ILIAS  release_10 Revision v10.1-43-ga1241a92c2f
class.ilOrgUnitPositionAccess.php
Go to the documentation of this file.
1 <?php
2 
24 class ilOrgUnitPositionAccess implements ilOrgUnitPositionAccessHandler, ilOrgUnitPositionAndRBACAccessHandler
25 {
26  protected static array $ref_id_obj_type_map = array();
27  private \ilOrgUnitGlobalSettings $set;
28  private ilAccess $access;
29  private ilObjUser $user;
30  protected \ilOrgUnitUserAssignmentDBRepository $assignmentRepo;
31  protected \ilOrgUnitOperationDBRepository $operationRepo;
32  protected \ilOrgUnitPermissionDBRepository $permissionRepo;
33 
34  public function __construct(ilAccess $access)
35  {
36  global $DIC;
37  $this->set = ilOrgUnitGlobalSettings::getInstance();
38  $this->access = $access;
39  $this->user = $DIC->user();
40 
41  $dic = \ilOrgUnitLocalDIC::dic();
42  $this->assignmentRepo = $dic["repo.UserAssignments"];
43  $this->operationRepo = $dic["repo.Operations"];
44  $this->permissionRepo = $dic["repo.Permissions"];
45  }
46 
47 
49  public function filterUserIdsForCurrentUsersPositionsAndPermission(
50  array $user_ids,
51  string $permission
52  ): array {
53  $current_user_id = $this->getCurrentUsersId();
54  return $this->filterUserIdsForUsersPositionsAndPermission($user_ids, $current_user_id, $permission);
55  }
56 
57 
58 
60  public function filterUserIdsForUsersPositionsAndPermission(
61  array $user_ids,
62  int $for_user_id,
63  string $permission
64  ): array {
65  $assignment_of_user = $this->assignmentRepo->getByUsers([$for_user_id]);
66  $other_users_in_same_org_units = [];
67  foreach ($assignment_of_user as $assignment) {
68  $other_users_in_same_org_units += $this->assignmentRepo->getUsersByOrgUnits([$assignment->getOrguId()]);
69  }
70 
71  return array_intersect($user_ids, $other_users_in_same_org_units);
72  }
73 
75  public function isCurrentUserBasedOnPositionsAllowedTo(string $permission, array $on_user_ids): bool
76  {
77  $current_user_id = $this->getCurrentUsersId();
78 
79  return $this->isUserBasedOnPositionsAllowedTo($current_user_id, $permission, $on_user_ids);
80  }
81 
82 
84  public function isUserBasedOnPositionsAllowedTo(
85  int $which_user_id,
86  string $permission,
87  array $on_user_ids
88  ): bool {
89  $filtered_user_ids = $this->filterUserIdsForUsersPositionsAndPermission(
90  $on_user_ids,
91  $which_user_id,
92  $permission
93  );
94 
95  return ($on_user_ids === array_intersect($on_user_ids, $filtered_user_ids)
96  && $filtered_user_ids === array_intersect($filtered_user_ids, $on_user_ids));
97  }
98 
99 
101  public function filterUserIdsByPositionOfCurrentUser(string $pos_perm, int $ref_id, array $user_ids): array
102  {
103  $current_user_id = $this->getCurrentUsersId();
104 
105  return $this->filterUserIdsByPositionOfUser($current_user_id, $pos_perm, $ref_id, $user_ids);
106  }
107 
108 
110  public function filterUserIdsByPositionOfUser(
111  int $user_id,
112  string $pos_perm,
113  int $ref_id,
114  array $user_ids
115  ): array {
116  if (!$this->isPositionActiveForRefId($ref_id)) {
117  return [];
118  }
119 
120  $operation = $this->operationRepo->find($pos_perm, $this->getTypeForRefId($ref_id));
121  if (!$operation) {
122  return [];
123  }
124 
125  $allowed_user_ids = [];
126  foreach ($this->assignmentRepo->getPositionsByUser($user_id) as $position) {
127  $permissions = $this->permissionRepo->getLocalorDefault($ref_id, $position->getId());
128  if (!$permissions->isOperationIdSelected($operation->getOperationId())) {
129  continue;
130  }
131 
132  foreach ($position->getAuthorities() as $authority) {
133  switch ($authority->getOver()) {
134  case ilOrgUnitAuthority::OVER_EVERYONE:
135  switch ($authority->getScope()) {
136  case ilOrgUnitAuthority::SCOPE_SAME_ORGU:
137  $allowed = $this->assignmentRepo->getUsersByUserAndPosition(
138  $user_id,
139  $position->getId(),
140  false
141  );
142  $allowed_user_ids = array_merge($allowed_user_ids, $allowed);
143  break;
144  case ilOrgUnitAuthority::SCOPE_SUBSEQUENT_ORGUS:
145  $allowed = $this->assignmentRepo->getUsersByUserAndPosition(
146  $user_id,
147  $position->getId(),
148  true
149  );
150  $allowed_user_ids = array_merge($allowed_user_ids, $allowed);
151  break;
152  }
153  break;
154  default:
155  switch ($authority->getScope()) {
156  case ilOrgUnitAuthority::SCOPE_SAME_ORGU:
157  $allowed = $this->assignmentRepo->getFilteredUsersByUserAndPosition(
158  $user_id,
159  $authority->getPositionId(),
160  $authority->getOver(),
161  false
162  );
163  $allowed_user_ids = array_merge($allowed_user_ids, $allowed);
164  break;
165  case ilOrgUnitAuthority::SCOPE_SUBSEQUENT_ORGUS:
166  $allowed = $this->assignmentRepo->getFilteredUsersByUserAndPosition(
167  $user_id,
168  $authority->getPositionId(),
169  $authority->getOver(),
170  true
171  );
172  $allowed_user_ids = array_merge($allowed_user_ids, $allowed);
173  break;
174  }
175  break;
176  }
177  }
178  }
179  $allowed_user_ids[] = $this->user->getId();
180  return array_intersect($user_ids, $allowed_user_ids);
181  }
182 
183 
184  public function checkPositionAccess(string $pos_perm, int $ref_id): bool
185  {
186  if (!$this->isPositionActiveForRefId($ref_id)) {
187  return false;
188  }
189 
190  $operation = $this->operationRepo->find($pos_perm, $this->getTypeForRefId($ref_id));
191  if (!$operation) {
192  return false;
193  }
194  $current_user_id = $this->getCurrentUsersId();
195 
196  foreach ($this->assignmentRepo->getPositionsByUser($current_user_id) as $position) {
197  $permissions = $this->permissionRepo->getLocalorDefault($ref_id, $position->getId());
198  if ($permissions->isOperationIdSelected($operation->getOperationId())) {
199  return true;
200  }
201  }
202 
203  return false;
204  }
205 
206 
207  public function hasCurrentUserAnyPositionAccess(int $ref_id): bool
208  {
209  if (!$this->isPositionActiveForRefId($ref_id)) {
210  return false;
211  }
212 
213  $current_user_id = $this->getCurrentUsersId();
214 
215  foreach ($this->assignmentRepo->getPositionsByUser($current_user_id) as $position) {
216  $permissions = $this->permissionRepo->getLocalorDefault($ref_id, $position->getId());
217  if (count($permissions->getOperations()) > 0) {
218  return true;
219  }
220  }
221 
222  return false;
223  }
224 
225 
226  public function checkRbacOrPositionPermissionAccess(string $rbac_perm, string $pos_perm, int $ref_id): bool
227  {
228  // If RBAC allows, just return true
229  if ($this->access->checkAccess($rbac_perm, '', $ref_id)) {
230  return true;
231  }
232 
233  if (!$this->isPositionActiveForRefId($ref_id)) {
234  return false;
235  }
236 
237  return $this->checkPositionAccess($pos_perm, $ref_id);
238  }
239 
240 
241  public function filterUserIdsByRbacOrPositionOfCurrentUser(
242  string $rbac_perm,
243  string $pos_perm,
244  int $ref_id,
245  array $user_ids
246  ): array {
247  global $DIC;
248 
249  // If RBAC allows, just return true
250  if ($this->access->checkAccess($rbac_perm, '', $ref_id)) {
251  return $user_ids;
252  }
253 
254  return $this->filterUserIdsByPositionOfCurrentUser($pos_perm, $ref_id, $user_ids);
255  }
256 
257 
258  public function hasUserRBACorAnyPositionAccess(string $rbac_perm, int $ref_id): bool
259  {
260  if ($this->access->checkAccess($rbac_perm, '', $ref_id)) {
261  return true;
262  }
263 
264  return $this->hasCurrentUserAnyPositionAccess($ref_id);
265  }
266 
267 
268  //
269  // Helpers
270  //
271 
272  private function getCurrentUsersId(): int
273  {
274  return $this->user->getId();
275  }
276 
277 
278  private function getTypeForRefId(int $ref_id): string
279  {
280  if (!isset(self::$ref_id_obj_type_map[$ref_id])) {
281  self::$ref_id_obj_type_map[$ref_id] = ilObject2::_lookupType($ref_id, true);
282  }
283 
284  return self::$ref_id_obj_type_map[$ref_id];
285  }
286 
287  private function getObjIdForRefId(int $ref_id): int
288  {
289  return ilObject2::_lookupObjectId($ref_id);
290  }
291 
292  private function isPositionActiveForRefId(int $ref_id): bool
293  {
294  $obj_id = $this->getObjIdForRefId($ref_id); // TODO this will change to ref_id!!
295 
296  return $this->set->isPositionAccessActiveForObject($obj_id);
297  }
298 }
ilOrgUnitPositionAccess\isUserBasedOnPositionsAllowedTo
isUserBasedOnPositionsAllowedTo(int $which_user_id, string $permission, array $on_user_ids)
Definition: class.ilOrgUnitPositionAccess.php:84
ilOrgUnitPositionAccess\$permissionRepo
ilOrgUnitPermissionDBRepository $permissionRepo
Definition: class.ilOrgUnitPositionAccess.php:32
ilOrgUnitPositionAccess\hasUserRBACorAnyPositionAccess
hasUserRBACorAnyPositionAccess(string $rbac_perm, int $ref_id)
Definition: class.ilOrgUnitPositionAccess.php:258
ilOrgUnitPositionAccess\checkPositionAccess
checkPositionAccess(string $pos_perm, int $ref_id)
Definition: class.ilOrgUnitPositionAccess.php:184
ilOrgUnitPositionAccess\filterUserIdsByPositionOfCurrentUser
filterUserIdsByPositionOfCurrentUser(string $pos_perm, int $ref_id, array $user_ids)
Definition: class.ilOrgUnitPositionAccess.php:101
ilOrgUnitPositionAccess
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: class.ilOrgUnitPositionAccess.php:24
ilOrgUnitPositionAndRBACAccessHandler
Interface ilOrgUnitPositionAndRBACAccessHandler Provides access checks due to a users OrgUnit-Positio...
Definition: class.ilOrgUnitPositionAndRBACAccessHandler.php:8
ilOrgUnitPositionAccess\$assignmentRepo
ilOrgUnitUserAssignmentDBRepository $assignmentRepo
Definition: class.ilOrgUnitPositionAccess.php:30
$ref_id
$ref_id
Definition: ltiauth.php:66
$DIC
global $DIC
Definition: shib_login.php:25
ilObject\_lookupObjectId
static _lookupObjectId(int $ref_id)
Definition: class.ilObject.php:1117
ilOrgUnitPositionAccess\filterUserIdsByPositionOfUser
filterUserIdsByPositionOfUser(int $user_id, string $pos_perm, int $ref_id, array $user_ids)
Definition: class.ilOrgUnitPositionAccess.php:110
ilOrgUnitPositionAccess\checkRbacOrPositionPermissionAccess
checkRbacOrPositionPermissionAccess(string $rbac_perm, string $pos_perm, int $ref_id)
Definition: class.ilOrgUnitPositionAccess.php:226
ilOrgUnitPositionAccessHandler
Interface ilOrgUnitPositionAccessHandler Provides access checks due to a users OrgUnit-Positions.
Definition: class.ilOrgUnitPositionAccessHandler.php:8
ilOrgUnitPositionAccess\filterUserIdsForCurrentUsersPositionsAndPermission
filterUserIdsForCurrentUsersPositionsAndPermission(array $user_ids, string $permission)
Definition: class.ilOrgUnitPositionAccess.php:49
ilOrgUnitPositionAccess\filterUserIdsByRbacOrPositionOfCurrentUser
filterUserIdsByRbacOrPositionOfCurrentUser(string $rbac_perm, string $pos_perm, int $ref_id, array $user_ids)
Definition: class.ilOrgUnitPositionAccess.php:241
$dic
$dic
Definition: ltiresult.php:33
ilOrgUnitPositionAccess\filterUserIdsForUsersPositionsAndPermission
filterUserIdsForUsersPositionsAndPermission(array $user_ids, int $for_user_id, string $permission)
Definition: class.ilOrgUnitPositionAccess.php:60
ilOrgUnitPositionAccess\isCurrentUserBasedOnPositionsAllowedTo
isCurrentUserBasedOnPositionsAllowedTo(string $permission, array $on_user_ids)
Definition: class.ilOrgUnitPositionAccess.php:75
ilObject\_lookupType
static _lookupType(int $id, bool $reference=false)
Definition: class.ilObject.php:1085
ilOrgUnitPositionAccess\$operationRepo
ilOrgUnitOperationDBRepository $operationRepo
Definition: class.ilOrgUnitPositionAccess.php:31