ILIAS  release_4-3 Revision
 All Data Structures Namespaces Files Functions Variables Groups Pages
class.ilRbacAdmin.php
Go to the documentation of this file.
1 <?php
2 /*
3  +-----------------------------------------------------------------------------+
4  | ILIAS open source |
5  +-----------------------------------------------------------------------------+
6  | Copyright (c) 1998-2001 ILIAS open source, University of Cologne |
7  | |
8  | This program is free software; you can redistribute it and/or |
9  | modify it under the terms of the GNU General Public License |
10  | as published by the Free Software Foundation; either version 2 |
11  | of the License, or (at your option) any later version. |
12  | |
13  | This program is distributed in the hope that it will be useful, |
14  | but WITHOUT ANY WARRANTY; without even the implied warranty of |
15  | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
16  | GNU General Public License for more details. |
17  | |
18  | You should have received a copy of the GNU General Public License |
19  | along with this program; if not, write to the Free Software |
20  | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. |
21  +-----------------------------------------------------------------------------+
22 */
23 
24 
38 class ilRbacAdmin
39 {
44  function ilRbacAdmin()
45  {
46  global $ilDB,$ilErr,$ilias;
47 
48  // set db & error handler
49  (isset($ilDB)) ? $this->ilDB =& $ilDB : $this->ilDB =& $ilias->db;
50 
51  if (!isset($ilErr))
52  {
53  $ilErr = new ilErrorHandling();
54  $ilErr->setErrorHandling(PEAR_ERROR_CALLBACK,array($ilErr,'errorHandler'));
55  }
56  else
57  {
58  $this->ilErr =& $ilErr;
59  }
60  }
61 
69  function removeUser($a_usr_id)
70  {
71  global $ilDB;
72 
73  if (!isset($a_usr_id))
74  {
75  $message = get_class($this)."::removeUser(): No usr_id given!";
76  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
77  }
78 
79  $query = "DELETE FROM rbac_ua WHERE usr_id = ".$ilDB->quote($a_usr_id,'integer');
80  $res = $ilDB->manipulate($query);
81 
82  return true;
83  }
84 
92  function deleteRole($a_rol_id,$a_ref_id)
93  {
94  global $lng,$ilDB;
95 
96  if (!isset($a_rol_id) or !isset($a_ref_id))
97  {
98  $message = get_class($this)."::deleteRole(): Missing parameter! role_id: ".$a_rol_id." ref_id of role folder: ".$a_ref_id;
99  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
100  }
101 
102  // exclude system role from rbac
103  if ($a_rol_id == SYSTEM_ROLE_ID)
104  {
105  $this->ilErr->raiseError($lng->txt("msg_sysrole_not_deletable"),$this->ilErr->MESSAGE);
106  }
107 
108  include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
109  $mapping = ilLDAPRoleGroupMapping::_getInstance();
110  $mapping->deleteRole($a_rol_id);
111 
112 
113  // TODO: check assigned users before deletion
114  // This is done in ilObjRole. Should be better moved to this place?
115 
116  // delete user assignements
117  $query = "DELETE FROM rbac_ua ".
118  "WHERE rol_id = ".$ilDB->quote($a_rol_id,'integer');
119  $res = $ilDB->manipulate($query);
120 
121  // delete permission assignments
122  $query = "DELETE FROM rbac_pa ".
123  "WHERE rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
124  $res = $ilDB->manipulate($query);
125 
126  //delete rbac_templates and rbac_fa
127  $this->deleteLocalRole($a_rol_id);
128 
129  return true;
130  }
131 
138  function deleteTemplate($a_obj_id)
139  {
140  global $ilDB;
141 
142  if (!isset($a_obj_id))
143  {
144  $message = get_class($this)."::deleteTemplate(): No obj_id given!";
145  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
146  }
147 
148  $query = 'DELETE FROM rbac_templates '.
149  'WHERE rol_id = '.$ilDB->quote($a_obj_id,'integer');
150  $res = $ilDB->manipulate($query);
151 
152  $query = 'DELETE FROM rbac_fa '.
153  'WHERE rol_id = '.$ilDB->quote($a_obj_id,'integer');
154  $res = $ilDB->manipulate($query);
155 
156  return true;
157  }
158 
166  function deleteLocalRole($a_rol_id,$a_ref_id = 0)
167  {
168  global $ilDB;
169 
170  if (!isset($a_rol_id))
171  {
172  $message = get_class($this)."::deleteLocalRole(): Missing parameter! role_id: '".$a_rol_id."'";
173  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
174  }
175 
176  // exclude system role from rbac
177  if ($a_rol_id == SYSTEM_ROLE_ID)
178  {
179  return true;
180  }
181 
182  if ($a_ref_id != 0)
183  {
184  $clause = 'AND parent = '.$ilDB->quote($a_ref_id,'integer').' ';
185  }
186 
187  $query = 'DELETE FROM rbac_fa '.
188  'WHERE rol_id = '.$ilDB->quote($a_rol_id,'integer').' '.
189  $clause;
190  $res = $ilDB->manipulate($query);
191 
192  $query = 'DELETE FROM rbac_templates '.
193  'WHERE rol_id = '.$ilDB->quote($a_rol_id,'integer').' '.
194  $clause;
195  $res = $ilDB->manipulate($query);
196  return true;
197  }
198 
199 
209  function assignUser($a_rol_id,$a_usr_id,$a_default = false)
210  {
211  global $ilDB,$rbacreview;
212 
213  if (!isset($a_rol_id) or !isset($a_usr_id))
214  {
215  $message = get_class($this)."::assignUser(): Missing parameter! role_id: ".$a_rol_id." usr_id: ".$a_usr_id;
216  #$this->ilErr->raiseError($message,$this->ilErr->WARNING);
217  }
218 
219  // check if already assigned user id and role_id
220  $alreadyAssigned = $rbacreview->isAssigned($a_usr_id,$a_rol_id);
221 
222  // enhanced: only if we haven't had this role for this user
223  if (!$alreadyAssigned)
224  {
225  $query = "INSERT INTO rbac_ua (usr_id, rol_id) ".
226  "VALUES (".$ilDB->quote($a_usr_id,'integer').",".$ilDB->quote($a_rol_id,'integer').")";
227  $res = $ilDB->manipulate($query);
228 
229  include_once 'Services/AccessControl/classes/class.ilRoleDesktopItem.php';
230 
231  $role_desk_item_obj =& new ilRoleDesktopItem($a_rol_id);
232 
233  if(is_object($tmp_user = ilObjectFactory::getInstanceByObjId($a_usr_id,false)))
234  {
235  foreach($role_desk_item_obj->getAll() as $item_data)
236  {
237  if(!$tmp_user->isDesktopItem($item_data['item_id'],$item_data['item_type']))
238  {
239  $tmp_user->addDesktopItem($item_data['item_id'],$item_data['item_type']);
240  }
241  }
242  }
243  }
244 
245  include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
246  $mapping = ilLDAPRoleGroupMapping::_getInstance();
247  $mapping->assign($a_rol_id,$a_usr_id);
248 
249  return true;
250  }
251 
259  function deassignUser($a_rol_id,$a_usr_id)
260  {
261  global $ilDB;
262 
263  if (!isset($a_rol_id) or !isset($a_usr_id))
264  {
265  $message = get_class($this)."::deassignUser(): Missing parameter! role_id: ".$a_rol_id." usr_id: ".$a_usr_id;
266  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
267  }
268 
269  $query = "DELETE FROM rbac_ua ".
270  "WHERE usr_id = ".$ilDB->quote($a_usr_id,'integer')." ".
271  "AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
272  $res = $ilDB->manipulate($query);
273 
274  include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
275  $mapping = ilLDAPRoleGroupMapping::_getInstance();
276  $mapping->deassign($a_rol_id,$a_usr_id);
277 
278  return true;
279  }
280 
289  function grantPermission($a_rol_id,$a_ops,$a_ref_id)
290  {
291  global $ilDB;
292 
293  if (!isset($a_rol_id) or !isset($a_ops) or !isset($a_ref_id))
294  {
295  $this->ilErr->raiseError(get_class($this)."::grantPermission(): Missing parameter! ".
296  "role_id: ".$a_rol_id." ref_id: ".$a_ref_id." operations: ",$this->ilErr->WARNING);
297  }
298 
299  if (!is_array($a_ops))
300  {
301  $this->ilErr->raiseError(get_class($this)."::grantPermission(): Wrong datatype for operations!",
302  $this->ilErr->WARNING);
303  }
304 
305  /*
306  if (count($a_ops) == 0)
307  {
308  return false;
309  }
310  */
311  // exclude system role from rbac
312  if ($a_rol_id == SYSTEM_ROLE_ID)
313  {
314  return true;
315  }
316 
317  // convert all values to integer
318  foreach ($a_ops as $key => $operation)
319  {
320  $a_ops[$key] = (int) $operation;
321  }
322 
323  // Serialization des ops_id Arrays
324  $ops_ids = serialize($a_ops);
325 
326  $query = 'DELETE FROM rbac_pa '.
327  'WHERE rol_id = %s '.
328  'AND ref_id = %s';
329  $res = $ilDB->queryF($query,array('integer','integer'),
330  array($a_rol_id,$a_ref_id));
331 
332  if(!count($a_ops))
333  {
334  return false;
335  }
336 
337  $query = "INSERT INTO rbac_pa (rol_id,ops_id,ref_id) ".
338  "VALUES ".
339  "(".$ilDB->quote($a_rol_id,'integer').",".$ilDB->quote($ops_ids,'text').",".$ilDB->quote($a_ref_id,'integer').")";
340  $res = $ilDB->manipulate($query);
341 
342  return true;
343  }
344 
354  function revokePermission($a_ref_id,$a_rol_id = 0,$a_keep_protected = true)
355  {
356  global $rbacreview,$log,$ilDB,$ilLog;
357 
358  if (!isset($a_ref_id))
359  {
360  $ilLog->logStack();
361  $message = get_class($this)."::revokePermission(): Missing parameter! ref_id: ".$a_ref_id;
362  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
363  }
364 #$log->write("ilRBACadmin::revokePermission(), 0");
365 
366  // bypass protected status of roles
367  if ($a_keep_protected != true)
368  {
369  // exclude system role from rbac
370  if ($a_rol_id == SYSTEM_ROLE_ID)
371  {
372  return true;
373  }
374 
375  if ($a_rol_id)
376  {
377  $and1 = " AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
378  }
379  else
380  {
381  $and1 = "";
382  }
383 
384  $query = "DELETE FROM rbac_pa ".
385  "WHERE ref_id = ".$ilDB->quote($a_ref_id,'integer').
386  $and1;
387 
388  $res = $ilDB->manipulate($query);
389 
390  return true;
391  }
392 
393  // consider protected status of roles
394 
395  // in any case, get all roles in scope first
396  $roles_in_scope = $rbacreview->getParentRoleIds($a_ref_id);
397 
398  if (!$a_rol_id)
399  {
400 #$log->write("ilRBACadmin::revokePermission(), 1");
401 
402  $role_ids = array();
403 
404  foreach ($roles_in_scope as $role)
405  {
406  if ($role['protected'] == true)
407  {
408  continue;
409  }
410 
411  $role_ids[] = $role['obj_id'];
412  }
413 
414  // return if no role in array
415  if (!$role_ids)
416  {
417  return true;
418  }
419 
420  $query = 'DELETE FROM rbac_pa '.
421  'WHERE '.$ilDB->in('rol_id',$role_ids,false,'integer').' '.
422  'AND ref_id = '.$ilDB->quote($a_ref_id,'integer');
423  $res = $ilDB->manipulate($query);
424  }
425  else
426  {
427 #$log->write("ilRBACadmin::revokePermission(), 2");
428  // exclude system role from rbac
429  if ($a_rol_id == SYSTEM_ROLE_ID)
430  {
431  return true;
432  }
433 
434  // exclude protected permission settings from revoking
435  if ($roles_in_scope[$a_rol_id]['protected'] == true)
436  {
437  return true;
438  }
439 
440  $query = "DELETE FROM rbac_pa ".
441  "WHERE ref_id = ".$ilDB->quote($a_ref_id,'integer')." ".
442  "AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
443  $res = $ilDB->manipulate($query);
444  }
445 
446  return true;
447  }
448 
455  public function revokeSubtreePermissions($a_ref_id,$a_role_id)
456  {
457  global $ilDB;
458 
459  $query = "DELETE FROM rbac_pa ".
460  "WHERE ref_id IN ".
461  "(SELECT child FROM tree WHERE ".
462  "lft >= (SELECT lft FROM tree WHERE child = ".$ilDB->quote($a_ref_id,'integer')." ) AND ".
463  "rgt <= (SELECT rgt FROM tree WHERE child = ".$ilDB->quote($a_ref_id,'integer')." ) ".
464  ") ".
465  "AND rol_id = ".$ilDB->quote($a_role_id,'integer');
466 
467  $ilDB->manipulate($query);
468  return true;
469  }
470 
477  public function deleteSubtreeTemplates($a_ref_id,$a_rol_id)
478  {
479  global $ilDB;
480 
481  $query = "DELETE FROM rbac_templates ".
482  "WHERE parent IN ".
483  "(SELECT child FROM tree WHERE ".
484  "lft >= (SELECT lft FROM tree WHERE child = ".$ilDB->quote($a_ref_id,'integer')." ) AND ".
485  "rgt <= (SELECT rgt FROM tree WHERE child = ".$ilDB->quote($a_ref_id,'integer')." ) ".
486  ") ".
487  "AND rol_id = ".$ilDB->quote($a_rol_id,'integer');
488 
489  $ilDB->manipulate($query);
490 
491  $query = "DELETE FROM rbac_fa ".
492  "WHERE parent IN ".
493  "(SELECT child FROM tree WHERE ".
494  "lft >= (SELECT lft FROM tree WHERE child = ".$ilDB->quote($a_ref_id,'integer')." ) AND ".
495  "rgt <= (SELECT rgt FROM tree WHERE child = ".$ilDB->quote($a_ref_id,'integer')." ) ".
496  ") ".
497  "AND rol_id = ".$ilDB->quote($a_rol_id,'integer');
498 
499 
500  $ilDB->manipulate($query);
501 
502  return true;
503  }
504 
512  function revokePermissionList($a_ref_ids,$a_rol_id)
513  {
514  global $ilDB;
515 
516  if (!isset($a_ref_ids) or !is_array($a_ref_ids))
517  {
518  $message = get_class($this)."::revokePermissionList(): Missing parameter or parameter is not an array! reference_list: ".var_dump($a_ref_ids);
519  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
520  }
521 
522  if (!isset($a_rol_id))
523  {
524  $message = get_class($this)."::revokePermissionList(): Missing parameter! rol_id: ".$a_rol_id;
525  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
526  }
527 
528  // exclude system role from rbac
529  if ($a_rol_id == SYSTEM_ROLE_ID)
530  {
531  return true;
532  }
533 
534  $query = "DELETE FROM rbac_pa ".
535  "WHERE ".$ilDB->in('ref_id',$a_ref_ids,false,'integer').' '.
536  "AND rol_id = ".$ilDB->quote($a_rol_id,'integer');
537  $res = $ilDB->manipulate($query);
538 
539  return true;
540  }
541 
552  public function copyRolePermissions($a_source_id,$a_source_parent,$a_dest_parent,$a_dest_id,$a_consider_protected = true)
553  {
554  global $tree,$rbacreview;
555 
556  // Copy template permissions
557  $this->copyRoleTemplatePermissions($a_source_id,$a_source_parent,$a_dest_parent,$a_dest_id,$a_consider_protected);
558 
559  $source_obj = $tree->getParentId($a_source_parent);
560  $target_obj = $tree->getParentId($a_dest_parent);
561  $ops = $rbacreview->getRoleOperationsOnObject($a_source_id,$source_obj);
562 
563  $this->revokePermission($target_obj,$a_dest_id);
564  $this->grantPermission($a_dest_id,$ops,$target_obj);
565  return true;
566  }
567 
578  function copyRoleTemplatePermissions($a_source_id,$a_source_parent,$a_dest_parent,$a_dest_id,$a_consider_protected = true)
579  {
580  global $rbacreview,$ilDB;
581 
582  if (!isset($a_source_id) or !isset($a_source_parent) or !isset($a_dest_id) or !isset($a_dest_parent))
583  {
584  $message = __METHOD__.": Missing parameter! source_id: ".$a_source_id.
585  " source_parent_id: ".$a_source_parent.
586  " dest_id : ".$a_dest_id.
587  " dest_parent_id: ".$a_dest_parent;
588  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
589  }
590 
591  // exclude system role from rbac
592  if ($a_dest_id == SYSTEM_ROLE_ID)
593  {
594  return true;
595  }
596 
597  // Read operations
598  $query = 'SELECT * FROM rbac_templates '.
599  'WHERE rol_id = '.$ilDB->quote($a_source_id,'integer').' '.
600  'AND parent = '.$ilDB->quote($a_source_parent,'integer');
601  $res = $ilDB->query($query);
602  $operations = array();
603  $rownum = 0;
604  while ($row = $ilDB->fetchObject($res))
605  {
606  $operations[$rownum]['type'] = $row->type;
607  $operations[$rownum]['ops_id'] = $row->ops_id;
608  $rownum++;
609  }
610 
611  // Delete target permissions
612  $query = 'DELETE FROM rbac_templates WHERE rol_id = '.$ilDB->quote($a_dest_id,'integer').' '.
613  'AND parent = '.$ilDB->quote($a_dest_parent,'integer');
614  $res = $ilDB->manipulate($query);
615 
616  foreach($operations as $row => $op)
617  {
618  $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
619  'VALUES ('.
620  $ilDB->quote($a_dest_id,'integer').",".
621  $ilDB->quote($op['type'],'text').",".
622  $ilDB->quote($op['ops_id'],'integer').",".
623  $ilDB->quote($a_dest_parent,'integer').")";
624  $ilDB->manipulate($query);
625  }
626 
627  // copy also protection status if applicable
628  if ($a_consider_protected == true)
629  {
630  if ($rbacreview->isProtected($a_source_parent,$a_source_id))
631  {
632  $this->setProtected($a_dest_parent,$a_dest_id,'y');
633  }
634  }
635 
636  return true;
637  }
651  function copyRolePermissionIntersection($a_source1_id,$a_source1_parent,$a_source2_id,$a_source2_parent,$a_dest_parent,$a_dest_id)
652  {
653  global $rbacreview,$ilDB;
654 
655  if (!isset($a_source1_id) or !isset($a_source1_parent)
656  or !isset($a_source2_id) or !isset($a_source2_parent)
657  or !isset($a_dest_id) or !isset($a_dest_parent))
658  {
659  $message = get_class($this)."::copyRolePermissionIntersection(): Missing parameter! source1_id: ".$a_source1_id.
660  " source1_parent: ".$a_source1_parent.
661  " source2_id: ".$a_source2_id.
662  " source2_parent: ".$a_source2_parent.
663  " dest_id: ".$a_dest_id.
664  " dest_parent_id: ".$a_dest_parent;
665  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
666  }
667 
668  // exclude system role from rbac
669  if ($a_dest_id == SYSTEM_ROLE_ID)
670  {
671  return true;
672  }
673 
674  if ($rbacreview->isProtected($a_source2_parent,$a_source2_id))
675  {
676  $GLOBALS['ilLog']->write(__METHOD__.': Role is protected');
677  return true;
678  }
679 
680  $query = "SELECT s1.type, s1.ops_id ".
681  "FROM rbac_templates s1, rbac_templates s2 ".
682  "WHERE s1.rol_id = ".$ilDB->quote($a_source1_id,'integer')." ".
683  "AND s1.parent = ".$ilDB->quote($a_source1_parent,'integer')." ".
684  "AND s2.rol_id = ".$ilDB->quote($a_source2_id,'integer')." ".
685  "AND s2.parent = ".$ilDB->quote($a_source2_parent,'integer')." ".
686  "AND s1.type = s2.type ".
687  "AND s1.ops_id = s2.ops_id";
688  $res = $ilDB->query($query);
689  $operations = array();
690  $rowNum = 0;
691  while($row = $res->fetchRow(DB_FETCHMODE_OBJECT))
692  {
693  $operations[$rowNum]['type'] = $row->type;
694  $operations[$rowNum]['ops_id'] = $row->ops_id;
695 
696  $rowNum++;
697  }
698 
699  // Delete template permissions of target
700  $query = 'DELETE FROM rbac_templates WHERE rol_id = '.$ilDB->quote($a_dest_id,'integer').' '.
701  'AND parent = '.$ilDB->quote($a_dest_parent,'integer');
702  $res = $ilDB->manipulate($query);
703 
704  $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
705  'VALUES (?,?,?,?)';
706  $sta = $ilDB->prepareManip($query,array('integer','text','integer','integer'));
707  foreach($operations as $key => $set)
708  {
709  $ilDB->execute($sta,array(
710  $a_dest_id,
711  $set['type'],
712  $set['ops_id'],
713  $a_dest_parent));
714  }
715  return true;
716  }
717 
729  public function copyRolePermissionUnion(
730  $a_source1_id,
731  $a_source1_parent,
732  $a_source2_id,
733  $a_source2_parent,
734  $a_dest_id,
735  $a_dest_parent)
736  {
737  global $ilDB, $rbacreview;
738 
739  $this->copyRoleTemplatePermissions(
740  $a_source1_id,
741  $a_source1_parent,
742  $a_dest_parent,
743  $a_dest_id
744  );
745 
746  $s1_ops = $rbacreview->getAllOperationsOfRole($a_source1_id,$a_source1_parent);
747  $s2_ops = $rbacreview->getAlloperationsOfRole($a_source2_id,$a_source2_parent);
748 
749  foreach($s2_ops as $type => $ops)
750  {
751  foreach($ops as $op)
752  {
753  if(!isset($s1_ops[$type]) or !in_array($op, $s1_ops[$type]))
754  {
755  $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
756  'VALUES( '.
757  $ilDB->quote($a_dest_id,'integer').', '.
758  $ilDB->quote($type,'text').', '.
759  $ilDB->quote($op,'integer').', '.
760  $ilDB->quote($a_dest_parent,'integer').' '.
761  ')';
762  $ilDB->manipulate($query);
763  }
764  }
765  }
766  return true;
767  }
768 
769 
780  function deleteRolePermission($a_rol_id,$a_ref_id,$a_type = false)
781  {
782  global $ilDB;
783 
784  if (!isset($a_rol_id) or !isset($a_ref_id))
785  {
786  $message = get_class($this)."::deleteRolePermission(): Missing parameter! role_id: ".$a_rol_id." ref_id: ".$a_ref_id;
787  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
788  }
789 
790  // exclude system role from rbac
791  if ($a_rol_id == SYSTEM_ROLE_ID)
792  {
793  return true;
794  }
795 
796  if ($a_type !== false)
797  {
798  $and_type = " AND type=".$ilDB->quote($a_type,'text')." ";
799  }
800 
801  $query = 'DELETE FROM rbac_templates '.
802  'WHERE rol_id = '.$ilDB->quote($a_rol_id,'integer').' '.
803  'AND parent = '.$ilDB->quote($a_ref_id,'integer').' '.
804  $and_type;
805 
806  $res = $ilDB->manipulate($query);
807 
808  return true;
809  }
810 
821  function setRolePermission($a_rol_id,$a_type,$a_ops,$a_ref_id)
822  {
823  global $ilDB;
824 
825  if (!isset($a_rol_id) or !isset($a_type) or !isset($a_ops) or !isset($a_ref_id))
826  {
827  $message = get_class($this)."::setRolePermission(): Missing parameter!".
828  " role_id: ".$a_rol_id.
829  " type: ".$a_type.
830  " operations: ".$a_ops.
831  " ref_id: ".$a_ref_id;
832  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
833  }
834 
835  if (!is_string($a_type) or empty($a_type))
836  {
837  $message = get_class($this)."::setRolePermission(): a_type is no string or empty!";
838  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
839  }
840 
841  if (!is_array($a_ops) or empty($a_ops))
842  {
843  $message = get_class($this)."::setRolePermission(): a_ops is no array or empty!";
844  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
845  }
846 
847  // exclude system role from rbac
848  if ($a_rol_id == SYSTEM_ROLE_ID)
849  {
850  return true;
851  }
852 
853  $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
854  'VALUES (?,?,?,?)';
855  $sta = $ilDB->prepareManip($query,array('integer','text','integer','integer'));
856  foreach ($a_ops as $op)
857  {
858  $res = $ilDB->execute($sta,array(
859  $a_rol_id,
860  $a_type,
861  $op,
862  $a_ref_id
863  ));
864  }
865 
866  return true;
867  }
868 
882  function assignRoleToFolder($a_rol_id,$a_parent,$a_assign = "y")
883  {
884  global $ilDB,$rbacreview;
885 
886  if (!isset($a_rol_id) or !isset($a_parent))
887  {
888  $message = get_class($this)."::assignRoleToFolder(): Missing Parameter!".
889  " role_id: ".$a_rol_id.
890  " parent_id: ".$a_parent.
891  " assign: ".$a_assign;
892  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
893  }
894 
895  // exclude system role from rbac
896  if ($a_rol_id == SYSTEM_ROLE_ID)
897  {
898  return true;
899  }
900 
901  // if a wrong value is passed, always set assign to "n"
902  if ($a_assign != "y")
903  {
904  $a_assign = "n";
905  }
906 
907  $query = sprintf('INSERT INTO rbac_fa (rol_id, parent, assign, protected) '.
908  'VALUES (%s,%s,%s,%s)',
909  $ilDB->quote($a_rol_id,'integer'),
910  $ilDB->quote($a_parent,'integer'),
911  $ilDB->quote($a_assign,'text'),
912  $ilDB->quote('n','text'));
913  $res = $ilDB->manipulate($query);
914 
915  return true;
916  }
917 
926  function assignOperationToObject($a_type_id,$a_ops_id)
927  {
928  global $ilDB;
929 
930  if (!isset($a_type_id) or !isset($a_ops_id))
931  {
932  $message = get_class($this)."::assignOperationToObject(): Missing parameter!".
933  "type_id: ".$a_type_id.
934  "ops_id: ".$a_ops_id;
935  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
936  }
937 
938  $query = "INSERT INTO rbac_ta (typ_id, ops_id) ".
939  "VALUES(".$ilDB->quote($a_type_id,'integer').",".$ilDB->quote($a_ops_id,'integer').")";
940  $res = $ilDB->manipulate($query);
941  return true;
942  }
943 
952  function deassignOperationFromObject($a_type_id,$a_ops_id)
953  {
954  global $ilDB;
955 
956  if (!isset($a_type_id) or !isset($a_ops_id))
957  {
958  $message = get_class($this)."::deassignPermissionFromObject(): Missing parameter!".
959  "type_id: ".$a_type_id.
960  "ops_id: ".$a_ops_id;
961  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
962  }
963 
964  $query = "DELETE FROM rbac_ta ".
965  "WHERE typ_id = ".$ilDB->quote($a_type_id,'integer')." ".
966  "AND ops_id = ".$ilDB->quote($a_ops_id,'integer');
967  $res = $ilDB->manipulate($query);
968 
969  return true;
970  }
971 
972  function setProtected($a_ref_id,$a_role_id,$a_value)
973  {
974  global $ilDB;
975 
976  // ref_id not used yet. protected permission acts 'global' for each role,
977  // regardless of any broken inheritance before
978  $query = 'UPDATE rbac_fa '.
979  'SET protected = '.$ilDB->quote($a_value,'text').' '.
980  'WHERE rol_id = '.$ilDB->quote($a_role_id,'integer');
981  $res = $ilDB->manipulate($query);
982  return true;
983  }
984 
995  public function copyLocalRoles($a_source_id,$a_target_id)
996  {
997  global $rbacreview,$ilLog,$ilObjDataCache;
998 
999  $source_rolf = $rbacreview->getRoleFolderIdOfObject($a_source_id);
1000  $target_rolf = $rbacreview->getRoleFolderIdOfObject($a_target_id);
1001 
1002  if(!$source_rolf)
1003  {
1004  // Nothing to do
1005  return true;
1006  }
1007  $real_local = array();
1008  foreach($rbacreview->getRolesOfRoleFolder($source_rolf,false) as $role_data)
1009  {
1010  $title = $ilObjDataCache->lookupTitle($role_data);
1011  if(substr($title,0,3) == 'il_')
1012  {
1013  continue;
1014  }
1015  $real_local[] = $role_data;
1016  }
1017  if(!count($real_local))
1018  {
1019  return true;
1020  }
1021  // Create role folder
1022  if(!$target_rolf)
1023  {
1024  $tmp_obj = ilObjectFactory::getInstanceByRefId($a_target_id,false);
1025  if(!is_object($tmp_obj))
1026  {
1027  return false;
1028  }
1029  $rolf = $tmp_obj->createRoleFolder();
1030  $target_rolf = $rolf->getRefId();
1031  $ilLog->write(__METHOD__.': Created new role folder with id '.$rolf->getRefId());
1032  }
1033  foreach($real_local as $role)
1034  {
1035  include_once ("./Services/AccessControl/classes/class.ilObjRole.php");
1036  $orig = new ilObjRole($role);
1037  $orig->read();
1038 
1039  $ilLog->write(__METHOD__.': Start copying of role '.$orig->getTitle());
1040  $roleObj = new ilObjRole();
1041  $roleObj->setTitle($orig->getTitle());
1042  $roleObj->setDescription($orig->getDescription());
1043  $roleObj->setImportId($orig->getImportId());
1044  $roleObj->create();
1045 
1046  $this->assignRoleToFolder($roleObj->getId(),$target_rolf,"y");
1047  $this->copyRolePermissions($role,$source_rolf,$target_rolf,$roleObj->getId(),true);
1048  $ilLog->write(__METHOD__.': Added new local role, id '.$roleObj->getId());
1049  }
1050 
1051  }
1052 
1064  public function adjustMovedObjectPermissions($a_ref_id,$a_old_parent)
1065  {
1066  global $rbacreview,$tree,$ilLog;
1067 
1068  $new_parent = $tree->getParentId($a_ref_id);
1069  $old_context_roles = $rbacreview->getParentRoleIds($a_old_parent,false);
1070  $new_context_roles = $rbacreview->getParentRoleIds($new_parent,false);
1071 
1072  $for_addition = $for_deletion = array();
1073  foreach($new_context_roles as $new_role_id => $new_role)
1074  {
1075  if(!isset($old_context_roles[$new_role_id]))
1076  {
1077  $for_addition[$new_role_id] = $new_role;
1078  }
1079  elseif($new_role['parent'] != $old_context_roles[$new_role_id]['parent'])
1080  {
1081  // handle stopped inheritance
1082  $for_deletion[$new_role_id] = $new_role;
1083  $for_addition[$new_role_id] = $new_role;
1084  }
1085  }
1086  foreach($old_context_roles as $old_role_id => $old_role)
1087  {
1088  if(!isset($new_context_roles[$old_role_id]))
1089  {
1090  $for_deletion[$old_role_id] = $old_role;
1091  }
1092  }
1093 
1094  if(!count($for_deletion) and !count($for_addition))
1095  {
1096  return true;
1097  }
1098 
1099  include_once "Services/AccessControl/classes/class.ilRbacLog.php";
1100  $rbac_log_active = ilRbacLog::isActive();
1101  if($rbac_log_active)
1102  {
1103  $role_ids = array_unique(array_merge(array_keys($for_deletion), array_keys($for_addition)));
1104  }
1105 
1106  foreach($nodes = $tree->getSubTree($node_data = $tree->getNodeData($a_ref_id),true) as $node_data)
1107  {
1108  $node_id = $node_data['child'];
1109 
1110  if($rbac_log_active)
1111  {
1112  $log_old = ilRbacLog::gatherFaPa($node_id, $role_ids);
1113  }
1114 
1115  // If $node_data['type'] is not set, this means there is a tree entry without
1116  // object_reference and/or object_data entry
1117  // Continue in this case
1118  if(!$node_data['type'])
1119  {
1120  $ilLog->write(__METHOD__.': No type give. Choosing next tree entry.');
1121  continue;
1122  }
1123 
1124  if(!$node_id)
1125  {
1126  $ilLog->write(__METHOD__.': Missing subtree node_id');
1127  continue;
1128  }
1129 
1130  foreach($for_deletion as $role_id => $role_data)
1131  {
1132  if($rolf_id = $rbacreview->getRoleFolderIdOfObject($node_id))
1133  {
1134  $this->deleteLocalRole($role_id,$rolf_id);
1135  }
1136  $this->revokePermission($node_id,$role_id,false);
1137 //var_dump("<pre>",'REVOKE',$role_id,$node_id,$rolf_id,"</pre>");
1138  }
1139  foreach($for_addition as $role_id => $role_data)
1140  {
1141  $this->grantPermission(
1142  $role_id,
1143  $ops = $rbacreview->getOperationsOfRole($role_id,$node_data['type'],$role_data['parent']),
1144  $node_id);
1145 //var_dump("<pre>",'GRANT',$role_id,$ops,$role_id,$node_data['type'],$role_data['parent'],"</pre>");
1146  }
1147 
1148  if($rbac_log_active)
1149  {
1150  $log_new = ilRbacLog::gatherFaPa($node_id, $role_ids);
1151  $log = ilRbacLog::diffFaPa($log_old, $log_new);
1152  ilRbacLog::add(ilRbacLog::MOVE_OBJECT, $node_id, $log);
1153  }
1154  }
1155 
1156  }
1157 } // END class.ilRbacAdmin
1158 ?>