ILIAS  release_4-4 Revision
Public Member Functions | Static Public Member Functions | Data Fields | Protected Member Functions | Protected Attributes | Static Protected Attributes | Private Member Functions | Static Private Attributes
ilRbacSystem Class Reference
Services/AccessControl

class ilRbacSystem system function like checkAccess, addActiveRole ... More...

+ Collaboration diagram for ilRbacSystem:

Public Member Functions

 checkAccess ($a_operations, $a_ref_id, $a_type="")
 checkAccess represents the main method of the RBAC-system in ILIAS3 developers want to use With this method you check the permissions a use may have due to its roles on an specific object. More...
 
 checkAccessOfUser ($a_user_id, $a_operations, $a_ref_id, $a_type="")
 
 preloadRbacPaCache ($a_ref_ids, $a_user_id)
 Preload rbac_pa cache. More...
 
 checkPermission ($a_ref_id, $a_rol_id, $a_operation)
 check if a specific role has the permission '$a_operation' of an object public More...
 
 __filterOwnerPermissions ($a_user_id, $a_operations, $a_ref_id)
 
 initMemberView ()
 Init member view. More...
 
 addTemporaryRole ($a_usr_id, $a_role_id)
 
 resetPACache ($a_usr_id, $a_ref_id)
 

Static Public Member Functions

static getInstance ()
 

Data Fields

 $ilias
 

Protected Member Functions

 ilRbacSystem ()
 Constructor public. More...
 

Protected Attributes

 $mem_view
 

Static Protected Attributes

static $instance = null
 
static $user_role_cache = array()
 

Private Member Functions

 fetchAssignedRoles ($a_usr_id, $a_ref_id)
 Fetch assigned roles This method caches the assigned roles per user. More...
 

Static Private Attributes

static $_paCache = null
 
static $_checkAccessOfUserCache = null
 

Detailed Description

class ilRbacSystem system function like checkAccess, addActiveRole ...

Supporting system functions are required for session management and in making access control decisions. This class depends on the session since we offer the possiblility to add or delete active roles during one session.

Author
Stefan Meyer meyer.nosp@m.@lei.nosp@m.fos.c.nosp@m.om
Version
$Id$

Definition at line 36 of file class.ilRbacSystem.php.

Member Function Documentation

◆ __filterOwnerPermissions()

ilRbacSystem::__filterOwnerPermissions (   $a_user_id,
  $a_operations,
  $a_ref_id 
)

Definition at line 340 of file class.ilRbacSystem.php.

References $ilUser.

Referenced by checkAccessOfUser().

341  {
342  global $ilObjDataCache,$ilUser;
343 
344  // member view constraints
345  if($this->mem_view['active'] and $a_user_id == $ilUser->getId())
346  {
347  if(in_array($a_ref_id, $this->mem_view['items']))
348  {
349  return $a_operations;
350  }
351  }
352 
353  if($a_user_id != $ilObjDataCache->lookupOwner($ilObjDataCache->lookupObjId($a_ref_id)))
354  {
355  return $a_operations;
356  }
357  // Is owner
358  $new_ops = false;
359  foreach(explode(",",$a_operations) as $operation)
360  {
361  if($operation != 'cat_administrate_users' and $operation != 'edit_permission' and $operation != 'edit_learning_progress' and !preg_match('/^create/',$operation))
362  {
363  continue;
364  }
365  if(!strlen($new_ops))
366  {
367  $new_ops = $operation;
368  }
369  else
370  {
371  $new_ops .= (','.$operation);
372  }
373  }
374  return $new_ops;
375 
376 
377  }
$ilUser
global $ilUser
Definition: imgupload.php:15
+ Here is the caller graph for this function:

◆ addTemporaryRole()

ilRbacSystem::addTemporaryRole (   $a_usr_id,
  $a_role_id 
)

Definition at line 461 of file class.ilRbacSystem.php.

462  {
463  if(!in_array($a_role_id, self::$user_role_cache[$a_usr_id]))
464  {
465  self::$user_role_cache[$a_usr_id][] = $a_role_id;
466  }
467  }

◆ checkAccess()

ilRbacSystem::checkAccess (   $a_operations,
  $a_ref_id,
  $a_type = "" 
)

checkAccess represents the main method of the RBAC-system in ILIAS3 developers want to use With this method you check the permissions a use may have due to its roles on an specific object.

The first parameter are the operation(s) the user must have The second & third parameter specifies the object where the operation(s) may apply to The last parameter is only required, if you ask for the 'create' operation. Here you specify the object type which you want to create.

example: $rbacSystem->checkAccess("visible,read",23); Here you ask if the user is allowed to see ('visible') and access the object by reading it ('read'). The reference_id is 23 in the tree structure.

public

Parameters
stringone or more operations, separated by commas (i.e.: visible,read,join)
integerthe child_id in tree (usually a reference_id, no object_id !!)
stringthe type definition abbreviation (i.e.: frm,grp,crs)
Returns
boolean returns true if ALL passed operations are given, otherwise false

Definition at line 103 of file class.ilRbacSystem.php.

References $ilBench, $ilUser, $result, and checkAccessOfUser().

Referenced by initMemberView().

104  {
105  global $ilUser,$ilBench;
106 
107  $ilBench->start("RBAC", "system_checkAccess");
108 
109  $result = $this->checkAccessOfUser($ilUser->getId(), $a_operations, $a_ref_id, $a_type);
110 
111  $ilBench->stop("RBAC", "system_checkAccess");
112 
113  return $result;
114  }
$result
$result
Definition: CleanUpTest.php:407
ilRbacSystem\checkAccessOfUser
checkAccessOfUser($a_user_id, $a_operations, $a_ref_id, $a_type="")
Definition: class.ilRbacSystem.php:116
$ilUser
global $ilUser
Definition: imgupload.php:15
$ilBench
global $ilBench
Definition: ilias.php:18
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ checkAccessOfUser()

ilRbacSystem::checkAccessOfUser (   $a_user_id,
  $a_operations,
  $a_ref_id,
  $a_type = "" 
)

Definition at line 116 of file class.ilRbacSystem.php.

References $GLOBALS, $ilLog, $ilUser, $r, $row, __filterOwnerPermissions(), ilRbacReview\_getOperationIdByName(), DB_FETCHMODE_OBJECT, fetchAssignedRoles(), and ilDB\query().

Referenced by checkAccess().

117  {
118  global $ilUser, $rbacreview,$ilObjDataCache,$ilDB,$ilLog;
119 
120  // Create the user cache key
121  $cacheKey = $a_user_id.':'.$a_operations.':'.$a_ref_id.':'.$a_type;
122 
123  // Create the cache if it does not yet exist
124  if (! is_array(self::$_checkAccessOfUserCache)) {
125  self::$_checkAccessOfUserCache = array();
126  }
127 
128  // Try to return result from cache
129  if (array_key_exists($cacheKey, self::$_checkAccessOfUserCache)) {
130  return self::$_checkAccessOfUserCache[$cacheKey];
131  }
132 
133  #echo ++$counter;
134 
135  // DISABLED
136  // Check For owner
137  // Owners do always have full access to their objects
138  // Excluded are the permissions create and perm
139  // This method call return all operations that are NOT granted by the owner status
140  if(!$a_operations = $this->__filterOwnerPermissions($a_user_id,$a_operations,$a_ref_id))
141  {
142  // Store positive outcome in cache.
143  // Note: we only cache up to 1000 results to avoid memory overflows
144  if (count(self::$_checkAccessOfUserCache) < 1000) {
145  self::$_checkAccessOfUserCache[$cacheKey] = true;
146  }
147  return true;
148  }
149 
150 
151  // get roles using role cache
152  $roles = $this->fetchAssignedRoles($a_user_id,$a_ref_id);
153 
154  // exclude system role from rbac
155  if (in_array(SYSTEM_ROLE_ID, $roles))
156  {
157  // Store positive outcome in cache.
158  // Note: we only cache up to 1000 results to avoid memory overflows
159  if (count(self::$_checkAccessOfUserCache) < 1000) {
160  self::$_checkAccessOfUserCache[$cacheKey] = true;
161  }
162  return true;
163  }
164 
165  if (!isset($a_operations) or !isset($a_ref_id))
166  {
167  $GLOBALS['ilLog']->logStack();
168  $this->ilErr->raiseError(get_class($this)."::checkAccess(): Missing parameter! ".
169  "ref_id: ".$a_ref_id." operations: ".$a_operations,$this->ilErr->WARNING);
170  }
171 
172  if (!is_string($a_operations))
173  {
174  $GLOBALS['ilLog']->logStack();
175  $this->ilErr->raiseError(get_class($this)."::checkAccess(): Wrong datatype for operations!",$this->ilErr->WARNING);
176  }
177 
178  // Create the PA cache if it does not exist yet
179  $paCacheKey = $a_user_id.':'.$a_ref_id;
180  if (! is_array(self::$_paCache)) {
181  self::$_paCache = array();
182  }
183 
184  if (array_key_exists($paCacheKey, self::$_paCache)) {
185  // Return result from PA cache
186  $ops = self::$_paCache[$paCacheKey];
187  }
188  else
189  {
190  // Data is not in PA cache, perform database query
191  $q = "SELECT * FROM rbac_pa ".
192  "WHERE ref_id = ".$ilDB->quote($a_ref_id, 'integer');
193 
194  $r = $this->ilDB->query($q);
195 
196  $ops = array();
197 
198  while ($row = $r->fetchRow(DB_FETCHMODE_OBJECT))
199  {
200  if (in_array($row->rol_id, $roles))
201  {
202  $ops = array_merge($ops,unserialize(stripslashes($row->ops_id)));
203  }
204  }
205  // Cache up to 1000 entries in the PA cache
206  if (count(self::$_paCache) < 1000)
207  {
208  self::$_paCache[$paCacheKey] = $ops;
209  }
210  }
211 
212  $operations = explode(",",$a_operations);
213  foreach ($operations as $operation)
214  {
215  if ($operation == "create")
216  {
217  if (empty($a_type))
218  {
219  $this->ilErr->raiseError(get_class($this)."::CheckAccess(): Expect a type definition for checking a 'create' permission",
220  $this->ilErr->WARNING);
221  }
222 
223  $ops_id = ilRbacReview::_getOperationIdByName($operation."_".$a_type);
224  }
225  else
226  {
227  $ops_id = ilRbacReview::_getOperationIdByName($operation);
228  }
229  if (! in_array($ops_id,(array) $ops))
230  {
231  //$ilLog->write('PERMISSION: '.$a_ref_id.' -> '.$a_ops_id.' failed');
232  // Store negative outcome in cache.
233  // Note: we only cache up to 1000 results to avoid memory overflows
234  if (count(self::$_checkAccessOfUserCache) < 1000)
235  {
236  self::$_checkAccessOfUserCache[$cacheKey] = false;
237  }
238  return false;
239  }
240  }
241 
242  // Store positive outcome in cache.
243  // Note: we only cache up to 1000 results to avoid memory overflows
244  if (count(self::$_checkAccessOfUserCache) < 1000)
245  {
246  //$ilLog->write('PERMISSION: '.$a_ref_id.' -> '.$ops_id.' granted');
247  self::$_checkAccessOfUserCache[$cacheKey] = true;
248  }
249  return true;
250  }
ilDB\query
query($sql, $a_handle_error=true)
Query.
Definition: class.ilDB.php:1347
DB_FETCHMODE_OBJECT
const DB_FETCHMODE_OBJECT
Definition: class.ilDB.php:11
ilRbacSystem\fetchAssignedRoles
fetchAssignedRoles($a_usr_id, $a_ref_id)
Fetch assigned roles This method caches the assigned roles per user.
Definition: class.ilRbacSystem.php:387
$GLOBALS
$GLOBALS['ct_recipient']
Definition: example_form.ajax.php:4
$ilLog
$ilLog
Definition: inc.setup_header.php:126
ilRbacReview\_getOperationIdByName
static _getOperationIdByName($a_operation)
get operation id by name of operation public static
Definition: class.ilRbacReview.php:1780
$ilUser
global $ilUser
Definition: imgupload.php:15
ilDB
Database Wrapper.
Definition: class.ilDB.php:28
ilRbacSystem\__filterOwnerPermissions
__filterOwnerPermissions($a_user_id, $a_operations, $a_ref_id)
Definition: class.ilRbacSystem.php:340
$r
$r
Definition: shib_logout.php:151
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ checkPermission()

ilRbacSystem::checkPermission (   $a_ref_id,
  $a_rol_id,
  $a_operation 
)

check if a specific role has the permission '$a_operation' of an object public

Parameters
integerreference id of object
integerrole id
stringthe permission to check
Returns
boolean

Definition at line 314 of file class.ilRbacSystem.php.

References $query, $res, and $row.

315  {
316  global $ilDB;
317 
318  $ops = array();
319 
320  $query = 'SELECT ops_id FROM rbac_operations '.
321  'WHERE operation = '.$ilDB->quote($a_operation,'text');
322  $res = $ilDB->query($query);
323  while($row = $ilDB->fetchObject($res))
324  {
325  $ops_id = $row->ops_id;
326  }
327 
328  $query = "SELECT * FROM rbac_pa ".
329  "WHERE rol_id = ".$ilDB->quote($a_rol_id,'integer')." ".
330  "AND ref_id = ".$ilDB->quote($a_ref_id,'integer')." ";
331  $res = $ilDB->query($query);
332 
333  while($row = $ilDB->fetchObject($res))
334  {
335  $ops = array_merge($ops,unserialize($row->ops_id));
336  }
337  return in_array($ops_id,$ops);
338  }

◆ fetchAssignedRoles()

ilRbacSystem::fetchAssignedRoles (   $a_usr_id,
  $a_ref_id 
)
private

Fetch assigned roles This method caches the assigned roles per user.

private

Parameters
intuser id

Definition at line 387 of file class.ilRbacSystem.php.

References $ilUser.

Referenced by checkAccessOfUser(), and preloadRbacPaCache().

388  {
389  global $ilUser,$rbacreview;
390 
391  // Member view constraints
392  if($this->mem_view['active'] and $a_usr_id == $ilUser->getId())
393  {
394  // check if current ref_id is subitem of active container
395  if(in_array($a_ref_id, $this->mem_view['items']) and $this->mem_view['role'])
396  {
397  // Return default member role
398  return array($this->mem_view['role']);
399  }
400  }
401 
402  if(isset(self::$user_role_cache[$a_usr_id]) and is_array(self::$user_role_cache))
403  {
404  return self::$user_role_cache[$a_usr_id];
405  }
406 
407 
408 
409  return self::$user_role_cache[$a_usr_id] = $rbacreview->assignedRoles($a_usr_id);
410  }
$ilUser
global $ilUser
Definition: imgupload.php:15
+ Here is the caller graph for this function:

◆ getInstance()

static ilRbacSystem::getInstance ( )
static

Definition at line 75 of file class.ilRbacSystem.php.

References ilRbacSystem().

Referenced by ilInitialisation\initAccessHandling().

76  {
77  if(self::$instance)
78  {
79  return self::$instance;
80  }
81  return self::$instance = new ilRbacSystem();
82  }
ilRbacSystem\ilRbacSystem
ilRbacSystem()
Constructor public.
Definition: class.ilRbacSystem.php:55
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ ilRbacSystem()

ilRbacSystem::ilRbacSystem ( )
protected

Constructor public.

Definition at line 55 of file class.ilRbacSystem.php.

References $ilErr, $ilias, if, and PEAR_ERROR_CALLBACK.

Referenced by getInstance().

56  {
57  global $ilDB,$ilErr,$ilias;
58 
59  $this->ilias =& $ilias;
60 
61  // set db & error handler
62  (isset($ilDB)) ? $this->ilDB =& $ilDB : $this->ilDB =& $ilias->db;
63 
64  if (!isset($ilErr))
65  {
66  $ilErr = new ilErrorHandling();
67  $ilErr->setErrorHandling(PEAR_ERROR_CALLBACK,array($ilErr,'errorHandler'));
68  }
69  else
70  {
71  $this->ilErr =& $ilErr;
72  }
73  }
PEAR_ERROR_CALLBACK
const PEAR_ERROR_CALLBACK
Definition: PEAR.php:35
ilias
redirection script todo: (a better solution should control the processing via a xml file) ...
if
if(!file_exists(getcwd().'/ilias.ini.php')) if(isset( $_GET["client_id"]))
registration confirmation script for ilias
Definition: confirmReg.php:20
ilErrorHandling
Error Handling & global info handling uses PEAR error class.
Definition: class.ilErrorHandling.php:17
ilDB
Database Wrapper.
Definition: class.ilDB.php:28
$ilErr
$ilErr
Definition: inc.setup_header.php:81
+ Here is the caller graph for this function:

◆ initMemberView()

ilRbacSystem::initMemberView ( )

Init member view.

Returns

Definition at line 416 of file class.ilRbacSystem.php.

References $_GET, checkAccess(), ilParticipants\getDefaultMemberRole(), and ilMemberViewSettings\getInstance().

417  {
418  include_once './Services/Container/classes/class.ilMemberViewSettings.php';
419  $settings = ilMemberViewSettings::getInstance();
420 
421  if(!isset($_GET['mv']))
422  {
423  // nothing to do
424  return true;
425  }
426 
427  // disable member view
428  if(!$_GET['mv'])
429  {
430  // force deactivation
431  $settings->toggleActivation((int) $_GET['ref_id'], false);
432  }
433  else
434  {
435  if($this->checkAccess('write', (int) $_GET['ref_id']))
436  {
437  $settings->toggleActivation((int) $_GET['ref_id'], true);
438  }
439  }
440 
441  if(!$settings->isActive())
442  {
443  $this->mem_view['active'] = false;
444  $this->mem_view['items'] = array();
445  $this->mem_view['role'] = 0;
446  }
447  else
448  {
449  global $tree;
450 
451  $this->mem_view['active'] = true;
452  $this->mem_view['items'] = $tree->getSubTreeIds($settings->getContainer());
453  $this->mem_view['items'] = array_merge($this->mem_view['items'],array($settings->getContainer()));
454  include_once './Services/Membership/classes/class.ilParticipants.php';
455  $this->mem_view['role'] = ilParticipants::getDefaultMemberRole($settings->getContainer());
456 
457  }
458  return true;
459  }
$_GET
$_GET["client_id"]
Definition: cfg.phpunit.template.php:12
ilParticipants\getDefaultMemberRole
static getDefaultMemberRole($a_ref_id)
Definition: class.ilParticipants.php:344
ilRbacSystem\checkAccess
checkAccess($a_operations, $a_ref_id, $a_type="")
checkAccess represents the main method of the RBAC-system in ILIAS3 developers want to use With this ...
Definition: class.ilRbacSystem.php:103
ilMemberViewSettings\getInstance
static getInstance()
Get instance.
Definition: class.ilMemberViewSettings.php:51
+ Here is the call graph for this function:

◆ preloadRbacPaCache()

ilRbacSystem::preloadRbacPaCache (   $a_ref_ids,
  $a_user_id 
)

Preload rbac_pa cache.

Parameters

Definition at line 258 of file class.ilRbacSystem.php.

References $r, $ref_id, $row, DB_FETCHMODE_OBJECT, fetchAssignedRoles(), and ilDB\query().

259  {
260  global $ilDB;
261 
262  if (!is_array($a_ref_ids))
263  {
264  return;
265  }
266 
267  $ref_ids = array();
268  foreach ($a_ref_ids as $ref_id)
269  {
270  if (!isset(self::$_paCache[$a_user_id.":".$ref_id]))
271  {
272  $roles[$ref_id] = $this->fetchAssignedRoles($a_user_id, $ref_id);
273  $ops[$ref_id] = array();
274  $ref_ids[] = $ref_id;
275  }
276  }
277 
278  if (count($ref_ids) > 0)
279  {
280 
281  // Data is not in PA cache, perform database query
282  $q = "SELECT * FROM rbac_pa ".
283  "WHERE ".$ilDB->in("ref_id", $ref_ids, false, "integer");
284 
285  $r = $this->ilDB->query($q);
286 
287  while ($row = $r->fetchRow(DB_FETCHMODE_OBJECT))
288  {
289  if (in_array($row->rol_id, $roles[$row->ref_id]))
290  {
291  $ops[$row->ref_id] = array_merge($ops[$row->ref_id],
292  unserialize(stripslashes($row->ops_id)));
293  }
294  }
295  foreach ($a_ref_ids as $ref_id)
296  {
297  // #11313
298  if (!isset(self::$_paCache[$a_user_id.":".$ref_id]))
299  {
300  self::$_paCache[$a_user_id.":".$ref_id] = $ops[$ref_id];
301  }
302  }
303  }
304  }
ilDB\query
query($sql, $a_handle_error=true)
Query.
Definition: class.ilDB.php:1347
DB_FETCHMODE_OBJECT
const DB_FETCHMODE_OBJECT
Definition: class.ilDB.php:11
ilRbacSystem\fetchAssignedRoles
fetchAssignedRoles($a_usr_id, $a_ref_id)
Fetch assigned roles This method caches the assigned roles per user.
Definition: class.ilRbacSystem.php:387
ilDB
Database Wrapper.
Definition: class.ilDB.php:28
$ref_id
$ref_id
Definition: sahs_server.php:39
$r
$r
Definition: shib_logout.php:151
+ Here is the call graph for this function:

◆ resetPACache()

ilRbacSystem::resetPACache (   $a_usr_id,
  $a_ref_id 
)

Definition at line 469 of file class.ilRbacSystem.php.

470  {
471  $paCacheKey = $a_usr_id.':'.$a_ref_id;
472  unset(self::$_paCache[$paCacheKey]);
473  }

Field Documentation

◆ $_checkAccessOfUserCache

ilRbacSystem::$_checkAccessOfUserCache = null
staticprivate

Definition at line 49 of file class.ilRbacSystem.php.

◆ $_paCache

ilRbacSystem::$_paCache = null
staticprivate

Definition at line 46 of file class.ilRbacSystem.php.

◆ $ilias

ilRbacSystem::$ilias

Definition at line 43 of file class.ilRbacSystem.php.

Referenced by ilRbacSystem().

◆ $instance

ilRbacSystem::$instance = null
staticprotected

Definition at line 38 of file class.ilRbacSystem.php.

◆ $mem_view

ilRbacSystem::$mem_view
protected

Definition at line 40 of file class.ilRbacSystem.php.

◆ $user_role_cache

ilRbacSystem::$user_role_cache = array()
staticprotected

Definition at line 42 of file class.ilRbacSystem.php.

The documentation for this class was generated from the following file: