ILIAS  Release_5_0_x_branch Revision 61816
ilRbacAdmin Class Reference

Class ilRbacAdmin: core functions for role-based access control.


Public Member Functions

 __construct ()
 Constructor.
 removeUser ($a_usr_id)
 Deletes a user from rbac_ua; all user <-> role relations are deleted.
 deleteRole ($a_rol_id, $a_ref_id)
 Deletes a role and its entries in object_data, rbac_pa, rbac_templates, rbac_ua and rbac_fa.
 deleteTemplate ($a_obj_id)
 Deletes a template from a role folder and all its entries in rbac_templates and rbac_fa.
 deleteLocalRole ($a_rol_id, $a_ref_id=0)
 Deletes a local role and its entries in rbac_fa and rbac_templates.
 assignUserLimited ($a_role_id, $a_usr_id, $a_limit, $a_limited_roles=array())
 Assigns a user to a role only while the number of assignments across the limited roles is below a limit.
 assignUser ($a_rol_id, $a_usr_id)
 Assigns a user to a role.
 deassignUser ($a_rol_id, $a_usr_id)
 Deassigns a user from a role.
 grantPermission ($a_rol_id, $a_ops, $a_ref_id)
 Grants a permission to an object and a specific role.
 revokePermission ($a_ref_id, $a_rol_id=0, $a_keep_protected=true)
 Revokes permissions of an object of one role.
 revokeSubtreePermissions ($a_ref_id, $a_role_id)
 Revoke subtree permissions.
 deleteSubtreeTemplates ($a_ref_id, $a_rol_id)
 Delete all template permissions of subtree nodes.
 revokePermissionList ($a_ref_ids, $a_rol_id)
 Revokes permissions of a LIST of objects of ONE role.
 copyRolePermissions ($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected=true)
 Copies template permissions and permission of one role to another.
 copyRoleTemplatePermissions ($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected=true)
 Copies template permissions of one role to another.
 copyRolePermissionIntersection ($a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_parent, $a_dest_id)
 Copies the intersection of the template permissions of two roles to a third role.
 copyRolePermissionUnion ($a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_id, $a_dest_parent)
 Copies the union of the template permissions of two roles to a third role.
 copyRolePermissionSubtract ($a_source_id, $a_source_parent, $a_dest_id, $a_dest_parent)
 Subtract role permissions.
 deleteRolePermission ($a_rol_id, $a_ref_id, $a_type=false)
 Deletes all entries of a template.
 setRolePermission ($a_rol_id, $a_type, $a_ops, $a_ref_id)
 Inserts template permissions into rbac_templates for a specific object type.
 assignRoleToFolder ($a_rol_id, $a_parent, $a_assign="y")
 Assigns a role to a role folder. A role folder is an object that stores roles.
 assignOperationToObject ($a_type_id, $a_ops_id)
 Assigns an existing operation to an object type (update of rbac_ta).
 deassignOperationFromObject ($a_type_id, $a_ops_id)
 Deassigns an existing operation from an object type (update of rbac_ta).
 setProtected ($a_ref_id, $a_role_id, $a_value)
 Sets the protected status of a role in a role folder.
 copyLocalRoles ($a_source_id, $a_target_id)
 Copies all local roles of one object to another.
 initIntersectionPermissions ($a_ref_id, $a_role_id, $a_role_parent, $a_template_id, $a_template_parent)
 Initializes intersection permissions.
 adjustMovedObjectPermissions ($a_ref_id, $a_old_parent)
 Adjusts the permissions of a moved object.
 copyEffectiveRolePermissions ($a_source_ref_id, $target_ref_id, $a_subtree_id)
 Copies all permissions from source to target for all roles.

Protected Member Functions

 addDesktopItem ($a_rol_id, $a_usr_id)
 Add desktop item.

Detailed Description

Class ilRbacAdmin: core functions for role-based access control.

Creation and maintenance of relations. The main relations of RBAC are the user <-> role (UR) assignment relation and the permission <-> role (PR) assignment relation. This class contains methods to create and delete instances of the UR relation, e.g. assignUser() and deassignUser(); the corresponding methods for the PR relation are grantPermission() and revokePermission().

Author
Stefan Meyer meyer@leifos.com
Version
Id: class.ilRbacAdmin.php 61749 2016-04-04 11:40:13Z gitmgr

Definition at line 18 of file class.ilRbacAdmin.php.

Constructor & Destructor Documentation

ilRbacAdmin::__construct ( )

Constructor.

Definition at line 24 of file class.ilRbacAdmin.php.

References $ilDB, $ilErr, and PEAR_ERROR_CALLBACK.

{
    global $ilDB,$ilErr,$ilias;

    // set db & error handler
    (isset($ilDB)) ? $this->ilDB =& $ilDB : $this->ilDB =& $ilias->db;

    if (!isset($ilErr))
    {
        $ilErr = new ilErrorHandling();
        $ilErr->setErrorHandling(PEAR_ERROR_CALLBACK,array($ilErr,'errorHandler'));
    }
    // store the handler in both cases: the original only assigned it in an else
    // branch, so $this->ilErr stayed unset whenever the handler had to be created here
    $this->ilErr =& $ilErr;
}

Member Function Documentation

ilRbacAdmin::addDesktopItem ($a_rol_id, $a_usr_id)
protected

Adds the desktop items configured for the role to the user's desktop.

Parameters
  type $a_rol_id
  type $a_usr_id

Definition at line 227 of file class.ilRbacAdmin.php.

References ilObjUser\_addDesktopItem().

Referenced by assignUser(), and assignUserLimited().

{
    include_once 'Services/AccessControl/classes/class.ilRoleDesktopItem.php';

    $role_desk_item_obj = new ilRoleDesktopItem($a_rol_id);
    foreach($role_desk_item_obj->getAll() as $item_data)
    {
        include_once './Services/User/classes/class.ilObjUser.php';
        ilObjUser::_addDesktopItem($a_usr_id, $item_data['item_id'], $item_data['item_type']);
    }
}


ilRbacAdmin::adjustMovedObjectPermissions ($a_ref_id, $a_old_parent)

Adjusts the permissions of a moved object.

  • Delete permissions of parent roles that do not exist in the new context
  • Delete role templates of parent roles that do not exist in the new context
  • Add permissions for parent roles that did not exist in the old context

Parameters
  int ref_id of moved object
  int ref_id of old parent

Definition at line 1190 of file class.ilRbacAdmin.php.

References $ilLog, $log, ilRbacLog\add(), deleteLocalRole(), ilRbacLog\diffFaPa(), ilRbacLog\gatherFaPa(), grantPermission(), initIntersectionPermissions(), ilRbacLog\isActive(), ilObjCourse\lookupCourseNonMemberTemplatesId(), ilObjGroup\lookupGroupStatusTemplateId(), ilRbacLog\MOVE_OBJECT, and revokePermission().

{
    global $rbacreview,$tree,$ilLog;

    $new_parent = $tree->getParentId($a_ref_id);
    $old_context_roles = $rbacreview->getParentRoleIds($a_old_parent,false);
    $new_context_roles = $rbacreview->getParentRoleIds($new_parent,false);

    $for_addition = $for_deletion = array();
    foreach($new_context_roles as $new_role_id => $new_role)
    {
        if(!isset($old_context_roles[$new_role_id]))
        {
            $for_addition[$new_role_id] = $new_role;
        }
        elseif($new_role['parent'] != $old_context_roles[$new_role_id]['parent'])
        {
            // handle stopped inheritance
            $for_deletion[$new_role_id] = $new_role;
            $for_addition[$new_role_id] = $new_role;
        }
    }
    foreach($old_context_roles as $old_role_id => $old_role)
    {
        if(!isset($new_context_roles[$old_role_id]))
        {
            $for_deletion[$old_role_id] = $old_role;
        }
    }

    if(!count($for_deletion) and !count($for_addition))
    {
        return true;
    }

    include_once "Services/AccessControl/classes/class.ilRbacLog.php";
    $rbac_log_active = ilRbacLog::isActive();
    if($rbac_log_active)
    {
        $role_ids = array_unique(array_merge(array_keys($for_deletion), array_keys($for_addition)));
    }

    foreach($nodes = $tree->getSubTree($tree->getNodeData($a_ref_id),true) as $node_data)
    {
        $node_id = $node_data['child'];

        if($rbac_log_active)
        {
            $log_old = ilRbacLog::gatherFaPa($node_id, $role_ids);
        }

        // If $node_data['type'] is not set, this means there is a tree entry without
        // object_reference and/or object_data entry
        // Continue in this case
        if(!$node_data['type'])
        {
            $ilLog->write(__METHOD__.': No type give. Choosing next tree entry.');
            continue;
        }
        if(!$node_id)
        {
            $ilLog->write(__METHOD__.': Missing subtree node_id');
            continue;
        }

        foreach($for_deletion as $role_id => $role_data)
        {
            $this->deleteLocalRole($role_id,$node_id);
            $this->revokePermission($node_id,$role_id,false);
            //var_dump("<pre>",'REVOKE',$role_id,$node_id,$rolf_id,"</pre>");
        }
        foreach($for_addition as $role_id => $role_data)
        {
            switch($node_data['type'])
            {
                case 'grp':
                    include_once './Modules/Group/classes/class.ilObjGroup.php';
                    $tpl_id = ilObjGroup::lookupGroupStatusTemplateId($node_data['obj_id']);
                    // method name restored from the References list above; it was
                    // lost when the page was extracted, only its argument list survived
                    $this->initIntersectionPermissions(
                        $node_data['child'],
                        $role_id,
                        $role_data['parent'],
                        $tpl_id,
                        ROLE_FOLDER_ID
                    );
                    break;

                case 'crs':
                    include_once './Modules/Course/classes/class.ilObjCourse.php';
                    // lookup restored from the References list; its argument is assumed
                    // to mirror the 'grp' case above
                    $tpl_id = ilObjCourse::lookupCourseNonMemberTemplatesId($node_data['obj_id']);
                    $this->initIntersectionPermissions(
                        $node_data['child'],
                        $role_id,
                        $role_data['parent'],
                        $tpl_id,
                        ROLE_FOLDER_ID
                    );
                    break;

                default:
                    // method name restored from the References list above
                    $this->grantPermission(
                        $role_id,
                        $ops = $rbacreview->getOperationsOfRole($role_id,$node_data['type'],$role_data['parent']),
                        $node_id);
                    break;
            }
            //var_dump("<pre>",'GRANT',$role_id,$ops,$role_id,$node_data['type'],$role_data['parent'],"</pre>");
        }

        if($rbac_log_active)
        {
            $log_new = ilRbacLog::gatherFaPa($node_id, $role_ids);
            $log = ilRbacLog::diffFaPa($log_old, $log_new);
            // log call restored from the References list (ilRbacLog::add(), MOVE_OBJECT);
            // the argument order is an assumption
            ilRbacLog::add(ilRbacLog::MOVE_OBJECT, $node_id, $log);
        }
    }
}
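The role-context diff that drives this method (the two loops over $old_context_roles and $new_context_roles, and the per-node revoke/grant pass over the subtree) is the part worth seeing in isolation: after a move, every role reachable only from the old parent must lose its grants on the whole subtree, every role reachable only from the new parent must be granted, and a role present in both contexts but defined by a different role folder (stopped inheritance) is rebuilt. The following is an added example in Python, not ILIAS code: the role dictionaries imitate the shape of getParentRoleIds() as used above (role_id => array with a 'parent' key), the tree nodes imitate getSubTree() rows ('child', 'obj_id', 'type'), and all ids are constructed.

```python
"""Diff of parent-role contexts for a moved object, modelled on
ilRbacAdmin::adjustMovedObjectPermissions(). Added example, not ILIAS code."""


def diff_context_roles(old_context_roles, new_context_roles):
    """Return (for_addition, for_deletion), both keyed by role id.

    Inputs map role_id -> {'parent': ref_id of the role folder that defines
    the role in that context} (assumed shape of getParentRoleIds()).
    """
    for_addition, for_deletion = {}, {}
    for role_id, role in new_context_roles.items():
        if role_id not in old_context_roles:
            # reachable only from the new parent: grant it on the subtree
            for_addition[role_id] = role
        elif role['parent'] != old_context_roles[role_id]['parent']:
            # same role, but defined by a different folder in the new context
            # (stopped inheritance): drop the old local copies and rebuild
            for_deletion[role_id] = role
            for_addition[role_id] = role
    for role_id, role in old_context_roles.items():
        if role_id not in new_context_roles:
            # reachable only from the old parent: stale grants, revoke them
            for_deletion[role_id] = role
    return for_addition, for_deletion


def plan_subtree_adjustment(subtree_nodes, for_addition, for_deletion):
    """Turn the diff into an ordered, auditable list of (action, role_id, node_id).

    subtree_nodes are dicts with 'child' (ref_id), 'obj_id' and 'type'.
    Nodes without a type or ref_id are skipped, as the PHP does for tree
    entries that have no object_reference/object_data row.
    """
    plan = []
    for node in subtree_nodes:
        node_id = node.get('child')
        if not node.get('type') or not node_id:
            plan.append(('skip', None, node_id))
            continue
        # revocations first, then grants, mirroring the order of the PHP loops
        for role_id in sorted(for_deletion):
            plan.append(('revoke', role_id, node_id))
        for role_id in sorted(for_addition):
            plan.append(('grant', role_id, node_id))
    return plan


if __name__ == "__main__":
    # constructed sample: role 200 is lost, 400 is new, 300 changes its defining folder
    old = {100: {'parent': 1}, 200: {'parent': 1}, 300: {'parent': 50}}
    new = {100: {'parent': 1}, 300: {'parent': 70}, 400: {'parent': 70}}
    nodes = [{'child': 70, 'obj_id': 9, 'type': 'fold'},
             {'child': 71, 'obj_id': 10, 'type': ''}]
    add, delete = diff_context_roles(old, new)
    for step in plan_subtree_adjustment(nodes, add, delete):
        print(step)
```

Role 100 appears in neither list because its defining folder is unchanged in both contexts, which is exactly why a move that stays under the same role folder is a no-op in the PHP (the early `return true`).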


ilRbacAdmin::assignOperationToObject ($a_type_id, $a_ops_id)

Assigns an existing operation to an object type (update of rbac_ta).

Parameters
  integer object type
  integer operation_id
Returns
  boolean

Definition at line 994 of file class.ilRbacAdmin.php.

References $ilDB, $query, and $res.

{
    global $ilDB;

    if (!isset($a_type_id) or !isset($a_ops_id))
    {
        $message = get_class($this)."::assignOperationToObject(): Missing parameter!".
                   "type_id: ".$a_type_id.
                   "ops_id: ".$a_ops_id;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    $query = "INSERT INTO rbac_ta (typ_id, ops_id) ".
        "VALUES(".$ilDB->quote($a_type_id,'integer').",".$ilDB->quote($a_ops_id,'integer').")";
    $res = $ilDB->manipulate($query);

    return true;
}

ilRbacAdmin::assignRoleToFolder ($a_rol_id, $a_parent, $a_assign = "y")

Assigns a role to a role folder. A role folder is an object that stores roles.

Every role is assigned to at least one role folder. If the inheritance of a role is stopped, a new role template is created and the role is assigned to at least two role folders. All roles with stopped inheritance need the flag '$a_assign = false' (any value other than 'y' is stored as 'n').

Parameters
  integer object id of role
  integer ref_id of role folder
  string assignable ('y','n'); default: 'y'
Returns
  boolean

Definition at line 950 of file class.ilRbacAdmin.php.

References $ilDB, $query, and $res.

Referenced by copyLocalRoles(), and initIntersectionPermissions().

{
    global $ilDB,$rbacreview;

    if (!isset($a_rol_id) or !isset($a_parent))
    {
        $message = get_class($this)."::assignRoleToFolder(): Missing Parameter!".
                   " role_id: ".$a_rol_id.
                   " parent_id: ".$a_parent.
                   " assign: ".$a_assign;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID)
    {
        return true;
    }

    // if a wrong value is passed, always set assign to "n"
    if ($a_assign != "y")
    {
        $a_assign = "n";
    }

    $query = sprintf('INSERT INTO rbac_fa (rol_id, parent, assign, protected) '.
        'VALUES (%s,%s,%s,%s)',
        $ilDB->quote($a_rol_id,'integer'),
        $ilDB->quote($a_parent,'integer'),
        $ilDB->quote($a_assign,'text'),
        $ilDB->quote('n','text'));
    $res = $ilDB->manipulate($query);

    return true;
}


ilRbacAdmin::assignUser ($a_rol_id, $a_usr_id)

Assigns a user to a role.

Update of table rbac_ua. The assignment is only inserted if the user does not already hold the role. TODO: remove deprecated 3rd parameter sometime.

Parameters
  integer object_id of role
  integer object_id of user
  boolean true means default role (optional, deprecated)
Returns
  boolean

Definition at line 248 of file class.ilRbacAdmin.php.

References $ilDB, $query, $res, ilLDAPRoleGroupMapping\_getInstance(), and addDesktopItem().

{
    global $ilDB,$rbacreview;

    if (!isset($a_rol_id) or !isset($a_usr_id))
    {
        $message = get_class($this)."::assignUser(): Missing parameter! role_id: ".$a_rol_id." usr_id: ".$a_usr_id;
        #$this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    // check if already assigned user id and role_id
    $alreadyAssigned = $rbacreview->isAssigned($a_usr_id,$a_rol_id);

    // enhanced: only if we haven't had this role for this user
    if (!$alreadyAssigned)
    {
        $query = "INSERT INTO rbac_ua (usr_id, rol_id) ".
            "VALUES (".$ilDB->quote($a_usr_id,'integer').",".$ilDB->quote($a_rol_id,'integer').")";
        $res = $ilDB->manipulate($query);

        $this->addDesktopItem($a_rol_id, $a_usr_id);
        $rbacreview->setAssignedCacheEntry($a_rol_id,$a_usr_id,true);
    }

    include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
    // instance lookup restored from the References list above (lost in extraction)
    $mapping = ilLDAPRoleGroupMapping::_getInstance();
    $mapping->assign($a_rol_id,$a_usr_id);

    return true;
}


ilRbacAdmin::assignUserLimited ($a_role_id, $a_usr_id, $a_limit, $a_limited_roles = array())

Assigns a user to a role only while the total number of assignments across $a_limited_roles is below $a_limit. The count and the insert are performed with rbac_ua write-locked, so two concurrent callers cannot both pass the check; returns FALSE when the limit is reached.

Parameters
  type $a_role_id
  type $a_usr_id
  type $a_limit
  array $a_limited_roles roles whose assignments count against the limit

Definition at line 185 of file class.ilRbacAdmin.php.

References $GLOBALS, $ilDB, $query, $res, $row, ilLDAPRoleGroupMapping\_getInstance(), addDesktopItem(), DB_FETCHMODE_OBJECT, and ilDB\LOCK_WRITE.

{
    global $ilDB;

    $GLOBALS['ilDB']->lockTables(
        array(
            0 => array('name' => 'rbac_ua', 'type' => ilDB::LOCK_WRITE)
        )
    );

    $limit_query = 'SELECT COUNT(*) num FROM rbac_ua '.
        'WHERE '.$GLOBALS['ilDB']->in('rol_id',(array) $a_limited_roles,FALSE,'integer');
    $res = $GLOBALS['ilDB']->query($limit_query);
    // row fetch restored from the References list above ($row, DB_FETCHMODE_OBJECT)
    $row = $res->fetchRow(DB_FETCHMODE_OBJECT);
    if($row->num >= $a_limit)
    {
        $GLOBALS['ilDB']->unlockTables();
        return FALSE;
    }

    $query = "INSERT INTO rbac_ua (usr_id, rol_id) ".
        "VALUES (".
        $ilDB->quote($a_usr_id,'integer').",".$ilDB->quote($a_role_id,'integer').
        ")";
    $res = $ilDB->manipulate($query);
    $GLOBALS['ilDB']->unlockTables();

    $GLOBALS['rbacreview']->setAssignedCacheEntry($a_role_id,$a_usr_id,TRUE);
    $this->addDesktopItem($a_role_id,$a_usr_id);

    include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
    // instance lookup restored from the References list above (lost in extraction)
    $mapping = ilLDAPRoleGroupMapping::_getInstance();
    $mapping->assign($a_role_id,$a_usr_id);

    return TRUE;
}
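What distinguishes assignUserLimited() from assignUser() is the seat check done under a table lock: the COUNT over the limited roles and the INSERT have to be one atomic step, otherwise two requests arriving together can both see "one seat left" and both get in. The following is an added example in Python with sqlite3, not ILIAS code: an in-memory database stands in for $ilDB, BEGIN IMMEDIATE (a write lock) stands in for lockTables(), the rbac_ua layout is reduced to its two columns, the primary key on (usr_id, rol_id) and all ids are constructed.

```python
"""Seat-limited role assignment, modelled on ilRbacAdmin::assignUserLimited()
and the duplicate check of assignUser(). Added example, not ILIAS code."""
import sqlite3


def open_rbac_ua():
    # isolation_level=None: we manage BEGIN/COMMIT/ROLLBACK ourselves
    conn = sqlite3.connect(":memory:", isolation_level=None)
    # constructed schema; the primary key is an assumption, not ILIAS's table definition
    conn.execute("CREATE TABLE rbac_ua (usr_id INTEGER, rol_id INTEGER, "
                 "PRIMARY KEY (usr_id, rol_id))")
    return conn


def is_assigned(conn, usr_id, rol_id):
    cur = conn.execute("SELECT 1 FROM rbac_ua WHERE usr_id=? AND rol_id=?", (usr_id, rol_id))
    return cur.fetchone() is not None


def assign_user(conn, rol_id, usr_id):
    """assignUser(): insert only when not yet assigned; always reports success."""
    if not is_assigned(conn, usr_id, rol_id):
        conn.execute("INSERT INTO rbac_ua (usr_id, rol_id) VALUES (?,?)", (usr_id, rol_id))
    return True


def assign_user_limited(conn, role_id, usr_id, limit, limited_roles=()):
    """assignUserLimited(): insert only while the number of assignments across
    limited_roles is below limit. Count and insert run in one write transaction,
    so concurrent callers serialize on the lock and cannot both pass the check."""
    limited_roles = tuple(int(r) for r in limited_roles)
    conn.execute("BEGIN IMMEDIATE")  # take the write lock before counting
    try:
        if limited_roles:
            placeholders = ",".join("?" * len(limited_roles))
            (num,) = conn.execute(
                "SELECT COUNT(*) num FROM rbac_ua WHERE rol_id IN (%s)" % placeholders,
                limited_roles).fetchone()
        else:
            num = 0
        if num >= limit:
            conn.execute("ROLLBACK")
            return False
        conn.execute("INSERT INTO rbac_ua (usr_id, rol_id) VALUES (?,?)", (usr_id, role_id))
        conn.execute("COMMIT")
        return True
    except sqlite3.IntegrityError:
        # the PHP method has no isAssigned() check; with a unique key the
        # duplicate fails the assignment instead of counting a seat twice
        conn.execute("ROLLBACK")
        return False


if __name__ == "__main__":
    conn = open_rbac_ua()
    # constructed scenario: two seats shared by roles 5 and 6
    for usr, role in ((101, 5), (102, 6), (103, 5)):
        print(usr, role, assign_user_limited(conn, role, usr, 2, [5, 6]))
```

The limit is counted over all of $a_limited_roles, not per role and not per user, so an existing member re-assigned through this method would consume a second seat unless the table refuses the duplicate row.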


ilRbacAdmin::copyEffectiveRolePermissions ($a_source_ref_id, $target_ref_id, $a_subtree_id)

Copies all permissions from source to target for all roles. In this revision the method body only looks up and logs the parent roles of the source; no permissions are copied yet.

Parameters
  type $a_source_ref_id
  type $target_ref_id
  type $a_subtree_id

Definition at line 1322 of file class.ilRbacAdmin.php.

References $GLOBALS.

{
    global $rbacreview;

    $parent_roles = $rbacreview->getParentRoleIds($a_source_ref_id, FALSE);
    $GLOBALS['ilLog']->write(__METHOD__.': '. print_r($parent_roles,TRUE));
}

ilRbacAdmin::copyLocalRoles ($a_source_id, $a_target_id)

Copies local roles. This method creates a copy of every local role of the source object in the target object, assigns each copy to the target role folder and copies the role's permissions.

Note: auto-generated roles (titles starting with 'il_') are excluded.

Parameters
  int source id of object (not role folder)
  int target id of object

Definition at line 1071 of file class.ilRbacAdmin.php.

References $ilLog, assignRoleToFolder(), and copyRolePermissions().

{
    global $rbacreview,$ilLog,$ilObjDataCache;

    $real_local = array();
    foreach($rbacreview->getRolesOfRoleFolder($a_source_id,false) as $role_data)
    {
        $title = $ilObjDataCache->lookupTitle($role_data);
        if(substr($title,0,3) == 'il_')
        {
            continue;
        }
        $real_local[] = $role_data;
    }
    if(!count($real_local))
    {
        return true;
    }

    // Create role folder
    foreach($real_local as $role)
    {
        include_once ("./Services/AccessControl/classes/class.ilObjRole.php");
        $orig = new ilObjRole($role);
        $orig->read();

        $ilLog->write(__METHOD__.': Start copying of role '.$orig->getTitle());
        $roleObj = new ilObjRole();
        $roleObj->setTitle($orig->getTitle());
        $roleObj->setDescription($orig->getDescription());
        $roleObj->setImportId($orig->getImportId());
        $roleObj->create();

        $this->assignRoleToFolder($roleObj->getId(),$a_target_id,"y");
        $this->copyRolePermissions($role,$a_source_id,$a_target_id,$roleObj->getId(),true);
        $ilLog->write(__METHOD__.': Added new local role, id '.$roleObj->getId());
    }
}


ilRbacAdmin::copyRolePermissionIntersection ($a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_parent, $a_dest_id)

Copies the intersection of the template permissions of two roles to a third role. If the second source role is protected in its parent, nothing is copied and the method still returns true. Note the argument order: $a_dest_parent precedes $a_dest_id.

Parameters
  integer $a_source1_id role_id source
  integer $a_source1_parent parent_id source
  integer $a_source2_id role_id source
  integer $a_source2_parent parent_id source
  integer $a_dest_id role_id destination
  integer $a_dest_parent parent_id destination
Returns
  boolean
Returns
boolean

Definition at line 669 of file class.ilRbacAdmin.php.

References $GLOBALS, $ilDB, $query, $res, $row, and DB_FETCHMODE_OBJECT.

Referenced by initIntersectionPermissions().

{
    global $rbacreview,$ilDB;

    if (!isset($a_source1_id) or !isset($a_source1_parent)
        or !isset($a_source2_id) or !isset($a_source2_parent)
        or !isset($a_dest_id) or !isset($a_dest_parent))
    {
        $message = get_class($this)."::copyRolePermissionIntersection(): Missing parameter! source1_id: ".$a_source1_id.
                   " source1_parent: ".$a_source1_parent.
                   " source2_id: ".$a_source2_id.
                   " source2_parent: ".$a_source2_parent.
                   " dest_id: ".$a_dest_id.
                   " dest_parent_id: ".$a_dest_parent;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_dest_id == SYSTEM_ROLE_ID)
    {
        return true;
    }

    if ($rbacreview->isProtected($a_source2_parent,$a_source2_id))
    {
        $GLOBALS['ilLog']->write(__METHOD__.': Role is protected');
        return true;
    }

    $query = "SELECT s1.type, s1.ops_id ".
        "FROM rbac_templates s1, rbac_templates s2 ".
        "WHERE s1.rol_id = ".$ilDB->quote($a_source1_id,'integer')." ".
        "AND s1.parent = ".$ilDB->quote($a_source1_parent,'integer')." ".
        "AND s2.rol_id = ".$ilDB->quote($a_source2_id,'integer')." ".
        "AND s2.parent = ".$ilDB->quote($a_source2_parent,'integer')." ".
        "AND s1.type = s2.type ".
        "AND s1.ops_id = s2.ops_id";
    $res = $ilDB->query($query);
    $operations = array();
    $rowNum = 0;
    while($row = $res->fetchRow(DB_FETCHMODE_OBJECT))
    {
        $operations[$rowNum]['type'] = $row->type;
        $operations[$rowNum]['ops_id'] = $row->ops_id;
        $rowNum++;
    }

    // Delete template permissions of target
    $query = 'DELETE FROM rbac_templates WHERE rol_id = '.$ilDB->quote($a_dest_id,'integer').' '.
        'AND parent = '.$ilDB->quote($a_dest_parent,'integer');
    $res = $ilDB->manipulate($query);

    $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
        'VALUES (?,?,?,?)';
    $sta = $ilDB->prepareManip($query,array('integer','text','integer','integer'));
    foreach($operations as $key => $set)
    {
        $ilDB->execute($sta,array(
            $a_dest_id,
            $set['type'],
            $set['ops_id'],
            $a_dest_parent));
    }
    return true;
}


ilRbacAdmin::copyRolePermissions ($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected = true)

Copies the template permissions and the object permissions of one role to another: the template is copied with copyRoleTemplatePermissions(), then the destination role's permissions on $a_dest_parent are revoked and replaced by the source role's operations on $a_source_parent.

Parameters
  integer $a_source_id role_id source
  integer $a_source_parent parent_id source
  integer $a_dest_parent parent_id destination
  integer $a_dest_id role_id destination
  boolean $a_consider_protected also copy the protected status (default true)
Returns
  boolean

Definition at line 572 of file class.ilRbacAdmin.php.

References copyRoleTemplatePermissions(), grantPermission(), and revokePermission().

Referenced by copyLocalRoles().

{
    global $tree,$rbacreview;

    // Copy template permissions
    $this->copyRoleTemplatePermissions($a_source_id,$a_source_parent,$a_dest_parent,$a_dest_id,$a_consider_protected);

    $ops = $rbacreview->getRoleOperationsOnObject($a_source_id,$a_source_parent);
    $this->revokePermission($a_dest_parent,$a_dest_id);
    $this->grantPermission($a_dest_id,$ops,$a_dest_parent);
    return true;
}


ilRbacAdmin::copyRolePermissionSubtract ($a_source_id, $a_source_parent, $a_dest_id, $a_dest_parent)

Subtracts role permissions: removes from the destination role template every operation that the source role template also contains. Operations only the destination has are kept.

Parameters
  type $a_source_id
  type $a_source_parent
  type $a_dest_id
  type $a_dest_parent

Definition at line 812 of file class.ilRbacAdmin.php.

References $ilDB, and $query.

{
    global $rbacreview, $ilDB;

    $s1_ops = $rbacreview->getAllOperationsOfRole($a_source_id,$a_source_parent);
    $d_ops = $rbacreview->getAllOperationsOfRole($a_dest_id,$a_dest_parent);

    foreach($s1_ops as $type => $ops)
    {
        foreach($ops as $op)
        {
            if(isset($d_ops[$type]) and in_array($op, $d_ops[$type]))
            {
                $query = 'DELETE FROM rbac_templates '.
                    'WHERE rol_id = '.$ilDB->quote($a_dest_id,'integer').' '.
                    'AND type = '.$ilDB->quote($type,'text').' '.
                    'AND ops_id = '.$ilDB->quote($op,'integer').' '.
                    'AND parent = '.$ilDB->quote($a_dest_parent,'integer');
                $ilDB->manipulate($query);
            }
        }
    }
    return true;
}

ilRbacAdmin::copyRolePermissionUnion ($a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_id, $a_dest_parent)

Copies the union of the template permissions of two roles to a third role. The destination template is cleared first (deleteRolePermission()), then every operation of the first source and every operation of the second source that the first does not already contain is inserted. Note the argument order: here $a_dest_id precedes $a_dest_parent, the reverse of copyRolePermissionIntersection().

Parameters
  type $a_source1_id
  type $a_source1_parent
  type $a_source2_id
  type $a_source2_parent
  type $a_dest_id
  type $a_dest_parent
Returns
  boolean

Definition at line 747 of file class.ilRbacAdmin.php.

References $GLOBALS, $ilDB, $query, and deleteRolePermission().

{
    global $ilDB, $rbacreview;

    $s1_ops = $rbacreview->getAllOperationsOfRole($a_source1_id,$a_source1_parent);
    $s2_ops = $rbacreview->getAllOperationsOfRole($a_source2_id,$a_source2_parent);

    $this->deleteRolePermission($a_dest_id, $a_dest_parent);

    $GLOBALS['ilLog']->write(__METHOD__.': '.print_r($s1_ops,TRUE));
    $GLOBALS['ilLog']->write(__METHOD__.': '.print_r($s2_ops,TRUE));

    foreach($s1_ops as $type => $ops)
    {
        foreach($ops as $op)
        {
            // insert all permission of source 1
            // #15469
            $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
                'VALUES( '.
                $ilDB->quote($a_dest_id,'integer').', '.
                $ilDB->quote($type,'text').', '.
                $ilDB->quote($op,'integer').', '.
                $ilDB->quote($a_dest_parent,'integer').' '.
                ')';
            $ilDB->manipulate($query);
        }
    }

    // and the other direction...
    foreach($s2_ops as $type => $ops)
    {
        foreach($ops as $op)
        {
            if(!isset($s1_ops[$type]) or !in_array($op, $s1_ops[$type]))
            {
                $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
                    'VALUES( '.
                    $ilDB->quote($a_dest_id,'integer').', '.
                    $ilDB->quote($type,'text').', '.
                    $ilDB->quote($op,'integer').', '.
                    $ilDB->quote($a_dest_parent,'integer').' '.
                    ')';
                $ilDB->manipulate($query);
            }
        }
    }
    return true;
}
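copyRolePermissionIntersection(), copyRolePermissionSubtract() and copyRolePermissionUnion() above are set algebra over rbac_templates rows keyed by (type, ops_id): intersection and union replace the destination template wholesale, subtraction removes only the overlap, and a protected second source makes the intersection a silent no-op. The following is one added example serving all three methods, written in Python with sqlite3 and not ILIAS code: an in-memory database stands in for $ilDB, rbac_templates and rbac_fa are reduced to the columns the page's queries use, the intersection runs the same self-join as the PHP, the argument orders of the three functions mirror the PHP signatures, and all role ids, folder ids and operations are constructed. One deliberate difference: the protected short-circuit returns False here so a caller can see that nothing was copied, where the PHP returns true.

```python
"""Template-permission set operations on rbac_templates, modelled on
copyRolePermissionIntersection(), copyRolePermissionUnion() and
copyRolePermissionSubtract(). Added example, not ILIAS code."""
import sqlite3

# constructed, reduced schema (only the columns used by the queries on the page)
SCHEMA = """
CREATE TABLE rbac_templates (rol_id INTEGER, type TEXT, ops_id INTEGER, parent INTEGER);
CREATE TABLE rbac_fa (rol_id INTEGER, parent INTEGER, assign TEXT, protected TEXT);
"""


def open_db(template_rows, protected=()):
    """template_rows: (rol_id, type, ops_id, parent); protected: (rol_id, parent)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO rbac_templates VALUES (?,?,?,?)", template_rows)
    conn.executemany("INSERT INTO rbac_fa VALUES (?,?,'y','y')", protected)
    return conn


def template_ops(conn, rol_id, parent):
    """Set of (type, ops_id) pairs of one role template (cf. getAllOperationsOfRole)."""
    cur = conn.execute("SELECT type, ops_id FROM rbac_templates WHERE rol_id=? AND parent=?",
                       (rol_id, parent))
    return set(cur.fetchall())


def is_protected(conn, parent, rol_id):
    cur = conn.execute("SELECT 1 FROM rbac_fa WHERE rol_id=? AND parent=? AND protected='y'",
                       (rol_id, parent))
    return cur.fetchone() is not None


def _replace_template(conn, dest_id, dest_parent, pairs):
    # same delete-then-insert pattern as the PHP methods
    conn.execute("DELETE FROM rbac_templates WHERE rol_id=? AND parent=?", (dest_id, dest_parent))
    conn.executemany("INSERT INTO rbac_templates (rol_id,type,ops_id,parent) VALUES (?,?,?,?)",
                     [(dest_id, t, o, dest_parent) for t, o in sorted(pairs)])


def copy_intersection(conn, s1, s1_parent, s2, s2_parent, dest_parent, dest_id):
    """Destination gets only the pairs present in both sources (self-join as in the PHP).
    A protected second source leaves the destination untouched; unlike the PHP,
    that case returns False so the caller can tell."""
    if is_protected(conn, s2_parent, s2):
        return False
    cur = conn.execute(
        "SELECT s1.type, s1.ops_id FROM rbac_templates s1, rbac_templates s2 "
        "WHERE s1.rol_id=? AND s1.parent=? AND s2.rol_id=? AND s2.parent=? "
        "AND s1.type = s2.type AND s1.ops_id = s2.ops_id",
        (s1, s1_parent, s2, s2_parent))
    _replace_template(conn, dest_id, dest_parent, set(cur.fetchall()))
    return True


def copy_union(conn, s1, s1_parent, s2, s2_parent, dest_id, dest_parent):
    """Destination gets every pair of either source, each pair exactly once."""
    pairs = template_ops(conn, s1, s1_parent) | template_ops(conn, s2, s2_parent)
    _replace_template(conn, dest_id, dest_parent, pairs)
    return True


def copy_subtract(conn, src, src_parent, dest_id, dest_parent):
    """Remove from the destination every pair the source also has; the rest stays."""
    overlap = template_ops(conn, src, src_parent) & template_ops(conn, dest_id, dest_parent)
    for t, o in overlap:
        conn.execute("DELETE FROM rbac_templates WHERE rol_id=? AND type=? AND ops_id=? AND parent=?",
                     (dest_id, t, o, dest_parent))
    return True


if __name__ == "__main__":
    # constructed templates: roles 10 and 11 in folder 1; role 14 is a subtraction target
    rows = [(10, 'crs', 1, 1), (10, 'crs', 2, 1), (10, 'fold', 3, 1),
            (11, 'crs', 2, 1), (11, 'crs', 4, 1), (11, 'fold', 3, 1),
            (14, 'crs', 1, 1), (14, 'crs', 2, 1), (14, 'fold', 9, 1)]
    conn = open_db(rows)
    copy_intersection(conn, 10, 1, 11, 1, 1, 12)
    copy_union(conn, 10, 1, 11, 1, 13, 1)
    copy_subtract(conn, 10, 1, 14, 1)
    for role in (12, 13, 14):
        print(role, sorted(template_ops(conn, role, 1)))
```

Because intersection and union delete the destination template before inserting, any operation the destination role had on its own is lost in those two cases; only the subtraction preserves the destination's non-overlapping entries.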


ilRbacAdmin::copyRoleTemplatePermissions ($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected = true)

Copies the template permissions of one role to another.

It is also possible to copy template permissions from/to a RoleTemplateObject. The destination template is deleted before the copy; with $a_consider_protected set, a protected source marks the destination as protected as well.

Parameters
  integer $a_source_id role_id source
  integer $a_source_parent parent_id source
  integer $a_dest_parent parent_id destination
  integer $a_dest_id role_id destination
  boolean $a_consider_protected also copy the protected status (default true)
Returns
  boolean

Definition at line 596 of file class.ilRbacAdmin.php.

References $ilDB, $query, $res, $row, and setProtected().

Referenced by copyRolePermissions().

{
    global $rbacreview,$ilDB;

    if (!isset($a_source_id) or !isset($a_source_parent) or !isset($a_dest_id) or !isset($a_dest_parent))
    {
        $message = __METHOD__.": Missing parameter! source_id: ".$a_source_id.
                   " source_parent_id: ".$a_source_parent.
                   " dest_id : ".$a_dest_id.
                   " dest_parent_id: ".$a_dest_parent;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_dest_id == SYSTEM_ROLE_ID)
    {
        return true;
    }

    // Read operations
    $query = 'SELECT * FROM rbac_templates '.
        'WHERE rol_id = '.$ilDB->quote($a_source_id,'integer').' '.
        'AND parent = '.$ilDB->quote($a_source_parent,'integer');
    $res = $ilDB->query($query);
    $operations = array();
    $rownum = 0;
    while ($row = $ilDB->fetchObject($res))
    {
        $operations[$rownum]['type'] = $row->type;
        $operations[$rownum]['ops_id'] = $row->ops_id;
        $rownum++;
    }

    // Delete target permissions
    $query = 'DELETE FROM rbac_templates WHERE rol_id = '.$ilDB->quote($a_dest_id,'integer').' '.
        'AND parent = '.$ilDB->quote($a_dest_parent,'integer');
    $res = $ilDB->manipulate($query);

    foreach($operations as $row => $op)
    {
        $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
            'VALUES ('.
            $ilDB->quote($a_dest_id,'integer').",".
            $ilDB->quote($op['type'],'text').",".
            $ilDB->quote($op['ops_id'],'integer').",".
            $ilDB->quote($a_dest_parent,'integer').")";
        $ilDB->manipulate($query);
    }

    // copy also protection status if applicable
    if ($a_consider_protected == true)
    {
        if ($rbacreview->isProtected($a_source_parent,$a_source_id))
        {
            $this->setProtected($a_dest_parent,$a_dest_id,'y');
        }
    }

    return true;
}


ilRbacAdmin::deassignOperationFromObject ($a_type_id, $a_ops_id)

Deassigns an existing operation from an object type (update of rbac_ta).

Parameters
  integer object type
  integer operation_id
Returns
  boolean

Definition at line 1020 of file class.ilRbacAdmin.php.

References $ilDB, $query, and $res.

{
    global $ilDB;

    if (!isset($a_type_id) or !isset($a_ops_id))
    {
        // message now names this method; the original said "deassignPermissionFromObject"
        $message = get_class($this)."::deassignOperationFromObject(): Missing parameter!".
                   "type_id: ".$a_type_id.
                   "ops_id: ".$a_ops_id;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    $query = "DELETE FROM rbac_ta ".
        "WHERE typ_id = ".$ilDB->quote($a_type_id,'integer')." ".
        "AND ops_id = ".$ilDB->quote($a_ops_id,'integer');
    $res = $ilDB->manipulate($query);

    return true;
}

ilRbacAdmin::deassignUser ($a_rol_id, $a_usr_id)

Deassigns a user from a role.

Update of table rbac_ua; the assignment cache and the LDAP role/group mapping are updated as well.

Parameters
  integer object id of role
  integer object id of user
Returns
  boolean true on success

Definition at line 287 of file class.ilRbacAdmin.php.

References $ilDB, $query, $res, and ilLDAPRoleGroupMapping\_getInstance().

{
    global $ilDB, $rbacreview;

    if (!isset($a_rol_id) or !isset($a_usr_id))
    {
        $message = get_class($this)."::deassignUser(): Missing parameter! role_id: ".$a_rol_id." usr_id: ".$a_usr_id;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    $query = "DELETE FROM rbac_ua ".
        "WHERE usr_id = ".$ilDB->quote($a_usr_id,'integer')." ".
        "AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
    $res = $ilDB->manipulate($query);

    $rbacreview->setAssignedCacheEntry($a_rol_id,$a_usr_id,false);

    include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
    // instance lookup restored from the References list above (lost in extraction)
    $mapping = ilLDAPRoleGroupMapping::_getInstance();
    $mapping->deassign($a_rol_id,$a_usr_id);

    return true;
}


ilRbacAdmin::deleteLocalRole ($a_rol_id, $a_ref_id = 0)

Deletes a local role and its entries in rbac_fa and rbac_templates. Without $a_ref_id the role's entries in all role folders are deleted.

Parameters
  integer object_id of role
  integer ref_id of role folder (optional)
Returns
  boolean true on success

Definition at line 146 of file class.ilRbacAdmin.php.

References $ilDB, $query, and $res.

Referenced by adjustMovedObjectPermissions(), and deleteRole().

{
    global $ilDB;

    if (!isset($a_rol_id))
    {
        $message = get_class($this)."::deleteLocalRole(): Missing parameter! role_id: '".$a_rol_id."'";
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID)
    {
        return true;
    }

    // initialised so that the queries below do not read an undefined variable when no ref_id is given
    $clause = '';
    if ($a_ref_id != 0)
    {
        $clause = 'AND parent = '.$ilDB->quote($a_ref_id,'integer').' ';
    }

    $query = 'DELETE FROM rbac_fa '.
        'WHERE rol_id = '.$ilDB->quote($a_rol_id,'integer').' '.
        $clause;
    $res = $ilDB->manipulate($query);

    $query = 'DELETE FROM rbac_templates '.
        'WHERE rol_id = '.$ilDB->quote($a_rol_id,'integer').' '.
        $clause;
    $res = $ilDB->manipulate($query);

    return true;
}


ilRbacAdmin::deleteRole ($a_rol_id, $a_ref_id)

Deletes a role and its entries in object_data, rbac_pa, rbac_templates, rbac_ua and rbac_fa. The system role cannot be deleted; attempting it raises an error.

Parameters
  integer obj_id of role (role_id)
  integer ref_id of role folder (ref_id)
Returns
  boolean true on success

Definition at line 72 of file class.ilRbacAdmin.php.

References $ilDB, $lng, $query, $res, ilLDAPRoleGroupMapping\_getInstance(), and deleteLocalRole().

{
    global $lng,$ilDB;

    if (!isset($a_rol_id) or !isset($a_ref_id))
    {
        $message = get_class($this)."::deleteRole(): Missing parameter! role_id: ".$a_rol_id." ref_id of role folder: ".$a_ref_id;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID)
    {
        $this->ilErr->raiseError($lng->txt("msg_sysrole_not_deletable"),$this->ilErr->MESSAGE);
    }

    include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
    // instance lookup restored from the References list above (lost in extraction)
    $mapping = ilLDAPRoleGroupMapping::_getInstance();
    $mapping->deleteRole($a_rol_id);

    // TODO: check assigned users before deletion
    // This is done in ilObjRole. Should be better moved to this place?

    // delete user assignements
    $query = "DELETE FROM rbac_ua ".
        "WHERE rol_id = ".$ilDB->quote($a_rol_id,'integer');
    $res = $ilDB->manipulate($query);

    // delete permission assignments
    $query = "DELETE FROM rbac_pa ".
        "WHERE rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
    $res = $ilDB->manipulate($query);

    //delete rbac_templates and rbac_fa
    $this->deleteLocalRole($a_rol_id);

    return true;
}


ilRbacAdmin::deleteRolePermission ($a_rol_id, $a_ref_id, $a_type = false)

Deletes all entries of a template.

If an object type is given as third parameter, only the entries for that object type are deleted. Update of table rbac_templates.

Parameters
  integer object id of role
  integer ref_id of role folder
  string object type (optional)
Returns
  boolean

Definition at line 848 of file class.ilRbacAdmin.php.

References $ilDB, $query, and $res.

Referenced by copyRolePermissionUnion().

{
    global $ilDB;

    if (!isset($a_rol_id) or !isset($a_ref_id))
    {
        $message = get_class($this)."::deleteRolePermission(): Missing parameter! role_id: ".$a_rol_id." ref_id: ".$a_ref_id;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID)
    {
        return true;
    }

    // initialised so that the query below does not read an undefined variable when no type is given
    $and_type = '';
    if ($a_type !== false)
    {
        $and_type = " AND type=".$ilDB->quote($a_type,'text')." ";
    }

    $query = 'DELETE FROM rbac_templates '.
        'WHERE rol_id = '.$ilDB->quote($a_rol_id,'integer').' '.
        'AND parent = '.$ilDB->quote($a_ref_id,'integer').' '.
        $and_type;
    $res = $ilDB->manipulate($query);

    return true;
}


ilRbacAdmin::deleteSubtreeTemplates ($a_ref_id, $a_rol_id)

Deletes all template permissions (rbac_templates) and role folder assignments (rbac_fa) of one role for every node in the subtree of $a_ref_id.

Parameters
  object $a_ref_id
  object $a_rol_id
Returns
  boolean
Definition at line 504 of file class.ilRbacAdmin.php.

References $GLOBALS, $ilDB, and $query.

{
    global $ilDB;

    $query = 'DELETE FROM rbac_templates '.
        'WHERE parent IN ( '.
        $GLOBALS['tree']->getSubTreeQuery($a_ref_id, array('child')).' ) '.
        'AND rol_id = '.$ilDB->quote($a_rol_id,'integer');
    $ilDB->manipulate($query);

    $query = 'DELETE FROM rbac_fa '.
        'WHERE parent IN ( '.
        $GLOBALS['tree']->getSubTreeQuery($a_ref_id,array('child')).' ) '.
        'AND rol_id = '.$ilDB->quote($a_rol_id,'integer');
    $ilDB->manipulate($query);

    return true;
}

ilRbacAdmin::deleteTemplate ($a_obj_id)

Deletes a template from a role folder and all its entries in rbac_templates and rbac_fa.

Parameters
  integer object_id of role template
Returns
  boolean

Definition at line 118 of file class.ilRbacAdmin.php.

References $ilDB, $query, and $res.

{
    global $ilDB;

    if (!isset($a_obj_id))
    {
        $message = get_class($this)."::deleteTemplate(): No obj_id given!";
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    $query = 'DELETE FROM rbac_templates '.
        'WHERE rol_id = '.$ilDB->quote($a_obj_id,'integer');
    $res = $ilDB->manipulate($query);

    $query = 'DELETE FROM rbac_fa '.
        'WHERE rol_id = '.$ilDB->quote($a_obj_id,'integer');
    $res = $ilDB->manipulate($query);

    return true;
}

ilRbacAdmin::grantPermission ($a_rol_id, $a_ops, $a_ref_id)

Grants a permission to an object and a specific role.

Update of table rbac_pa. The existing rbac_pa entry of the role on the object is deleted first; an empty operation list therefore revokes everything and returns false, otherwise the serialized list of operation ids is inserted as the role's new permission set on the object.

Parameters
  integer object id of role
  array array of operation ids
  integer reference id of the object which is granted the permissions
Returns
  boolean

Definition at line 319 of file class.ilRbacAdmin.php.

References $ilDB, $query, and $res.

Referenced by adjustMovedObjectPermissions(), copyRolePermissions(), and initIntersectionPermissions().

    {
        global $ilDB;

        if (!isset($a_rol_id) or !isset($a_ops) or !isset($a_ref_id))
        {
            $this->ilErr->raiseError(get_class($this)."::grantPermission(): Missing parameter! ".
                "role_id: ".$a_rol_id." ref_id: ".$a_ref_id." operations: ",$this->ilErr->WARNING);
        }
        if (!is_array($a_ops))
        {
            $this->ilErr->raiseError(get_class($this)."::grantPermission(): Wrong datatype for operations!",
                $this->ilErr->WARNING);
        }
        /*
        if (count($a_ops) == 0)
        {
            return false;
        }
        */
        // exclude system role from rbac
        if ($a_rol_id == SYSTEM_ROLE_ID)
        {
            return true;
        }

        // convert all values to integer
        foreach ($a_ops as $key => $operation)
        {
            $a_ops[$key] = (int) $operation;
        }

        // Serialization of the ops_id array
        $ops_ids = serialize($a_ops);

        $query = 'DELETE FROM rbac_pa '.
            'WHERE rol_id = %s '.
            'AND ref_id = %s';
        $res = $ilDB->queryF($query,array('integer','integer'),
            array($a_rol_id,$a_ref_id));

        if(!count($a_ops))
        {
            return false;
        }

        $query = "INSERT INTO rbac_pa (rol_id,ops_id,ref_id) ".
            "VALUES ".
            "(".$ilDB->quote($a_rol_id,'integer').",".$ilDB->quote($ops_ids,'text').",".$ilDB->quote($a_ref_id,'integer').")";
        $res = $ilDB->manipulate($query);

        return true;
    }
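The replace-not-merge semantics and the serialized ops_id column are easy to get wrong when writing code against rbac_pa. The following is an added example, not ILIAS code: an in-memory stand-in for the rbac_pa table that follows the contract of grantPermission() above (delete, then insert one row holding serialize()d integer ids) and shows how a reader should decode the column. The PaTable class, the role/ref ids and the value of SYSTEM_ROLE_ID are assumptions made for the example.

```php
<?php
// Added example (not ILIAS code): models how grantPermission() stores a
// role's operation set in rbac_pa and how to read it back safely.
declare(strict_types=1);

const SYSTEM_ROLE_ID = 2; // assumption: ILIAS defines this constant elsewhere

final class PaTable
{
    /** @var array<string,string> key "rol_id:ref_id" => serialized ops_id */
    private array $rows = [];

    // Same contract as ilRbacAdmin::grantPermission(): the row for
    // (rol_id, ref_id) is deleted and replaced, never merged.
    public function grant(int $rolId, array $ops, int $refId): bool
    {
        if ($rolId === SYSTEM_ROLE_ID) {
            return true;               // system role bypasses rbac entirely
        }
        $ops = array_values(array_unique(array_map('intval', $ops)));
        unset($this->rows["$rolId:$refId"]);   // the DELETE
        if ($ops === []) {
            return false;              // nothing inserted: all ops revoked
        }
        $this->rows["$rolId:$refId"] = serialize($ops);   // the INSERT
        return true;
    }

    // Decode a stored ops_id column. allowed_classes=false makes
    // unserialize() refuse objects, so a tampered row cannot trigger
    // __wakeup()/__destruct() gadgets; anything that is not an array of
    // ids is treated as "no operations".
    public function ops(int $rolId, int $refId): array
    {
        $raw = $this->rows["$rolId:$refId"] ?? null;
        if ($raw === null) {
            return [];
        }
        $ops = @unserialize($raw, ['allowed_classes' => false]);
        return is_array($ops) ? array_map('intval', $ops) : [];
    }

    public function raw(int $rolId, int $refId): ?string
    {
        return $this->rows["$rolId:$refId"] ?? null;
    }
}

// constructed ids: role 4 on the object with ref_id 100
$pa = new PaTable();
$pa->grant(4, ['2', 3], 100);     // strings are cast to int like the original
var_dump($pa->raw(4, 100));       // the serialized form written to ops_id
$pa->grant(4, [3, 6], 100);       // second grant replaces the set, op 2 is gone
var_dump($pa->ops(4, 100));
$pa->grant(4, [], 100);           // empty set: row deleted, grant() returns false
var_dump($pa->ops(4, 100));
```

The `allowed_classes` argument is the practitioner's caveat here: rbac_pa.ops_id is plain text in the database, and any reader that unserializes it with defaults would instantiate whatever class name an attacker with write access to that column chose to store.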


ilRbacAdmin::initIntersectionPermissions (   $a_ref_id,
  $a_role_id,
  $a_role_parent,
  $a_template_id,
  $a_template_parent 
)

Init intersection permissions.

Initializes the permissions of a role on a newly placed object. If the role is protected at $a_role_parent, the role's operations for the object's type are copied from that parent and set on the object directly. Otherwise, if a template is given, the intersection of the template's and the role's template permissions is written for the object, the role is assigned to the object as a non-assignable local role ('n'), and the resulting operations are granted on the object.

Uses the global $rbacreview.

Parameters
integer  $a_ref_id  reference id of the object
integer  $a_role_id  id of the role
integer  $a_role_parent  ref_id of the role folder the role is taken from
integer  $a_template_id  id of the role template (0 or empty: skip the intersection step)
integer  $a_template_parent  ref_id of the role folder the template is taken from
Returns
nothing (void)

Definition at line 1120 of file class.ilRbacAdmin.php.

References ilObject\_lookupType(), assignRoleToFolder(), copyRolePermissionIntersection(), and grantPermission().

Referenced by adjustMovedObjectPermissions().

    {
        global $rbacreview;

        if($rbacreview->isProtected($a_role_parent, $a_role_id))
        {
            // Assign object permissions
            $new_ops = $rbacreview->getOperationsOfRole(
                $a_role_id,
                ilObject::_lookupType($a_ref_id, true),
                $a_role_parent
            );
            // set new permissions for object
            $this->grantPermission(
                $a_role_id,
                (array) $new_ops,
                $a_ref_id
            );
            return;
        }

        if(!$a_template_id)
        {
            return;
        }

        // create template permission intersection
        $this->copyRolePermissionIntersection(
            $a_template_id,
            $a_template_parent,
            $a_role_id,
            $a_role_parent,
            $a_ref_id,
            $a_role_id
        );

        // assign role to folder
        $this->assignRoleToFolder(
            $a_role_id,
            $a_ref_id,
            'n'
        );

        // Assign object permissions
        $new_ops = $rbacreview->getOperationsOfRole(
            $a_role_id,
            ilObject::_lookupType($a_ref_id, true),
            $a_ref_id
        );
        // set new permissions for object
        $this->grantPermission(
            $a_role_id,
            (array) $new_ops,
            $a_ref_id
        );
        return;
    }



ilRbacAdmin::removeUser (   $a_usr_id)

Deletes a user from rbac_ua: all user <-> role assignments of that user are removed. public

Parameters
integer  $a_usr_id  user_id
Returns
boolean  true on success

Definition at line 49 of file class.ilRbacAdmin.php.

References $ilDB, $query, and $res.

    {
        global $ilDB;

        if (!isset($a_usr_id))
        {
            $message = get_class($this)."::removeUser(): No usr_id given!";
            $this->ilErr->raiseError($message,$this->ilErr->WARNING);
        }

        $query = "DELETE FROM rbac_ua WHERE usr_id = ".$ilDB->quote($a_usr_id,'integer');
        $res = $ilDB->manipulate($query);

        return true;
    }
ilRbacAdmin::revokePermission (   $a_ref_id,
  $a_rol_id = 0,
  $a_keep_protected = true 
)

Revokes permissions on an object for one role or for all roles.

Update of table rbac_pa. Without a role_id, the permissions of all roles on that object (with this reference) are revoked; with a role_id, only that role's. With $a_keep_protected (the default) the protected status of roles is respected: roles flagged as protected in the object's scope are skipped, as is the system role. With $a_keep_protected = false the protected flag is bypassed and only the system role is spared. Note that the protected check for a given role_id looks the role up in $rbacreview->getParentRoleIds($a_ref_id); a role that is not in scope there is treated as not protected. public

Parameters
integer  $a_ref_id  reference id of the object where permissions should be revoked
integer  $a_rol_id  role_id (optional: revoke only for this specific role; 0 means all roles)
boolean  $a_keep_protected  true (default): skip protected roles; false: revoke regardless of the protected flag
Returns
boolean

Definition at line 384 of file class.ilRbacAdmin.php.

References $ilDB, $ilLog, $log, $query, and $res.

Referenced by adjustMovedObjectPermissions(), and copyRolePermissions().

    {
        global $rbacreview,$log,$ilDB,$ilLog;

        if (!isset($a_ref_id))
        {
            $ilLog->logStack();
            $message = get_class($this)."::revokePermission(): Missing parameter! ref_id: ".$a_ref_id;
            $this->ilErr->raiseError($message,$this->ilErr->WARNING);
        }
        #$log->write("ilRBACadmin::revokePermission(), 0");

        // bypass protected status of roles
        if ($a_keep_protected != true)
        {
            // exclude system role from rbac
            if ($a_rol_id == SYSTEM_ROLE_ID)
            {
                return true;
            }

            if ($a_rol_id)
            {
                $and1 = " AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
            }
            else
            {
                $and1 = "";
            }

            $query = "DELETE FROM rbac_pa ".
                "WHERE ref_id = ".$ilDB->quote($a_ref_id,'integer').
                $and1;
            $res = $ilDB->manipulate($query);

            return true;
        }

        // consider protected status of roles
        // in any case, get all roles in scope first
        $roles_in_scope = $rbacreview->getParentRoleIds($a_ref_id);

        if (!$a_rol_id)
        {
            #$log->write("ilRBACadmin::revokePermission(), 1");
            $role_ids = array();

            foreach ($roles_in_scope as $role)
            {
                if ($role['protected'] == true)
                {
                    continue;
                }
                $role_ids[] = $role['obj_id'];
            }

            // return if no role in array
            if (!$role_ids)
            {
                return true;
            }

            $query = 'DELETE FROM rbac_pa '.
                'WHERE '.$ilDB->in('rol_id',$role_ids,false,'integer').' '.
                'AND ref_id = '.$ilDB->quote($a_ref_id,'integer');
            $res = $ilDB->manipulate($query);
        }
        else
        {
            #$log->write("ilRBACadmin::revokePermission(), 2");
            // exclude system role from rbac
            if ($a_rol_id == SYSTEM_ROLE_ID)
            {
                return true;
            }

            // exclude protected permission settings from revoking
            // (no isset(): a role that is not in scope at $a_ref_id reads as
            // not protected here and its row is deleted below)
            if ($roles_in_scope[$a_rol_id]['protected'] == true)
            {
                return true;
            }

            $query = "DELETE FROM rbac_pa ".
                "WHERE ref_id = ".$ilDB->quote($a_ref_id,'integer')." ".
                "AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
            $res = $ilDB->manipulate($query);
        }

        return true;
    }
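Which rbac_pa rows survive a revokePermission() call depends on the interplay of $a_rol_id, $a_keep_protected and the protected flag of the roles in scope. The following is an added example, not ILIAS code: an in-memory model of the three branches of the method above, run over constructed rows, so the behaviour of each branch (including the lookup of a role that is not in scope) can be observed without a database. The function name, the array shapes standing in for rbac_pa and for the result of $rbacreview->getParentRoleIds(), and the value of SYSTEM_ROLE_ID are assumptions made for the example.

```php
<?php
// Added example (not ILIAS code): in-memory model of the branches of
// ilRbacAdmin::revokePermission(). rbac_pa rows are plain arrays and
// getParentRoleIds() is replaced by a constructed array keyed by role id
// with a boolean 'protected' flag.
declare(strict_types=1);

const SYSTEM_ROLE_ID = 2; // assumption, as in the example above

/**
 * @param array<int,array{rol_id:int,ref_id:int}>     $pa           rbac_pa rows
 * @param array<int,array{obj_id:int,protected:bool}> $rolesInScope roles visible at $refId, keyed by role id
 * @return array<int,array{rol_id:int,ref_id:int}>    rows left after the revoke
 */
function revokePermissionModel(array $pa, array $rolesInScope, int $refId, int $rolId = 0, bool $keepProtected = true): array
{
    // remove every row for which $match() is true
    $drop = static function (array $pa, callable $match): array {
        return array_values(array_filter($pa, static fn(array $r): bool => !$match($r)));
    };

    if (!$keepProtected) {
        // bypass branch: only the system role is spared
        if ($rolId === SYSTEM_ROLE_ID) {
            return $pa;
        }
        return $drop($pa, fn(array $r): bool => $r['ref_id'] === $refId && ($rolId === 0 || $r['rol_id'] === $rolId));
    }

    if ($rolId === 0) {
        // all roles in scope except protected ones
        $targets = [];
        foreach ($rolesInScope as $role) {
            if ($role['protected'] === true) {
                continue;
            }
            $targets[] = $role['obj_id'];
        }
        if ($targets === []) {
            return $pa;
        }
        return $drop($pa, fn(array $r): bool => $r['ref_id'] === $refId && in_array($r['rol_id'], $targets, true));
    }

    if ($rolId === SYSTEM_ROLE_ID) {
        return $pa;
    }
    // The original reads $roles_in_scope[$a_rol_id]['protected'] without an
    // isset() check, so a role that is not in scope at all compares as
    // "not protected" and its rows at $refId are removed.
    $protected = $rolesInScope[$rolId]['protected'] ?? false;
    if ($protected === true) {
        return $pa;
    }
    return $drop($pa, fn(array $r): bool => $r['ref_id'] === $refId && $r['rol_id'] === $rolId);
}

// constructed data: role 4 is protected and role 5 is not at ref_id 100;
// role 7 has a row at ref_id 100 but is not in scope there
$rolesInScope = [
    4 => ['obj_id' => 4, 'protected' => true],
    5 => ['obj_id' => 5, 'protected' => false],
];
$pa = [
    ['rol_id' => 4, 'ref_id' => 100],
    ['rol_id' => 5, 'ref_id' => 100],
    ['rol_id' => 7, 'ref_id' => 100],
    ['rol_id' => 5, 'ref_id' => 101],
];

// keep_protected, no role given: only unprotected roles in scope are affected
print_r(revokePermissionModel($pa, $rolesInScope, 100));
// keep_protected, role 7 named explicitly: the missing-index path applies
print_r(revokePermissionModel($pa, $rolesInScope, 100, 7));
// bypass: the protected flag is ignored for every role at ref_id 100
print_r(revokePermissionModel($pa, $rolesInScope, 100, 0, false));
```

Running the three calls side by side makes the asymmetry visible: a role outside the object's scope is untouched by the "all roles" branch (it is simply not in $roles_in_scope) but is stripped by the single-role branch, because the absent index does not read as protected.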


ilRbacAdmin::revokePermissionList (   $a_ref_ids,
  $a_rol_id 
)

Revokes the permissions of ONE role on a LIST of objects.

Update of table rbac_pa. All rbac_pa rows of the role whose ref_id is in the list are deleted in a single statement; the protected flag is not considered here. The system role is excluded from rbac and the call is a no-op for it. public

Parameters
array  $a_ref_ids  list of reference ids on which to revoke permissions
integer  $a_rol_id  role_id
Returns
boolean

Definition at line 532 of file class.ilRbacAdmin.php.

References $ilDB, $query, and $res.

    {
        global $ilDB;

        if (!isset($a_ref_ids) or !is_array($a_ref_ids))
        {
            // note: var_dump() prints to output and returns null, so the
            // list is not actually appended to $message
            $message = get_class($this)."::revokePermissionList(): Missing parameter or parameter is not an array! reference_list: ".var_dump($a_ref_ids);
            $this->ilErr->raiseError($message,$this->ilErr->WARNING);
        }
        if (!isset($a_rol_id))
        {
            $message = get_class($this)."::revokePermissionList(): Missing parameter! rol_id: ".$a_rol_id;
            $this->ilErr->raiseError($message,$this->ilErr->WARNING);
        }

        // exclude system role from rbac
        if ($a_rol_id == SYSTEM_ROLE_ID)
        {
            return true;
        }

        $query = "DELETE FROM rbac_pa ".
            "WHERE ".$ilDB->in('ref_id',$a_ref_ids,false,'integer').' '.
            "AND rol_id = ".$ilDB->quote($a_rol_id,'integer');
        $res = $ilDB->manipulate($query);

        return true;
    }
ilRbacAdmin::revokeSubtreePermissions (   $a_ref_id,
  $a_role_id 
)

Revoke subtree permissions.

Deletes all rbac_pa rows of one role for every node in the subtree below (and including) $a_ref_id, using the tree's subtree query. The protected flag is not considered.

Parameters
integer  $a_ref_id  reference id of the subtree root
integer  $a_role_id  id of the role
Returns
boolean  always true
Definition at line 485 of file class.ilRbacAdmin.php.

References $ilDB, and $query.

    {
        global $ilDB;

        $query = 'DELETE FROM rbac_pa '.
            'WHERE ref_id IN '.
            '( '.$GLOBALS['tree']->getSubTreeQuery($a_ref_id,array('child')).' ) '.
            'AND rol_id = '.$ilDB->quote($a_role_id,'integer');
        $ilDB->manipulate($query);
        return true;
    }
ilRbacAdmin::setProtected (   $a_ref_id,
  $a_role_id,
  $a_value 
)

Set the protected flag of a role.

Updates the protected column in rbac_fa for every row of the role. $a_ref_id is accepted but not used yet: the protected status acts globally for the role, regardless of any broken inheritance above a given object.

Parameters
integer  $a_ref_id  reference id (currently ignored)
integer  $a_role_id  id of the role
string  $a_value  'y' or 'n'
Returns
boolean

Definition at line 1048 of file class.ilRbacAdmin.php.

References $ilDB, $query, and $res.

Referenced by copyRoleTemplatePermissions().

    {
        global $ilDB;

        // ref_id not used yet. protected permission acts 'global' for each role,
        // regardless of any broken inheritance before
        $query = 'UPDATE rbac_fa '.
            'SET protected = '.$ilDB->quote($a_value,'text').' '.
            'WHERE rol_id = '.$ilDB->quote($a_role_id,'integer');
        $res = $ilDB->manipulate($query);
        return true;
    }


ilRbacAdmin::setRolePermission (   $a_rol_id,
  $a_type,
  $a_ops,
  $a_ref_id 
)

Inserts template permissions in rbac_templates for a specific object type.

Update of table rbac_templates. One row per operation id is inserted with a prepared statement. Existing rows for the role, type and parent are not removed first, so calling this on top of existing template permissions adds to them; the system role is excluded from rbac and the call is a no-op for it. public

Parameters
integer  $a_rol_id  role_id
string  $a_type  object type
array  $a_ops  operation_ids (must be a non-empty array)
integer  $a_ref_id  ref_id of the role folder object (stored in the parent column)
Returns
boolean

Definition at line 889 of file class.ilRbacAdmin.php.

References $ilDB, $query, and $res.

    {
        global $ilDB;

        if (!isset($a_rol_id) or !isset($a_type) or !isset($a_ops) or !isset($a_ref_id))
        {
            // note: $a_ops is an array here, so the concatenation only yields "Array"
            $message = get_class($this)."::setRolePermission(): Missing parameter!".
                " role_id: ".$a_rol_id.
                " type: ".$a_type.
                " operations: ".$a_ops.
                " ref_id: ".$a_ref_id;
            $this->ilErr->raiseError($message,$this->ilErr->WARNING);
        }
        if (!is_string($a_type) or empty($a_type))
        {
            $message = get_class($this)."::setRolePermission(): a_type is no string or empty!";
            $this->ilErr->raiseError($message,$this->ilErr->WARNING);
        }
        if (!is_array($a_ops) or empty($a_ops))
        {
            $message = get_class($this)."::setRolePermission(): a_ops is no array or empty!";
            $this->ilErr->raiseError($message,$this->ilErr->WARNING);
        }

        // exclude system role from rbac
        if ($a_rol_id == SYSTEM_ROLE_ID)
        {
            return true;
        }

        $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
            'VALUES (?,?,?,?)';
        $sta = $ilDB->prepareManip($query,array('integer','text','integer','integer'));

        foreach ($a_ops as $op)
        {
            $res = $ilDB->execute($sta,array(
                $a_rol_id,
                $a_type,
                $op,
                $a_ref_id
            ));
        }

        return true;
    }

The documentation for this class was generated from the following file: