ILIAS  release_5-0 Revision 5.0.0-1144-gc4397b1f870
ilRbacAdmin Class Reference

Class ilRbacAdmin. Core functions for role-based access control.

Public Member Functions

 __construct ()
 Constructor. @access public

 removeUser ($a_usr_id)
 Deletes a user from rbac_ua; all user <-> role relations are deleted. @access public

 deleteRole ($a_rol_id, $a_ref_id)
 Deletes a role and deletes entries in object_data, rbac_pa, rbac_templates, rbac_ua, rbac_fa. @access public

 deleteTemplate ($a_obj_id)
 Deletes a template from role folder and deletes all entries in rbac_templates, rbac_fa. @access public

 deleteLocalRole ($a_rol_id, $a_ref_id=0)
 Deletes a local role and entries in rbac_fa and rbac_templates. @access public

 assignUserLimited ($a_role_id, $a_usr_id, $a_limit, $a_limited_roles=array())
 Assign user limited.

 assignUser ($a_rol_id, $a_usr_id)
 Assigns a user to a role.

 deassignUser ($a_rol_id, $a_usr_id)
 Deassigns a user from a role.

 grantPermission ($a_rol_id, $a_ops, $a_ref_id)
 Grants a permission to an object and a specific role.

 revokePermission ($a_ref_id, $a_rol_id=0, $a_keep_protected=true)
 Revokes permissions of an object of one role.

 revokeSubtreePermissions ($a_ref_id, $a_role_id)
 Revoke subtree permissions.

 deleteSubtreeTemplates ($a_ref_id, $a_rol_id)
 Delete all template permissions of subtree nodes.

 revokePermissionList ($a_ref_ids, $a_rol_id)
 Revokes permissions of a LIST of objects of ONE role.

 copyRolePermissions ($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected=true)
 Copies template permissions and permission of one role to another.

 copyRoleTemplatePermissions ($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected=true)
 Copies template permissions of one role to another.

 copyRolePermissionIntersection ($a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_parent, $a_dest_id)
 Copies the intersection of the template permissions of two roles to a third role.

 copyRolePermissionUnion ($a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_id, $a_dest_parent)
 @global <type> $ilDB

 copyRolePermissionSubtract ($a_source_id, $a_source_parent, $a_dest_id, $a_dest_parent)
 Subtract role permissions.

 deleteRolePermission ($a_rol_id, $a_ref_id, $a_type=false)
 Deletes all entries of a template.

 setRolePermission ($a_rol_id, $a_type, $a_ops, $a_ref_id)
 Inserts template permissions in rbac_templates for a specific object type.

 assignRoleToFolder ($a_rol_id, $a_parent, $a_assign="y")
 Assigns a role to a role folder. A role folder is an object to store roles.

 assignOperationToObject ($a_type_id, $a_ops_id)
 Assign an existing operation to an object. Update of rbac_ta.

 deassignOperationFromObject ($a_type_id, $a_ops_id)
 Deassign an existing operation from an object. Update of rbac_ta. @access public

 setProtected ($a_ref_id, $a_role_id, $a_value)
 Set protected. @global $ilDB

 copyLocalRoles ($a_source_id, $a_target_id)
 Copy local roles. This method creates a copy of all local roles.

 initIntersectionPermissions ($a_ref_id, $a_role_id, $a_role_parent, $a_template_id, $a_template_parent)
 Init intersection permissions.

 adjustMovedObjectPermissions ($a_ref_id, $a_old_parent)
 Adjust permissions of moved objects.

 copyEffectiveRolePermissions ($a_source_ref_id, $target_ref_id, $a_subtree_id)
 Copies all permission from source to target for all roles.


Protected Member Functions

 addDesktopItem ($a_rol_id, $a_usr_id)
 Add desktop item.


Detailed Description

Class ilRbacAdmin. Core functions for role-based access control.

Creation and maintenance of relations. The main relations of RBAC are the user <-> role (UR) assignment relation and the permission <-> role (PR) assignment relation. This class contains methods to create and delete instances of the UR relation, e.g. assignUser() and deassignUser(). The required methods for the PR relation are grantPermission() and revokePermission().

Author
Stefan Meyer meyer.nosp@m.@lei.nosp@m.fos.c.nosp@m.om
Version
$Id$

Definition at line 18 of file class.ilRbacAdmin.php.

Constructor & Destructor Documentation

◆ __construct()

ilRbacAdmin::__construct ( )

Constructor @access public.

Definition at line 24 of file class.ilRbacAdmin.php.

25 {
26 global $ilDB,$ilErr,$ilias;
27
28 // set db & error handler
29 (isset($ilDB)) ? $this->ilDB =& $ilDB : $this->ilDB =& $ilias->db;
30
31 if (!isset($ilErr))
32 {
33 $ilErr = new ilErrorHandling();
34 $ilErr->setErrorHandling(PEAR_ERROR_CALLBACK,array($ilErr,'errorHandler'));
35 }
36 else
37 {
38 $this->ilErr =& $ilErr;
39 }
40 }

References $ilDB, $ilErr, if, and PEAR_ERROR_CALLBACK.

Member Function Documentation

◆ addDesktopItem()

ilRbacAdmin::addDesktopItem (   $a_rol_id,
  $a_usr_id 
)
protected

Add desktop item.

Parameters
type $a_rol_id
type $a_usr_id

Definition at line 227 of file class.ilRbacAdmin.php.

228 {
229 include_once 'Services/AccessControl/classes/class.ilRoleDesktopItem.php';
230 $role_desk_item_obj = new ilRoleDesktopItem($a_rol_id);
231 foreach($role_desk_item_obj->getAll() as $item_data)
232 {
233 include_once './Services/User/classes/class.ilObjUser.php';
234 ilObjUser::_addDesktopItem($a_usr_id, $item_data['item_id'], $item_data['item_type']);
235 }
236 }

References ilObjUser\_addDesktopItem().

Referenced by assignUser(), and assignUserLimited().


◆ adjustMovedObjectPermissions()

ilRbacAdmin::adjustMovedObjectPermissions (   $a_ref_id,
  $a_old_parent 
)

Adjust permissions of moved objects.

  • Delete permissions of parent roles that do not exist in new context
  • Delete role templates of parent roles that do not exist in new context
  • Add permissions for parent roles that did not exist in old context

@access public

Parameters
int ref id of moved object
int ref_id of old parent

Definition at line 1190 of file class.ilRbacAdmin.php.

1191 {
1192 global $rbacreview,$tree,$ilLog;
1193
1194 $new_parent = $tree->getParentId($a_ref_id);
1195 $old_context_roles = $rbacreview->getParentRoleIds($a_old_parent,false);
1196 $new_context_roles = $rbacreview->getParentRoleIds($new_parent,false);
1197
1198 $for_addition = $for_deletion = array();
1199 foreach($new_context_roles as $new_role_id => $new_role)
1200 {
1201 if(!isset($old_context_roles[$new_role_id]))
1202 {
1203 $for_addition[$new_role_id] = $new_role;
1204 }
1205 elseif($new_role['parent'] != $old_context_roles[$new_role_id]['parent'])
1206 {
1207 // handle stopped inheritance
1208 $for_deletion[$new_role_id] = $new_role;
1209 $for_addition[$new_role_id] = $new_role;
1210 }
1211 }
1212 foreach($old_context_roles as $old_role_id => $old_role)
1213 {
1214 if(!isset($new_context_roles[$old_role_id]))
1215 {
1216 $for_deletion[$old_role_id] = $old_role;
1217 }
1218 }
1219
1220 if(!count($for_deletion) and !count($for_addition))
1221 {
1222 return true;
1223 }
1224
1225 include_once "Services/AccessControl/classes/class.ilRbacLog.php";
1226 $rbac_log_active = ilRbacLog::isActive();
1227 if($rbac_log_active)
1228 {
1229 $role_ids = array_unique(array_merge(array_keys($for_deletion), array_keys($for_addition)));
1230 }
1231
1232 foreach($nodes = $tree->getSubTree($tree->getNodeData($a_ref_id),true) as $node_data)
1233 {
1234 $node_id = $node_data['child'];
1235
1236 if($rbac_log_active)
1237 {
1238 $log_old = ilRbacLog::gatherFaPa($node_id, $role_ids);
1239 }
1240
1241 // If $node_data['type'] is not set, this means there is a tree entry without
1242 // object_reference and/or object_data entry
1243 // Continue in this case
1244 if(!$node_data['type'])
1245 {
1246 $ilLog->write(__METHOD__.': No type give. Choosing next tree entry.');
1247 continue;
1248 }
1249
1250 if(!$node_id)
1251 {
1252 $ilLog->write(__METHOD__.': Missing subtree node_id');
1253 continue;
1254 }
1255
1256 foreach($for_deletion as $role_id => $role_data)
1257 {
1258 $this->deleteLocalRole($role_id,$node_id);
1259 $this->revokePermission($node_id,$role_id,false);
1260//var_dump("<pre>",'REVOKE',$role_id,$node_id,$rolf_id,"</pre>");
1261 }
1262 foreach($for_addition as $role_id => $role_data)
1263 {
1264 switch($node_data['type'])
1265 {
1266 case 'grp':
1267 include_once './Modules/Group/classes/class.ilObjGroup.php';
1268 $tpl_id = ilObjGroup::lookupGroupStatusTemplateId($node_data['obj_id']);
1269 $this->initIntersectionPermissions(
1270 $node_data['child'],
1271 $role_id,
1272 $role_data['parent'],
1273 $tpl_id,
1274 ROLE_FOLDER_ID
1275 );
1276 break;
1277
1278 case 'crs':
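1279 include_once './Modules/Course/classes/class.ilObjCourse.php';
1280 $tpl_id = ilObjCourse::lookupCourseNonMemberTemplatesId();
1281 $this->initIntersectionPermissions(
1282 $node_data['child'],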
1283 $role_id,
1284 $role_data['parent'],
1285 $tpl_id,
1286 ROLE_FOLDER_ID
1287 );
1288 break;
1289
1290
1291 default:
1292 $this->grantPermission(
1293 $role_id,
1294 $ops = $rbacreview->getOperationsOfRole($role_id,$node_data['type'],$role_data['parent']),
1295 $node_id);
1296 break;
1297
1298
1299 }
1300
1301
1302//var_dump("<pre>",'GRANT',$role_id,$ops,$role_id,$node_data['type'],$role_data['parent'],"</pre>");
1303 }
1304
1305 if($rbac_log_active)
1306 {
1307 $log_new = ilRbacLog::gatherFaPa($node_id, $role_ids);
1308 $log = ilRbacLog::diffFaPa($log_old, $log_new);
1309 ilRbacLog::add(ilRbacLog::MOVE_OBJECT, $node_id, $log);
1310 }
1311 }
1312
1313 }

References $ilLog, $log, ilRbacLog\add(), deleteLocalRole(), ilRbacLog\diffFaPa(), ilRbacLog\gatherFaPa(), grantPermission(), initIntersectionPermissions(), ilRbacLog\isActive(), ilObjCourse\lookupCourseNonMemberTemplatesId(), ilObjGroup\lookupGroupStatusTemplateId(), ilRbacLog\MOVE_OBJECT, and revokePermission().
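
The role comparison at the top of adjustMovedObjectPermissions() decides which grants must disappear from the moved subtree, so it is also the natural basis for a post-move audit. The following is an added example, not ILIAS code: the function names, the `rol_id`/`ref_id` row keys assumed for rbac_pa, and all ids are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Classify context roles after a move. Both maps are keyed by role id and
 * carry the 'parent' ref_id of the role definition, as in the method above.
 */
function planMovedObjectRoles(array $oldContext, array $newContext): array
{
    $add = $delete = [];
    foreach ($newContext as $roleId => $role) {
        if (!isset($oldContext[$roleId])) {
            $add[$roleId] = $role;                 // role only exists in the new context
        } elseif ($role['parent'] != $oldContext[$roleId]['parent']) {
            $delete[$roleId] = $role;              // stopped inheritance: drop the old policy ...
            $add[$roleId] = $role;                 // ... and grant again from the new one
        }
    }
    foreach ($oldContext as $roleId => $role) {
        if (!isset($newContext[$roleId])) {
            $delete[$roleId] = $role;              // role is not visible at the new position
        }
    }
    return ['add' => $add, 'delete' => $delete];
}

/**
 * Post-move audit: return grant rows on moved nodes that belong to a role of
 * the old context which is absent from the new one. Roles defined inside the
 * moved subtree appear in neither map and are left alone.
 * The row keys 'rol_id' and 'ref_id' are an assumption about rbac_pa.
 */
function findStaleGrants(array $grantRows, array $movedRefIds, array $oldContext, array $newContext): array
{
    $stale = [];
    foreach ($grantRows as $row) {
        $onMovedNode = in_array($row['ref_id'], $movedRefIds, true);
        $leftBehind  = isset($oldContext[$row['rol_id']]) && !isset($newContext[$row['rol_id']]);
        if ($onMovedNode && $leftBehind) {
            $stale[] = $row;
        }
    }
    return $stale;
}

// Constructed sample data: a folder (ref 101) with one child (ref 102) is moved
// from a course at ref 50 to a category at ref 60.
$oldContext = [
    2   => ['parent' => 8],    // global role
    4   => ['parent' => 8],    // global role, inherited at the old position
    210 => ['parent' => 50],   // local role of the old course
];
$newContext = [
    2   => ['parent' => 8],
    4   => ['parent' => 60],   // local policy at the new parent
    300 => ['parent' => 60],   // local role of the new category
];
$grantsAfterMove = [
    ['rol_id' => 2,   'ref_id' => 101],
    ['rol_id' => 210, 'ref_id' => 102],   // grant of a role from the old course only
    ['rol_id' => 300, 'ref_id' => 101],
    ['rol_id' => 999, 'ref_id' => 102],   // role local to the moved folder
];

$plan = planMovedObjectRoles($oldContext, $newContext);
echo 'add: ', implode(',', array_keys($plan['add'])), PHP_EOL;
echo 'delete: ', implode(',', array_keys($plan['delete'])), PHP_EOL;
foreach (findStaleGrants($grantsAfterMove, [101, 102], $oldContext, $newContext) as $row) {
    echo "stale grant: role {$row['rol_id']} on ref {$row['ref_id']}", PHP_EOL;
}
```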


◆ assignOperationToObject()

ilRbacAdmin::assignOperationToObject (   $a_type_id,
  $a_ops_id 
)

Assign an existing operation to an object. Update of rbac_ta.

@access public

Parameters
integer object type
integer operation_id
Returns
boolean

Definition at line 994 of file class.ilRbacAdmin.php.

995 {
996 global $ilDB;
997
998 if (!isset($a_type_id) or !isset($a_ops_id))
999 {
1000 $message = get_class($this)."::assignOperationToObject(): Missing parameter!".
1001 "type_id: ".$a_type_id.
1002 "ops_id: ".$a_ops_id;
1003 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
1004 }
1005
1006 $query = "INSERT INTO rbac_ta (typ_id, ops_id) ".
1007 "VALUES(".$ilDB->quote($a_type_id,'integer').",".$ilDB->quote($a_ops_id,'integer').")";
1008 $res = $ilDB->manipulate($query);
1009 return true;
1010 }

References $ilDB, $query, and $res.

◆ assignRoleToFolder()

ilRbacAdmin::assignRoleToFolder (   $a_rol_id,
  $a_parent,
  $a_assign = "y" 
)

Assigns a role to a role folder. A role folder is an object to store roles.

Every role is assigned to at least one role folder. If the inheritance of a role is stopped, a new role template will be created, and the role is assigned to at least two role folders. All roles with stopped inheritance need the flag '$a_assign = false'.

@access public

Parameters
integer object id of role
integer ref_id of role folder
string assignable('y','n'); default: 'y'
Returns
boolean

Definition at line 950 of file class.ilRbacAdmin.php.

951 {
952 global $ilDB,$rbacreview;
953
954 if (!isset($a_rol_id) or !isset($a_parent))
955 {
956 $message = get_class($this)."::assignRoleToFolder(): Missing Parameter!".
957 " role_id: ".$a_rol_id.
958 " parent_id: ".$a_parent.
959 " assign: ".$a_assign;
960 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
961 }
962
963 // exclude system role from rbac
964 if ($a_rol_id == SYSTEM_ROLE_ID)
965 {
966 return true;
967 }
968
969 // if a wrong value is passed, always set assign to "n"
970 if ($a_assign != "y")
971 {
972 $a_assign = "n";
973 }
974
975 $query = sprintf('INSERT INTO rbac_fa (rol_id, parent, assign, protected) '.
976 'VALUES (%s,%s,%s,%s)',
977 $ilDB->quote($a_rol_id,'integer'),
978 $ilDB->quote($a_parent,'integer'),
979 $ilDB->quote($a_assign,'text'),
980 $ilDB->quote('n','text'));
981 $res = $ilDB->manipulate($query);
982
983 return true;
984 }

References $ilDB, $query, and $res.

Referenced by copyLocalRoles(), and initIntersectionPermissions().


◆ assignUser()

ilRbacAdmin::assignUser (   $a_rol_id,
  $a_usr_id 
)

Assigns a user to a role.

Update of table rbac_ua. TODO: remove deprecated 3rd parameter sometime. @access public

Parameters
integer object_id of role
integer object_id of user
boolean true means default role (optional)
Returns
boolean

Definition at line 248 of file class.ilRbacAdmin.php.

249 {
250 global $ilDB,$rbacreview;
251
252 if (!isset($a_rol_id) or !isset($a_usr_id))
253 {
254 $message = get_class($this)."::assignUser(): Missing parameter! role_id: ".$a_rol_id." usr_id: ".$a_usr_id;
255 #$this->ilErr->raiseError($message,$this->ilErr->WARNING);
256 }
257
258 // check if already assigned user id and role_id
259 $alreadyAssigned = $rbacreview->isAssigned($a_usr_id,$a_rol_id);
260
261 // enhanced: only if we haven't had this role for this user
262 if (!$alreadyAssigned)
263 {
264 $query = "INSERT INTO rbac_ua (usr_id, rol_id) ".
265 "VALUES (".$ilDB->quote($a_usr_id,'integer').",".$ilDB->quote($a_rol_id,'integer').")";
266 $res = $ilDB->manipulate($query);
267
268 $this->addDesktopItem($a_rol_id, $a_usr_id);
269
270 $rbacreview->setAssignedCacheEntry($a_rol_id,$a_usr_id,true);
271 }
272
273 include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
274 $mapping = ilLDAPRoleGroupMapping::_getInstance();
275 $mapping->assign($a_rol_id,$a_usr_id);
276
277 return true;
278 }

References $ilDB, $query, $res, ilLDAPRoleGroupMapping\_getInstance(), and addDesktopItem().


◆ assignUserLimited()

ilRbacAdmin::assignUserLimited (   $a_role_id,
  $a_usr_id,
  $a_limit,
  $a_limited_roles = array() 
)

Assign user limited.

Parameters
type $a_role_id
type $a_usr_id
type $a_limit

Definition at line 185 of file class.ilRbacAdmin.php.

186 {
187 global $ilDB;
188
189 $GLOBALS['ilDB']->lockTables(
190 array(
191 0 => array('name' => 'rbac_ua', 'type' => ilDB::LOCK_WRITE)
192 )
193 );
194
195 $limit_query = 'SELECT COUNT(*) num FROM rbac_ua '.
196 'WHERE '.$GLOBALS['ilDB']->in('rol_id',(array) $a_limited_roles,FALSE,'integer');
197 $res = $GLOBALS['ilDB']->query($limit_query);
198 $row = $res->fetchRow(DB_FETCHMODE_OBJECT);
199 if($row->num >= $a_limit)
200 {
201 $GLOBALS['ilDB']->unlockTables();
202 return FALSE;
203 }
204
205 $query = "INSERT INTO rbac_ua (usr_id, rol_id) ".
206 "VALUES (".
207 $ilDB->quote($a_usr_id,'integer').",".$ilDB->quote($a_role_id,'integer').
208 ")";
209 $res = $ilDB->manipulate($query);
210
211 $GLOBALS['ilDB']->unlockTables();
212 $GLOBALS['rbacreview']->setAssignedCacheEntry($a_role_id,$a_usr_id,TRUE);
213
214 $this->addDesktopItem($a_role_id,$a_usr_id);
215
216 include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
217 $mapping = ilLDAPRoleGroupMapping::_getInstance();
218 $mapping->assign($a_role_id,$a_usr_id);
219 return TRUE;
220 }

References $GLOBALS, $ilDB, $query, $res, $row, ilLDAPRoleGroupMapping\_getInstance(), addDesktopItem(), DB_FETCHMODE_OBJECT, and ilDB\LOCK_WRITE.
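
The limit in assignUserLimited() only holds if the count and the insert run under one write lock, and the lock also has to be released when the insert fails. The following is an added sketch of that pattern, not ILIAS code: it uses PDO with an in-memory SQLite database, and the function name `assignUserLimitedTx`, the table definition and all ids are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Assign $userId to $roleId unless the roles in $limitedRoles already hold
 * $limit assignments in total. Count and insert run inside one write
 * transaction, and every exit path ends the transaction.
 */
function assignUserLimitedTx(PDO $db, int $roleId, int $userId, int $limit, array $limitedRoles): bool
{
    if ($limitedRoles === []) {
        // "IN ()" is not valid SQL and a quota over no roles has no meaning.
        throw new InvalidArgumentException('limited role list must not be empty');
    }
    $roleIds = array_map('intval', array_values($limitedRoles));
    $marks   = implode(',', array_fill(0, count($roleIds), '?'));

    $db->exec('BEGIN IMMEDIATE');          // SQLite: take the write lock before counting
    try {
        $count = $db->prepare("SELECT COUNT(*) FROM rbac_ua WHERE rol_id IN ($marks)");
        $count->execute($roleIds);
        $used = (int) $count->fetchColumn();
        $count->closeCursor();

        $allowed = $used < $limit;
        if ($allowed) {
            $insert = $db->prepare('INSERT INTO rbac_ua (usr_id, rol_id) VALUES (?, ?)');
            $insert->execute([$userId, $roleId]);
        }
        $db->exec('COMMIT');
        return $allowed;
    } catch (Throwable $e) {
        $db->exec('ROLLBACK');             // release the lock on the failure path as well
        throw $e;
    }
}

// Constructed demo: in-memory table shaped like the INSERT in the method above.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE rbac_ua (usr_id INTEGER NOT NULL, rol_id INTEGER NOT NULL, PRIMARY KEY (usr_id, rol_id))');

$limited = [80, 81];                        // two roles sharing a quota of 2
foreach ([[80, 6], [81, 7], [80, 8]] as [$role, $user]) {
    $ok = assignUserLimitedTx($db, $role, $user, 2, $limited);
    echo "user $user -> role $role: ", $ok ? 'assigned' : 'limit reached', PHP_EOL;
}

try {
    assignUserLimitedTx($db, 80, 6, 5, $limited);   // duplicate row violates the key
} catch (PDOException $e) {
    echo 'insert failed, transaction rolled back', PHP_EOL;
}
// This call would fail with a nested-transaction error had the lock been left held.
var_dump(assignUserLimitedTx($db, 81, 9, 5, $limited));
```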


◆ copyEffectiveRolePermissions()

ilRbacAdmin::copyEffectiveRolePermissions (   $a_source_ref_id,
  $target_ref_id,
  $a_subtree_id 
)

Copies all permission from source to target for all roles.

Parameters
type $a_source_ref_id
type $target_ref_id
type $a_subtree_id

Definition at line 1322 of file class.ilRbacAdmin.php.

1323 {
1324 global $rbacreview;
1325
1326 $parent_roles = $rbacreview->getParentRoleIds($a_source_ref_id, FALSE);
1327 $GLOBALS['ilLog']->write(__METHOD__.': '. print_r($parent_roles,TRUE));
1328
1329
1330
1331 }

References $GLOBALS.

◆ copyLocalRoles()

ilRbacAdmin::copyLocalRoles (   $a_source_id,
  $a_target_id 
)

Copy local roles. This method creates a copy of all local roles.

Note: auto generated roles are excluded

@access public

Parameters
int source id of object (not role folder)
int target id of object

Definition at line 1071 of file class.ilRbacAdmin.php.

1072 {
1073 global $rbacreview,$ilLog,$ilObjDataCache;
1074
1075 $real_local = array();
1076 foreach($rbacreview->getRolesOfRoleFolder($a_source_id,false) as $role_data)
1077 {
1078 $title = $ilObjDataCache->lookupTitle($role_data);
1079 if(substr($title,0,3) == 'il_')
1080 {
1081 continue;
1082 }
1083 $real_local[] = $role_data;
1084 }
1085 if(!count($real_local))
1086 {
1087 return true;
1088 }
1089 // Create role folder
1090 foreach($real_local as $role)
1091 {
1092 include_once ("./Services/AccessControl/classes/class.ilObjRole.php");
1093 $orig = new ilObjRole($role);
1094 $orig->read();
1095
1096 $ilLog->write(__METHOD__.': Start copying of role '.$orig->getTitle());
1097 $roleObj = new ilObjRole();
1098 $roleObj->setTitle($orig->getTitle());
1099 $roleObj->setDescription($orig->getDescription());
1100 $roleObj->setImportId($orig->getImportId());
1101 $roleObj->create();
1102
1103 $this->assignRoleToFolder($roleObj->getId(),$a_target_id,"y");
1104 $this->copyRolePermissions($role,$a_source_id,$a_target_id,$roleObj->getId(),true);
1105 $ilLog->write(__METHOD__.': Added new local role, id '.$roleObj->getId());
1106 }
1107
1108 }

References $ilLog, assignRoleToFolder(), and copyRolePermissions().


◆ copyRolePermissionIntersection()

ilRbacAdmin::copyRolePermissionIntersection (   $a_source1_id,
  $a_source1_parent,
  $a_source2_id,
  $a_source2_parent,
  $a_dest_parent,
  $a_dest_id 
)

Copies the intersection of the template permissions of two roles to a third role.

@access public

Parameters
integer $a_source1_id role_id source
integer $a_source1_parent parent_id source
integer $a_source2_id role_id source
integer $a_source2_parent parent_id source
integer $a_dest_id role_id destination
integer $a_dest_parent parent_id destination
Returns
boolean

Definition at line 669 of file class.ilRbacAdmin.php.

670 {
671 global $rbacreview,$ilDB;
672
673 if (!isset($a_source1_id) or !isset($a_source1_parent)
674 or !isset($a_source2_id) or !isset($a_source2_parent)
675 or !isset($a_dest_id) or !isset($a_dest_parent))
676 {
677 $message = get_class($this)."::copyRolePermissionIntersection(): Missing parameter! source1_id: ".$a_source1_id.
678 " source1_parent: ".$a_source1_parent.
679 " source2_id: ".$a_source2_id.
680 " source2_parent: ".$a_source2_parent.
681 " dest_id: ".$a_dest_id.
682 " dest_parent_id: ".$a_dest_parent;
683 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
684 }
685
686 // exclude system role from rbac
687 if ($a_dest_id == SYSTEM_ROLE_ID)
688 {
689 return true;
690 }
691
692 if ($rbacreview->isProtected($a_source2_parent,$a_source2_id))
693 {
694 $GLOBALS['ilLog']->write(__METHOD__.': Role is protected');
695 return true;
696 }
697
698 $query = "SELECT s1.type, s1.ops_id ".
699 "FROM rbac_templates s1, rbac_templates s2 ".
700 "WHERE s1.rol_id = ".$ilDB->quote($a_source1_id,'integer')." ".
701 "AND s1.parent = ".$ilDB->quote($a_source1_parent,'integer')." ".
702 "AND s2.rol_id = ".$ilDB->quote($a_source2_id,'integer')." ".
703 "AND s2.parent = ".$ilDB->quote($a_source2_parent,'integer')." ".
704 "AND s1.type = s2.type ".
705 "AND s1.ops_id = s2.ops_id";
706 $res = $ilDB->query($query);
707 $operations = array();
708 $rowNum = 0;
709 while($row = $res->fetchRow(DB_FETCHMODE_OBJECT))
710 {
711 $operations[$rowNum]['type'] = $row->type;
712 $operations[$rowNum]['ops_id'] = $row->ops_id;
713
714 $rowNum++;
715 }
716
717 // Delete template permissions of target
718 $query = 'DELETE FROM rbac_templates WHERE rol_id = '.$ilDB->quote($a_dest_id,'integer').' '.
719 'AND parent = '.$ilDB->quote($a_dest_parent,'integer');
720 $res = $ilDB->manipulate($query);
721
722 $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
723 'VALUES (?,?,?,?)';
724 $sta = $ilDB->prepareManip($query,array('integer','text','integer','integer'));
725 foreach($operations as $key => $set)
726 {
727 $ilDB->execute($sta,array(
728 $a_dest_id,
729 $set['type'],
730 $set['ops_id'],
731 $a_dest_parent));
732 }
733 return true;
734 }

References $GLOBALS, $ilDB, $query, $res, $row, and DB_FETCHMODE_OBJECT.

Referenced by initIntersectionPermissions().


◆ copyRolePermissions()

ilRbacAdmin::copyRolePermissions (   $a_source_id,
  $a_source_parent,
  $a_dest_parent,
  $a_dest_id,
  $a_consider_protected = true 
)

Copies template permissions and permission of one role to another.

@access public

Parameters
integer $a_source_id role_id source
integer $a_source_parent parent_id source
integer $a_dest_parent parent_id destination
integer $a_dest_id role_id destination
Returns
boolean

Definition at line 572 of file class.ilRbacAdmin.php.

573 {
574 global $tree,$rbacreview;
575
576 // Copy template permissions
577 $this->copyRoleTemplatePermissions($a_source_id,$a_source_parent,$a_dest_parent,$a_dest_id,$a_consider_protected);
578
579 $ops = $rbacreview->getRoleOperationsOnObject($a_source_id,$a_source_parent);
580
581 $this->revokePermission($a_dest_parent,$a_dest_id);
582 $this->grantPermission($a_dest_id,$ops,$a_dest_parent);
583 return true;
584 }

References copyRoleTemplatePermissions(), grantPermission(), and revokePermission().

Referenced by copyLocalRoles().


◆ copyRolePermissionSubtract()

ilRbacAdmin::copyRolePermissionSubtract (   $a_source_id,
  $a_source_parent,
  $a_dest_id,
  $a_dest_parent 
)

Subtract role permissions.

Parameters
type $a_source_id
type $a_source_parent
type $a_dest_id
type $a_dest_parent

Definition at line 812 of file class.ilRbacAdmin.php.

813 {
814 global $rbacreview, $ilDB;
815
816 $s1_ops = $rbacreview->getAllOperationsOfRole($a_source_id,$a_source_parent);
817 $d_ops = $rbacreview->getAllOperationsOfRole($a_dest_id,$a_dest_parent);
818
819 foreach($s1_ops as $type => $ops)
820 {
821 foreach($ops as $op)
822 {
823 if(isset($d_ops[$type]) and in_array($op, $d_ops[$type]))
824 {
825 $query = 'DELETE FROM rbac_templates '.
826 'WHERE rol_id = '.$ilDB->quote($a_dest_id,'integer').' '.
827 'AND type = '.$ilDB->quote($type,'text').' '.
828 'AND ops_id = '.$ilDB->quote($op,'integer').' '.
829 'AND parent = '.$ilDB->quote($a_dest_parent,'integer');
830 $ilDB->manipulate($query);
831 }
832 }
833 }
834 return true;
835 }

References $ilDB, and $query.

◆ copyRolePermissionUnion()

ilRbacAdmin::copyRolePermissionUnion (   $a_source1_id,
  $a_source1_parent,
  $a_source2_id,
  $a_source2_parent,
  $a_dest_id,
  $a_dest_parent 
)

@global <type> $ilDB

Parameters
<type> $a_source1_id
<type> $a_source1_parent
<type> $a_source2_id
<type> $a_source2_parent
<type> $a_dest_id
<type> $a_dest_parent
Returns
<type>

Definition at line 747 of file class.ilRbacAdmin.php.

754 {
755 global $ilDB, $rbacreview;
756
757
758 $s1_ops = $rbacreview->getAllOperationsOfRole($a_source1_id,$a_source1_parent);
759 $s2_ops = $rbacreview->getAlloperationsOfRole($a_source2_id,$a_source2_parent);
760
761 $this->deleteRolePermission($a_dest_id, $a_dest_parent);
762
763 $GLOBALS['ilLog']->write(__METHOD__.': '.print_r($s1_ops,TRUE));
764 $GLOBALS['ilLog']->write(__METHOD__.': '.print_r($s2_ops,TRUE));
765
766 foreach($s1_ops as $type => $ops)
767 {
768 foreach($ops as $op)
769 {
770 // insert all permission of source 1
771 // #15469
772 $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
773 'VALUES( '.
774 $ilDB->quote($a_dest_id,'integer').', '.
775 $ilDB->quote($type,'text').', '.
776 $ilDB->quote($op,'integer').', '.
777 $ilDB->quote($a_dest_parent,'integer').' '.
778 ')';
779 $ilDB->manipulate($query);
780 }
781 }
782
783 // and the other direction...
784 foreach($s2_ops as $type => $ops)
785 {
786 foreach($ops as $op)
787 {
788 if(!isset($s1_ops[$type]) or !in_array($op, $s1_ops[$type]))
789 {
790 $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
791 'VALUES( '.
792 $ilDB->quote($a_dest_id,'integer').', '.
793 $ilDB->quote($type,'text').', '.
794 $ilDB->quote($op,'integer').', '.
795 $ilDB->quote($a_dest_parent,'integer').' '.
796 ')';
797 $ilDB->manipulate($query);
798 }
799 }
800 }
801
802 return true;
803 }

References $GLOBALS, $ilDB, $query, and deleteRolePermission().


◆ copyRoleTemplatePermissions()

ilRbacAdmin::copyRoleTemplatePermissions (   $a_source_id,
  $a_source_parent,
  $a_dest_parent,
  $a_dest_id,
  $a_consider_protected = true 
)

Copies template permissions of one role to another.

It's also possible to copy template permissions from/to a RoleTemplateObject. @access public

Parameters
integer $a_source_id role_id source
integer $a_source_parent parent_id source
integer $a_dest_parent parent_id destination
integer $a_dest_id role_id destination
Returns
boolean

Definition at line 596 of file class.ilRbacAdmin.php.

597 {
598 global $rbacreview,$ilDB;
599
600 if (!isset($a_source_id) or !isset($a_source_parent) or !isset($a_dest_id) or !isset($a_dest_parent))
601 {
602 $message = __METHOD__.": Missing parameter! source_id: ".$a_source_id.
603 " source_parent_id: ".$a_source_parent.
604 " dest_id : ".$a_dest_id.
605 " dest_parent_id: ".$a_dest_parent;
606 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
607 }
608
609 // exclude system role from rbac
610 if ($a_dest_id == SYSTEM_ROLE_ID)
611 {
612 return true;
613 }
614
615 // Read operations
616 $query = 'SELECT * FROM rbac_templates '.
617 'WHERE rol_id = '.$ilDB->quote($a_source_id,'integer').' '.
618 'AND parent = '.$ilDB->quote($a_source_parent,'integer');
619 $res = $ilDB->query($query);
620 $operations = array();
621 $rownum = 0;
622 while ($row = $ilDB->fetchObject($res))
623 {
624 $operations[$rownum]['type'] = $row->type;
625 $operations[$rownum]['ops_id'] = $row->ops_id;
626 $rownum++;
627 }
628
629 // Delete target permissions
630 $query = 'DELETE FROM rbac_templates WHERE rol_id = '.$ilDB->quote($a_dest_id,'integer').' '.
631 'AND parent = '.$ilDB->quote($a_dest_parent,'integer');
632 $res = $ilDB->manipulate($query);
633
634 foreach($operations as $row => $op)
635 {
636 $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
637 'VALUES ('.
638 $ilDB->quote($a_dest_id,'integer').",".
639 $ilDB->quote($op['type'],'text').",".
640 $ilDB->quote($op['ops_id'],'integer').",".
641 $ilDB->quote($a_dest_parent,'integer').")";
642 $ilDB->manipulate($query);
643 }
644
645 // copy also protection status if applicable
646 if ($a_consider_protected == true)
647 {
648 if ($rbacreview->isProtected($a_source_parent,$a_source_id))
649 {
650 $this->setProtected($a_dest_parent,$a_dest_id,'y');
651 }
652 }
653
654 return true;
655 }

References $ilDB, $query, $res, $row, and setProtected().

Referenced by copyRolePermissions().


◆ deassignOperationFromObject()

ilRbacAdmin::deassignOperationFromObject (   $a_type_id,
  $a_ops_id 
)

Deassign an existing operation from an object. Update of rbac_ta. @access public

Parameters
integer object type
integer operation_id
Returns
boolean

Definition at line 1020 of file class.ilRbacAdmin.php.

1021 {
1022 global $ilDB;
1023
1024 if (!isset($a_type_id) or !isset($a_ops_id))
1025 {
1026 $message = get_class($this)."::deassignPermissionFromObject(): Missing parameter!".
1027 "type_id: ".$a_type_id.
1028 "ops_id: ".$a_ops_id;
1029 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
1030 }
1031
1032 $query = "DELETE FROM rbac_ta ".
1033 "WHERE typ_id = ".$ilDB->quote($a_type_id,'integer')." ".
1034 "AND ops_id = ".$ilDB->quote($a_ops_id,'integer');
1035 $res = $ilDB->manipulate($query);
1036
1037 return true;
1038 }

References $ilDB, $query, and $res.

◆ deassignUser()

ilRbacAdmin::deassignUser (   $a_rol_id,
  $a_usr_id 
)

Deassigns a user from a role.

Update of table rbac_ua. @access public

Parameters
integer object id of role
integer object id of user
Returns
boolean true on success

Definition at line 287 of file class.ilRbacAdmin.php.

288 {
289 global $ilDB, $rbacreview;
290
291 if (!isset($a_rol_id) or !isset($a_usr_id))
292 {
293 $message = get_class($this)."::deassignUser(): Missing parameter! role_id: ".$a_rol_id." usr_id: ".$a_usr_id;
294 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
295 }
296
297 $query = "DELETE FROM rbac_ua ".
298 "WHERE usr_id = ".$ilDB->quote($a_usr_id,'integer')." ".
299 "AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
300 $res = $ilDB->manipulate($query);
301
302 $rbacreview->setAssignedCacheEntry($a_rol_id,$a_usr_id,false);
303
304 include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
305 $mapping = ilLDAPRoleGroupMapping::_getInstance();
306 $mapping->deassign($a_rol_id,$a_usr_id);
307
308 return true;
309 }

References $ilDB, $query, $res, and ilLDAPRoleGroupMapping\_getInstance().


◆ deleteLocalRole()

ilRbacAdmin::deleteLocalRole (   $a_rol_id,
  $a_ref_id = 0 
)

Deletes a local role and entries in rbac_fa and rbac_templates. @access public

Parameters
integer object_id of role
integer ref_id of role folder (optional)
Returns
boolean true on success

Definition at line 146 of file class.ilRbacAdmin.php.

147 {
148 global $ilDB;
149
150 if (!isset($a_rol_id))
151 {
152 $message = get_class($this)."::deleteLocalRole(): Missing parameter! role_id: '".$a_rol_id."'";
153 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
154 }
155
156 // exclude system role from rbac
157 if ($a_rol_id == SYSTEM_ROLE_ID)
158 {
159 return true;
160 }
161
162 if ($a_ref_id != 0)
163 {
164 $clause = 'AND parent = '.$ilDB->quote($a_ref_id,'integer').' ';
165 }
166
167 $query = 'DELETE FROM rbac_fa '.
168 'WHERE rol_id = '.$ilDB->quote($a_rol_id,'integer').' '.
169 $clause;
170 $res = $ilDB->manipulate($query);
171
172 $query = 'DELETE FROM rbac_templates '.
173 'WHERE rol_id = '.$ilDB->quote($a_rol_id,'integer').' '.
174 $clause;
175 $res = $ilDB->manipulate($query);
176 return true;
177 }

References $ilDB, $query, and $res.

Referenced by adjustMovedObjectPermissions(), and deleteRole().

◆ deleteRole()

ilRbacAdmin::deleteRole (   $a_rol_id,
  $a_ref_id 
)

Deletes a role and deletes entries in object_data, rbac_pa, rbac_templates, rbac_ua, rbac_fa @access public.

Parameters
integer obj_id of role (role_id)
integer ref_id of role folder (ref_id)
Returns
boolean true on success

Definition at line 72 of file class.ilRbacAdmin.php.

73 {
74 global $lng,$ilDB;
75
76 if (!isset($a_rol_id) or !isset($a_ref_id))
77 {
78 $message = get_class($this)."::deleteRole(): Missing parameter! role_id: ".$a_rol_id." ref_id of role folder: ".$a_ref_id;
79 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
80 }
81
82 // exclude system role from rbac
83 if ($a_rol_id == SYSTEM_ROLE_ID)
84 {
85 $this->ilErr->raiseError($lng->txt("msg_sysrole_not_deletable"),$this->ilErr->MESSAGE);
86 }
87
88 include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
89 $mapping = ilLDAPRoleGroupMapping::_getInstance();
90 $mapping->deleteRole($a_rol_id);
91
92
93 // TODO: check assigned users before deletion
94 // This is done in ilObjRole. Should be better moved to this place?
95
96 // delete user assignments
97 $query = "DELETE FROM rbac_ua ".
98 "WHERE rol_id = ".$ilDB->quote($a_rol_id,'integer');
99 $res = $ilDB->manipulate($query);
100
101 // delete permission assignments
102 $query = "DELETE FROM rbac_pa ".
103 "WHERE rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
104 $res = $ilDB->manipulate($query);
105
106 //delete rbac_templates and rbac_fa
107 $this->deleteLocalRole($a_rol_id);
108
109 return true;
110 }

References $ilDB, $lng, $query, $res, ilLDAPRoleGroupMapping\_getInstance(), and deleteLocalRole().

◆ deleteRolePermission()

ilRbacAdmin::deleteRolePermission (   $a_rol_id,
  $a_ref_id,
  $a_type = false 
)

Deletes all entries of a template.

If an object type is given as the third parameter, only the entries for that object type are deleted. Updates table rbac_templates. @access public

Parameters
integer object id of role
integer ref_id of role folder
string object type (optional)
Returns
boolean

Definition at line 848 of file class.ilRbacAdmin.php.

849 {
850 global $ilDB;
851
852 if (!isset($a_rol_id) or !isset($a_ref_id))
853 {
854 $message = get_class($this)."::deleteRolePermission(): Missing parameter! role_id: ".$a_rol_id." ref_id: ".$a_ref_id;
855 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
856 }
857
858 // exclude system role from rbac
859 if ($a_rol_id == SYSTEM_ROLE_ID)
860 {
861 return true;
862 }
863
864 if ($a_type !== false)
865 {
866 $and_type = " AND type=".$ilDB->quote($a_type,'text')." ";
867 }
868
869 $query = 'DELETE FROM rbac_templates '.
870 'WHERE rol_id = '.$ilDB->quote($a_rol_id,'integer').' '.
871 'AND parent = '.$ilDB->quote($a_ref_id,'integer').' '.
872 $and_type;
873
874 $res = $ilDB->manipulate($query);
875
876 return true;
877 }

References $ilDB, $query, and $res.

Referenced by copyRolePermissionUnion().

◆ deleteSubtreeTemplates()

ilRbacAdmin::deleteSubtreeTemplates (   $a_ref_id,
  $a_rol_id 
)

Delete all template permissions of subtree nodes.

Parameters
object $a_ref_id
object $a_rol_id
Returns

Definition at line 504 of file class.ilRbacAdmin.php.

505 {
506 global $ilDB;
507
508 $query = 'DELETE FROM rbac_templates '.
509 'WHERE parent IN ( '.
510 $GLOBALS['tree']->getSubTreeQuery($a_ref_id, array('child')).' ) '.
511 'AND rol_id = '.$ilDB->quote($a_rol_id,'integer');
512
513 $ilDB->manipulate($query);
514
515 $query = 'DELETE FROM rbac_fa '.
516 'WHERE parent IN ( '.
517 $GLOBALS['tree']->getSubTreeQuery($a_ref_id,array('child')).' ) '.
518 'AND rol_id = '.$ilDB->quote($a_rol_id,'integer');
519
520 $ilDB->manipulate($query);
521
522 return true;
523 }

References $GLOBALS, $ilDB, and $query.

◆ deleteTemplate()

ilRbacAdmin::deleteTemplate (   $a_obj_id)

Deletes a template from role folder and deletes all entries in rbac_templates, rbac_fa @access public.

Parameters
integer object_id of role template
Returns
boolean

Definition at line 118 of file class.ilRbacAdmin.php.

119 {
120 global $ilDB;
121
122 if (!isset($a_obj_id))
123 {
124 $message = get_class($this)."::deleteTemplate(): No obj_id given!";
125 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
126 }
127
128 $query = 'DELETE FROM rbac_templates '.
129 'WHERE rol_id = '.$ilDB->quote($a_obj_id,'integer');
130 $res = $ilDB->manipulate($query);
131
132 $query = 'DELETE FROM rbac_fa '.
133 'WHERE rol_id = '.$ilDB->quote($a_obj_id,'integer');
134 $res = $ilDB->manipulate($query);
135
136 return true;
137 }

References $ilDB, $query, and $res.

◆ grantPermission()

ilRbacAdmin::grantPermission (   $a_rol_id,
  $a_ops,
  $a_ref_id 
)

Grants a permission to an object and a specific role.

Update of table rbac_pa @access public

Parameters
integer object id of role
array array of operation ids
integer reference id of that object which is granted the permissions
Returns
boolean

Definition at line 319 of file class.ilRbacAdmin.php.

320 {
321 global $ilDB;
322
323 if (!isset($a_rol_id) or !isset($a_ops) or !isset($a_ref_id))
324 {
325 $this->ilErr->raiseError(get_class($this)."::grantPermission(): Missing parameter! ".
326 "role_id: ".$a_rol_id." ref_id: ".$a_ref_id." operations: ",$this->ilErr->WARNING);
327 }
328
329 if (!is_array($a_ops))
330 {
331 $this->ilErr->raiseError(get_class($this)."::grantPermission(): Wrong datatype for operations!",
332 $this->ilErr->WARNING);
333 }
334
335 /*
336 if (count($a_ops) == 0)
337 {
338 return false;
339 }
340 */
341 // exclude system role from rbac
342 if ($a_rol_id == SYSTEM_ROLE_ID)
343 {
344 return true;
345 }
346
347 // convert all values to integer
348 foreach ($a_ops as $key => $operation)
349 {
350 $a_ops[$key] = (int) $operation;
351 }
352
353 // Serialize the ops_id array
354 $ops_ids = serialize($a_ops);
355
356 $query = 'DELETE FROM rbac_pa '.
357 'WHERE rol_id = %s '.
358 'AND ref_id = %s';
359 $res = $ilDB->queryF($query,array('integer','integer'),
360 array($a_rol_id,$a_ref_id));
361
362 if(!count($a_ops))
363 {
364 return false;
365 }
366
367 $query = "INSERT INTO rbac_pa (rol_id,ops_id,ref_id) ".
368 "VALUES ".
369 "(".$ilDB->quote($a_rol_id,'integer').",".$ilDB->quote($ops_ids,'text').",".$ilDB->quote($a_ref_id,'integer').")";
370 $res = $ilDB->manipulate($query);
371
372 return true;
373 }

References $ilDB, $query, and $res.

Referenced by adjustMovedObjectPermissions(), copyRolePermissions(), and initIntersectionPermissions().
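
The listing above casts every operation id to an integer and stores the whole list as one serialized PHP array in the text column ops_id. The sketch below is an added example, not ILIAS code: encodeOps() mirrors that step, while decodeOps() is a hypothetical reader-side check that assumes PHP 7 or later and that valid operation ids are positive integers.

```php
<?php
// Added illustration, not ILIAS code.

/** Mirrors the cast-and-serialize step of grantPermission(). */
function encodeOps(array $ops)
{
    foreach ($ops as $key => $operation) {
        // An explicit cast never fails: non-numeric input silently becomes 0.
        $ops[$key] = (int) $operation;
    }
    return serialize($ops);
}

/**
 * Hypothetical reader-side check (not part of ilRbacAdmin): decode an ops_id
 * column value and accept it only if it is an array of positive integers.
 */
function decodeOps($stored)
{
    // allowed_classes => false keeps unserialize() from instantiating objects.
    $ops = @unserialize($stored, array('allowed_classes' => false));
    if (!is_array($ops)) {
        throw new UnexpectedValueException('ops_id is not a serialized array');
    }
    foreach ($ops as $op) {
        if (!is_int($op) || $op <= 0) {
            throw new UnexpectedValueException('ops_id holds a non-operation value');
        }
    }
    return array_values($ops);
}

// Constructed input: two clean ids, one id with trailing text, one word.
$row = encodeOps(array('1', 2, '3abc', 'read'));
echo $row, PHP_EOL;
try {
    print_r(decodeOps($row));
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// A list of well-formed ids survives the round trip unchanged.
print_r(decodeOps(encodeOps(array('1', 2, 3))));
```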

◆ initIntersectionPermissions()

ilRbacAdmin::initIntersectionPermissions (   $a_ref_id,
  $a_role_id,
  $a_role_parent,
  $a_template_id,
  $a_template_parent 
)

Init intersection permissions.

@global type $rbacreview

Parameters
type $a_ref_id
type $a_role_id
type $a_role_parent
type $a_template_id
type $a_template_parent
Returns
type

Definition at line 1120 of file class.ilRbacAdmin.php.

1121 {
1122 global $rbacreview;
1123
1124 if($rbacreview->isProtected($a_role_parent, $a_role_id))
1125 {
1126 // Assign object permissions
1127 $new_ops = $rbacreview->getOperationsOfRole(
1128 $a_role_id,
1129 ilObject::_lookupType($a_ref_id, true),
1130 $a_role_parent
1131 );
1132
1133 // set new permissions for object
1134 $this->grantPermission(
1135 $a_role_id,
1136 (array) $new_ops,
1137 $a_ref_id
1138 );
1139 return;
1140 }
1141 if(!$a_template_id)
1142 {
1143 return;
1144 }
1145 // create template permission intersection
1146 $this->copyRolePermissionIntersection(
1147 $a_template_id,
1148 $a_template_parent,
1149 $a_role_id,
1150 $a_role_parent,
1151 $a_ref_id,
1152 $a_role_id
1153 );
1154
1155 // assign role to folder
1156 $this->assignRoleToFolder(
1157 $a_role_id,
1158 $a_ref_id,
1159 'n'
1160 );
1161
1162 // Assign object permissions
1163 $new_ops = $rbacreview->getOperationsOfRole(
1164 $a_role_id,
1165 ilObject::_lookupType($a_ref_id, true),
1166 $a_ref_id
1167 );
1168
1169 // set new permissions for object
1170 $this->grantPermission(
1171 $a_role_id,
1172 (array) $new_ops,
1173 $a_ref_id
1174 );
1175
1176 return;
1177 }

References ilObject\_lookupType(), assignRoleToFolder(), copyRolePermissionIntersection(), and grantPermission().

Referenced by adjustMovedObjectPermissions().

◆ removeUser()

ilRbacAdmin::removeUser (   $a_usr_id)

Deletes a user from rbac_ua; all user <-> role relations are deleted. @access public

Parameters
integer user_id
Returns
boolean true on success

Definition at line 49 of file class.ilRbacAdmin.php.

50 {
51 global $ilDB;
52
53 if (!isset($a_usr_id))
54 {
55 $message = get_class($this)."::removeUser(): No usr_id given!";
56 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
57 }
58
59 $query = "DELETE FROM rbac_ua WHERE usr_id = ".$ilDB->quote($a_usr_id,'integer');
60 $res = $ilDB->manipulate($query);
61
62 return true;
63 }

References $ilDB, $query, and $res.

◆ revokePermission()

ilRbacAdmin::revokePermission (   $a_ref_id,
  $a_rol_id = 0,
  $a_keep_protected = true 
)

Revokes permissions of an object of one role.

Updates table rbac_pa. Revokes all permissions of all roles for that object (with this reference). When a role_id is given, this applies only to that role. @access public

Parameters
integer reference id of object where permissions should be revoked
integer role_id (optional: if you want to revoke permissions of object only for a specific role)
Returns
boolean

Definition at line 384 of file class.ilRbacAdmin.php.

385 {
386 global $rbacreview,$log,$ilDB,$ilLog;
387
388 if (!isset($a_ref_id))
389 {
390 $ilLog->logStack();
391 $message = get_class($this)."::revokePermission(): Missing parameter! ref_id: ".$a_ref_id;
392 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
393 }
394#$log->write("ilRBACadmin::revokePermission(), 0");
395
396 // bypass protected status of roles
397 if ($a_keep_protected != true)
398 {
399 // exclude system role from rbac
400 if ($a_rol_id == SYSTEM_ROLE_ID)
401 {
402 return true;
403 }
404
405 if ($a_rol_id)
406 {
407 $and1 = " AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
408 }
409 else
410 {
411 $and1 = "";
412 }
413
414 $query = "DELETE FROM rbac_pa ".
415 "WHERE ref_id = ".$ilDB->quote($a_ref_id,'integer').
416 $and1;
417
418 $res = $ilDB->manipulate($query);
419
420 return true;
421 }
422
423 // consider protected status of roles
424
425 // in any case, get all roles in scope first
426 $roles_in_scope = $rbacreview->getParentRoleIds($a_ref_id);
427
428 if (!$a_rol_id)
429 {
430#$log->write("ilRBACadmin::revokePermission(), 1");
431
432 $role_ids = array();
433
434 foreach ($roles_in_scope as $role)
435 {
436 if ($role['protected'] == true)
437 {
438 continue;
439 }
440
441 $role_ids[] = $role['obj_id'];
442 }
443
444 // return if no role in array
445 if (!$role_ids)
446 {
447 return true;
448 }
449
450 $query = 'DELETE FROM rbac_pa '.
451 'WHERE '.$ilDB->in('rol_id',$role_ids,false,'integer').' '.
452 'AND ref_id = '.$ilDB->quote($a_ref_id,'integer');
453 $res = $ilDB->manipulate($query);
454 }
455 else
456 {
457#$log->write("ilRBACadmin::revokePermission(), 2");
458 // exclude system role from rbac
459 if ($a_rol_id == SYSTEM_ROLE_ID)
460 {
461 return true;
462 }
463
464 // exclude protected permission settings from revoking
465 if ($roles_in_scope[$a_rol_id]['protected'] == true)
466 {
467 return true;
468 }
469
470 $query = "DELETE FROM rbac_pa ".
471 "WHERE ref_id = ".$ilDB->quote($a_ref_id,'integer')." ".
472 "AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
473 $res = $ilDB->manipulate($query);
474 }
475
476 return true;
477 }

References $ilDB, $ilLog, $log, $query, and $res.

Referenced by adjustMovedObjectPermissions(), and copyRolePermissions().
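
Which rows the listing above removes from rbac_pa depends on three inputs: the role id, the $a_keep_protected flag and the protected state of the roles in scope. The following model is an added example, not ILIAS code; rolesToRevoke(), the value of SYSTEM_ROLE_ID and the sample scope are constructed, and the protected entries are assumed to be booleans.

```php
<?php
// Added illustration, not ILIAS code: computes which rol_id values
// revokePermission() would delete from rbac_pa for one object.

const SYSTEM_ROLE_ID = 2; // constructed value for this sketch

/**
 * @param array $rolesInScope rol_id => array('obj_id' => int, 'protected' => bool),
 *                            the shape the listing reads from getParentRoleIds()
 * @return array|string role ids to delete, or 'ALL' when the DELETE has no
 *                      rol_id filter and hits every role on the object
 */
function rolesToRevoke(array $rolesInScope, $rolId = 0, $keepProtected = true)
{
    // A given system role is skipped on both paths of the listing.
    if ($rolId == SYSTEM_ROLE_ID) {
        return array();
    }
    // Bypass path: protected flags are ignored entirely.
    if (!$keepProtected) {
        return $rolId ? array((int) $rolId) : 'ALL';
    }
    // No role given: every unprotected role in scope, possibly none.
    if (!$rolId) {
        $ids = array();
        foreach ($rolesInScope as $role) {
            if (!$role['protected']) {
                $ids[] = (int) $role['obj_id'];
            }
        }
        return $ids;
    }
    // One role given: as in the listing, a role that is missing from the
    // scope counts as unprotected and is still revoked.
    $protected = isset($rolesInScope[$rolId]) && $rolesInScope[$rolId]['protected'];
    return $protected ? array() : array((int) $rolId);
}

// Constructed scope: role 5 is protected, role 99 is not in scope at all.
$scope = array(
    4  => array('obj_id' => 4,  'protected' => false),
    5  => array('obj_id' => 5,  'protected' => true),
    80 => array('obj_id' => 80, 'protected' => false),
);
$cases = array(
    'no role, keep protected'  => array(0, true),
    'protected role, keep'     => array(5, true),
    'protected role, bypass'   => array(5, false),
    'role outside scope, keep' => array(99, true),
    'no role, bypass'          => array(0, false),
);
foreach ($cases as $label => $args) {
    echo $label, ': ', json_encode(rolesToRevoke($scope, $args[0], $args[1])), PHP_EOL;
}
```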

◆ revokePermissionList()

ilRbacAdmin::revokePermissionList (   $a_ref_ids,
  $a_rol_id 
)

Revokes permissions of a LIST of objects of ONE role.

Update of table rbac_pa. @access public

Parameters
array list of reference_ids to revoke permissions
integer role_id
Returns
boolean

Definition at line 532 of file class.ilRbacAdmin.php.

533 {
534 global $ilDB;
535
536 if (!isset($a_ref_ids) or !is_array($a_ref_ids))
537 {
538 $message = get_class($this)."::revokePermissionList(): Missing parameter or parameter is not an array! reference_list: ".var_dump($a_ref_ids);
539 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
540 }
541
542 if (!isset($a_rol_id))
543 {
544 $message = get_class($this)."::revokePermissionList(): Missing parameter! rol_id: ".$a_rol_id;
545 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
546 }
547
548 // exclude system role from rbac
549 if ($a_rol_id == SYSTEM_ROLE_ID)
550 {
551 return true;
552 }
553
554 $query = "DELETE FROM rbac_pa ".
555 "WHERE ".$ilDB->in('ref_id',$a_ref_ids,false,'integer').' '.
556 "AND rol_id = ".$ilDB->quote($a_rol_id,'integer');
557 $res = $ilDB->manipulate($query);
558
559 return true;
560 }

References $ilDB, $query, and $res.

◆ revokeSubtreePermissions()

ilRbacAdmin::revokeSubtreePermissions (   $a_ref_id,
  $a_role_id 
)

Revoke subtree permissions.

Parameters
object $a_ref_id
object $a_role_id
Returns

Definition at line 485 of file class.ilRbacAdmin.php.

486 {
487 global $ilDB;
488
489 $query = 'DELETE FROM rbac_pa '.
490 'WHERE ref_id IN '.
491 '( '.$GLOBALS['tree']->getSubTreeQuery($a_ref_id,array('child')).' ) '.
492 'AND rol_id = '.$ilDB->quote($a_role_id,'integer');
493
494 $ilDB->manipulate($query);
495 return true;
496 }

References $ilDB, and $query.

◆ setProtected()

ilRbacAdmin::setProtected (   $a_ref_id,
  $a_role_id,
  $a_value 
)

Set protected @global $ilDB.

Parameters
type $a_ref_id
type $a_role_id
type $a_value y or n
Returns
boolean

Definition at line 1048 of file class.ilRbacAdmin.php.

1049 {
1050 global $ilDB;
1051
1052 // ref_id not used yet. protected permission acts 'global' for each role,
1053 // regardless of any broken inheritance before
1054 $query = 'UPDATE rbac_fa '.
1055 'SET protected = '.$ilDB->quote($a_value,'text').' '.
1056 'WHERE rol_id = '.$ilDB->quote($a_role_id,'integer');
1057 $res = $ilDB->manipulate($query);
1058 return true;
1059 }

References $ilDB, $query, and $res.

Referenced by copyRoleTemplatePermissions().

◆ setRolePermission()

ilRbacAdmin::setRolePermission (   $a_rol_id,
  $a_type,
  $a_ops,
  $a_ref_id 
)

Inserts template permissions in rbac_templates for a specific object type.

Update of table rbac_templates @access public

Parameters
integer role_id
string object type
array operation_ids
integer ref_id of role folder object
Returns
boolean

Definition at line 889 of file class.ilRbacAdmin.php.

890 {
891 global $ilDB;
892
893 if (!isset($a_rol_id) or !isset($a_type) or !isset($a_ops) or !isset($a_ref_id))
894 {
895 $message = get_class($this)."::setRolePermission(): Missing parameter!".
896 " role_id: ".$a_rol_id.
897 " type: ".$a_type.
898 " operations: ".$a_ops.
899 " ref_id: ".$a_ref_id;
900 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
901 }
902
903 if (!is_string($a_type) or empty($a_type))
904 {
905 $message = get_class($this)."::setRolePermission(): a_type is no string or empty!";
906 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
907 }
908
909 if (!is_array($a_ops) or empty($a_ops))
910 {
911 $message = get_class($this)."::setRolePermission(): a_ops is no array or empty!";
912 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
913 }
914
915 // exclude system role from rbac
916 if ($a_rol_id == SYSTEM_ROLE_ID)
917 {
918 return true;
919 }
920
921 $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
922 'VALUES (?,?,?,?)';
923 $sta = $ilDB->prepareManip($query,array('integer','text','integer','integer'));
924 foreach ($a_ops as $op)
925 {
926 $res = $ilDB->execute($sta,array(
927 $a_rol_id,
928 $a_type,
929 $op,
930 $a_ref_id
931 ));
932 }
933
934 return true;
935 }

References $ilDB, $query, and $res.


The documentation for this class was generated from the following file: