ILIAS  release_4-4 Revision
ilRbacAdmin Class Reference

Class ilRbacAdmin. Core functions for role based access control.

Public Member Functions

 ilRbacAdmin ()
 Constructor.

 removeUser ($a_usr_id)
 Deletes a user from rbac_ua; all user <-> role relations are deleted.

 deleteRole ($a_rol_id, $a_ref_id)
 Deletes a role and deletes entries in object_data, rbac_pa, rbac_templates, rbac_ua, rbac_fa.

 deleteTemplate ($a_obj_id)
 Deletes a template from role folder and deletes all entries in rbac_templates, rbac_fa.

 deleteLocalRole ($a_rol_id, $a_ref_id=0)
 Deletes a local role and entries in rbac_fa and rbac_templates.

 assignUser ($a_rol_id, $a_usr_id, $a_default=false)
 Assigns a user to a role.

 deassignUser ($a_rol_id, $a_usr_id)
 Deassigns a user from a role.

 grantPermission ($a_rol_id, $a_ops, $a_ref_id)
 Grants a permission to an object and a specific role.

 revokePermission ($a_ref_id, $a_rol_id=0, $a_keep_protected=true)
 Revokes permissions of an object of one role.

 revokeSubtreePermissions ($a_ref_id, $a_role_id)
 Revoke subtree permissions.

 deleteSubtreeTemplates ($a_ref_id, $a_rol_id)
 Delete all template permissions of subtree nodes.

 revokePermissionList ($a_ref_ids, $a_rol_id)
 Revokes permissions of a LIST of objects of ONE role.

 copyRolePermissions ($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected=true)
 Copies template permissions and permission of one role to another.

 copyRoleTemplatePermissions ($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected=true)
 Copies template permissions of one role to another.

 copyRolePermissionIntersection ($a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_parent, $a_dest_id)
 Copies the intersection of the template permissions of two roles to a third role.

 copyRolePermissionUnion ($a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_id, $a_dest_parent)
 Copies the union of the template permissions of two roles to a third role.

 copyRolePermissionSubtract ($a_source_id, $a_source_parent, $a_dest_id, $a_dest_parent)
 Subtract role permissions.

 deleteRolePermission ($a_rol_id, $a_ref_id, $a_type=false)
 Deletes all entries of a template.

 setRolePermission ($a_rol_id, $a_type, $a_ops, $a_ref_id)
 Inserts template permissions in rbac_templates for a specific object type.

 assignRoleToFolder ($a_rol_id, $a_parent, $a_assign="y")
 Assigns a role to a role folder. A role folder is an object to store roles.

 assignOperationToObject ($a_type_id, $a_ops_id)
 Assign an existing operation to an object. Update of rbac_ta.

 deassignOperationFromObject ($a_type_id, $a_ops_id)
 Deassign an existing operation from an object. Update of rbac_ta.

 setProtected ($a_ref_id, $a_role_id, $a_value)
 Set protected.

 copyLocalRoles ($a_source_id, $a_target_id)
 Copy local roles. This method creates a copy of all local roles.

 adjustMovedObjectPermissions ($a_ref_id, $a_old_parent)
 Adjust permissions of moved objects.

 copyEffectiveRolePermissions ($a_source_ref_id, $target_ref_id, $a_subtree_id)
 Copies all permission from source to target for all roles.


Detailed Description

Class ilRbacAdmin. Core functions for role based access control.

Creation and maintenance of relations. The main relations of RBAC are the user <-> role (UR) assignment relation and the permission <-> role (PR) assignment relation. This class contains methods to 'create' and 'delete' instances of the UR relation, e.g. assignUser() and deassignUser(). The corresponding methods for the PR relation are grantPermission() and revokePermission().

Author
Stefan Meyer <meyer@leifos.com>
Version
$Id$

Definition at line 38 of file class.ilRbacAdmin.php.

Member Function Documentation

◆ adjustMovedObjectPermissions()

ilRbacAdmin::adjustMovedObjectPermissions (   $a_ref_id,
  $a_old_parent 
)

Adjust permissions of moved objects.

  • Delete permissions of parent roles that do not exist in new context
  • Delete role templates of parent roles that do not exist in new context
  • Add permissions for parent roles that did not exist in old context

public

Parameters
int  ref id of moved object
int  ref_id of old parent

Definition at line 1140 of file class.ilRbacAdmin.php.

References $ilLog, $log, ilRbacLog\add(), deleteLocalRole(), ilRbacLog\diffFaPa(), ilRbacLog\gatherFaPa(), grantPermission(), ilRbacLog\isActive(), ilRbacLog\MOVE_OBJECT, and revokePermission().

1141  {
1142  global $rbacreview,$tree,$ilLog;
1143 
1144  $new_parent = $tree->getParentId($a_ref_id);
1145  $old_context_roles = $rbacreview->getParentRoleIds($a_old_parent,false);
1146  $new_context_roles = $rbacreview->getParentRoleIds($new_parent,false);
1147 
1148  $for_addition = $for_deletion = array();
1149  foreach($new_context_roles as $new_role_id => $new_role)
1150  {
1151  if(!isset($old_context_roles[$new_role_id]))
1152  {
1153  $for_addition[$new_role_id] = $new_role;
1154  }
1155  elseif($new_role['parent'] != $old_context_roles[$new_role_id]['parent'])
1156  {
1157  // handle stopped inheritance
1158  $for_deletion[$new_role_id] = $new_role;
1159  $for_addition[$new_role_id] = $new_role;
1160  }
1161  }
1162  foreach($old_context_roles as $old_role_id => $old_role)
1163  {
1164  if(!isset($new_context_roles[$old_role_id]))
1165  {
1166  $for_deletion[$old_role_id] = $old_role;
1167  }
1168  }
1169 
1170  if(!count($for_deletion) and !count($for_addition))
1171  {
1172  return true;
1173  }
1174 
1175  include_once "Services/AccessControl/classes/class.ilRbacLog.php";
1176  $rbac_log_active = ilRbacLog::isActive();
1177  if($rbac_log_active)
1178  {
1179  $role_ids = array_unique(array_merge(array_keys($for_deletion), array_keys($for_addition)));
1180  }
1181 
1182  foreach($nodes = $tree->getSubTree($node_data = $tree->getNodeData($a_ref_id),true) as $node_data)
1183  {
1184  $node_id = $node_data['child'];
1185 
1186  if($rbac_log_active)
1187  {
1188  $log_old = ilRbacLog::gatherFaPa($node_id, $role_ids);
1189  }
1190 
1191  // If $node_data['type'] is not set, this means there is a tree entry without
1192  // object_reference and/or object_data entry
1193  // Continue in this case
1194  if(!$node_data['type'])
1195  {
1196  $ilLog->write(__METHOD__.': No type give. Choosing next tree entry.');
1197  continue;
1198  }
1199 
1200  if(!$node_id)
1201  {
1202  $ilLog->write(__METHOD__.': Missing subtree node_id');
1203  continue;
1204  }
1205 
1206  foreach($for_deletion as $role_id => $role_data)
1207  {
1208  if($rolf_id = $rbacreview->getRoleFolderIdOfObject($node_id))
1209  {
1210  $this->deleteLocalRole($role_id,$rolf_id);
1211  }
1212  $this->revokePermission($node_id,$role_id,false);
1213 //var_dump("<pre>",'REVOKE',$role_id,$node_id,$rolf_id,"</pre>");
1214  }
1215  foreach($for_addition as $role_id => $role_data)
1216  {
1217  $this->grantPermission(
1218  $role_id,
1219  $ops = $rbacreview->getOperationsOfRole($role_id,$node_data['type'],$role_data['parent']),
1220  $node_id);
1221 //var_dump("<pre>",'GRANT',$role_id,$ops,$role_id,$node_data['type'],$role_data['parent'],"</pre>");
1222  }
1223 
1224  if($rbac_log_active)
1225  {
1226  $log_new = ilRbacLog::gatherFaPa($node_id, $role_ids);
1227  $log = ilRbacLog::diffFaPa($log_old, $log_new);
1228  ilRbacLog::add(ilRbacLog::MOVE_OBJECT, $node_id, $log);
1229  }
1230  }
1231 
1232  }

◆ assignOperationToObject()

ilRbacAdmin::assignOperationToObject (   $a_type_id,
  $a_ops_id 
)

Assign an existing operation to an object. Update of rbac_ta.

public

Parameters
integer  object type
integer  operation_id
Returns
boolean

Definition at line 994 of file class.ilRbacAdmin.php.

References $query, and $res.

995  {
996  global $ilDB;
997 
998  if (!isset($a_type_id) or !isset($a_ops_id))
999  {
1000  $message = get_class($this)."::assignOperationToObject(): Missing parameter!".
1001  "type_id: ".$a_type_id.
1002  "ops_id: ".$a_ops_id;
1003  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
1004  }
1005 
1006  $query = "INSERT INTO rbac_ta (typ_id, ops_id) ".
1007  "VALUES(".$ilDB->quote($a_type_id,'integer').",".$ilDB->quote($a_ops_id,'integer').")";
1008  $res = $ilDB->manipulate($query);
1009  return true;
1010  }

◆ assignRoleToFolder()

ilRbacAdmin::assignRoleToFolder (   $a_rol_id,
  $a_parent,
  $a_assign = "y" 
)

Assigns a role to a role folder. A role folder is an object to store roles.

Every role is assigned to at least one role folder. If the inheritance of a role is stopped, a new role template is created and the role is assigned to at least two role folders. All roles with stopped inheritance need the flag '$a_assign = false' (the code stores any value other than "y" as "n").

public

Parameters
integer  object id of role
integer  ref_id of role folder
string  assignable ('y','n'); default: 'y'
Returns
boolean

Definition at line 950 of file class.ilRbacAdmin.php.

References $query, and $res.

Referenced by copyLocalRoles().

951  {
952  global $ilDB,$rbacreview;
953 
954  if (!isset($a_rol_id) or !isset($a_parent))
955  {
956  $message = get_class($this)."::assignRoleToFolder(): Missing Parameter!".
957  " role_id: ".$a_rol_id.
958  " parent_id: ".$a_parent.
959  " assign: ".$a_assign;
960  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
961  }
962 
963  // exclude system role from rbac
964  if ($a_rol_id == SYSTEM_ROLE_ID)
965  {
966  return true;
967  }
968 
969  // if a wrong value is passed, always set assign to "n"
970  if ($a_assign != "y")
971  {
972  $a_assign = "n";
973  }
974 
975  $query = sprintf('INSERT INTO rbac_fa (rol_id, parent, assign, protected) '.
976  'VALUES (%s,%s,%s,%s)',
977  $ilDB->quote($a_rol_id,'integer'),
978  $ilDB->quote($a_parent,'integer'),
979  $ilDB->quote($a_assign,'text'),
980  $ilDB->quote('n','text'));
981  $res = $ilDB->manipulate($query);
982 
983  return true;
984  }

◆ assignUser()

ilRbacAdmin::assignUser (   $a_rol_id,
  $a_usr_id,
  $a_default = false 
)

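Assigns a user to a role.

Update of table rbac_ua. TODO: remove deprecated 3rd parameter sometime. The missing-parameter check only builds the message; the raiseError() call is commented out, so execution continues.

public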

Parameters
integer  object_id of role
integer  object_id of user
boolean  true means default role (optional)
Returns
boolean

Definition at line 209 of file class.ilRbacAdmin.php.

References $query, $res, ilObjUser\_addDesktopItem(), and ilLDAPRoleGroupMapping\_getInstance().

210  {
211  global $ilDB,$rbacreview;
212 
213  if (!isset($a_rol_id) or !isset($a_usr_id))
214  {
215  $message = get_class($this)."::assignUser(): Missing parameter! role_id: ".$a_rol_id." usr_id: ".$a_usr_id;
216  #$this->ilErr->raiseError($message,$this->ilErr->WARNING);
217  }
218 
219  // check if already assigned user id and role_id
220  $alreadyAssigned = $rbacreview->isAssigned($a_usr_id,$a_rol_id);
221 
222  // enhanced: only if we haven't had this role for this user
223  if (!$alreadyAssigned)
224  {
225  $query = "INSERT INTO rbac_ua (usr_id, rol_id) ".
226  "VALUES (".$ilDB->quote($a_usr_id,'integer').",".$ilDB->quote($a_rol_id,'integer').")";
227  $res = $ilDB->manipulate($query);
228 
229  include_once 'Services/AccessControl/classes/class.ilRoleDesktopItem.php';
230  $role_desk_item_obj = new ilRoleDesktopItem($a_rol_id);
231  foreach($role_desk_item_obj->getAll() as $item_data)
232  {
233  include_once './Services/User/classes/class.ilObjUser.php';
234  ilObjUser::_addDesktopItem($a_usr_id, $item_data['item_id'], $item_data['item_type']);
235  }
236 
237  }
238 
239  include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
240  $mapping = ilLDAPRoleGroupMapping::_getInstance();
241  $mapping->assign($a_rol_id,$a_usr_id);
242 
243  return true;
244  }

◆ copyEffectiveRolePermissions()

ilRbacAdmin::copyEffectiveRolePermissions (   $a_source_ref_id,
  $target_ref_id,
  $a_subtree_id 
)

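Copies all permission from source to target for all roles.

In this release the body only reads the parent roles of $a_source_ref_id and writes them to the log; no permissions are copied.

Parameters
type  $a_source_ref_id
type  $target_ref_id
type  $a_subtree_id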

Definition at line 1241 of file class.ilRbacAdmin.php.

References $GLOBALS.

1242  {
1243  global $rbacreview;
1244 
1245  $parent_roles = $rbacreview->getParentRoleIds($a_source_ref_id, FALSE);
1246  $GLOBALS['ilLog']->write(__METHOD__.': '. print_r($parent_roles,TRUE));
1247 
1248 
1249 
1250  }

◆ copyLocalRoles()

ilRbacAdmin::copyLocalRoles (   $a_source_id,
  $a_target_id 
)

Copy local roles. This method creates a copy of all local roles.

Note: auto generated roles are excluded

public

Parameters
int  source id of object (not role folder)
int  target id of object

Definition at line 1071 of file class.ilRbacAdmin.php.

References $ilLog, assignRoleToFolder(), copyRolePermissions(), and ilObjectFactory\getInstanceByRefId().

1072  {
1073  global $rbacreview,$ilLog,$ilObjDataCache;
1074 
1075  $source_rolf = $rbacreview->getRoleFolderIdOfObject($a_source_id);
1076  $target_rolf = $rbacreview->getRoleFolderIdOfObject($a_target_id);
1077 
1078  if(!$source_rolf)
1079  {
1080  // Nothing to do
1081  return true;
1082  }
1083  $real_local = array();
1084  foreach($rbacreview->getRolesOfRoleFolder($source_rolf,false) as $role_data)
1085  {
1086  $title = $ilObjDataCache->lookupTitle($role_data);
1087  if(substr($title,0,3) == 'il_')
1088  {
1089  continue;
1090  }
1091  $real_local[] = $role_data;
1092  }
1093  if(!count($real_local))
1094  {
1095  return true;
1096  }
1097  // Create role folder
1098  if(!$target_rolf)
1099  {
1100  $tmp_obj = ilObjectFactory::getInstanceByRefId($a_target_id,false);
1101  if(!is_object($tmp_obj))
1102  {
1103  return false;
1104  }
1105  $rolf = $tmp_obj->createRoleFolder();
1106  $target_rolf = $rolf->getRefId();
1107  $ilLog->write(__METHOD__.': Created new role folder with id '.$rolf->getRefId());
1108  }
1109  foreach($real_local as $role)
1110  {
1111  include_once ("./Services/AccessControl/classes/class.ilObjRole.php");
1112  $orig = new ilObjRole($role);
1113  $orig->read();
1114 
1115  $ilLog->write(__METHOD__.': Start copying of role '.$orig->getTitle());
1116  $roleObj = new ilObjRole();
1117  $roleObj->setTitle($orig->getTitle());
1118  $roleObj->setDescription($orig->getDescription());
1119  $roleObj->setImportId($orig->getImportId());
1120  $roleObj->create();
1121 
1122  $this->assignRoleToFolder($roleObj->getId(),$target_rolf,"y");
1123  $this->copyRolePermissions($role,$source_rolf,$target_rolf,$roleObj->getId(),true);
1124  $ilLog->write(__METHOD__.': Added new local role, id '.$roleObj->getId());
1125  }
1126 
1127  }

◆ copyRolePermissionIntersection()

ilRbacAdmin::copyRolePermissionIntersection (   $a_source1_id,
  $a_source1_parent,
  $a_source2_id,
  $a_source2_parent,
  $a_dest_parent,
  $a_dest_id 
)

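Copies the intersection of the template permissions of two roles to a third role. Nothing is copied when the second source role is protected. Note the argument order: the signature takes $a_dest_parent before $a_dest_id, while copyRolePermissionUnion() and copyRolePermissionSubtract() take $a_dest_id first.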

public

Parameters
integer  $a_source1_id  role_id source
integer  $a_source1_parent  parent_id source
integer  $a_source2_id  role_id source
integer  $a_source2_parent  parent_id source
integer  $a_dest_id  role_id destination
integer  $a_dest_parent  parent_id destination
Returns
boolean

Definition at line 669 of file class.ilRbacAdmin.php.

References $GLOBALS, $query, $res, $row, and DB_FETCHMODE_OBJECT.

670  {
671  global $rbacreview,$ilDB;
672 
673  if (!isset($a_source1_id) or !isset($a_source1_parent)
674  or !isset($a_source2_id) or !isset($a_source2_parent)
675  or !isset($a_dest_id) or !isset($a_dest_parent))
676  {
677  $message = get_class($this)."::copyRolePermissionIntersection(): Missing parameter! source1_id: ".$a_source1_id.
678  " source1_parent: ".$a_source1_parent.
679  " source2_id: ".$a_source2_id.
680  " source2_parent: ".$a_source2_parent.
681  " dest_id: ".$a_dest_id.
682  " dest_parent_id: ".$a_dest_parent;
683  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
684  }
685 
686  // exclude system role from rbac
687  if ($a_dest_id == SYSTEM_ROLE_ID)
688  {
689  return true;
690  }
691 
692  if ($rbacreview->isProtected($a_source2_parent,$a_source2_id))
693  {
694  $GLOBALS['ilLog']->write(__METHOD__.': Role is protected');
695  return true;
696  }
697 
698  $query = "SELECT s1.type, s1.ops_id ".
699  "FROM rbac_templates s1, rbac_templates s2 ".
700  "WHERE s1.rol_id = ".$ilDB->quote($a_source1_id,'integer')." ".
701  "AND s1.parent = ".$ilDB->quote($a_source1_parent,'integer')." ".
702  "AND s2.rol_id = ".$ilDB->quote($a_source2_id,'integer')." ".
703  "AND s2.parent = ".$ilDB->quote($a_source2_parent,'integer')." ".
704  "AND s1.type = s2.type ".
705  "AND s1.ops_id = s2.ops_id";
706  $res = $ilDB->query($query);
707  $operations = array();
708  $rowNum = 0;
709  while($row = $res->fetchRow(DB_FETCHMODE_OBJECT))
710  {
711  $operations[$rowNum]['type'] = $row->type;
712  $operations[$rowNum]['ops_id'] = $row->ops_id;
713 
714  $rowNum++;
715  }
716 
717  // Delete template permissions of target
718  $query = 'DELETE FROM rbac_templates WHERE rol_id = '.$ilDB->quote($a_dest_id,'integer').' '.
719  'AND parent = '.$ilDB->quote($a_dest_parent,'integer');
720  $res = $ilDB->manipulate($query);
721 
722  $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
723  'VALUES (?,?,?,?)';
724  $sta = $ilDB->prepareManip($query,array('integer','text','integer','integer'));
725  foreach($operations as $key => $set)
726  {
727  $ilDB->execute($sta,array(
728  $a_dest_id,
729  $set['type'],
730  $set['ops_id'],
731  $a_dest_parent));
732  }
733  return true;
734  }

◆ copyRolePermissions()

ilRbacAdmin::copyRolePermissions (   $a_source_id,
  $a_source_parent,
  $a_dest_parent,
  $a_dest_id,
  $a_consider_protected = true 
)

Copies template permissions and permission of one role to another.

public

Parameters
integer  $a_source_id  role_id source
integer  $a_source_parent  parent_id source
integer  $a_dest_parent  parent_id destination
integer  $a_dest_id  role_id destination
Returns
boolean

Definition at line 570 of file class.ilRbacAdmin.php.

References copyRoleTemplatePermissions(), grantPermission(), and revokePermission().

Referenced by copyLocalRoles().

571  {
572  global $tree,$rbacreview;
573 
574  // Copy template permissions
575  $this->copyRoleTemplatePermissions($a_source_id,$a_source_parent,$a_dest_parent,$a_dest_id,$a_consider_protected);
576 
577  $source_obj = $tree->getParentId($a_source_parent);
578  $target_obj = $tree->getParentId($a_dest_parent);
579  $ops = $rbacreview->getRoleOperationsOnObject($a_source_id,$source_obj);
580 
581  $this->revokePermission($target_obj,$a_dest_id);
582  $this->grantPermission($a_dest_id,$ops,$target_obj);
583  return true;
584  }

◆ copyRolePermissionSubtract()

ilRbacAdmin::copyRolePermissionSubtract (   $a_source_id,
  $a_source_parent,
  $a_dest_id,
  $a_dest_parent 
)

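Subtract role permissions.

Removes from the destination template every permission that is also present in the source template.

Parameters
type  $a_source_id
type  $a_source_parent
type  $a_dest_id
type  $a_dest_parent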

Definition at line 812 of file class.ilRbacAdmin.php.

References $query.

813  {
814  global $rbacreview, $ilDB;
815 
816  $s1_ops = $rbacreview->getAllOperationsOfRole($a_source_id,$a_source_parent);
817  $d_ops = $rbacreview->getAllOperationsOfRole($a_dest_id,$a_dest_parent);
818 
819  foreach($s1_ops as $type => $ops)
820  {
821  foreach($ops as $op)
822  {
823  if(isset($d_ops[$type]) and in_array($op, $d_ops[$type]))
824  {
825  $query = 'DELETE FROM rbac_templates '.
826  'WHERE rol_id = '.$ilDB->quote($a_dest_id,'integer').' '.
827  'AND type = '.$ilDB->quote($type,'text').' '.
828  'AND ops_id = '.$ilDB->quote($op,'integer').' '.
829  'AND parent = '.$ilDB->quote($a_dest_parent,'integer');
830  $ilDB->manipulate($query);
831  }
832  }
833  }
834  return true;
835  }

◆ copyRolePermissionUnion()

ilRbacAdmin::copyRolePermissionUnion (   $a_source1_id,
  $a_source1_parent,
  $a_source2_id,
  $a_source2_parent,
  $a_dest_id,
  $a_dest_parent 
)

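Copies the union of the template permissions of two roles to a third role. Existing template permissions of the destination are deleted first.

Parameters
<type>  $a_source1_id
<type>  $a_source1_parent
<type>  $a_source2_id
<type>  $a_source2_parent
<type>  $a_dest_id
<type>  $a_dest_parent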
Returns
<type>

Definition at line 747 of file class.ilRbacAdmin.php.

References $GLOBALS, $query, and deleteRolePermission().

754  {
755  global $ilDB, $rbacreview;
756 
757 
758  $s1_ops = $rbacreview->getAllOperationsOfRole($a_source1_id,$a_source1_parent);
759  $s2_ops = $rbacreview->getAlloperationsOfRole($a_source2_id,$a_source2_parent);
760 
761  $this->deleteRolePermission($a_dest_id, $a_dest_parent);
762 
763  $GLOBALS['ilLog']->write(__METHOD__.': '.print_r($s1_ops,TRUE));
764  $GLOBALS['ilLog']->write(__METHOD__.': '.print_r($s2_ops,TRUE));
765 
766  foreach($s1_ops as $type => $ops)
767  {
768  foreach($ops as $op)
769  {
770  // insert all permission of source 1
771  // #15469
772  $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
773  'VALUES( '.
774  $ilDB->quote($a_dest_id,'integer').', '.
775  $ilDB->quote($type,'text').', '.
776  $ilDB->quote($op,'integer').', '.
777  $ilDB->quote($a_dest_parent,'integer').' '.
778  ')';
779  $ilDB->manipulate($query);
780  }
781  }
782 
783  // and the other direction...
784  foreach($s2_ops as $type => $ops)
785  {
786  foreach($ops as $op)
787  {
788  if(!isset($s1_ops[$type]) or !in_array($op, $s1_ops[$type]))
789  {
790  $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
791  'VALUES( '.
792  $ilDB->quote($a_dest_id,'integer').', '.
793  $ilDB->quote($type,'text').', '.
794  $ilDB->quote($op,'integer').', '.
795  $ilDB->quote($a_dest_parent,'integer').' '.
796  ')';
797  $ilDB->manipulate($query);
798  }
799  }
800  }
801 
802  return true;
803  }
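
What copyRolePermissionIntersection(), copyRolePermissionUnion() and copyRolePermissionSubtract() leave in the destination template, modelled on in-memory rows. This is an added example, not ILIAS code: the class TemplateModel, its methods and all role, parent and operation ids are hypothetical, and a template is passed as one (rol_id, parent) pair so the two integers cannot be swapped.

```php
<?php
// Added example, not ILIAS code. In-memory stand-in for rbac_templates rows.
// A template is addressed by one array(rol_id, parent) pair instead of two
// separate positional integers.

final class TemplateModel
{
    /** "rol_id@parent" => set of "type:ops_id" keys */
    private $rows = array();
    /** "rol_id@parent" => true when the role is protected in that folder */
    private $protected = array();

    private function key(array $ref)
    {
        return (int) $ref[0] . '@' . (int) $ref[1];
    }

    private function get(array $ref)
    {
        $k = $this->key($ref);
        return isset($this->rows[$k]) ? $this->rows[$k] : array();
    }

    /** Load array(type => array(ops_id, ...)) as the rows of one template. */
    public function load(array $ref, array $ops, $protected = false)
    {
        $set = array();
        foreach ($ops as $type => $ids) {
            foreach ($ids as $id) {
                $set[$type . ':' . (int) $id] = true;
            }
        }
        $this->rows[$this->key($ref)] = $set;
        $this->protected[$this->key($ref)] = (bool) $protected;
    }

    /** Sorted "type:ops_id" list of one template, for display or comparison. */
    public function dump(array $ref)
    {
        $list = array_keys($this->get($ref));
        sort($list);
        return $list;
    }

    /**
     * dest := rows present in both s1 and s2. Nothing is written when s2 is
     * protected. The documented method returns true in both cases; returning
     * false for the skipped case is an assumption of this model so that the
     * caller can tell the two apart.
     */
    public function intersection(array $s1, array $s2, array $dest)
    {
        if (!empty($this->protected[$this->key($s2)])) {
            return false;
        }
        $this->rows[$this->key($dest)] = array_intersect_key($this->get($s1), $this->get($s2));
        return true;
    }

    /** dest := rows present in s1 or s2. Old destination rows are replaced, not merged. */
    public function union(array $s1, array $s2, array $dest)
    {
        $this->rows[$this->key($dest)] = $this->get($s1) + $this->get($s2);
    }

    /** dest := dest without the rows of src. Rows only in dest are kept. */
    public function subtract(array $src, array $dest)
    {
        $this->rows[$this->key($dest)] = array_diff_key($this->get($dest), $this->get($src));
    }
}

// Constructed sample data: every id below is made up for illustration.
$m = new TemplateModel();
$author = array(101, 50);
$tutor  = array(102, 50);
$locked = array(103, 50);
$target = array(200, 60);
$m->load($author, array('crs' => array(2, 3, 4), 'file' => array(2, 3)));
$m->load($tutor, array('crs' => array(2, 3), 'grp' => array(2)));
$m->load($locked, array('crs' => array(2)), true);
$m->load($target, array('crs' => array(6)));

$m->intersection($author, $tutor, $target);   // narrows the target
echo 'intersection: ', implode(' ', $m->dump($target)), "\n";

$m->union($author, $tutor, $target);          // widens the target
echo 'union:        ', implode(' ', $m->dump($target)), "\n";

$m->subtract($tutor, $target);                // takes the tutor rows out again
echo 'subtract:     ', implode(' ', $m->dump($target)), "\n";

$skipped = !$m->intersection($author, $locked, $target); // protected second source
echo 'protected source skipped: ', var_export($skipped, true), "\n";
echo 'target afterwards:        ', implode(' ', $m->dump($target)), "\n";
```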

◆ copyRoleTemplatePermissions()

ilRbacAdmin::copyRoleTemplatePermissions (   $a_source_id,
  $a_source_parent,
  $a_dest_parent,
  $a_dest_id,
  $a_consider_protected = true 
)

Copies template permissions of one role to another.

It's also possible to copy template permissions from/to RoleTemplateObject.

public

Parameters
integer  $a_source_id  role_id source
integer  $a_source_parent  parent_id source
integer  $a_dest_parent  parent_id destination
integer  $a_dest_id  role_id destination
Returns
boolean

Definition at line 596 of file class.ilRbacAdmin.php.

References $query, $res, $row, and setProtected().

Referenced by copyRolePermissions().

597  {
598  global $rbacreview,$ilDB;
599 
600  if (!isset($a_source_id) or !isset($a_source_parent) or !isset($a_dest_id) or !isset($a_dest_parent))
601  {
602  $message = __METHOD__.": Missing parameter! source_id: ".$a_source_id.
603  " source_parent_id: ".$a_source_parent.
604  " dest_id : ".$a_dest_id.
605  " dest_parent_id: ".$a_dest_parent;
606  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
607  }
608 
609  // exclude system role from rbac
610  if ($a_dest_id == SYSTEM_ROLE_ID)
611  {
612  return true;
613  }
614 
615  // Read operations
616  $query = 'SELECT * FROM rbac_templates '.
617  'WHERE rol_id = '.$ilDB->quote($a_source_id,'integer').' '.
618  'AND parent = '.$ilDB->quote($a_source_parent,'integer');
619  $res = $ilDB->query($query);
620  $operations = array();
621  $rownum = 0;
622  while ($row = $ilDB->fetchObject($res))
623  {
624  $operations[$rownum]['type'] = $row->type;
625  $operations[$rownum]['ops_id'] = $row->ops_id;
626  $rownum++;
627  }
628 
629  // Delete target permissions
630  $query = 'DELETE FROM rbac_templates WHERE rol_id = '.$ilDB->quote($a_dest_id,'integer').' '.
631  'AND parent = '.$ilDB->quote($a_dest_parent,'integer');
632  $res = $ilDB->manipulate($query);
633 
634  foreach($operations as $row => $op)
635  {
636  $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
637  'VALUES ('.
638  $ilDB->quote($a_dest_id,'integer').",".
639  $ilDB->quote($op['type'],'text').",".
640  $ilDB->quote($op['ops_id'],'integer').",".
641  $ilDB->quote($a_dest_parent,'integer').")";
642  $ilDB->manipulate($query);
643  }
644 
645  // copy also protection status if applicable
646  if ($a_consider_protected == true)
647  {
648  if ($rbacreview->isProtected($a_source_parent,$a_source_id))
649  {
650  $this->setProtected($a_dest_parent,$a_dest_id,'y');
651  }
652  }
653 
654  return true;
655  }

◆ deassignOperationFromObject()

ilRbacAdmin::deassignOperationFromObject (   $a_type_id,
  $a_ops_id 
)

Deassign an existing operation from an object. Update of rbac_ta.

public

Parameters
integer  object type
integer  operation_id
Returns
boolean

Definition at line 1020 of file class.ilRbacAdmin.php.

References $query, and $res.

1021  {
1022  global $ilDB;
1023 
1024  if (!isset($a_type_id) or !isset($a_ops_id))
1025  {
1026  $message = get_class($this)."::deassignPermissionFromObject(): Missing parameter!".
1027  "type_id: ".$a_type_id.
1028  "ops_id: ".$a_ops_id;
1029  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
1030  }
1031 
1032  $query = "DELETE FROM rbac_ta ".
1033  "WHERE typ_id = ".$ilDB->quote($a_type_id,'integer')." ".
1034  "AND ops_id = ".$ilDB->quote($a_ops_id,'integer');
1035  $res = $ilDB->manipulate($query);
1036 
1037  return true;
1038  }

◆ deassignUser()

ilRbacAdmin::deassignUser (   $a_rol_id,
  $a_usr_id 
)

Deassigns a user from a role.

Update of table rbac_ua.

public

Parameters
integer  object id of role
integer  object id of user
Returns
boolean true on success

Definition at line 253 of file class.ilRbacAdmin.php.

References $query, $res, and ilLDAPRoleGroupMapping\_getInstance().

254  {
255  global $ilDB;
256 
257  if (!isset($a_rol_id) or !isset($a_usr_id))
258  {
259  $message = get_class($this)."::deassignUser(): Missing parameter! role_id: ".$a_rol_id." usr_id: ".$a_usr_id;
260  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
261  }
262 
263  $query = "DELETE FROM rbac_ua ".
264  "WHERE usr_id = ".$ilDB->quote($a_usr_id,'integer')." ".
265  "AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
266  $res = $ilDB->manipulate($query);
267 
268  include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
269  $mapping = ilLDAPRoleGroupMapping::_getInstance();
270  $mapping->deassign($a_rol_id,$a_usr_id);
271 
272  return true;
273  }

◆ deleteLocalRole()

ilRbacAdmin::deleteLocalRole (   $a_rol_id,
  $a_ref_id = 0 
)

Deletes a local role and entries in rbac_fa and rbac_templates.

public

Parameters
integer  object_id of role
integer  ref_id of role folder (optional)
Returns
boolean true on success

Definition at line 166 of file class.ilRbacAdmin.php.

References $query, and $res.

Referenced by adjustMovedObjectPermissions(), and deleteRole().

167  {
168  global $ilDB;
169 
170  if (!isset($a_rol_id))
171  {
172  $message = get_class($this)."::deleteLocalRole(): Missing parameter! role_id: '".$a_rol_id."'";
173  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
174  }
175 
176  // exclude system role from rbac
177  if ($a_rol_id == SYSTEM_ROLE_ID)
178  {
179  return true;
180  }
181 
182  if ($a_ref_id != 0)
183  {
184  $clause = 'AND parent = '.$ilDB->quote($a_ref_id,'integer').' ';
185  }
186 
187  $query = 'DELETE FROM rbac_fa '.
188  'WHERE rol_id = '.$ilDB->quote($a_rol_id,'integer').' '.
189  $clause;
190  $res = $ilDB->manipulate($query);
191 
192  $query = 'DELETE FROM rbac_templates '.
193  'WHERE rol_id = '.$ilDB->quote($a_rol_id,'integer').' '.
194  $clause;
195  $res = $ilDB->manipulate($query);
196  return true;
197  }

◆ deleteRole()

ilRbacAdmin::deleteRole (   $a_rol_id,
  $a_ref_id 
)

Deletes a role and deletes entries in object_data, rbac_pa, rbac_templates, rbac_ua, rbac_fa.

public

Parameters
integer  obj_id of role (role_id)
integer  ref_id of role folder (ref_id)
Returns
boolean true on success

Definition at line 92 of file class.ilRbacAdmin.php.

References $lng, $query, $res, ilLDAPRoleGroupMapping\_getInstance(), and deleteLocalRole().

93  {
94  global $lng,$ilDB;
95 
96  if (!isset($a_rol_id) or !isset($a_ref_id))
97  {
98  $message = get_class($this)."::deleteRole(): Missing parameter! role_id: ".$a_rol_id." ref_id of role folder: ".$a_ref_id;
99  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
100  }
101 
102  // exclude system role from rbac
103  if ($a_rol_id == SYSTEM_ROLE_ID)
104  {
105  $this->ilErr->raiseError($lng->txt("msg_sysrole_not_deletable"),$this->ilErr->MESSAGE);
106  }
107 
108  include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
109  $mapping = ilLDAPRoleGroupMapping::_getInstance();
110  $mapping->deleteRole($a_rol_id);
111 
112 
113  // TODO: check assigned users before deletion
114  // This is done in ilObjRole. Should be better moved to this place?
115 
116  // delete user assignements
117  $query = "DELETE FROM rbac_ua ".
118  "WHERE rol_id = ".$ilDB->quote($a_rol_id,'integer');
119  $res = $ilDB->manipulate($query);
120 
121  // delete permission assignments
122  $query = "DELETE FROM rbac_pa ".
123  "WHERE rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
124  $res = $ilDB->manipulate($query);
125 
126  //delete rbac_templates and rbac_fa
127  $this->deleteLocalRole($a_rol_id);
128 
129  return true;
130  }

◆ deleteRolePermission()

ilRbacAdmin::deleteRolePermission (   $a_rol_id,
  $a_ref_id,
  $a_type = false 
)

Deletes all entries of a template.

If an object type is given as the third parameter, only the entries for that object type are deleted. Update of table rbac_templates.

public

Parameters
integer  object id of role
integer  ref_id of role folder
string  object type (optional)
Returns
boolean

Definition at line 848 of file class.ilRbacAdmin.php.

References $query, and $res.

Referenced by copyRolePermissionUnion().

849  {
850  global $ilDB;
851 
852  if (!isset($a_rol_id) or !isset($a_ref_id))
853  {
854  $message = get_class($this)."::deleteRolePermission(): Missing parameter! role_id: ".$a_rol_id." ref_id: ".$a_ref_id;
855  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
856  }
857 
858  // exclude system role from rbac
859  if ($a_rol_id == SYSTEM_ROLE_ID)
860  {
861  return true;
862  }
863 
864  if ($a_type !== false)
865  {
866  $and_type = " AND type=".$ilDB->quote($a_type,'text')." ";
867  }
868 
869  $query = 'DELETE FROM rbac_templates '.
870  'WHERE rol_id = '.$ilDB->quote($a_rol_id,'integer').' '.
871  'AND parent = '.$ilDB->quote($a_ref_id,'integer').' '.
872  $and_type;
873 
874  $res = $ilDB->manipulate($query);
875 
876  return true;
877  }

◆ deleteSubtreeTemplates()

ilRbacAdmin::deleteSubtreeTemplates (   $a_ref_id,
  $a_rol_id 
)

Delete all template permissions of subtree nodes.

Parameters
object  $a_ref_id
object  $a_rol_id
Returns

Definition at line 478 of file class.ilRbacAdmin.php.

References $GLOBALS, and $query.

479  {
480  global $ilDB;
481 
482  /*
483  $query = "DELETE FROM rbac_templates ".
484  "WHERE parent IN ".
485  "(SELECT child FROM tree WHERE ".
486  "lft >= (SELECT lft FROM tree WHERE child = ".$ilDB->quote($a_ref_id,'integer')." ) AND ".
487  "rgt <= (SELECT rgt FROM tree WHERE child = ".$ilDB->quote($a_ref_id,'integer')." ) ".
488  ") ".
489  "AND rol_id = ".$ilDB->quote($a_rol_id,'integer');
490  */
491 
492  $query = 'DELETE FROM rbac_templates '.
493  'WHERE parent IN ( '.
494  $GLOBALS['tree']->getSubTreeQuery($a_ref_id, array('child')).' ) '.
495  'AND rol_id = '.$ilDB->quote($a_rol_id,'integer');
496 
497  $GLOBALS['ilLog']->write($query);
498 
499  $ilDB->manipulate($query);
500 
501  /*
502  $query = "DELETE FROM rbac_fa ".
503  "WHERE parent IN ".
504  "(SELECT child FROM tree WHERE ".
505  "lft >= (SELECT lft FROM tree WHERE child = ".$ilDB->quote($a_ref_id,'integer')." ) AND ".
506  "rgt <= (SELECT rgt FROM tree WHERE child = ".$ilDB->quote($a_ref_id,'integer')." ) ".
507  ") ".
508  "AND rol_id = ".$ilDB->quote($a_rol_id,'integer');
509  */
510  $query = 'DELETE FROM rbac_fa '.
511  'WHERE parent IN ( '.
512  $GLOBALS['tree']->getSubTreeQuery($a_ref_id,array('child')).' ) '.
513  'AND rol_id = '.$ilDB->quote($a_rol_id,'integer');
514 
515  $GLOBALS['ilLog']->write($query);
516 
517 
518  $ilDB->manipulate($query);
519 
520  return true;
521  }

◆ deleteTemplate()

ilRbacAdmin::deleteTemplate (   $a_obj_id)

Deletes a template from role folder and deletes all entries in rbac_templates, rbac_fa public.

Parameters
integer  object_id of role template
Returns
boolean

Definition at line 138 of file class.ilRbacAdmin.php.

References $query, and $res.

139  {
140  global $ilDB;
141 
142  if (!isset($a_obj_id))
143  {
144  $message = get_class($this)."::deleteTemplate(): No obj_id given!";
145  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
146  }
147 
148  $query = 'DELETE FROM rbac_templates '.
149  'WHERE rol_id = '.$ilDB->quote($a_obj_id,'integer');
150  $res = $ilDB->manipulate($query);
151 
152  $query = 'DELETE FROM rbac_fa '.
153  'WHERE rol_id = '.$ilDB->quote($a_obj_id,'integer');
154  $res = $ilDB->manipulate($query);
155 
156  return true;
157  }

◆ grantPermission()

ilRbacAdmin::grantPermission (   $a_rol_id,
  $a_ops,
  $a_ref_id 
)

Grants a permission to an object and a specific role.

Update of table rbac_pa public

Parameters
integer  object id of role
array  array of operation ids
integer  reference id of that object which is granted the permissions
Returns
boolean

Definition at line 283 of file class.ilRbacAdmin.php.

References $query, and $res.

Referenced by adjustMovedObjectPermissions(), and copyRolePermissions().

284  {
285  global $ilDB;
286 
287  if (!isset($a_rol_id) or !isset($a_ops) or !isset($a_ref_id))
288  {
289  $this->ilErr->raiseError(get_class($this)."::grantPermission(): Missing parameter! ".
290  "role_id: ".$a_rol_id." ref_id: ".$a_ref_id." operations: ",$this->ilErr->WARNING);
291  }
292 
293  if (!is_array($a_ops))
294  {
295  $this->ilErr->raiseError(get_class($this)."::grantPermission(): Wrong datatype for operations!",
296  $this->ilErr->WARNING);
297  }
298 
299  /*
300  if (count($a_ops) == 0)
301  {
302  return false;
303  }
304  */
305  // exclude system role from rbac
306  if ($a_rol_id == SYSTEM_ROLE_ID)
307  {
308  return true;
309  }
310 
311  // convert all values to integer
312  foreach ($a_ops as $key => $operation)
313  {
314  $a_ops[$key] = (int) $operation;
315  }
316 
317  // serialize the ops_id array
318  $ops_ids = serialize($a_ops);
319 
320  $query = 'DELETE FROM rbac_pa '.
321  'WHERE rol_id = %s '.
322  'AND ref_id = %s';
323  $res = $ilDB->queryF($query,array('integer','integer'),
324  array($a_rol_id,$a_ref_id));
325 
326  if(!count($a_ops))
327  {
328  return false;
329  }
330 
331  $query = "INSERT INTO rbac_pa (rol_id,ops_id,ref_id) ".
332  "VALUES ".
333  "(".$ilDB->quote($a_rol_id,'integer').",".$ilDB->quote($ops_ids,'text').",".$ilDB->quote($a_ref_id,'integer').")";
334  $res = $ilDB->manipulate($query);
335 
336  return true;
337  }

◆ ilRbacAdmin()

ilRbacAdmin::ilRbacAdmin ( )

Constructor public.

Definition at line 44 of file class.ilRbacAdmin.php.

References $ilErr, if, and PEAR_ERROR_CALLBACK.

45  {
46  global $ilDB,$ilErr,$ilias;
47 
48  // set db & error handler
49  (isset($ilDB)) ? $this->ilDB =& $ilDB : $this->ilDB =& $ilias->db;
50 
51  if (!isset($ilErr))
52  {
53  $ilErr = new ilErrorHandling();
54  $ilErr->setErrorHandling(PEAR_ERROR_CALLBACK,array($ilErr,'errorHandler'));
55  }
56  else
57  {
58  $this->ilErr =& $ilErr;
59  }
60  }

◆ removeUser()

ilRbacAdmin::removeUser (   $a_usr_id)

Deletes a user from rbac_ua; all user <-> role relations are deleted. public

Parameters
integer  user_id
Returns
boolean true on success

Definition at line 69 of file class.ilRbacAdmin.php.

References $query, and $res.

70  {
71  global $ilDB;
72 
73  if (!isset($a_usr_id))
74  {
75  $message = get_class($this)."::removeUser(): No usr_id given!";
76  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
77  }
78 
79  $query = "DELETE FROM rbac_ua WHERE usr_id = ".$ilDB->quote($a_usr_id,'integer');
80  $res = $ilDB->manipulate($query);
81 
82  return true;
83  }

◆ revokePermission()

ilRbacAdmin::revokePermission (   $a_ref_id,
  $a_rol_id = 0,
  $a_keep_protected = true 
)

Revokes permissions of an object of one role.

Update of table rbac_pa. Revokes all permissions for all roles for that object (with this reference). When a role_id is given, this applies only to that role. public

Parameters
integer  reference id of object where permissions should be revoked
integer  role_id (optional: if you want to revoke permissions of object only for a specific role)
Returns
boolean

Definition at line 348 of file class.ilRbacAdmin.php.

References $ilLog, $log, $query, and $res.

Referenced by adjustMovedObjectPermissions(), and copyRolePermissions().

349  {
350  global $rbacreview,$log,$ilDB,$ilLog;
351 
352  if (!isset($a_ref_id))
353  {
354  $ilLog->logStack();
355  $message = get_class($this)."::revokePermission(): Missing parameter! ref_id: ".$a_ref_id;
356  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
357  }
358 #$log->write("ilRBACadmin::revokePermission(), 0");
359 
360  // bypass protected status of roles
361  if ($a_keep_protected != true)
362  {
363  // exclude system role from rbac
364  if ($a_rol_id == SYSTEM_ROLE_ID)
365  {
366  return true;
367  }
368 
369  if ($a_rol_id)
370  {
371  $and1 = " AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
372  }
373  else
374  {
375  $and1 = "";
376  }
377 
378  $query = "DELETE FROM rbac_pa ".
379  "WHERE ref_id = ".$ilDB->quote($a_ref_id,'integer').
380  $and1;
381 
382  $res = $ilDB->manipulate($query);
383 
384  return true;
385  }
386 
387  // consider protected status of roles
388 
389  // in any case, get all roles in scope first
390  $roles_in_scope = $rbacreview->getParentRoleIds($a_ref_id);
391 
392  if (!$a_rol_id)
393  {
394 #$log->write("ilRBACadmin::revokePermission(), 1");
395 
396  $role_ids = array();
397 
398  foreach ($roles_in_scope as $role)
399  {
400  if ($role['protected'] == true)
401  {
402  continue;
403  }
404 
405  $role_ids[] = $role['obj_id'];
406  }
407 
408  // return if no role in array
409  if (!$role_ids)
410  {
411  return true;
412  }
413 
414  $query = 'DELETE FROM rbac_pa '.
415  'WHERE '.$ilDB->in('rol_id',$role_ids,false,'integer').' '.
416  'AND ref_id = '.$ilDB->quote($a_ref_id,'integer');
417  $res = $ilDB->manipulate($query);
418  }
419  else
420  {
421 #$log->write("ilRBACadmin::revokePermission(), 2");
422  // exclude system role from rbac
423  if ($a_rol_id == SYSTEM_ROLE_ID)
424  {
425  return true;
426  }
427 
428  // exclude protected permission settings from revoking
429  if ($roles_in_scope[$a_rol_id]['protected'] == true)
430  {
431  return true;
432  }
433 
434  $query = "DELETE FROM rbac_pa ".
435  "WHERE ref_id = ".$ilDB->quote($a_ref_id,'integer')." ".
436  "AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
437  $res = $ilDB->manipulate($query);
438  }
439 
440  return true;
441  }
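
The branch structure of revokePermission() above, as an added PHP model that is not part of the ILIAS source: it replaces $ilDB and getParentRoleIds() with in-memory arrays and reports which rbac_pa rows survive each call. The function name revokeModel(), the value 2 for SYSTEM_ROLE_ID and the sample rows are assumptions made for this sketch.

```php
<?php
// Added illustration, not ILIAS code: in-memory model of the rbac_pa rows that
// revokePermission() deletes. revokeModel() and the array shapes are assumptions.
define('SYSTEM_ROLE_ID', 2); // assumed value for this sketch

function revokeModel(array $rows, array $scope, $ref_id, $rol_id = 0, $keep_protected = true)
{
    if ($rol_id == SYSTEM_ROLE_ID) {
        $targets = array(); // branches that receive the system role delete nothing
    } elseif ($keep_protected == true && $rol_id) {
        // The listing reads $roles_in_scope[$a_rol_id]['protected'] unguarded,
        // so a role id that is not in scope counts as unprotected.
        $protected = isset($scope[$rol_id]) && $scope[$rol_id]['protected'] == true;
        $targets = $protected ? array() : array($rol_id);
    } elseif ($keep_protected == true) {
        $targets = array(); // unprotected roles found in scope only
        foreach ($scope as $role) {
            if ($role['protected'] != true) {
                $targets[] = $role['obj_id'];
            }
        }
    } else {
        $targets = $rol_id ? array($rol_id) : null; // null = every role on ref_id
    }
    $kept = array();
    foreach ($rows as $row) {
        $hit = $row['ref_id'] == $ref_id
            && ($targets === null || in_array($row['rol_id'], $targets));
        if (!$hit) {
            $kept[] = $row['rol_id'] . '@' . $row['ref_id'];
        }
    }
    return $kept; // surviving rows as "rol_id@ref_id"
}

// Constructed data: role 5 protected, role 6 unprotected, role 9 not in scope.
$scope = array(5 => array('obj_id' => 5, 'protected' => true),
               6 => array('obj_id' => 6, 'protected' => false));
$rows = array();
foreach (array(array(5, 70), array(6, 70), array(9, 70), array(6, 71)) as $p) {
    $rows[] = array('rol_id' => $p[0], 'ref_id' => $p[1]);
}
foreach (array(array(0, true), array(0, false), array(5, true), array(5, false), array(9, true)) as $c) {
    $kept = implode(' ', revokeModel($rows, $scope, 70, $c[0], $c[1]));
    printf("rol_id=%d keep_protected=%s keeps: %s\n", $c[0], $c[1] ? 'true' : 'false', $kept);
}
```

Comparing the rol_id=0 lines shows the difference a caller should audit: with $a_keep_protected=false every role's permissions on the object are removed, protected or not, while the default only touches unprotected roles found in scope.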

◆ revokePermissionList()

ilRbacAdmin::revokePermissionList (   $a_ref_ids,
  $a_rol_id 
)

Revokes permissions of a LIST of objects of ONE role.

Update of table rbac_pa. public

Parameters
array  list of reference_ids to revoke permissions
integer  role_id
Returns
boolean

Definition at line 530 of file class.ilRbacAdmin.php.

References $query, and $res.

531  {
532  global $ilDB;
533 
534  if (!isset($a_ref_ids) or !is_array($a_ref_ids))
535  {
536  $message = get_class($this)."::revokePermissionList(): Missing parameter or parameter is not an array! reference_list: ".print_r($a_ref_ids, true);
537  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
538  }
539 
540  if (!isset($a_rol_id))
541  {
542  $message = get_class($this)."::revokePermissionList(): Missing parameter! rol_id: ".$a_rol_id;
543  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
544  }
545 
546  // exclude system role from rbac
547  if ($a_rol_id == SYSTEM_ROLE_ID)
548  {
549  return true;
550  }
551 
552  $query = "DELETE FROM rbac_pa ".
553  "WHERE ".$ilDB->in('ref_id',$a_ref_ids,false,'integer').' '.
554  "AND rol_id = ".$ilDB->quote($a_rol_id,'integer');
555  $res = $ilDB->manipulate($query);
556 
557  return true;
558  }

◆ revokeSubtreePermissions()

ilRbacAdmin::revokeSubtreePermissions (   $a_ref_id,
  $a_role_id 
)

Revoke subtree permissions.

Parameters
object  $a_ref_id
object  $a_role_id
Returns

Definition at line 449 of file class.ilRbacAdmin.php.

References $query.

450  {
451  global $ilDB;
452 
453  /*
454  $query = "DELETE FROM rbac_pa ".
455  "WHERE ref_id IN ".
456  "(SELECT child FROM tree WHERE ".
457  "lft >= (SELECT lft FROM tree WHERE child = ".$ilDB->quote($a_ref_id,'integer')." ) AND ".
458  "rgt <= (SELECT rgt FROM tree WHERE child = ".$ilDB->quote($a_ref_id,'integer')." ) ".
459  ") ".
460  "AND rol_id = ".$ilDB->quote($a_role_id,'integer');
461  */
462 
463  $query = 'DELETE FROM rbac_pa '.
464  'WHERE ref_id IN '.
465  '( '.$GLOBALS['tree']->getSubTreeQuery($a_ref_id,array('child')).' ) '.
466  'AND rol_id = '.$ilDB->quote($a_role_id,'integer');
467 
468  $ilDB->manipulate($query);
469  return true;
470  }

◆ setProtected()

ilRbacAdmin::setProtected (   $a_ref_id,
  $a_role_id,
  $a_value 
)

Set protected $ilDB.

Parameters
type  $a_ref_id
type  $a_role_id
type  $a_value  y or n
Returns
boolean

Definition at line 1048 of file class.ilRbacAdmin.php.

References $query, and $res.

Referenced by copyRoleTemplatePermissions().

1049  {
1050  global $ilDB;
1051 
1052  // ref_id not used yet. protected permission acts 'global' for each role,
1053  // regardless of any broken inheritance before
1054  $query = 'UPDATE rbac_fa '.
1055  'SET protected = '.$ilDB->quote($a_value,'text').' '.
1056  'WHERE rol_id = '.$ilDB->quote($a_role_id,'integer');
1057  $res = $ilDB->manipulate($query);
1058  return true;
1059  }

◆ setRolePermission()

ilRbacAdmin::setRolePermission (   $a_rol_id,
  $a_type,
  $a_ops,
  $a_ref_id 
)

Inserts template permissions in rbac_templates for a specific object type.

Update of table rbac_templates public

Parameters
integer  role_id
string  object type
array  operation_ids
integer  ref_id of role folder object
Returns
boolean

Definition at line 889 of file class.ilRbacAdmin.php.

References $query, and $res.

890  {
891  global $ilDB;
892 
893  if (!isset($a_rol_id) or !isset($a_type) or !isset($a_ops) or !isset($a_ref_id))
894  {
895  $message = get_class($this)."::setRolePermission(): Missing parameter!".
896  " role_id: ".$a_rol_id.
897  " type: ".$a_type.
898  " operations: ".$a_ops.
899  " ref_id: ".$a_ref_id;
900  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
901  }
902 
903  if (!is_string($a_type) or empty($a_type))
904  {
905  $message = get_class($this)."::setRolePermission(): a_type is no string or empty!";
906  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
907  }
908 
909  if (!is_array($a_ops) or empty($a_ops))
910  {
911  $message = get_class($this)."::setRolePermission(): a_ops is no array or empty!";
912  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
913  }
914 
915  // exclude system role from rbac
916  if ($a_rol_id == SYSTEM_ROLE_ID)
917  {
918  return true;
919  }
920 
921  $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
922  'VALUES (?,?,?,?)';
923  $sta = $ilDB->prepareManip($query,array('integer','text','integer','integer'));
924  foreach ($a_ops as $op)
925  {
926  $res = $ilDB->execute($sta,array(
927  $a_rol_id,
928  $a_type,
929  $op,
930  $a_ref_id
931  ));
932  }
933 
934  return true;
935  }

The documentation for this class was generated from the following file: