ILIAS  release_5-0 Revision 5.0.0-1144-gc4397b1f870
class.ilRbacAdmin.php
Go to the documentation of this file.
1<?php
2/* Copyright (c) 1998-2010 ILIAS open source, Extended GPL, see docs/LICENSE */
3
4
18class ilRbacAdmin
19{
24 public function __construct()
25 {
26 global $ilDB,$ilErr,$ilias;
27
28 // set db & error handler
29 (isset($ilDB)) ? $this->ilDB =& $ilDB : $this->ilDB =& $ilias->db;
30
31 if (!isset($ilErr))
32 {
33 $ilErr = new ilErrorHandling();
34 $ilErr->setErrorHandling(PEAR_ERROR_CALLBACK,array($ilErr,'errorHandler'));
35 }
36 else
37 {
38 $this->ilErr =& $ilErr;
39 }
40 }
41
49 public function removeUser($a_usr_id)
50 {
51 global $ilDB;
52
53 if (!isset($a_usr_id))
54 {
55 $message = get_class($this)."::removeUser(): No usr_id given!";
56 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
57 }
58
59 $query = "DELETE FROM rbac_ua WHERE usr_id = ".$ilDB->quote($a_usr_id,'integer');
60 $res = $ilDB->manipulate($query);
61
62 return true;
63 }
64
72 public function deleteRole($a_rol_id,$a_ref_id)
73 {
74 global $lng,$ilDB;
75
76 if (!isset($a_rol_id) or !isset($a_ref_id))
77 {
78 $message = get_class($this)."::deleteRole(): Missing parameter! role_id: ".$a_rol_id." ref_id of role folder: ".$a_ref_id;
79 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
80 }
81
82 // exclude system role from rbac
83 if ($a_rol_id == SYSTEM_ROLE_ID)
84 {
85 $this->ilErr->raiseError($lng->txt("msg_sysrole_not_deletable"),$this->ilErr->MESSAGE);
86 }
87
88 include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
89 $mapping = ilLDAPRoleGroupMapping::_getInstance();
90 $mapping->deleteRole($a_rol_id);
91
92
93 // TODO: check assigned users before deletion
94 // This is done in ilObjRole. Should be better moved to this place?
95
96 // delete user assignements
97 $query = "DELETE FROM rbac_ua ".
98 "WHERE rol_id = ".$ilDB->quote($a_rol_id,'integer');
99 $res = $ilDB->manipulate($query);
100
101 // delete permission assignments
102 $query = "DELETE FROM rbac_pa ".
103 "WHERE rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
104 $res = $ilDB->manipulate($query);
105
106 //delete rbac_templates and rbac_fa
107 $this->deleteLocalRole($a_rol_id);
108
109 return true;
110 }
111
118 public function deleteTemplate($a_obj_id)
119 {
120 global $ilDB;
121
122 if (!isset($a_obj_id))
123 {
124 $message = get_class($this)."::deleteTemplate(): No obj_id given!";
125 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
126 }
127
128 $query = 'DELETE FROM rbac_templates '.
129 'WHERE rol_id = '.$ilDB->quote($a_obj_id,'integer');
130 $res = $ilDB->manipulate($query);
131
132 $query = 'DELETE FROM rbac_fa '.
133 'WHERE rol_id = '.$ilDB->quote($a_obj_id,'integer');
134 $res = $ilDB->manipulate($query);
135
136 return true;
137 }
138
146 public function deleteLocalRole($a_rol_id,$a_ref_id = 0)
147 {
148 global $ilDB;
149
150 if (!isset($a_rol_id))
151 {
152 $message = get_class($this)."::deleteLocalRole(): Missing parameter! role_id: '".$a_rol_id."'";
153 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
154 }
155
156 // exclude system role from rbac
157 if ($a_rol_id == SYSTEM_ROLE_ID)
158 {
159 return true;
160 }
161
162 if ($a_ref_id != 0)
163 {
164 $clause = 'AND parent = '.$ilDB->quote($a_ref_id,'integer').' ';
165 }
166
167 $query = 'DELETE FROM rbac_fa '.
168 'WHERE rol_id = '.$ilDB->quote($a_rol_id,'integer').' '.
169 $clause;
170 $res = $ilDB->manipulate($query);
171
172 $query = 'DELETE FROM rbac_templates '.
173 'WHERE rol_id = '.$ilDB->quote($a_rol_id,'integer').' '.
174 $clause;
175 $res = $ilDB->manipulate($query);
176 return true;
177 }
178
185 public function assignUserLimited($a_role_id, $a_usr_id, $a_limit, $a_limited_roles = array())
186 {
187 global $ilDB;
188
189 $GLOBALS['ilDB']->lockTables(
190 array(
191 0 => array('name' => 'rbac_ua', 'type' => ilDB::LOCK_WRITE)
192 )
193 );
194
195 $limit_query = 'SELECT COUNT(*) num FROM rbac_ua '.
196 'WHERE '.$GLOBALS['ilDB']->in('rol_id',(array) $a_limited_roles,FALSE,'integer');
197 $res = $GLOBALS['ilDB']->query($limit_query);
198 $row = $res->fetchRow(DB_FETCHMODE_OBJECT);
199 if($row->num >= $a_limit)
200 {
201 $GLOBALS['ilDB']->unlockTables();
202 return FALSE;
203 }
204
205 $query = "INSERT INTO rbac_ua (usr_id, rol_id) ".
206 "VALUES (".
207 $ilDB->quote($a_usr_id,'integer').",".$ilDB->quote($a_role_id,'integer').
208 ")";
209 $res = $ilDB->manipulate($query);
210
211 $GLOBALS['ilDB']->unlockTables();
212 $GLOBALS['rbacreview']->setAssignedCacheEntry($a_role_id,$a_usr_id,TRUE);
213
214 $this->addDesktopItem($a_role_id,$a_usr_id);
215
216 include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
217 $mapping = ilLDAPRoleGroupMapping::_getInstance();
218 $mapping->assign($a_role_id,$a_usr_id);
219 return TRUE;
220 }
221
227 protected function addDesktopItem($a_rol_id, $a_usr_id)
228 {
229 include_once 'Services/AccessControl/classes/class.ilRoleDesktopItem.php';
230 $role_desk_item_obj = new ilRoleDesktopItem($a_rol_id);
231 foreach($role_desk_item_obj->getAll() as $item_data)
232 {
233 include_once './Services/User/classes/class.ilObjUser.php';
234 ilObjUser::_addDesktopItem($a_usr_id, $item_data['item_id'], $item_data['item_type']);
235 }
236 }
237
238
248 public function assignUser($a_rol_id,$a_usr_id)
249 {
250 global $ilDB,$rbacreview;
251
252 if (!isset($a_rol_id) or !isset($a_usr_id))
253 {
254 $message = get_class($this)."::assignUser(): Missing parameter! role_id: ".$a_rol_id." usr_id: ".$a_usr_id;
255 #$this->ilErr->raiseError($message,$this->ilErr->WARNING);
256 }
257
258 // check if already assigned user id and role_id
259 $alreadyAssigned = $rbacreview->isAssigned($a_usr_id,$a_rol_id);
260
261 // enhanced: only if we haven't had this role for this user
262 if (!$alreadyAssigned)
263 {
264 $query = "INSERT INTO rbac_ua (usr_id, rol_id) ".
265 "VALUES (".$ilDB->quote($a_usr_id,'integer').",".$ilDB->quote($a_rol_id,'integer').")";
266 $res = $ilDB->manipulate($query);
267
268 $this->addDesktopItem($a_rol_id, $a_usr_id);
269
270 $rbacreview->setAssignedCacheEntry($a_rol_id,$a_usr_id,true);
271 }
272
273 include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
274 $mapping = ilLDAPRoleGroupMapping::_getInstance();
275 $mapping->assign($a_rol_id,$a_usr_id);
276
277 return true;
278 }
279
287 public function deassignUser($a_rol_id,$a_usr_id)
288 {
289 global $ilDB, $rbacreview;
290
291 if (!isset($a_rol_id) or !isset($a_usr_id))
292 {
293 $message = get_class($this)."::deassignUser(): Missing parameter! role_id: ".$a_rol_id." usr_id: ".$a_usr_id;
294 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
295 }
296
297 $query = "DELETE FROM rbac_ua ".
298 "WHERE usr_id = ".$ilDB->quote($a_usr_id,'integer')." ".
299 "AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
300 $res = $ilDB->manipulate($query);
301
302 $rbacreview->setAssignedCacheEntry($a_rol_id,$a_usr_id,false);
303
304 include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
305 $mapping = ilLDAPRoleGroupMapping::_getInstance();
306 $mapping->deassign($a_rol_id,$a_usr_id);
307
308 return true;
309 }
310
319 public function grantPermission($a_rol_id,$a_ops,$a_ref_id)
320 {
321 global $ilDB;
322
323 if (!isset($a_rol_id) or !isset($a_ops) or !isset($a_ref_id))
324 {
325 $this->ilErr->raiseError(get_class($this)."::grantPermission(): Missing parameter! ".
326 "role_id: ".$a_rol_id." ref_id: ".$a_ref_id." operations: ",$this->ilErr->WARNING);
327 }
328
329 if (!is_array($a_ops))
330 {
331 $this->ilErr->raiseError(get_class($this)."::grantPermission(): Wrong datatype for operations!",
332 $this->ilErr->WARNING);
333 }
334
335 /*
336 if (count($a_ops) == 0)
337 {
338 return false;
339 }
340 */
341 // exclude system role from rbac
342 if ($a_rol_id == SYSTEM_ROLE_ID)
343 {
344 return true;
345 }
346
347 // convert all values to integer
348 foreach ($a_ops as $key => $operation)
349 {
350 $a_ops[$key] = (int) $operation;
351 }
352
353 // Serialization des ops_id Arrays
354 $ops_ids = serialize($a_ops);
355
356 $query = 'DELETE FROM rbac_pa '.
357 'WHERE rol_id = %s '.
358 'AND ref_id = %s';
359 $res = $ilDB->queryF($query,array('integer','integer'),
360 array($a_rol_id,$a_ref_id));
361
362 if(!count($a_ops))
363 {
364 return false;
365 }
366
367 $query = "INSERT INTO rbac_pa (rol_id,ops_id,ref_id) ".
368 "VALUES ".
369 "(".$ilDB->quote($a_rol_id,'integer').",".$ilDB->quote($ops_ids,'text').",".$ilDB->quote($a_ref_id,'integer').")";
370 $res = $ilDB->manipulate($query);
371
372 return true;
373 }
374
384 public function revokePermission($a_ref_id,$a_rol_id = 0,$a_keep_protected = true)
385 {
386 global $rbacreview,$log,$ilDB,$ilLog;
387
388 if (!isset($a_ref_id))
389 {
390 $ilLog->logStack();
391 $message = get_class($this)."::revokePermission(): Missing parameter! ref_id: ".$a_ref_id;
392 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
393 }
394#$log->write("ilRBACadmin::revokePermission(), 0");
395
396 // bypass protected status of roles
397 if ($a_keep_protected != true)
398 {
399 // exclude system role from rbac
400 if ($a_rol_id == SYSTEM_ROLE_ID)
401 {
402 return true;
403 }
404
405 if ($a_rol_id)
406 {
407 $and1 = " AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
408 }
409 else
410 {
411 $and1 = "";
412 }
413
414 $query = "DELETE FROM rbac_pa ".
415 "WHERE ref_id = ".$ilDB->quote($a_ref_id,'integer').
416 $and1;
417
418 $res = $ilDB->manipulate($query);
419
420 return true;
421 }
422
423 // consider protected status of roles
424
425 // in any case, get all roles in scope first
426 $roles_in_scope = $rbacreview->getParentRoleIds($a_ref_id);
427
428 if (!$a_rol_id)
429 {
430#$log->write("ilRBACadmin::revokePermission(), 1");
431
432 $role_ids = array();
433
434 foreach ($roles_in_scope as $role)
435 {
436 if ($role['protected'] == true)
437 {
438 continue;
439 }
440
441 $role_ids[] = $role['obj_id'];
442 }
443
444 // return if no role in array
445 if (!$role_ids)
446 {
447 return true;
448 }
449
450 $query = 'DELETE FROM rbac_pa '.
451 'WHERE '.$ilDB->in('rol_id',$role_ids,false,'integer').' '.
452 'AND ref_id = '.$ilDB->quote($a_ref_id,'integer');
453 $res = $ilDB->manipulate($query);
454 }
455 else
456 {
457#$log->write("ilRBACadmin::revokePermission(), 2");
458 // exclude system role from rbac
459 if ($a_rol_id == SYSTEM_ROLE_ID)
460 {
461 return true;
462 }
463
464 // exclude protected permission settings from revoking
465 if ($roles_in_scope[$a_rol_id]['protected'] == true)
466 {
467 return true;
468 }
469
470 $query = "DELETE FROM rbac_pa ".
471 "WHERE ref_id = ".$ilDB->quote($a_ref_id,'integer')." ".
472 "AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
473 $res = $ilDB->manipulate($query);
474 }
475
476 return true;
477 }
478
485 public function revokeSubtreePermissions($a_ref_id,$a_role_id)
486 {
487 global $ilDB;
488
489 $query = 'DELETE FROM rbac_pa '.
490 'WHERE ref_id IN '.
491 '( '.$GLOBALS['tree']->getSubTreeQuery($a_ref_id,array('child')).' ) '.
492 'AND rol_id = '.$ilDB->quote($a_role_id,'integer');
493
494 $ilDB->manipulate($query);
495 return true;
496 }
497
504 public function deleteSubtreeTemplates($a_ref_id,$a_rol_id)
505 {
506 global $ilDB;
507
508 $query = 'DELETE FROM rbac_templates '.
509 'WHERE parent IN ( '.
510 $GLOBALS['tree']->getSubTreeQuery($a_ref_id, array('child')).' ) '.
511 'AND rol_id = '.$ilDB->quote($a_rol_id,'integer');
512
513 $ilDB->manipulate($query);
514
515 $query = 'DELETE FROM rbac_fa '.
516 'WHERE parent IN ( '.
517 $GLOBALS['tree']->getSubTreeQuery($a_ref_id,array('child')).' ) '.
518 'AND rol_id = '.$ilDB->quote($a_rol_id,'integer');
519
520 $ilDB->manipulate($query);
521
522 return true;
523 }
524
532 public function revokePermissionList($a_ref_ids,$a_rol_id)
533 {
534 global $ilDB;
535
536 if (!isset($a_ref_ids) or !is_array($a_ref_ids))
537 {
538 $message = get_class($this)."::revokePermissionList(): Missing parameter or parameter is not an array! reference_list: ".var_dump($a_ref_ids);
539 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
540 }
541
542 if (!isset($a_rol_id))
543 {
544 $message = get_class($this)."::revokePermissionList(): Missing parameter! rol_id: ".$a_rol_id;
545 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
546 }
547
548 // exclude system role from rbac
549 if ($a_rol_id == SYSTEM_ROLE_ID)
550 {
551 return true;
552 }
553
554 $query = "DELETE FROM rbac_pa ".
555 "WHERE ".$ilDB->in('ref_id',$a_ref_ids,false,'integer').' '.
556 "AND rol_id = ".$ilDB->quote($a_rol_id,'integer');
557 $res = $ilDB->manipulate($query);
558
559 return true;
560 }
561
572 public function copyRolePermissions($a_source_id,$a_source_parent,$a_dest_parent,$a_dest_id,$a_consider_protected = true)
573 {
574 global $tree,$rbacreview;
575
576 // Copy template permissions
577 $this->copyRoleTemplatePermissions($a_source_id,$a_source_parent,$a_dest_parent,$a_dest_id,$a_consider_protected);
578
579 $ops = $rbacreview->getRoleOperationsOnObject($a_source_id,$a_source_parent);
580
581 $this->revokePermission($a_dest_parent,$a_dest_id);
582 $this->grantPermission($a_dest_id,$ops,$a_dest_parent);
583 return true;
584 }
585
596 public function copyRoleTemplatePermissions($a_source_id,$a_source_parent,$a_dest_parent,$a_dest_id,$a_consider_protected = true)
597 {
598 global $rbacreview,$ilDB;
599
600 if (!isset($a_source_id) or !isset($a_source_parent) or !isset($a_dest_id) or !isset($a_dest_parent))
601 {
602 $message = __METHOD__.": Missing parameter! source_id: ".$a_source_id.
603 " source_parent_id: ".$a_source_parent.
604 " dest_id : ".$a_dest_id.
605 " dest_parent_id: ".$a_dest_parent;
606 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
607 }
608
609 // exclude system role from rbac
610 if ($a_dest_id == SYSTEM_ROLE_ID)
611 {
612 return true;
613 }
614
615 // Read operations
616 $query = 'SELECT * FROM rbac_templates '.
617 'WHERE rol_id = '.$ilDB->quote($a_source_id,'integer').' '.
618 'AND parent = '.$ilDB->quote($a_source_parent,'integer');
619 $res = $ilDB->query($query);
620 $operations = array();
621 $rownum = 0;
622 while ($row = $ilDB->fetchObject($res))
623 {
624 $operations[$rownum]['type'] = $row->type;
625 $operations[$rownum]['ops_id'] = $row->ops_id;
626 $rownum++;
627 }
628
629 // Delete target permissions
630 $query = 'DELETE FROM rbac_templates WHERE rol_id = '.$ilDB->quote($a_dest_id,'integer').' '.
631 'AND parent = '.$ilDB->quote($a_dest_parent,'integer');
632 $res = $ilDB->manipulate($query);
633
634 foreach($operations as $row => $op)
635 {
636 $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
637 'VALUES ('.
638 $ilDB->quote($a_dest_id,'integer').",".
639 $ilDB->quote($op['type'],'text').",".
640 $ilDB->quote($op['ops_id'],'integer').",".
641 $ilDB->quote($a_dest_parent,'integer').")";
642 $ilDB->manipulate($query);
643 }
644
645 // copy also protection status if applicable
646 if ($a_consider_protected == true)
647 {
648 if ($rbacreview->isProtected($a_source_parent,$a_source_id))
649 {
650 $this->setProtected($a_dest_parent,$a_dest_id,'y');
651 }
652 }
653
654 return true;
655 }
669 public function copyRolePermissionIntersection($a_source1_id,$a_source1_parent,$a_source2_id,$a_source2_parent,$a_dest_parent,$a_dest_id)
670 {
671 global $rbacreview,$ilDB;
672
673 if (!isset($a_source1_id) or !isset($a_source1_parent)
674 or !isset($a_source2_id) or !isset($a_source2_parent)
675 or !isset($a_dest_id) or !isset($a_dest_parent))
676 {
677 $message = get_class($this)."::copyRolePermissionIntersection(): Missing parameter! source1_id: ".$a_source1_id.
678 " source1_parent: ".$a_source1_parent.
679 " source2_id: ".$a_source2_id.
680 " source2_parent: ".$a_source2_parent.
681 " dest_id: ".$a_dest_id.
682 " dest_parent_id: ".$a_dest_parent;
683 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
684 }
685
686 // exclude system role from rbac
687 if ($a_dest_id == SYSTEM_ROLE_ID)
688 {
689 return true;
690 }
691
692 if ($rbacreview->isProtected($a_source2_parent,$a_source2_id))
693 {
694 $GLOBALS['ilLog']->write(__METHOD__.': Role is protected');
695 return true;
696 }
697
698 $query = "SELECT s1.type, s1.ops_id ".
699 "FROM rbac_templates s1, rbac_templates s2 ".
700 "WHERE s1.rol_id = ".$ilDB->quote($a_source1_id,'integer')." ".
701 "AND s1.parent = ".$ilDB->quote($a_source1_parent,'integer')." ".
702 "AND s2.rol_id = ".$ilDB->quote($a_source2_id,'integer')." ".
703 "AND s2.parent = ".$ilDB->quote($a_source2_parent,'integer')." ".
704 "AND s1.type = s2.type ".
705 "AND s1.ops_id = s2.ops_id";
706 $res = $ilDB->query($query);
707 $operations = array();
708 $rowNum = 0;
709 while($row = $res->fetchRow(DB_FETCHMODE_OBJECT))
710 {
711 $operations[$rowNum]['type'] = $row->type;
712 $operations[$rowNum]['ops_id'] = $row->ops_id;
713
714 $rowNum++;
715 }
716
717 // Delete template permissions of target
718 $query = 'DELETE FROM rbac_templates WHERE rol_id = '.$ilDB->quote($a_dest_id,'integer').' '.
719 'AND parent = '.$ilDB->quote($a_dest_parent,'integer');
720 $res = $ilDB->manipulate($query);
721
722 $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
723 'VALUES (?,?,?,?)';
724 $sta = $ilDB->prepareManip($query,array('integer','text','integer','integer'));
725 foreach($operations as $key => $set)
726 {
727 $ilDB->execute($sta,array(
728 $a_dest_id,
729 $set['type'],
730 $set['ops_id'],
731 $a_dest_parent));
732 }
733 return true;
734 }
735
747 public function copyRolePermissionUnion(
748 $a_source1_id,
749 $a_source1_parent,
750 $a_source2_id,
751 $a_source2_parent,
752 $a_dest_id,
753 $a_dest_parent)
754 {
755 global $ilDB, $rbacreview;
756
757
758 $s1_ops = $rbacreview->getAllOperationsOfRole($a_source1_id,$a_source1_parent);
759 $s2_ops = $rbacreview->getAlloperationsOfRole($a_source2_id,$a_source2_parent);
760
761 $this->deleteRolePermission($a_dest_id, $a_dest_parent);
762
763 $GLOBALS['ilLog']->write(__METHOD__.': '.print_r($s1_ops,TRUE));
764 $GLOBALS['ilLog']->write(__METHOD__.': '.print_r($s2_ops,TRUE));
765
766 foreach($s1_ops as $type => $ops)
767 {
768 foreach($ops as $op)
769 {
770 // insert all permission of source 1
771 // #15469
772 $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
773 'VALUES( '.
774 $ilDB->quote($a_dest_id,'integer').', '.
775 $ilDB->quote($type,'text').', '.
776 $ilDB->quote($op,'integer').', '.
777 $ilDB->quote($a_dest_parent,'integer').' '.
778 ')';
779 $ilDB->manipulate($query);
780 }
781 }
782
783 // and the other direction...
784 foreach($s2_ops as $type => $ops)
785 {
786 foreach($ops as $op)
787 {
788 if(!isset($s1_ops[$type]) or !in_array($op, $s1_ops[$type]))
789 {
790 $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
791 'VALUES( '.
792 $ilDB->quote($a_dest_id,'integer').', '.
793 $ilDB->quote($type,'text').', '.
794 $ilDB->quote($op,'integer').', '.
795 $ilDB->quote($a_dest_parent,'integer').' '.
796 ')';
797 $ilDB->manipulate($query);
798 }
799 }
800 }
801
802 return true;
803 }
804
812 public function copyRolePermissionSubtract($a_source_id, $a_source_parent, $a_dest_id, $a_dest_parent)
813 {
814 global $rbacreview, $ilDB;
815
816 $s1_ops = $rbacreview->getAllOperationsOfRole($a_source_id,$a_source_parent);
817 $d_ops = $rbacreview->getAllOperationsOfRole($a_dest_id,$a_dest_parent);
818
819 foreach($s1_ops as $type => $ops)
820 {
821 foreach($ops as $op)
822 {
823 if(isset($d_ops[$type]) and in_array($op, $d_ops[$type]))
824 {
825 $query = 'DELETE FROM rbac_templates '.
826 'WHERE rol_id = '.$ilDB->quote($a_dest_id,'integer').' '.
827 'AND type = '.$ilDB->quote($type,'text').' '.
828 'AND ops_id = '.$ilDB->quote($op,'integer').' '.
829 'AND parent = '.$ilDB->quote($a_dest_parent,'integer');
830 $ilDB->manipulate($query);
831 }
832 }
833 }
834 return true;
835 }
836
837
848 public function deleteRolePermission($a_rol_id,$a_ref_id,$a_type = false)
849 {
850 global $ilDB;
851
852 if (!isset($a_rol_id) or !isset($a_ref_id))
853 {
854 $message = get_class($this)."::deleteRolePermission(): Missing parameter! role_id: ".$a_rol_id." ref_id: ".$a_ref_id;
855 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
856 }
857
858 // exclude system role from rbac
859 if ($a_rol_id == SYSTEM_ROLE_ID)
860 {
861 return true;
862 }
863
864 if ($a_type !== false)
865 {
866 $and_type = " AND type=".$ilDB->quote($a_type,'text')." ";
867 }
868
869 $query = 'DELETE FROM rbac_templates '.
870 'WHERE rol_id = '.$ilDB->quote($a_rol_id,'integer').' '.
871 'AND parent = '.$ilDB->quote($a_ref_id,'integer').' '.
872 $and_type;
873
874 $res = $ilDB->manipulate($query);
875
876 return true;
877 }
878
889 public function setRolePermission($a_rol_id,$a_type,$a_ops,$a_ref_id)
890 {
891 global $ilDB;
892
893 if (!isset($a_rol_id) or !isset($a_type) or !isset($a_ops) or !isset($a_ref_id))
894 {
895 $message = get_class($this)."::setRolePermission(): Missing parameter!".
896 " role_id: ".$a_rol_id.
897 " type: ".$a_type.
898 " operations: ".$a_ops.
899 " ref_id: ".$a_ref_id;
900 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
901 }
902
903 if (!is_string($a_type) or empty($a_type))
904 {
905 $message = get_class($this)."::setRolePermission(): a_type is no string or empty!";
906 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
907 }
908
909 if (!is_array($a_ops) or empty($a_ops))
910 {
911 $message = get_class($this)."::setRolePermission(): a_ops is no array or empty!";
912 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
913 }
914
915 // exclude system role from rbac
916 if ($a_rol_id == SYSTEM_ROLE_ID)
917 {
918 return true;
919 }
920
921 $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
922 'VALUES (?,?,?,?)';
923 $sta = $ilDB->prepareManip($query,array('integer','text','integer','integer'));
924 foreach ($a_ops as $op)
925 {
926 $res = $ilDB->execute($sta,array(
927 $a_rol_id,
928 $a_type,
929 $op,
930 $a_ref_id
931 ));
932 }
933
934 return true;
935 }
936
950 public function assignRoleToFolder($a_rol_id,$a_parent,$a_assign = "y")
951 {
952 global $ilDB,$rbacreview;
953
954 if (!isset($a_rol_id) or !isset($a_parent))
955 {
956 $message = get_class($this)."::assignRoleToFolder(): Missing Parameter!".
957 " role_id: ".$a_rol_id.
958 " parent_id: ".$a_parent.
959 " assign: ".$a_assign;
960 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
961 }
962
963 // exclude system role from rbac
964 if ($a_rol_id == SYSTEM_ROLE_ID)
965 {
966 return true;
967 }
968
969 // if a wrong value is passed, always set assign to "n"
970 if ($a_assign != "y")
971 {
972 $a_assign = "n";
973 }
974
975 $query = sprintf('INSERT INTO rbac_fa (rol_id, parent, assign, protected) '.
976 'VALUES (%s,%s,%s,%s)',
977 $ilDB->quote($a_rol_id,'integer'),
978 $ilDB->quote($a_parent,'integer'),
979 $ilDB->quote($a_assign,'text'),
980 $ilDB->quote('n','text'));
981 $res = $ilDB->manipulate($query);
982
983 return true;
984 }
985
994 public function assignOperationToObject($a_type_id,$a_ops_id)
995 {
996 global $ilDB;
997
998 if (!isset($a_type_id) or !isset($a_ops_id))
999 {
1000 $message = get_class($this)."::assignOperationToObject(): Missing parameter!".
1001 "type_id: ".$a_type_id.
1002 "ops_id: ".$a_ops_id;
1003 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
1004 }
1005
1006 $query = "INSERT INTO rbac_ta (typ_id, ops_id) ".
1007 "VALUES(".$ilDB->quote($a_type_id,'integer').",".$ilDB->quote($a_ops_id,'integer').")";
1008 $res = $ilDB->manipulate($query);
1009 return true;
1010 }
1011
1020 function deassignOperationFromObject($a_type_id,$a_ops_id)
1021 {
1022 global $ilDB;
1023
1024 if (!isset($a_type_id) or !isset($a_ops_id))
1025 {
1026 $message = get_class($this)."::deassignPermissionFromObject(): Missing parameter!".
1027 "type_id: ".$a_type_id.
1028 "ops_id: ".$a_ops_id;
1029 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
1030 }
1031
1032 $query = "DELETE FROM rbac_ta ".
1033 "WHERE typ_id = ".$ilDB->quote($a_type_id,'integer')." ".
1034 "AND ops_id = ".$ilDB->quote($a_ops_id,'integer');
1035 $res = $ilDB->manipulate($query);
1036
1037 return true;
1038 }
1039
1048 public function setProtected($a_ref_id,$a_role_id,$a_value)
1049 {
1050 global $ilDB;
1051
1052 // ref_id not used yet. protected permission acts 'global' for each role,
1053 // regardless of any broken inheritance before
1054 $query = 'UPDATE rbac_fa '.
1055 'SET protected = '.$ilDB->quote($a_value,'text').' '.
1056 'WHERE rol_id = '.$ilDB->quote($a_role_id,'integer');
1057 $res = $ilDB->manipulate($query);
1058 return true;
1059 }
1060
1071 public function copyLocalRoles($a_source_id,$a_target_id)
1072 {
1073 global $rbacreview,$ilLog,$ilObjDataCache;
1074
1075 $real_local = array();
1076 foreach($rbacreview->getRolesOfRoleFolder($a_source_id,false) as $role_data)
1077 {
1078 $title = $ilObjDataCache->lookupTitle($role_data);
1079 if(substr($title,0,3) == 'il_')
1080 {
1081 continue;
1082 }
1083 $real_local[] = $role_data;
1084 }
1085 if(!count($real_local))
1086 {
1087 return true;
1088 }
1089 // Create role folder
1090 foreach($real_local as $role)
1091 {
1092 include_once ("./Services/AccessControl/classes/class.ilObjRole.php");
1093 $orig = new ilObjRole($role);
1094 $orig->read();
1095
1096 $ilLog->write(__METHOD__.': Start copying of role '.$orig->getTitle());
1097 $roleObj = new ilObjRole();
1098 $roleObj->setTitle($orig->getTitle());
1099 $roleObj->setDescription($orig->getDescription());
1100 $roleObj->setImportId($orig->getImportId());
1101 $roleObj->create();
1102
1103 $this->assignRoleToFolder($roleObj->getId(),$a_target_id,"y");
1104 $this->copyRolePermissions($role,$a_source_id,$a_target_id,$roleObj->getId(),true);
1105 $ilLog->write(__METHOD__.': Added new local role, id '.$roleObj->getId());
1106 }
1107
1108 }
1109
1120 public function initIntersectionPermissions($a_ref_id, $a_role_id, $a_role_parent, $a_template_id, $a_template_parent)
1121 {
1122 global $rbacreview;
1123
1124 if($rbacreview->isProtected($a_role_parent, $a_role_id))
1125 {
1126 // Assign object permissions
1127 $new_ops = $rbacreview->getOperationsOfRole(
1128 $a_role_id,
1129 ilObject::_lookupType($a_ref_id, true),
1130 $a_role_parent
1131 );
1132
1133 // set new permissions for object
1134 $this->grantPermission(
1135 $a_role_id,
1136 (array) $new_ops,
1137 $a_ref_id
1138 );
1139 return;
1140 }
1141 if(!$a_template_id)
1142 {
1143 return;
1144 }
1145 // create template permission intersection
1146 $this->copyRolePermissionIntersection(
1147 $a_template_id,
1148 $a_template_parent,
1149 $a_role_id,
1150 $a_role_parent,
1151 $a_ref_id,
1152 $a_role_id
1153 );
1154
1155 // assign role to folder
1156 $this->assignRoleToFolder(
1157 $a_role_id,
1158 $a_ref_id,
1159 'n'
1160 );
1161
1162 // Assign object permissions
1163 $new_ops = $rbacreview->getOperationsOfRole(
1164 $a_role_id,
1165 ilObject::_lookupType($a_ref_id, true),
1166 $a_ref_id
1167 );
1168
1169 // set new permissions for object
1170 $this->grantPermission(
1171 $a_role_id,
1172 (array) $new_ops,
1173 $a_ref_id
1174 );
1175
1176 return;
1177 }
1178
1190 public function adjustMovedObjectPermissions($a_ref_id,$a_old_parent)
1191 {
1192 global $rbacreview,$tree,$ilLog;
1193
1194 $new_parent = $tree->getParentId($a_ref_id);
1195 $old_context_roles = $rbacreview->getParentRoleIds($a_old_parent,false);
1196 $new_context_roles = $rbacreview->getParentRoleIds($new_parent,false);
1197
1198 $for_addition = $for_deletion = array();
1199 foreach($new_context_roles as $new_role_id => $new_role)
1200 {
1201 if(!isset($old_context_roles[$new_role_id]))
1202 {
1203 $for_addition[$new_role_id] = $new_role;
1204 }
1205 elseif($new_role['parent'] != $old_context_roles[$new_role_id]['parent'])
1206 {
1207 // handle stopped inheritance
1208 $for_deletion[$new_role_id] = $new_role;
1209 $for_addition[$new_role_id] = $new_role;
1210 }
1211 }
1212 foreach($old_context_roles as $old_role_id => $old_role)
1213 {
1214 if(!isset($new_context_roles[$old_role_id]))
1215 {
1216 $for_deletion[$old_role_id] = $old_role;
1217 }
1218 }
1219
1220 if(!count($for_deletion) and !count($for_addition))
1221 {
1222 return true;
1223 }
1224
1225 include_once "Services/AccessControl/classes/class.ilRbacLog.php";
1226 $rbac_log_active = ilRbacLog::isActive();
1227 if($rbac_log_active)
1228 {
1229 $role_ids = array_unique(array_merge(array_keys($for_deletion), array_keys($for_addition)));
1230 }
1231
1232 foreach($nodes = $tree->getSubTree($tree->getNodeData($a_ref_id),true) as $node_data)
1233 {
1234 $node_id = $node_data['child'];
1235
1236 if($rbac_log_active)
1237 {
1238 $log_old = ilRbacLog::gatherFaPa($node_id, $role_ids);
1239 }
1240
1241 // If $node_data['type'] is not set, this means there is a tree entry without
1242 // object_reference and/or object_data entry
1243 // Continue in this case
1244 if(!$node_data['type'])
1245 {
1246 $ilLog->write(__METHOD__.': No type give. Choosing next tree entry.');
1247 continue;
1248 }
1249
1250 if(!$node_id)
1251 {
1252 $ilLog->write(__METHOD__.': Missing subtree node_id');
1253 continue;
1254 }
1255
1256 foreach($for_deletion as $role_id => $role_data)
1257 {
1258 $this->deleteLocalRole($role_id,$node_id);
1259 $this->revokePermission($node_id,$role_id,false);
1260//var_dump("<pre>",'REVOKE',$role_id,$node_id,$rolf_id,"</pre>");
1261 }
1262 foreach($for_addition as $role_id => $role_data)
1263 {
1264 switch($node_data['type'])
1265 {
1266 case 'grp':
1267 include_once './Modules/Group/classes/class.ilObjGroup.php';
1268 $tpl_id = ilObjGroup::lookupGroupStatusTemplateId($node_data['obj_id']);
1269 $this->initIntersectionPermissions(
1270 $node_data['child'],
1271 $role_id,
1272 $role_data['parent'],
1273 $tpl_id,
1274 ROLE_FOLDER_ID
1275 );
1276 break;
1277
1278 case 'crs':
1279 include_once './Modules/Course/classes/class.ilObjCourse.php';
1280 $tpl_id = ilObjCourse::lookupCourseNonMemberTemplatesId();
1281 $this->initIntersectionPermissions(
1282 $node_data['child'],
1283 $role_id,
1284 $role_data['parent'],
1285 $tpl_id,
1286 ROLE_FOLDER_ID
1287 );
1288 break;
1289
1290
1291 default:
1292 $this->grantPermission(
1293 $role_id,
1294 $ops = $rbacreview->getOperationsOfRole($role_id,$node_data['type'],$role_data['parent']),
1295 $node_id);
1296 break;
1297
1298
1299 }
1300
1301
1302//var_dump("<pre>",'GRANT',$role_id,$ops,$role_id,$node_data['type'],$role_data['parent'],"</pre>");
1303 }
1304
1305 if($rbac_log_active)
1306 {
1307 $log_new = ilRbacLog::gatherFaPa($node_id, $role_ids);
1308 $log = ilRbacLog::diffFaPa($log_old, $log_new);
1309 ilRbacLog::add(ilRbacLog::MOVE_OBJECT, $node_id, $log);
1310 }
1311 }
1312
1313 }
1314
1315
1322 public function copyEffectiveRolePermissions($a_source_ref_id, $target_ref_id, $a_subtree_id)
1323 {
1324 global $rbacreview;
1325
1326 $parent_roles = $rbacreview->getParentRoleIds($a_source_ref_id, FALSE);
1327 $GLOBALS['ilLog']->write(__METHOD__.': '. print_r($parent_roles,TRUE));
1328
1329
1330
1331 }
1332
1333
1334
1335
1336} // END class.ilRbacAdmin
1337?>
PEAR_ERROR_CALLBACK
const PEAR_ERROR_CALLBACK
Definition: PEAR.php:35
DB_FETCHMODE_OBJECT
const DB_FETCHMODE_OBJECT
Definition: class.ilDB.php:11
ilDB
Database Wrapper.
Definition: class.ilDB.php:29
ilDB\LOCK_WRITE
const LOCK_WRITE
Definition: class.ilDB.php:30
ilErrorHandling
Error Handling & global info handling uses PEAR error class.
Definition: class.ilErrorHandling.php:19
ilLDAPRoleGroupMapping\_getInstance
static _getInstance()
Get singleton instance of this class.
Definition: class.ilLDAPRoleGroupMapping.php:64
ilObjCourse\lookupCourseNonMemberTemplatesId
static lookupCourseNonMemberTemplatesId()
Lookup course non member id.
Definition: class.ilObjCourse.php:1572
ilObjGroup\lookupGroupStatusTemplateId
static lookupGroupStatusTemplateId($a_obj_id)
@global $ilDB $ilDB
Definition: class.ilObjGroup.php:1194
ilObjRole
Class ilObjRole.
Definition: class.ilObjRole.php:16
ilObjUser\_addDesktopItem
static _addDesktopItem($a_usr_id, $a_item_id, $a_type, $a_par="")
add an item to user's personal desktop
Definition: class.ilObjUser.php:3057
ilObject\_lookupType
static _lookupType($a_id, $a_reference=false)
lookup object type
Definition: class.ilObject.php:1183
ilRbacAdmin
Class ilRbacAdmin Core functions for role based access control.
Definition: class.ilRbacAdmin.php:19
ilRbacAdmin\setProtected
setProtected($a_ref_id, $a_role_id, $a_value)
Set protected @global $ilDB.
Definition: class.ilRbacAdmin.php:1048
ilRbacAdmin\revokePermission
revokePermission($a_ref_id, $a_rol_id=0, $a_keep_protected=true)
Revokes permissions of an object of one role.
Definition: class.ilRbacAdmin.php:384
ilRbacAdmin\deleteRole
deleteRole($a_rol_id, $a_ref_id)
Deletes a role and deletes entries in object_data, rbac_pa, rbac_templates, rbac_ua,...
Definition: class.ilRbacAdmin.php:72
ilRbacAdmin\deleteSubtreeTemplates
deleteSubtreeTemplates($a_ref_id, $a_rol_id)
Delete all template permissions of subtree nodes.
Definition: class.ilRbacAdmin.php:504
ilRbacAdmin\__construct
__construct()
Constructor @access public.
Definition: class.ilRbacAdmin.php:24
ilRbacAdmin\copyRolePermissions
copyRolePermissions($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected=true)
Copies template permissions and permission of one role to another.
Definition: class.ilRbacAdmin.php:572
ilRbacAdmin\deassignOperationFromObject
deassignOperationFromObject($a_type_id, $a_ops_id)
Deassign an existing operation from an object Update of rbac_ta @access public.
Definition: class.ilRbacAdmin.php:1020
ilRbacAdmin\adjustMovedObjectPermissions
adjustMovedObjectPermissions($a_ref_id, $a_old_parent)
Adjust permissions of moved objects.
Definition: class.ilRbacAdmin.php:1190
ilRbacAdmin\assignUser
assignUser($a_rol_id, $a_usr_id)
Assigns an user to a role.
Definition: class.ilRbacAdmin.php:248
ilRbacAdmin\assignRoleToFolder
assignRoleToFolder($a_rol_id, $a_parent, $a_assign="y")
Assigns a role to an role folder A role folder is an object to store roles.
Definition: class.ilRbacAdmin.php:950
ilRbacAdmin\removeUser
removeUser($a_usr_id)
deletes a user from rbac_ua all user <-> role relations are deleted @access public
Definition: class.ilRbacAdmin.php:49
ilRbacAdmin\assignUserLimited
assignUserLimited($a_role_id, $a_usr_id, $a_limit, $a_limited_roles=array())
Assign user limited.
Definition: class.ilRbacAdmin.php:185
ilRbacAdmin\deleteLocalRole
deleteLocalRole($a_rol_id, $a_ref_id=0)
Deletes a local role and entries in rbac_fa and rbac_templates @access public.
Definition: class.ilRbacAdmin.php:146
ilRbacAdmin\copyLocalRoles
copyLocalRoles($a_source_id, $a_target_id)
Copy local roles This method creates a copy of all local role.
Definition: class.ilRbacAdmin.php:1071
ilRbacAdmin\revokePermissionList
revokePermissionList($a_ref_ids, $a_rol_id)
Revokes permissions of a LIST of objects of ONE role.
Definition: class.ilRbacAdmin.php:532
ilRbacAdmin\setRolePermission
setRolePermission($a_rol_id, $a_type, $a_ops, $a_ref_id)
Inserts template permissions in rbac_templates for an specific object type.
Definition: class.ilRbacAdmin.php:889
ilRbacAdmin\initIntersectionPermissions
initIntersectionPermissions($a_ref_id, $a_role_id, $a_role_parent, $a_template_id, $a_template_parent)
Init intersection permissions.
Definition: class.ilRbacAdmin.php:1120
ilRbacAdmin\copyRoleTemplatePermissions
copyRoleTemplatePermissions($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected=true)
Copies template permissions of one role to another.
Definition: class.ilRbacAdmin.php:596
ilRbacAdmin\copyRolePermissionUnion
copyRolePermissionUnion( $a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_id, $a_dest_parent)
@global <type> $ilDB
Definition: class.ilRbacAdmin.php:747
ilRbacAdmin\deassignUser
deassignUser($a_rol_id, $a_usr_id)
Deassigns a user from a role.
Definition: class.ilRbacAdmin.php:287
ilRbacAdmin\copyEffectiveRolePermissions
copyEffectiveRolePermissions($a_source_ref_id, $target_ref_id, $a_subtree_id)
Copies all permission from source to target for all roles.
Definition: class.ilRbacAdmin.php:1322
ilRbacAdmin\revokeSubtreePermissions
revokeSubtreePermissions($a_ref_id, $a_role_id)
Revoke subtree permissions.
Definition: class.ilRbacAdmin.php:485
ilRbacAdmin\copyRolePermissionIntersection
copyRolePermissionIntersection($a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_parent, $a_dest_id)
Copies the intersection of the template permissions of two roles to a third role.
Definition: class.ilRbacAdmin.php:669
ilRbacAdmin\assignOperationToObject
assignOperationToObject($a_type_id, $a_ops_id)
Assign an existing operation to an object Update of rbac_ta.
Definition: class.ilRbacAdmin.php:994
ilRbacAdmin\deleteTemplate
deleteTemplate($a_obj_id)
Deletes a template from role folder and deletes all entries in rbac_templates, rbac_fa @access public...
Definition: class.ilRbacAdmin.php:118
ilRbacAdmin\grantPermission
grantPermission($a_rol_id, $a_ops, $a_ref_id)
Grants a permission to an object and a specific role.
Definition: class.ilRbacAdmin.php:319
ilRbacAdmin\deleteRolePermission
deleteRolePermission($a_rol_id, $a_ref_id, $a_type=false)
Deletes all entries of a template.
Definition: class.ilRbacAdmin.php:848
ilRbacAdmin\addDesktopItem
addDesktopItem($a_rol_id, $a_usr_id)
Add desktop item.
Definition: class.ilRbacAdmin.php:227
ilRbacAdmin\copyRolePermissionSubtract
copyRolePermissionSubtract($a_source_id, $a_source_parent, $a_dest_id, $a_dest_parent)
Subtract role permissions.
Definition: class.ilRbacAdmin.php:812
ilRbacLog\MOVE_OBJECT
const MOVE_OBJECT
Definition: class.ilRbacLog.php:17
ilRbacLog\diffFaPa
static diffFaPa(array $a_old, array $a_new)
Definition: class.ilRbacLog.php:77
ilRbacLog\add
static add($a_action, $a_ref_id, array $a_diff, $a_source_ref_id=false)
Definition: class.ilRbacLog.php:162
ilRbacLog\gatherFaPa
static gatherFaPa($a_ref_id, array $a_role_ids, $a_add_action=false)
Definition: class.ilRbacLog.php:36
ilRbacLog\isActive
static isActive()
Definition: class.ilRbacLog.php:25
if
if(!file_exists(getcwd().'/ilias.ini.php')) if(isset( $_GET["client_id"]))
registration confirmation script for ilias
Definition: confirmReg.php:20
$GLOBALS
$GLOBALS['ct_recipient']
Definition: example_form.ajax.php:4
$ilLog
$ilLog
Definition: inc.setup_header.php:132
$log
$log
Definition: inc.setup_header.php:131
$ilErr
$ilErr
Definition: inc.setup_header.php:81
$lng
global $lng
Definition: privfeed.php:40
$ilDB
global $ilDB
Definition: storeScorm2004.php:19