ILIAS  Release_5_0_x_branch Revision 61816
 All Data Structures Namespaces Files Functions Variables Groups Pages
class.ilRbacAdmin.php
Go to the documentation of this file.
1 <?php
2 /* Copyright (c) 1998-2010 ILIAS open source, Extended GPL, see docs/LICENSE */
3 
4 
18 class ilRbacAdmin
19 {
24  public function __construct()
25  {
26  global $ilDB,$ilErr,$ilias;
27 
28  // set db & error handler
29  (isset($ilDB)) ? $this->ilDB =& $ilDB : $this->ilDB =& $ilias->db;
30 
31  if (!isset($ilErr))
32  {
33  $ilErr = new ilErrorHandling();
34  $ilErr->setErrorHandling(PEAR_ERROR_CALLBACK,array($ilErr,'errorHandler'));
35  }
36  else
37  {
38  $this->ilErr =& $ilErr;
39  }
40  }
41 
49  public function removeUser($a_usr_id)
50  {
51  global $ilDB;
52 
53  if (!isset($a_usr_id))
54  {
55  $message = get_class($this)."::removeUser(): No usr_id given!";
56  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
57  }
58 
59  $query = "DELETE FROM rbac_ua WHERE usr_id = ".$ilDB->quote($a_usr_id,'integer');
60  $res = $ilDB->manipulate($query);
61 
62  return true;
63  }
64 
72  public function deleteRole($a_rol_id,$a_ref_id)
73  {
74  global $lng,$ilDB;
75 
76  if (!isset($a_rol_id) or !isset($a_ref_id))
77  {
78  $message = get_class($this)."::deleteRole(): Missing parameter! role_id: ".$a_rol_id." ref_id of role folder: ".$a_ref_id;
79  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
80  }
81 
82  // exclude system role from rbac
83  if ($a_rol_id == SYSTEM_ROLE_ID)
84  {
85  $this->ilErr->raiseError($lng->txt("msg_sysrole_not_deletable"),$this->ilErr->MESSAGE);
86  }
87 
88  include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
89  $mapping = ilLDAPRoleGroupMapping::_getInstance();
90  $mapping->deleteRole($a_rol_id);
91 
92 
93  // TODO: check assigned users before deletion
94  // This is done in ilObjRole. Should be better moved to this place?
95 
96  // delete user assignements
97  $query = "DELETE FROM rbac_ua ".
98  "WHERE rol_id = ".$ilDB->quote($a_rol_id,'integer');
99  $res = $ilDB->manipulate($query);
100 
101  // delete permission assignments
102  $query = "DELETE FROM rbac_pa ".
103  "WHERE rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
104  $res = $ilDB->manipulate($query);
105 
106  //delete rbac_templates and rbac_fa
107  $this->deleteLocalRole($a_rol_id);
108 
109  return true;
110  }
111 
118  public function deleteTemplate($a_obj_id)
119  {
120  global $ilDB;
121 
122  if (!isset($a_obj_id))
123  {
124  $message = get_class($this)."::deleteTemplate(): No obj_id given!";
125  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
126  }
127 
128  $query = 'DELETE FROM rbac_templates '.
129  'WHERE rol_id = '.$ilDB->quote($a_obj_id,'integer');
130  $res = $ilDB->manipulate($query);
131 
132  $query = 'DELETE FROM rbac_fa '.
133  'WHERE rol_id = '.$ilDB->quote($a_obj_id,'integer');
134  $res = $ilDB->manipulate($query);
135 
136  return true;
137  }
138 
146  public function deleteLocalRole($a_rol_id,$a_ref_id = 0)
147  {
148  global $ilDB;
149 
150  if (!isset($a_rol_id))
151  {
152  $message = get_class($this)."::deleteLocalRole(): Missing parameter! role_id: '".$a_rol_id."'";
153  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
154  }
155 
156  // exclude system role from rbac
157  if ($a_rol_id == SYSTEM_ROLE_ID)
158  {
159  return true;
160  }
161 
162  if ($a_ref_id != 0)
163  {
164  $clause = 'AND parent = '.$ilDB->quote($a_ref_id,'integer').' ';
165  }
166 
167  $query = 'DELETE FROM rbac_fa '.
168  'WHERE rol_id = '.$ilDB->quote($a_rol_id,'integer').' '.
169  $clause;
170  $res = $ilDB->manipulate($query);
171 
172  $query = 'DELETE FROM rbac_templates '.
173  'WHERE rol_id = '.$ilDB->quote($a_rol_id,'integer').' '.
174  $clause;
175  $res = $ilDB->manipulate($query);
176  return true;
177  }
178 
185  public function assignUserLimited($a_role_id, $a_usr_id, $a_limit, $a_limited_roles = array())
186  {
187  global $ilDB;
188 
189  $GLOBALS['ilDB']->lockTables(
190  array(
191  0 => array('name' => 'rbac_ua', 'type' => ilDB::LOCK_WRITE)
192  )
193  );
194 
195  $limit_query = 'SELECT COUNT(*) num FROM rbac_ua '.
196  'WHERE '.$GLOBALS['ilDB']->in('rol_id',(array) $a_limited_roles,FALSE,'integer');
197  $res = $GLOBALS['ilDB']->query($limit_query);
198  $row = $res->fetchRow(DB_FETCHMODE_OBJECT);
199  if($row->num >= $a_limit)
200  {
201  $GLOBALS['ilDB']->unlockTables();
202  return FALSE;
203  }
204 
205  $query = "INSERT INTO rbac_ua (usr_id, rol_id) ".
206  "VALUES (".
207  $ilDB->quote($a_usr_id,'integer').",".$ilDB->quote($a_role_id,'integer').
208  ")";
209  $res = $ilDB->manipulate($query);
210 
211  $GLOBALS['ilDB']->unlockTables();
212  $GLOBALS['rbacreview']->setAssignedCacheEntry($a_role_id,$a_usr_id,TRUE);
213 
214  $this->addDesktopItem($a_role_id,$a_usr_id);
215 
216  include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
217  $mapping = ilLDAPRoleGroupMapping::_getInstance();
218  $mapping->assign($a_role_id,$a_usr_id);
219  return TRUE;
220  }
221 
227  protected function addDesktopItem($a_rol_id, $a_usr_id)
228  {
229  include_once 'Services/AccessControl/classes/class.ilRoleDesktopItem.php';
230  $role_desk_item_obj = new ilRoleDesktopItem($a_rol_id);
231  foreach($role_desk_item_obj->getAll() as $item_data)
232  {
233  include_once './Services/User/classes/class.ilObjUser.php';
234  ilObjUser::_addDesktopItem($a_usr_id, $item_data['item_id'], $item_data['item_type']);
235  }
236  }
237 
238 
248  public function assignUser($a_rol_id,$a_usr_id)
249  {
250  global $ilDB,$rbacreview;
251 
252  if (!isset($a_rol_id) or !isset($a_usr_id))
253  {
254  $message = get_class($this)."::assignUser(): Missing parameter! role_id: ".$a_rol_id." usr_id: ".$a_usr_id;
255  #$this->ilErr->raiseError($message,$this->ilErr->WARNING);
256  }
257 
258  // check if already assigned user id and role_id
259  $alreadyAssigned = $rbacreview->isAssigned($a_usr_id,$a_rol_id);
260 
261  // enhanced: only if we haven't had this role for this user
262  if (!$alreadyAssigned)
263  {
264  $query = "INSERT INTO rbac_ua (usr_id, rol_id) ".
265  "VALUES (".$ilDB->quote($a_usr_id,'integer').",".$ilDB->quote($a_rol_id,'integer').")";
266  $res = $ilDB->manipulate($query);
267 
268  $this->addDesktopItem($a_rol_id, $a_usr_id);
269 
270  $rbacreview->setAssignedCacheEntry($a_rol_id,$a_usr_id,true);
271  }
272 
273  include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
274  $mapping = ilLDAPRoleGroupMapping::_getInstance();
275  $mapping->assign($a_rol_id,$a_usr_id);
276 
277  return true;
278  }
279 
287  public function deassignUser($a_rol_id,$a_usr_id)
288  {
289  global $ilDB, $rbacreview;
290 
291  if (!isset($a_rol_id) or !isset($a_usr_id))
292  {
293  $message = get_class($this)."::deassignUser(): Missing parameter! role_id: ".$a_rol_id." usr_id: ".$a_usr_id;
294  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
295  }
296 
297  $query = "DELETE FROM rbac_ua ".
298  "WHERE usr_id = ".$ilDB->quote($a_usr_id,'integer')." ".
299  "AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
300  $res = $ilDB->manipulate($query);
301 
302  $rbacreview->setAssignedCacheEntry($a_rol_id,$a_usr_id,false);
303 
304  include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
305  $mapping = ilLDAPRoleGroupMapping::_getInstance();
306  $mapping->deassign($a_rol_id,$a_usr_id);
307 
308  return true;
309  }
310 
319  public function grantPermission($a_rol_id,$a_ops,$a_ref_id)
320  {
321  global $ilDB;
322 
323  if (!isset($a_rol_id) or !isset($a_ops) or !isset($a_ref_id))
324  {
325  $this->ilErr->raiseError(get_class($this)."::grantPermission(): Missing parameter! ".
326  "role_id: ".$a_rol_id." ref_id: ".$a_ref_id." operations: ",$this->ilErr->WARNING);
327  }
328 
329  if (!is_array($a_ops))
330  {
331  $this->ilErr->raiseError(get_class($this)."::grantPermission(): Wrong datatype for operations!",
332  $this->ilErr->WARNING);
333  }
334 
335  /*
336  if (count($a_ops) == 0)
337  {
338  return false;
339  }
340  */
341  // exclude system role from rbac
342  if ($a_rol_id == SYSTEM_ROLE_ID)
343  {
344  return true;
345  }
346 
347  // convert all values to integer
348  foreach ($a_ops as $key => $operation)
349  {
350  $a_ops[$key] = (int) $operation;
351  }
352 
353  // Serialization des ops_id Arrays
354  $ops_ids = serialize($a_ops);
355 
356  $query = 'DELETE FROM rbac_pa '.
357  'WHERE rol_id = %s '.
358  'AND ref_id = %s';
359  $res = $ilDB->queryF($query,array('integer','integer'),
360  array($a_rol_id,$a_ref_id));
361 
362  if(!count($a_ops))
363  {
364  return false;
365  }
366 
367  $query = "INSERT INTO rbac_pa (rol_id,ops_id,ref_id) ".
368  "VALUES ".
369  "(".$ilDB->quote($a_rol_id,'integer').",".$ilDB->quote($ops_ids,'text').",".$ilDB->quote($a_ref_id,'integer').")";
370  $res = $ilDB->manipulate($query);
371 
372  return true;
373  }
374 
384  public function revokePermission($a_ref_id,$a_rol_id = 0,$a_keep_protected = true)
385  {
386  global $rbacreview,$log,$ilDB,$ilLog;
387 
388  if (!isset($a_ref_id))
389  {
390  $ilLog->logStack();
391  $message = get_class($this)."::revokePermission(): Missing parameter! ref_id: ".$a_ref_id;
392  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
393  }
394 #$log->write("ilRBACadmin::revokePermission(), 0");
395 
396  // bypass protected status of roles
397  if ($a_keep_protected != true)
398  {
399  // exclude system role from rbac
400  if ($a_rol_id == SYSTEM_ROLE_ID)
401  {
402  return true;
403  }
404 
405  if ($a_rol_id)
406  {
407  $and1 = " AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
408  }
409  else
410  {
411  $and1 = "";
412  }
413 
414  $query = "DELETE FROM rbac_pa ".
415  "WHERE ref_id = ".$ilDB->quote($a_ref_id,'integer').
416  $and1;
417 
418  $res = $ilDB->manipulate($query);
419 
420  return true;
421  }
422 
423  // consider protected status of roles
424 
425  // in any case, get all roles in scope first
426  $roles_in_scope = $rbacreview->getParentRoleIds($a_ref_id);
427 
428  if (!$a_rol_id)
429  {
430 #$log->write("ilRBACadmin::revokePermission(), 1");
431 
432  $role_ids = array();
433 
434  foreach ($roles_in_scope as $role)
435  {
436  if ($role['protected'] == true)
437  {
438  continue;
439  }
440 
441  $role_ids[] = $role['obj_id'];
442  }
443 
444  // return if no role in array
445  if (!$role_ids)
446  {
447  return true;
448  }
449 
450  $query = 'DELETE FROM rbac_pa '.
451  'WHERE '.$ilDB->in('rol_id',$role_ids,false,'integer').' '.
452  'AND ref_id = '.$ilDB->quote($a_ref_id,'integer');
453  $res = $ilDB->manipulate($query);
454  }
455  else
456  {
457 #$log->write("ilRBACadmin::revokePermission(), 2");
458  // exclude system role from rbac
459  if ($a_rol_id == SYSTEM_ROLE_ID)
460  {
461  return true;
462  }
463 
464  // exclude protected permission settings from revoking
465  if ($roles_in_scope[$a_rol_id]['protected'] == true)
466  {
467  return true;
468  }
469 
470  $query = "DELETE FROM rbac_pa ".
471  "WHERE ref_id = ".$ilDB->quote($a_ref_id,'integer')." ".
472  "AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
473  $res = $ilDB->manipulate($query);
474  }
475 
476  return true;
477  }
478 
485  public function revokeSubtreePermissions($a_ref_id,$a_role_id)
486  {
487  global $ilDB;
488 
489  $query = 'DELETE FROM rbac_pa '.
490  'WHERE ref_id IN '.
491  '( '.$GLOBALS['tree']->getSubTreeQuery($a_ref_id,array('child')).' ) '.
492  'AND rol_id = '.$ilDB->quote($a_role_id,'integer');
493 
494  $ilDB->manipulate($query);
495  return true;
496  }
497 
504  public function deleteSubtreeTemplates($a_ref_id,$a_rol_id)
505  {
506  global $ilDB;
507 
508  $query = 'DELETE FROM rbac_templates '.
509  'WHERE parent IN ( '.
510  $GLOBALS['tree']->getSubTreeQuery($a_ref_id, array('child')).' ) '.
511  'AND rol_id = '.$ilDB->quote($a_rol_id,'integer');
512 
513  $ilDB->manipulate($query);
514 
515  $query = 'DELETE FROM rbac_fa '.
516  'WHERE parent IN ( '.
517  $GLOBALS['tree']->getSubTreeQuery($a_ref_id,array('child')).' ) '.
518  'AND rol_id = '.$ilDB->quote($a_rol_id,'integer');
519 
520  $ilDB->manipulate($query);
521 
522  return true;
523  }
524 
532  public function revokePermissionList($a_ref_ids,$a_rol_id)
533  {
534  global $ilDB;
535 
536  if (!isset($a_ref_ids) or !is_array($a_ref_ids))
537  {
538  $message = get_class($this)."::revokePermissionList(): Missing parameter or parameter is not an array! reference_list: ".var_dump($a_ref_ids);
539  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
540  }
541 
542  if (!isset($a_rol_id))
543  {
544  $message = get_class($this)."::revokePermissionList(): Missing parameter! rol_id: ".$a_rol_id;
545  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
546  }
547 
548  // exclude system role from rbac
549  if ($a_rol_id == SYSTEM_ROLE_ID)
550  {
551  return true;
552  }
553 
554  $query = "DELETE FROM rbac_pa ".
555  "WHERE ".$ilDB->in('ref_id',$a_ref_ids,false,'integer').' '.
556  "AND rol_id = ".$ilDB->quote($a_rol_id,'integer');
557  $res = $ilDB->manipulate($query);
558 
559  return true;
560  }
561 
572  public function copyRolePermissions($a_source_id,$a_source_parent,$a_dest_parent,$a_dest_id,$a_consider_protected = true)
573  {
574  global $tree,$rbacreview;
575 
576  // Copy template permissions
577  $this->copyRoleTemplatePermissions($a_source_id,$a_source_parent,$a_dest_parent,$a_dest_id,$a_consider_protected);
578 
579  $ops = $rbacreview->getRoleOperationsOnObject($a_source_id,$a_source_parent);
580 
581  $this->revokePermission($a_dest_parent,$a_dest_id);
582  $this->grantPermission($a_dest_id,$ops,$a_dest_parent);
583  return true;
584  }
585 
596  public function copyRoleTemplatePermissions($a_source_id,$a_source_parent,$a_dest_parent,$a_dest_id,$a_consider_protected = true)
597  {
598  global $rbacreview,$ilDB;
599 
600  if (!isset($a_source_id) or !isset($a_source_parent) or !isset($a_dest_id) or !isset($a_dest_parent))
601  {
602  $message = __METHOD__.": Missing parameter! source_id: ".$a_source_id.
603  " source_parent_id: ".$a_source_parent.
604  " dest_id : ".$a_dest_id.
605  " dest_parent_id: ".$a_dest_parent;
606  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
607  }
608 
609  // exclude system role from rbac
610  if ($a_dest_id == SYSTEM_ROLE_ID)
611  {
612  return true;
613  }
614 
615  // Read operations
616  $query = 'SELECT * FROM rbac_templates '.
617  'WHERE rol_id = '.$ilDB->quote($a_source_id,'integer').' '.
618  'AND parent = '.$ilDB->quote($a_source_parent,'integer');
619  $res = $ilDB->query($query);
620  $operations = array();
621  $rownum = 0;
622  while ($row = $ilDB->fetchObject($res))
623  {
624  $operations[$rownum]['type'] = $row->type;
625  $operations[$rownum]['ops_id'] = $row->ops_id;
626  $rownum++;
627  }
628 
629  // Delete target permissions
630  $query = 'DELETE FROM rbac_templates WHERE rol_id = '.$ilDB->quote($a_dest_id,'integer').' '.
631  'AND parent = '.$ilDB->quote($a_dest_parent,'integer');
632  $res = $ilDB->manipulate($query);
633 
634  foreach($operations as $row => $op)
635  {
636  $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
637  'VALUES ('.
638  $ilDB->quote($a_dest_id,'integer').",".
639  $ilDB->quote($op['type'],'text').",".
640  $ilDB->quote($op['ops_id'],'integer').",".
641  $ilDB->quote($a_dest_parent,'integer').")";
642  $ilDB->manipulate($query);
643  }
644 
645  // copy also protection status if applicable
646  if ($a_consider_protected == true)
647  {
648  if ($rbacreview->isProtected($a_source_parent,$a_source_id))
649  {
650  $this->setProtected($a_dest_parent,$a_dest_id,'y');
651  }
652  }
653 
654  return true;
655  }
669  public function copyRolePermissionIntersection($a_source1_id,$a_source1_parent,$a_source2_id,$a_source2_parent,$a_dest_parent,$a_dest_id)
670  {
671  global $rbacreview,$ilDB;
672 
673  if (!isset($a_source1_id) or !isset($a_source1_parent)
674  or !isset($a_source2_id) or !isset($a_source2_parent)
675  or !isset($a_dest_id) or !isset($a_dest_parent))
676  {
677  $message = get_class($this)."::copyRolePermissionIntersection(): Missing parameter! source1_id: ".$a_source1_id.
678  " source1_parent: ".$a_source1_parent.
679  " source2_id: ".$a_source2_id.
680  " source2_parent: ".$a_source2_parent.
681  " dest_id: ".$a_dest_id.
682  " dest_parent_id: ".$a_dest_parent;
683  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
684  }
685 
686  // exclude system role from rbac
687  if ($a_dest_id == SYSTEM_ROLE_ID)
688  {
689  return true;
690  }
691 
692  if ($rbacreview->isProtected($a_source2_parent,$a_source2_id))
693  {
694  $GLOBALS['ilLog']->write(__METHOD__.': Role is protected');
695  return true;
696  }
697 
698  $query = "SELECT s1.type, s1.ops_id ".
699  "FROM rbac_templates s1, rbac_templates s2 ".
700  "WHERE s1.rol_id = ".$ilDB->quote($a_source1_id,'integer')." ".
701  "AND s1.parent = ".$ilDB->quote($a_source1_parent,'integer')." ".
702  "AND s2.rol_id = ".$ilDB->quote($a_source2_id,'integer')." ".
703  "AND s2.parent = ".$ilDB->quote($a_source2_parent,'integer')." ".
704  "AND s1.type = s2.type ".
705  "AND s1.ops_id = s2.ops_id";
706  $res = $ilDB->query($query);
707  $operations = array();
708  $rowNum = 0;
709  while($row = $res->fetchRow(DB_FETCHMODE_OBJECT))
710  {
711  $operations[$rowNum]['type'] = $row->type;
712  $operations[$rowNum]['ops_id'] = $row->ops_id;
713 
714  $rowNum++;
715  }
716 
717  // Delete template permissions of target
718  $query = 'DELETE FROM rbac_templates WHERE rol_id = '.$ilDB->quote($a_dest_id,'integer').' '.
719  'AND parent = '.$ilDB->quote($a_dest_parent,'integer');
720  $res = $ilDB->manipulate($query);
721 
722  $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
723  'VALUES (?,?,?,?)';
724  $sta = $ilDB->prepareManip($query,array('integer','text','integer','integer'));
725  foreach($operations as $key => $set)
726  {
727  $ilDB->execute($sta,array(
728  $a_dest_id,
729  $set['type'],
730  $set['ops_id'],
731  $a_dest_parent));
732  }
733  return true;
734  }
735 
747  public function copyRolePermissionUnion(
748  $a_source1_id,
749  $a_source1_parent,
750  $a_source2_id,
751  $a_source2_parent,
752  $a_dest_id,
753  $a_dest_parent)
754  {
755  global $ilDB, $rbacreview;
756 
757 
758  $s1_ops = $rbacreview->getAllOperationsOfRole($a_source1_id,$a_source1_parent);
759  $s2_ops = $rbacreview->getAlloperationsOfRole($a_source2_id,$a_source2_parent);
760 
761  $this->deleteRolePermission($a_dest_id, $a_dest_parent);
762 
763  $GLOBALS['ilLog']->write(__METHOD__.': '.print_r($s1_ops,TRUE));
764  $GLOBALS['ilLog']->write(__METHOD__.': '.print_r($s2_ops,TRUE));
765 
766  foreach($s1_ops as $type => $ops)
767  {
768  foreach($ops as $op)
769  {
770  // insert all permission of source 1
771  // #15469
772  $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
773  'VALUES( '.
774  $ilDB->quote($a_dest_id,'integer').', '.
775  $ilDB->quote($type,'text').', '.
776  $ilDB->quote($op,'integer').', '.
777  $ilDB->quote($a_dest_parent,'integer').' '.
778  ')';
779  $ilDB->manipulate($query);
780  }
781  }
782 
783  // and the other direction...
784  foreach($s2_ops as $type => $ops)
785  {
786  foreach($ops as $op)
787  {
788  if(!isset($s1_ops[$type]) or !in_array($op, $s1_ops[$type]))
789  {
790  $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
791  'VALUES( '.
792  $ilDB->quote($a_dest_id,'integer').', '.
793  $ilDB->quote($type,'text').', '.
794  $ilDB->quote($op,'integer').', '.
795  $ilDB->quote($a_dest_parent,'integer').' '.
796  ')';
797  $ilDB->manipulate($query);
798  }
799  }
800  }
801 
802  return true;
803  }
804 
812  public function copyRolePermissionSubtract($a_source_id, $a_source_parent, $a_dest_id, $a_dest_parent)
813  {
814  global $rbacreview, $ilDB;
815 
816  $s1_ops = $rbacreview->getAllOperationsOfRole($a_source_id,$a_source_parent);
817  $d_ops = $rbacreview->getAllOperationsOfRole($a_dest_id,$a_dest_parent);
818 
819  foreach($s1_ops as $type => $ops)
820  {
821  foreach($ops as $op)
822  {
823  if(isset($d_ops[$type]) and in_array($op, $d_ops[$type]))
824  {
825  $query = 'DELETE FROM rbac_templates '.
826  'WHERE rol_id = '.$ilDB->quote($a_dest_id,'integer').' '.
827  'AND type = '.$ilDB->quote($type,'text').' '.
828  'AND ops_id = '.$ilDB->quote($op,'integer').' '.
829  'AND parent = '.$ilDB->quote($a_dest_parent,'integer');
830  $ilDB->manipulate($query);
831  }
832  }
833  }
834  return true;
835  }
836 
837 
848  public function deleteRolePermission($a_rol_id,$a_ref_id,$a_type = false)
849  {
850  global $ilDB;
851 
852  if (!isset($a_rol_id) or !isset($a_ref_id))
853  {
854  $message = get_class($this)."::deleteRolePermission(): Missing parameter! role_id: ".$a_rol_id." ref_id: ".$a_ref_id;
855  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
856  }
857 
858  // exclude system role from rbac
859  if ($a_rol_id == SYSTEM_ROLE_ID)
860  {
861  return true;
862  }
863 
864  if ($a_type !== false)
865  {
866  $and_type = " AND type=".$ilDB->quote($a_type,'text')." ";
867  }
868 
869  $query = 'DELETE FROM rbac_templates '.
870  'WHERE rol_id = '.$ilDB->quote($a_rol_id,'integer').' '.
871  'AND parent = '.$ilDB->quote($a_ref_id,'integer').' '.
872  $and_type;
873 
874  $res = $ilDB->manipulate($query);
875 
876  return true;
877  }
878 
889  public function setRolePermission($a_rol_id,$a_type,$a_ops,$a_ref_id)
890  {
891  global $ilDB;
892 
893  if (!isset($a_rol_id) or !isset($a_type) or !isset($a_ops) or !isset($a_ref_id))
894  {
895  $message = get_class($this)."::setRolePermission(): Missing parameter!".
896  " role_id: ".$a_rol_id.
897  " type: ".$a_type.
898  " operations: ".$a_ops.
899  " ref_id: ".$a_ref_id;
900  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
901  }
902 
903  if (!is_string($a_type) or empty($a_type))
904  {
905  $message = get_class($this)."::setRolePermission(): a_type is no string or empty!";
906  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
907  }
908 
909  if (!is_array($a_ops) or empty($a_ops))
910  {
911  $message = get_class($this)."::setRolePermission(): a_ops is no array or empty!";
912  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
913  }
914 
915  // exclude system role from rbac
916  if ($a_rol_id == SYSTEM_ROLE_ID)
917  {
918  return true;
919  }
920 
921  $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
922  'VALUES (?,?,?,?)';
923  $sta = $ilDB->prepareManip($query,array('integer','text','integer','integer'));
924  foreach ($a_ops as $op)
925  {
926  $res = $ilDB->execute($sta,array(
927  $a_rol_id,
928  $a_type,
929  $op,
930  $a_ref_id
931  ));
932  }
933 
934  return true;
935  }
936 
950  public function assignRoleToFolder($a_rol_id,$a_parent,$a_assign = "y")
951  {
952  global $ilDB,$rbacreview;
953 
954  if (!isset($a_rol_id) or !isset($a_parent))
955  {
956  $message = get_class($this)."::assignRoleToFolder(): Missing Parameter!".
957  " role_id: ".$a_rol_id.
958  " parent_id: ".$a_parent.
959  " assign: ".$a_assign;
960  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
961  }
962 
963  // exclude system role from rbac
964  if ($a_rol_id == SYSTEM_ROLE_ID)
965  {
966  return true;
967  }
968 
969  // if a wrong value is passed, always set assign to "n"
970  if ($a_assign != "y")
971  {
972  $a_assign = "n";
973  }
974 
975  $query = sprintf('INSERT INTO rbac_fa (rol_id, parent, assign, protected) '.
976  'VALUES (%s,%s,%s,%s)',
977  $ilDB->quote($a_rol_id,'integer'),
978  $ilDB->quote($a_parent,'integer'),
979  $ilDB->quote($a_assign,'text'),
980  $ilDB->quote('n','text'));
981  $res = $ilDB->manipulate($query);
982 
983  return true;
984  }
985 
994  public function assignOperationToObject($a_type_id,$a_ops_id)
995  {
996  global $ilDB;
997 
998  if (!isset($a_type_id) or !isset($a_ops_id))
999  {
1000  $message = get_class($this)."::assignOperationToObject(): Missing parameter!".
1001  "type_id: ".$a_type_id.
1002  "ops_id: ".$a_ops_id;
1003  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
1004  }
1005 
1006  $query = "INSERT INTO rbac_ta (typ_id, ops_id) ".
1007  "VALUES(".$ilDB->quote($a_type_id,'integer').",".$ilDB->quote($a_ops_id,'integer').")";
1008  $res = $ilDB->manipulate($query);
1009  return true;
1010  }
1011 
1020  function deassignOperationFromObject($a_type_id,$a_ops_id)
1021  {
1022  global $ilDB;
1023 
1024  if (!isset($a_type_id) or !isset($a_ops_id))
1025  {
1026  $message = get_class($this)."::deassignPermissionFromObject(): Missing parameter!".
1027  "type_id: ".$a_type_id.
1028  "ops_id: ".$a_ops_id;
1029  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
1030  }
1031 
1032  $query = "DELETE FROM rbac_ta ".
1033  "WHERE typ_id = ".$ilDB->quote($a_type_id,'integer')." ".
1034  "AND ops_id = ".$ilDB->quote($a_ops_id,'integer');
1035  $res = $ilDB->manipulate($query);
1036 
1037  return true;
1038  }
1039 
1048  public function setProtected($a_ref_id,$a_role_id,$a_value)
1049  {
1050  global $ilDB;
1051 
1052  // ref_id not used yet. protected permission acts 'global' for each role,
1053  // regardless of any broken inheritance before
1054  $query = 'UPDATE rbac_fa '.
1055  'SET protected = '.$ilDB->quote($a_value,'text').' '.
1056  'WHERE rol_id = '.$ilDB->quote($a_role_id,'integer');
1057  $res = $ilDB->manipulate($query);
1058  return true;
1059  }
1060 
1071  public function copyLocalRoles($a_source_id,$a_target_id)
1072  {
1073  global $rbacreview,$ilLog,$ilObjDataCache;
1074 
1075  $real_local = array();
1076  foreach($rbacreview->getRolesOfRoleFolder($a_source_id,false) as $role_data)
1077  {
1078  $title = $ilObjDataCache->lookupTitle($role_data);
1079  if(substr($title,0,3) == 'il_')
1080  {
1081  continue;
1082  }
1083  $real_local[] = $role_data;
1084  }
1085  if(!count($real_local))
1086  {
1087  return true;
1088  }
1089  // Create role folder
1090  foreach($real_local as $role)
1091  {
1092  include_once ("./Services/AccessControl/classes/class.ilObjRole.php");
1093  $orig = new ilObjRole($role);
1094  $orig->read();
1095 
1096  $ilLog->write(__METHOD__.': Start copying of role '.$orig->getTitle());
1097  $roleObj = new ilObjRole();
1098  $roleObj->setTitle($orig->getTitle());
1099  $roleObj->setDescription($orig->getDescription());
1100  $roleObj->setImportId($orig->getImportId());
1101  $roleObj->create();
1102 
1103  $this->assignRoleToFolder($roleObj->getId(),$a_target_id,"y");
1104  $this->copyRolePermissions($role,$a_source_id,$a_target_id,$roleObj->getId(),true);
1105  $ilLog->write(__METHOD__.': Added new local role, id '.$roleObj->getId());
1106  }
1107 
1108  }
1109 
1120  public function initIntersectionPermissions($a_ref_id, $a_role_id, $a_role_parent, $a_template_id, $a_template_parent)
1121  {
1122  global $rbacreview;
1123 
1124  if($rbacreview->isProtected($a_role_parent, $a_role_id))
1125  {
1126  // Assign object permissions
1127  $new_ops = $rbacreview->getOperationsOfRole(
1128  $a_role_id,
1129  ilObject::_lookupType($a_ref_id, true),
1130  $a_role_parent
1131  );
1132 
1133  // set new permissions for object
1134  $this->grantPermission(
1135  $a_role_id,
1136  (array) $new_ops,
1137  $a_ref_id
1138  );
1139  return;
1140  }
1141  if(!$a_template_id)
1142  {
1143  return;
1144  }
1145  // create template permission intersection
1146  $this->copyRolePermissionIntersection(
1147  $a_template_id,
1148  $a_template_parent,
1149  $a_role_id,
1150  $a_role_parent,
1151  $a_ref_id,
1152  $a_role_id
1153  );
1154 
1155  // assign role to folder
1156  $this->assignRoleToFolder(
1157  $a_role_id,
1158  $a_ref_id,
1159  'n'
1160  );
1161 
1162  // Assign object permissions
1163  $new_ops = $rbacreview->getOperationsOfRole(
1164  $a_role_id,
1165  ilObject::_lookupType($a_ref_id, true),
1166  $a_ref_id
1167  );
1168 
1169  // set new permissions for object
1170  $this->grantPermission(
1171  $a_role_id,
1172  (array) $new_ops,
1173  $a_ref_id
1174  );
1175 
1176  return;
1177  }
1178 
1190  public function adjustMovedObjectPermissions($a_ref_id,$a_old_parent)
1191  {
1192  global $rbacreview,$tree,$ilLog;
1193 
1194  $new_parent = $tree->getParentId($a_ref_id);
1195  $old_context_roles = $rbacreview->getParentRoleIds($a_old_parent,false);
1196  $new_context_roles = $rbacreview->getParentRoleIds($new_parent,false);
1197 
1198  $for_addition = $for_deletion = array();
1199  foreach($new_context_roles as $new_role_id => $new_role)
1200  {
1201  if(!isset($old_context_roles[$new_role_id]))
1202  {
1203  $for_addition[$new_role_id] = $new_role;
1204  }
1205  elseif($new_role['parent'] != $old_context_roles[$new_role_id]['parent'])
1206  {
1207  // handle stopped inheritance
1208  $for_deletion[$new_role_id] = $new_role;
1209  $for_addition[$new_role_id] = $new_role;
1210  }
1211  }
1212  foreach($old_context_roles as $old_role_id => $old_role)
1213  {
1214  if(!isset($new_context_roles[$old_role_id]))
1215  {
1216  $for_deletion[$old_role_id] = $old_role;
1217  }
1218  }
1219 
1220  if(!count($for_deletion) and !count($for_addition))
1221  {
1222  return true;
1223  }
1224 
1225  include_once "Services/AccessControl/classes/class.ilRbacLog.php";
1226  $rbac_log_active = ilRbacLog::isActive();
1227  if($rbac_log_active)
1228  {
1229  $role_ids = array_unique(array_merge(array_keys($for_deletion), array_keys($for_addition)));
1230  }
1231 
1232  foreach($nodes = $tree->getSubTree($tree->getNodeData($a_ref_id),true) as $node_data)
1233  {
1234  $node_id = $node_data['child'];
1235 
1236  if($rbac_log_active)
1237  {
1238  $log_old = ilRbacLog::gatherFaPa($node_id, $role_ids);
1239  }
1240 
1241  // If $node_data['type'] is not set, this means there is a tree entry without
1242  // object_reference and/or object_data entry
1243  // Continue in this case
1244  if(!$node_data['type'])
1245  {
1246  $ilLog->write(__METHOD__.': No type give. Choosing next tree entry.');
1247  continue;
1248  }
1249 
1250  if(!$node_id)
1251  {
1252  $ilLog->write(__METHOD__.': Missing subtree node_id');
1253  continue;
1254  }
1255 
1256  foreach($for_deletion as $role_id => $role_data)
1257  {
1258  $this->deleteLocalRole($role_id,$node_id);
1259  $this->revokePermission($node_id,$role_id,false);
1260 //var_dump("<pre>",'REVOKE',$role_id,$node_id,$rolf_id,"</pre>");
1261  }
1262  foreach($for_addition as $role_id => $role_data)
1263  {
1264  switch($node_data['type'])
1265  {
1266  case 'grp':
1267  include_once './Modules/Group/classes/class.ilObjGroup.php';
1268  $tpl_id = ilObjGroup::lookupGroupStatusTemplateId($node_data['obj_id']);
1269  $this->initIntersectionPermissions(
1270  $node_data['child'],
1271  $role_id,
1272  $role_data['parent'],
1273  $tpl_id,
1274  ROLE_FOLDER_ID
1275  );
1276  break;
1277 
1278  case 'crs':
1279  include_once './Modules/Course/classes/class.ilObjCourse.php';
1280  $tpl_id = ilObjCourse::lookupCourseNonMemberTemplatesId();
1281  $this->initIntersectionPermissions(
1282  $node_data['child'],
1283  $role_id,
1284  $role_data['parent'],
1285  $tpl_id,
1286  ROLE_FOLDER_ID
1287  );
1288  break;
1289 
1290 
1291  default:
1292  $this->grantPermission(
1293  $role_id,
1294  $ops = $rbacreview->getOperationsOfRole($role_id,$node_data['type'],$role_data['parent']),
1295  $node_id);
1296  break;
1297 
1298 
1299  }
1300 
1301 
1302 //var_dump("<pre>",'GRANT',$role_id,$ops,$role_id,$node_data['type'],$role_data['parent'],"</pre>");
1303  }
1304 
1305  if($rbac_log_active)
1306  {
1307  $log_new = ilRbacLog::gatherFaPa($node_id, $role_ids);
1308  $log = ilRbacLog::diffFaPa($log_old, $log_new);
1309  ilRbacLog::add(ilRbacLog::MOVE_OBJECT, $node_id, $log);
1310  }
1311  }
1312 
1313  }
1314 
1315 
1322  public function copyEffectiveRolePermissions($a_source_ref_id, $target_ref_id, $a_subtree_id)
1323  {
1324  global $rbacreview;
1325 
1326  $parent_roles = $rbacreview->getParentRoleIds($a_source_ref_id, FALSE);
1327  $GLOBALS['ilLog']->write(__METHOD__.': '. print_r($parent_roles,TRUE));
1328 
1329 
1330 
1331  }
1332 
1333 
1334 
1335 
1336 } // END class.ilRbacAdmin
1337 ?>