_templates '.
        'WHERE rol_id = '.$ilDB->quote($a_source_id,'integer').' '.
        'AND parent = '.$ilDB->quote($a_source_parent,'integer');
    $res = $ilDB->query($query);
    $operations = array();
    $rownum = 0;
    while ($row = $ilDB->fetchObject($res))
    {
        $operations[$rownum]['type'] = $row->type;
        $operations[$rownum]['ops_id'] = $row->ops_id;
        $rownum++;
    }

    // Delete target permissions
    $query = 'DELETE FROM rbac_templates WHERE rol_id = '.$ilDB->quote($a_dest_id,'integer').' '.
        'AND parent = '.$ilDB->quote($a_dest_parent,'integer');
    $res = $ilDB->manipulate($query);

    // one INSERT per buffered pair
    foreach($operations as $row => $op)
    {
        $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
            'VALUES ('.
            $ilDB->quote($a_dest_id,'integer').",".
            $ilDB->quote($op['type'],'text').",".
            $ilDB->quote($op['ops_id'],'integer').",".
            $ilDB->quote($a_dest_parent,'integer').")";
        $ilDB->manipulate($query);
    }

    // copy also protection status if applicable
    // (setProtected() flags the role in every folder, not only $a_dest_parent)
    if ($a_consider_protected == true)
    {
        if ($rbacreview->isProtected($a_source_parent,$a_source_id))
        {
            $this->setProtected($a_dest_parent,$a_dest_id,'y');
        }
    }

    return true;
}
/**
 * Sets the template permissions of the destination role/folder to the
 * intersection of two source role/folder template sets (same type and
 * ops_id in both). Nothing is changed when the second source is protected.
 *
 * @param int $a_source1_id      first source role id
 * @param int $a_source1_parent  ref_id of the first source role folder
 * @param int $a_source2_id      second source role id
 * @param int $a_source2_parent  ref_id of the second source role folder
 * @param int $a_dest_parent     ref_id of the destination role folder
 * @param int $a_dest_id         destination role id
 * @return bool                  always true
 */
function copyRolePermissionIntersection($a_source1_id,$a_source1_parent,$a_source2_id,$a_source2_parent,$a_dest_parent,$a_dest_id)
{
    global $rbacreview,$ilDB;

    if (!isset($a_source1_id) or !isset($a_source1_parent)
        or !isset($a_source2_id) or !isset($a_source2_parent)
        or !isset($a_dest_id) or !isset($a_dest_parent))
    {
        $message = get_class($this)."::copyRolePermissionIntersection(): Missing parameter! source1_id: ".$a_source1_id.
            " source1_parent: ".$a_source1_parent.
            " source2_id: ".$a_source2_id.
            " source2_parent: ".$a_source2_parent.
            " dest_id: ".$a_dest_id.
            " dest_parent_id: ".$a_dest_parent;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_dest_id == SYSTEM_ROLE_ID)
    {
        return true;
    }

    // only the second source's protected flag is checked; the destination
    // is then left exactly as it was
    if ($rbacreview->isProtected($a_source2_parent,$a_source2_id))
    {
        $GLOBALS['ilLog']->write(__METHOD__.': Role is protected');
        return true;
    }

    // self-join: rows present in both source template sets
    $query = "SELECT s1.type, s1.ops_id ".
        "FROM rbac_templates s1, rbac_templates s2 ".
        "WHERE s1.rol_id = ".$ilDB->quote($a_source1_id,'integer')." ".
        "AND s1.parent = ".$ilDB->quote($a_source1_parent,'integer')." ".
        "AND s2.rol_id = ".$ilDB->quote($a_source2_id,'integer')." ".
        "AND s2.parent = ".$ilDB->quote($a_source2_parent,'integer')." ".
        "AND s1.type = s2.type ".
        "AND s1.ops_id = s2.ops_id";
    $res = $ilDB->query($query);
    $operations = array();
    $rowNum = 0;
    // fetched PEAR-DB style here, whereas the sibling methods use $ilDB->fetchObject()
    while($row = $res->fetchRow(DB_FETCHMODE_OBJECT))
    {
        $operations[$rowNum]['type'] = $row->type;
        $operations[$rowNum]['ops_id'] = $row->ops_id;

        $rowNum++;
    }

    // Delete template permissions of target
    $query = 'DELETE FROM rbac_templates WHERE rol_id = '.$ilDB->quote($a_dest_id,'integer').' '.
        'AND parent = '.$ilDB->quote($a_dest_parent,'integer');
    $res = $ilDB->manipulate($query);

    // prepared statement, executed once per intersecting pair
    $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
        'VALUES (?,?,?,?)';
    $sta = $ilDB->prepareManip($query,array('integer','text','integer','integer'));
    foreach($operations as $key => $set)
    {
        $ilDB->execute($sta,array(
            $a_dest_id,
            $set['type'],
            $set['ops_id'],
            $a_dest_parent));
    }
    return true;
}
735 
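/**
 * Sets the template permissions of the destination role/folder to the union
 * of two source role/folder template sets. The destination's existing
 * template permissions are deleted first.
 *
 * Note the parameter order: unlike the other copy methods of this class the
 * destination id comes before the destination parent.
 *
 * @param int $a_source1_id      first source role id
 * @param int $a_source1_parent  ref_id of the first source role folder
 * @param int $a_source2_id      second source role id
 * @param int $a_source2_parent  ref_id of the second source role folder
 * @param int $a_dest_id         destination role id
 * @param int $a_dest_parent     ref_id of the destination role folder
 * @return bool                  always true
 */
public function copyRolePermissionUnion(
    $a_source1_id,
    $a_source1_parent,
    $a_source2_id,
    $a_source2_parent,
    $a_dest_id,
    $a_dest_parent)
{
    global $ilDB, $rbacreview;

    // both maps are type => list of ops_id
    $s1_ops = $rbacreview->getAllOperationsOfRole($a_source1_id,$a_source1_parent);
    // method names are case-insensitive in PHP; spelled like the call above
    $s2_ops = $rbacreview->getAllOperationsOfRole($a_source2_id,$a_source2_parent);

    $this->deleteRolePermission($a_dest_id, $a_dest_parent);

    $GLOBALS['ilLog']->write(__METHOD__.': '.print_r($s1_ops,TRUE));
    $GLOBALS['ilLog']->write(__METHOD__.': '.print_r($s2_ops,TRUE));

    // insert all permission of source 1
    // #15469
    foreach($s1_ops as $type => $ops)
    {
        foreach($ops as $op)
        {
            $this->_insertTemplateOperation($a_dest_id, $type, $op, $a_dest_parent);
        }
    }

    // and the other direction: only what source 1 did not already contribute
    foreach($s2_ops as $type => $ops)
    {
        foreach($ops as $op)
        {
            if(!isset($s1_ops[$type]) or !in_array($op, $s1_ops[$type]))
            {
                $this->_insertTemplateOperation($a_dest_id, $type, $op, $a_dest_parent);
            }
        }
    }

    return true;
}

/**
 * Inserts one rbac_templates row; the single place that builds the INSERT
 * used by both loops of copyRolePermissionUnion().
 *
 * @param int    $a_rol_id  destination role id
 * @param string $a_type    object type of the template entry
 * @param int    $a_op      operation id
 * @param int    $a_parent  ref_id of the destination role folder
 */
private function _insertTemplateOperation($a_rol_id, $a_type, $a_op, $a_parent)
{
    global $ilDB;

    $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
        'VALUES( '.
        $ilDB->quote($a_rol_id,'integer').', '.
        $ilDB->quote($a_type,'text').', '.
        $ilDB->quote($a_op,'integer').', '.
        $ilDB->quote($a_parent,'integer').' '.
        ')';
    $ilDB->manipulate($query);
}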
804 
/**
 * Removes from the destination role/folder every template permission that
 * the source role/folder also has (destination := destination minus source).
 *
 * @param int $a_source_id      source role id
 * @param int $a_source_parent  ref_id of the source role folder
 * @param int $a_dest_id        destination role id
 * @param int $a_dest_parent    ref_id of the destination role folder
 * @return bool                 always true
 */
public function copyRolePermissionSubtract($a_source_id, $a_source_parent, $a_dest_id, $a_dest_parent)
{
    global $rbacreview, $ilDB;

    // both maps are type => list of ops_id
    $source_ops = $rbacreview->getAllOperationsOfRole($a_source_id,$a_source_parent);
    $dest_ops = $rbacreview->getAllOperationsOfRole($a_dest_id,$a_dest_parent);

    $dest_sql = $ilDB->quote($a_dest_id,'integer');
    $parent_sql = $ilDB->quote($a_dest_parent,'integer');

    foreach($source_ops as $type => $ops)
    {
        // a type the destination does not have at all needs no work
        if (!isset($dest_ops[$type]))
        {
            continue;
        }
        foreach($ops as $op)
        {
            if (!in_array($op, $dest_ops[$type]))
            {
                continue;
            }
            $ilDB->manipulate(
                'DELETE FROM rbac_templates '.
                'WHERE rol_id = '.$dest_sql.' '.
                'AND type = '.$ilDB->quote($type,'text').' '.
                'AND ops_id = '.$ilDB->quote($op,'integer').' '.
                'AND parent = '.$parent_sql
            );
        }
    }
    return true;
}
836 
837 
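/**
 * Deletes the template permissions (rbac_templates) of a role in one role
 * folder, optionally restricted to one object type. The system role is
 * never touched.
 *
 * @param int          $a_rol_id  role id
 * @param int          $a_ref_id  ref_id of the role folder (column parent)
 * @param string|false $a_type    object type to restrict to, false = all types
 * @return bool                   always true
 */
function deleteRolePermission($a_rol_id,$a_ref_id,$a_type = false)
{
    global $ilDB;

    if (!isset($a_rol_id) or !isset($a_ref_id))
    {
        $message = get_class($this)."::deleteRolePermission(): Missing parameter! role_id: ".$a_rol_id." ref_id: ".$a_ref_id;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID)
    {
        return true;
    }

    // Initialise explicitly: the original left $and_type undefined for
    // $a_type === false and relied on the implicit empty string (E_NOTICE).
    $and_type = '';
    if ($a_type !== false)
    {
        $and_type = " AND type=".$ilDB->quote($a_type,'text')." ";
    }

    $query = 'DELETE FROM rbac_templates '.
        'WHERE rol_id = '.$ilDB->quote($a_rol_id,'integer').' '.
        'AND parent = '.$ilDB->quote($a_ref_id,'integer').' '.
        $and_type;

    $ilDB->manipulate($query);

    return true;
}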
878 
/**
 * Adds template permissions (rbac_templates) for a role in one role folder:
 * one row per operation id for the given object type. Existing rows are not
 * removed first. The system role is never touched.
 *
 * @param int    $a_rol_id  role id
 * @param string $a_type    object type of the template entries
 * @param array  $a_ops     operation ids, one row is inserted per entry
 * @param int    $a_ref_id  ref_id of the role folder (column parent)
 * @return bool             always true
 */
function setRolePermission($a_rol_id,$a_type,$a_ops,$a_ref_id)
{
    global $ilDB;

    $any_missing = $a_rol_id === null || $a_type === null
        || $a_ops === null || $a_ref_id === null;
    if ($any_missing)
    {
        $this->ilErr->raiseError(
            get_class($this)."::setRolePermission(): Missing parameter!".
            " role_id: ".$a_rol_id.
            " type: ".$a_type.
            " operations: ".$a_ops.
            " ref_id: ".$a_ref_id,
            $this->ilErr->WARNING
        );
    }

    if (!is_string($a_type) or empty($a_type))
    {
        $this->ilErr->raiseError(
            get_class($this)."::setRolePermission(): a_type is no string or empty!",
            $this->ilErr->WARNING
        );
    }

    if (!is_array($a_ops) or empty($a_ops))
    {
        $this->ilErr->raiseError(
            get_class($this)."::setRolePermission(): a_ops is no array or empty!",
            $this->ilErr->WARNING
        );
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID)
    {
        return true;
    }

    // one prepared INSERT, executed per operation
    $statement = $ilDB->prepareManip(
        'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) VALUES (?,?,?,?)',
        array('integer','text','integer','integer')
    );
    foreach ($a_ops as $operation)
    {
        $ilDB->execute($statement, array($a_rol_id, $a_type, $operation, $a_ref_id));
    }

    return true;
}
936 
/**
 * Creates the folder assignment (rbac_fa) of a role: a row for the role in
 * the given role folder, with the assign flag and protected = 'n'.
 * The system role is never touched.
 *
 * @param int    $a_rol_id  role id
 * @param int    $a_parent  ref_id of the role folder
 * @param string $a_assign  "y" for an assignable local role, anything else is stored as "n"
 * @return bool             always true
 */
function assignRoleToFolder($a_rol_id,$a_parent,$a_assign = "y")
{
    global $ilDB,$rbacreview;

    if ($a_rol_id === null or $a_parent === null)
    {
        $this->ilErr->raiseError(
            get_class($this)."::assignRoleToFolder(): Missing Parameter!".
            " role_id: ".$a_rol_id.
            " parent_id: ".$a_parent.
            " assign: ".$a_assign,
            $this->ilErr->WARNING
        );
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID)
    {
        return true;
    }

    // if a wrong value is passed, always set assign to "n"
    if ($a_assign != "y")
    {
        $a_assign = "n";
    }

    // a new folder assignment always starts unprotected
    $values = array(
        $ilDB->quote($a_rol_id,'integer'),
        $ilDB->quote($a_parent,'integer'),
        $ilDB->quote($a_assign,'text'),
        $ilDB->quote('n','text'),
    );
    $ilDB->manipulate(
        'INSERT INTO rbac_fa (rol_id, parent, assign, protected) '.
        'VALUES ('.implode(',', $values).')'
    );

    return true;
}
985 
/**
 * Registers an operation as available for an object type (rbac_ta).
 *
 * @param int $a_type_id  object type id (column typ_id)
 * @param int $a_ops_id   operation id
 * @return bool           always true
 */
function assignOperationToObject($a_type_id,$a_ops_id)
{
    global $ilDB;

    if ($a_type_id === null or $a_ops_id === null)
    {
        $this->ilErr->raiseError(
            get_class($this)."::assignOperationToObject(): Missing parameter!".
            "type_id: ".$a_type_id.
            "ops_id: ".$a_ops_id,
            $this->ilErr->WARNING
        );
    }

    $sql = sprintf(
        'INSERT INTO rbac_ta (typ_id, ops_id) VALUES(%s,%s)',
        $ilDB->quote($a_type_id,'integer'),
        $ilDB->quote($a_ops_id,'integer')
    );
    $ilDB->manipulate($sql);
    return true;
}
1011 
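/**
 * Removes an operation from the operations available for an object type (rbac_ta).
 *
 * @param int $a_type_id  object type id (column typ_id)
 * @param int $a_ops_id   operation id
 * @return bool           always true
 */
function deassignOperationFromObject($a_type_id,$a_ops_id)
{
    global $ilDB;

    if (!isset($a_type_id) or !isset($a_ops_id))
    {
        // the message used to name a method "deassignPermissionFromObject"
        // that does not exist in this class; it now names this method
        $message = get_class($this)."::deassignOperationFromObject(): Missing parameter!".
            "type_id: ".$a_type_id.
            "ops_id: ".$a_ops_id;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    $query = "DELETE FROM rbac_ta ".
        "WHERE typ_id = ".$ilDB->quote($a_type_id,'integer')." ".
        "AND ops_id = ".$ilDB->quote($a_ops_id,'integer');
    $ilDB->manipulate($query);

    return true;
}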
1039 
/**
 * Sets the protected flag of a role in rbac_fa.
 *
 * The flag is written for EVERY folder assignment of the role: $a_ref_id is
 * accepted for interface symmetry but not used in the UPDATE.
 *
 * @param int    $a_ref_id   unused (see above)
 * @param int    $a_role_id  role id
 * @param string $a_value    flag value, e.g. 'y' or 'n'
 * @return bool              always true
 */
function setProtected($a_ref_id,$a_role_id,$a_value)
{
    global $ilDB;

    // ref_id not used yet. protected permission acts 'global' for each role,
    // regardless of any broken inheritance before
    $sql = sprintf(
        'UPDATE rbac_fa SET protected = %s WHERE rol_id = %s',
        $ilDB->quote($a_value,'text'),
        $ilDB->quote($a_role_id,'integer')
    );
    $ilDB->manipulate($sql);
    return true;
}
1060 
/**
 * Copies the local roles of one object to another: roles whose title starts
 * with "il_" are skipped, a role folder is created on the target when it has
 * none, and each remaining role is recreated there with its permissions.
 *
 * @param int $a_source_id  ref_id of the source object
 * @param int $a_target_id  ref_id of the target object
 * @return bool|null        true when nothing had to be copied, false when the
 *                          target object could not be instantiated; the copy
 *                          path itself ends without a return statement (null),
 *                          unlike the true-returning siblings in this class
 */
public function copyLocalRoles($a_source_id,$a_target_id)
{
    global $rbacreview,$ilLog,$ilObjDataCache;

    $source_rolf = $rbacreview->getRoleFolderIdOfObject($a_source_id);
    $target_rolf = $rbacreview->getRoleFolderIdOfObject($a_target_id);

    if(!$source_rolf)
    {
        // Nothing to do
        return true;
    }
    // local roles worth copying: everything except the "il_" prefixed ones
    $real_local = array();
    foreach($rbacreview->getRolesOfRoleFolder($source_rolf,false) as $role_data)
    {
        $title = $ilObjDataCache->lookupTitle($role_data);
        if(substr($title,0,3) == 'il_')
        {
            continue;
        }
        $real_local[] = $role_data;
    }
    if(!count($real_local))
    {
        return true;
    }
    // Create role folder
    // NOTE(review): ilObjectFactory is used without an include in this
    // method; presumably loaded earlier by the caller
    if(!$target_rolf)
    {
        $tmp_obj = ilObjectFactory::getInstanceByRefId($a_target_id,false);
        if(!is_object($tmp_obj))
        {
            return false;
        }
        $rolf = $tmp_obj->createRoleFolder();
        $target_rolf = $rolf->getRefId();
        $ilLog->write(__METHOD__.': Created new role folder with id '.$rolf->getRefId());
    }
    foreach($real_local as $role)
    {
        include_once ("./Services/AccessControl/classes/class.ilObjRole.php");
        $orig = new ilObjRole($role);
        $orig->read();

        $ilLog->write(__METHOD__.': Start copying of role '.$orig->getTitle());
        // new role object with title, description and import id of the original
        $roleObj = new ilObjRole();
        $roleObj->setTitle($orig->getTitle());
        $roleObj->setDescription($orig->getDescription());
        $roleObj->setImportId($orig->getImportId());
        $roleObj->create();

        // assignable in the target folder; permissions copied incl. protected flag
        $this->assignRoleToFolder($roleObj->getId(),$target_rolf,"y");
        $this->copyRolePermissions($role,$source_rolf,$target_rolf,$roleObj->getId(),true);
        $ilLog->write(__METHOD__.': Added new local role, id '.$roleObj->getId());
    }

}
1128 
/**
 * Re-aligns the permissions of a moved object and its subtree with the roles
 * in scope of its new position.
 *
 * Roles that are only in scope of the new parent (or whose defining folder
 * changed) are granted their default operations on every subtree node; roles
 * that were only in scope of the old parent are revoked there. When RBAC
 * logging is enabled the before/after state per node is gathered and diffed.
 *
 * @param int $a_ref_id      ref_id of the moved object (already at its new position)
 * @param int $a_old_parent  ref_id of the parent it was moved away from
 * @return bool|null         true when the role sets do not differ; otherwise
 *                           the method ends without a return statement
 */
public function adjustMovedObjectPermissions($a_ref_id,$a_old_parent)
{
    global $rbacreview,$tree,$ilLog;

    $new_parent = $tree->getParentId($a_ref_id);
    // role id => role data (with a 'parent' entry) for both contexts
    $old_context_roles = $rbacreview->getParentRoleIds($a_old_parent,false);
    $new_context_roles = $rbacreview->getParentRoleIds($new_parent,false);

    $for_addition = $for_deletion = array();
    foreach($new_context_roles as $new_role_id => $new_role)
    {
        if(!isset($old_context_roles[$new_role_id]))
        {
            $for_addition[$new_role_id] = $new_role;
        }
        elseif($new_role['parent'] != $old_context_roles[$new_role_id]['parent'])
        {
            // handle stopped inheritance
            // same role, different defining folder: revoke and re-grant
            $for_deletion[$new_role_id] = $new_role;
            $for_addition[$new_role_id] = $new_role;
        }
    }
    foreach($old_context_roles as $old_role_id => $old_role)
    {
        if(!isset($new_context_roles[$old_role_id]))
        {
            $for_deletion[$old_role_id] = $old_role;
        }
    }

    if(!count($for_deletion) and !count($for_addition))
    {
        return true;
    }

    include_once "Services/AccessControl/classes/class.ilRbacLog.php";
    $rbac_log_active = ilRbacLog::isActive();
    if($rbac_log_active)
    {
        $role_ids = array_unique(array_merge(array_keys($for_deletion), array_keys($for_addition)));
    }

    // the subtree includes the moved node itself (getSubTree of its node data)
    foreach($nodes = $tree->getSubTree($node_data = $tree->getNodeData($a_ref_id),true) as $node_data)
    {
        $node_id = $node_data['child'];

        if($rbac_log_active)
        {
            $log_old = ilRbacLog::gatherFaPa($node_id, $role_ids);
        }

        // If $node_data['type'] is not set, this means there is a tree entry without
        // object_reference and/or object_data entry
        // Continue in this case
        if(!$node_data['type'])
        {
            $ilLog->write(__METHOD__.': No type give. Choosing next tree entry.');
            continue;
        }

        if(!$node_id)
        {
            $ilLog->write(__METHOD__.': Missing subtree node_id');
            continue;
        }

        foreach($for_deletion as $role_id => $role_data)
        {
            // a local role folder on the node loses the role's assignment/template first
            if($rolf_id = $rbacreview->getRoleFolderIdOfObject($node_id))
            {
                $this->deleteLocalRole($role_id,$rolf_id);
            }
            // keep_protected = false: protected roles are revoked as well
            $this->revokePermission($node_id,$role_id,false);
//var_dump("<pre>",'REVOKE',$role_id,$node_id,$rolf_id,"</pre>");
        }
        foreach($for_addition as $role_id => $role_data)
        {
            // default operations of the role for this node's type, as defined
            // in the role's own folder
            $this->grantPermission(
                $role_id,
                $ops = $rbacreview->getOperationsOfRole($role_id,$node_data['type'],$role_data['parent']),
                $node_id);
//var_dump("<pre>",'GRANT',$role_id,$ops,$role_id,$node_data['type'],$role_data['parent'],"</pre>");
        }

        if($rbac_log_active)
        {
            $log_new = ilRbacLog::gatherFaPa($node_id, $role_ids);
            $log = ilRbacLog::diffFaPa($log_old, $log_new);
            // NOTE(review): the statement that consumes $log is not shown in this listing
        }
    }

}
1233 
1234 
/**
 * Unfinished: only reads the roles in scope of the source object and writes
 * them to the log. Nothing is copied yet.
 *
 * @param int $a_source_ref_id  ref_id whose parent roles are looked up
 * @param int $target_ref_id    unused (also lacks the a_ prefix of its siblings)
 * @param int $a_subtree_id     unused
 * @return void
 */
public function copyEffectiveRolePermissions($a_source_ref_id, $target_ref_id, $a_subtree_id)
{
    global $rbacreview;

    $parent_roles = $rbacreview->getParentRoleIds($a_source_ref_id, FALSE);
    $GLOBALS['ilLog']->write(__METHOD__.': '. print_r($parent_roles,TRUE));



}
1251 
1252 
1253 
1254 
1255 } // END class.ilRbacAdmin
1256 ?>