ILIAS  release_5-1 Revision 5.0.0-5477-g43f3e3fab5f
Public Member Functions | Static Public Member Functions | Data Fields | Protected Member Functions | Protected Attributes | Static Protected Attributes | Private Member Functions | Static Private Attributes
ilRbacSystem Class Reference
Services/AccessControl

class ilRbacSystem system function like checkAccess, addActiveRole ... Supporting system functions are required for session management and in making access control decisions. More...

+ Collaboration diagram for ilRbacSystem:

Public Member Functions

 checkAccess ($a_operations, $a_ref_id, $a_type="")
 checkAccess represents the main method of the RBAC-system in ILIAS3 developers want to use With this method you check the permissions a use may have due to its roles on an specific object. More...
 
 checkAccessOfUser ($a_user_id, $a_operations, $a_ref_id, $a_type="")
 
 preloadRbacPaCache ($a_ref_ids, $a_user_id)
 Preload rbac_pa cache. More...
 
 checkPermission ($a_ref_id, $a_rol_id, $a_operation)
 check if a specific role has the permission '$a_operation' of an object @access public More...
 
 __filterOwnerPermissions ($a_user_id, $a_operations, $a_ref_id)
 
 initMemberView ()
 Init member view. More...
 
 addTemporaryRole ($a_usr_id, $a_role_id)
 
 resetPACache ($a_usr_id, $a_ref_id)
 

Static Public Member Functions

static getInstance ()
 
static resetCaches ()
 Reset internal caches. More...
 

Data Fields

 $ilias
 

Protected Member Functions

 __construct ()
 Constructor @access public. More...
 

Protected Attributes

 $mem_view
 

Static Protected Attributes

static $instance = null
 
static $user_role_cache = array()
 

Private Member Functions

 fetchAssignedRoles ($a_usr_id, $a_ref_id)
 Fetch assigned roles This method caches the assigned roles per user
More...
 

Static Private Attributes

static $_paCache = null
 
static $_checkAccessOfUserCache = null
 

Detailed Description

class ilRbacSystem system function like checkAccess, addActiveRole ... Supporting system functions are required for session management and in making access control decisions.

This class depends on the session since we offer the possiblility to add or delete active roles during one session.

Author
Stefan Meyer meyer.nosp@m.@lei.nosp@m.fos.c.nosp@m.om
Version
$Id$

Definition at line 16 of file class.ilRbacSystem.php.

Constructor & Destructor Documentation

◆ __construct()

ilRbacSystem::__construct ( )
protected

Constructor @access public.

Definition at line 35 of file class.ilRbacSystem.php.

36 {
37 global $ilDB,$ilErr,$ilias;
38
39 $this->ilias =& $ilias;
40
41 // set db & error handler
42 (isset($ilDB)) ? $this->ilDB =& $ilDB : $this->ilDB =& $ilias->db;
43
44 if (!isset($ilErr))
45 {
46 $ilErr = new ilErrorHandling();
47 $ilErr->setErrorHandling(PEAR_ERROR_CALLBACK,array($ilErr,'errorHandler'));
48 }
49 else
50 {
51 $this->ilErr =& $ilErr;
52 }
53 }
PEAR_ERROR_CALLBACK
const PEAR_ERROR_CALLBACK
Definition: PEAR.php:35
ilDB
Database Wrapper.
Definition: class.ilDB.php:29
if
if(!file_exists(getcwd().'/ilias.ini.php')) if(isset( $_GET["client_id"]))
registration confirmation script for ilias
Definition: confirmReg.php:20
$ilErr
$ilErr
Definition: inc.setup_header.php:67
ilias
redirection script todo: (a better solution should control the processing via a xml file)
$ilDB
global $ilDB
Definition: storeScorm2004.php:19

References $ilDB, $ilErr, $ilias, if, and PEAR_ERROR_CALLBACK.

Member Function Documentation

◆ __filterOwnerPermissions()

ilRbacSystem::__filterOwnerPermissions (   $a_user_id,
  $a_operations,
  $a_ref_id 
)

Definition at line 329 of file class.ilRbacSystem.php.

330 {
331 global $ilObjDataCache,$ilUser;
332
333 // member view constraints
334 if($this->mem_view['active'] and $a_user_id == $ilUser->getId())
335 {
336 if(in_array($a_ref_id, $this->mem_view['items']))
337 {
338 return $a_operations;
339 }
340 }
341
342 if($a_user_id != $ilObjDataCache->lookupOwner($ilObjDataCache->lookupObjId($a_ref_id)))
343 {
344 return $a_operations;
345 }
346 // Is owner
347 $new_ops = false;
348 foreach(explode(",",$a_operations) as $operation)
349 {
350 if($operation != 'cat_administrate_users' and $operation != 'edit_permission' and $operation != 'edit_learning_progress' and $operation != 'read_learning_progress' and !preg_match('/^create/',$operation))
351 {
352 continue;
353 }
354 if(!strlen($new_ops))
355 {
356 $new_ops = $operation;
357 }
358 else
359 {
360 $new_ops .= (','.$operation);
361 }
362 }
363 return $new_ops;
364
365
366 }
$ilUser
global $ilUser
Definition: imgupload.php:15

References $ilUser.

Referenced by checkAccessOfUser().

+ Here is the caller graph for this function:

◆ addTemporaryRole()

ilRbacSystem::addTemporaryRole (   $a_usr_id,
  $a_role_id 
)

Definition at line 453 of file class.ilRbacSystem.php.

454 {
455 if(!in_array($a_role_id, self::$user_role_cache[$a_usr_id]))
456 {
457 self::$user_role_cache[$a_usr_id][] = $a_role_id;
458 }
459 }

◆ checkAccess()

ilRbacSystem::checkAccess (   $a_operations,
  $a_ref_id,
  $a_type = "" 
)

checkAccess represents the main method of the RBAC-system in ILIAS3 developers want to use With this method you check the permissions a use may have due to its roles on an specific object.

The first parameter are the operation(s) the user must have The second & third parameter specifies the object where the operation(s) may apply to The last parameter is only required, if you ask for the 'create' operation. Here you specify the object type which you want to create.

example: $rbacSystem->checkAccess("visible,read",23); Here you ask if the user is allowed to see ('visible') and access the object by reading it ('read'). The reference_id is 23 in the tree structure.

@access public

Parameters
stringone or more operations, separated by commas (i.e.: visible,read,join)
integerthe child_id in tree (usually a reference_id, no object_id !!)
stringthe type definition abbreviation (i.e.: frm,grp,crs)
Returns
boolean returns true if ALL passed operations are given, otherwise false

Definition at line 93 of file class.ilRbacSystem.php.

94 {
95 global $ilUser,$ilBench;
96
97 $ilBench->start("RBAC", "system_checkAccess");
98
99 $result = $this->checkAccessOfUser($ilUser->getId(), $a_operations, $a_ref_id, $a_type);
100
101 $ilBench->stop("RBAC", "system_checkAccess");
102
103 return $result;
104 }
$result
$result
Definition: CleanUpTest.php:407
ilRbacSystem\checkAccessOfUser
checkAccessOfUser($a_user_id, $a_operations, $a_ref_id, $a_type="")
Definition: class.ilRbacSystem.php:106
$ilBench
global $ilBench
Definition: ilias.php:18

References $ilBench, $ilUser, $result, and checkAccessOfUser().

Referenced by initMemberView().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ checkAccessOfUser()

ilRbacSystem::checkAccessOfUser (   $a_user_id,
  $a_operations,
  $a_ref_id,
  $a_type = "" 
)

Definition at line 106 of file class.ilRbacSystem.php.

107 {
108 global $ilUser, $rbacreview,$ilObjDataCache,$ilDB,$ilLog;
109
110 // Create the user cache key
111 $cacheKey = $a_user_id.':'.$a_operations.':'.$a_ref_id.':'.$a_type;
112
113 // Create the cache if it does not yet exist
114 if (! is_array(self::$_checkAccessOfUserCache)) {
115 self::$_checkAccessOfUserCache = array();
116 }
117
118 // Try to return result from cache
119 if (array_key_exists($cacheKey, self::$_checkAccessOfUserCache)) {
120 return self::$_checkAccessOfUserCache[$cacheKey];
121 }
122
123
124 // DISABLED
125 // Check For owner
126 // Owners do always have full access to their objects
127 // Excluded are the permissions create and perm
128 // This method call return all operations that are NOT granted by the owner status
129 if(!$a_operations = $this->__filterOwnerPermissions($a_user_id,$a_operations,$a_ref_id))
130 {
131 // Store positive outcome in cache.
132 // Note: we only cache up to 1000 results to avoid memory overflows
133 if (count(self::$_checkAccessOfUserCache) < 1000) {
134 self::$_checkAccessOfUserCache[$cacheKey] = true;
135 }
136 return true;
137 }
138
139
140 // get roles using role cache
141 $roles = $this->fetchAssignedRoles($a_user_id,$a_ref_id);
142
143 // exclude system role from rbac
144 if (in_array(SYSTEM_ROLE_ID, $roles))
145 {
146 // Store positive outcome in cache.
147 // Note: we only cache up to 1000 results to avoid memory overflows
148 if (count(self::$_checkAccessOfUserCache) < 1000) {
149 self::$_checkAccessOfUserCache[$cacheKey] = true;
150 }
151 return true;
152 }
153
154 if (!isset($a_operations) or !isset($a_ref_id))
155 {
156 $GLOBALS['ilLog']->logStack();
157 $this->ilErr->raiseError(get_class($this)."::checkAccess(): Missing parameter! ".
158 "ref_id: ".$a_ref_id." operations: ".$a_operations,$this->ilErr->WARNING);
159 }
160
161 if (!is_string($a_operations))
162 {
163 $GLOBALS['ilLog']->logStack();
164 $this->ilErr->raiseError(get_class($this)."::checkAccess(): Wrong datatype for operations!",$this->ilErr->WARNING);
165 }
166
167 // Create the PA cache if it does not exist yet
168 $paCacheKey = $a_user_id.':'.$a_ref_id;
169 if (! is_array(self::$_paCache)) {
170 self::$_paCache = array();
171 }
172
173 if (array_key_exists($paCacheKey, self::$_paCache)) {
174 // Return result from PA cache
175 $ops = self::$_paCache[$paCacheKey];
176 }
177 else
178 {
179 // Data is not in PA cache, perform database query
180 $q = "SELECT * FROM rbac_pa ".
181 "WHERE ref_id = ".$ilDB->quote($a_ref_id, 'integer');
182
183 $r = $this->ilDB->query($q);
184
185 $ops = array();
186
187 while ($row = $r->fetchRow(DB_FETCHMODE_OBJECT))
188 {
189 if (in_array($row->rol_id, $roles))
190 {
191 $ops = array_merge($ops,unserialize(stripslashes($row->ops_id)));
192 }
193 }
194 // Cache up to 1000 entries in the PA cache
195 if (count(self::$_paCache) < 1000)
196 {
197 self::$_paCache[$paCacheKey] = $ops;
198 }
199 }
200
201 $operations = explode(",",$a_operations);
202 foreach ($operations as $operation)
203 {
204 if ($operation == "create")
205 {
206 if (empty($a_type))
207 {
208 $this->ilErr->raiseError(get_class($this)."::CheckAccess(): Expect a type definition for checking a 'create' permission",
209 $this->ilErr->WARNING);
210 }
211
212 $ops_id = ilRbacReview::_getOperationIdByName($operation."_".$a_type);
213 }
214 else
215 {
216 $ops_id = ilRbacReview::_getOperationIdByName($operation);
217 }
218 if (! in_array($ops_id,(array) $ops))
219 {
220 //$ilLog->write('PERMISSION: '.$a_ref_id.' -> '.$a_ops_id.' failed');
221 // Store negative outcome in cache.
222 // Note: we only cache up to 1000 results to avoid memory overflows
223 if (count(self::$_checkAccessOfUserCache) < 1000)
224 {
225 self::$_checkAccessOfUserCache[$cacheKey] = false;
226 }
227 return false;
228 }
229 }
230
231 // Store positive outcome in cache.
232 // Note: we only cache up to 1000 results to avoid memory overflows
233 if (count(self::$_checkAccessOfUserCache) < 1000)
234 {
235 //$ilLog->write('PERMISSION: '.$a_ref_id.' -> '.$ops_id.' granted');
236 self::$_checkAccessOfUserCache[$cacheKey] = true;
237 }
238 return true;
239 }
DB_FETCHMODE_OBJECT
const DB_FETCHMODE_OBJECT
Definition: class.ilDB.php:11
ilDB\query
query($sql, $a_handle_error=true)
Query.
Definition: class.ilDB.php:1450
ilRbacReview\_getOperationIdByName
static _getOperationIdByName($a_operation)
get operation id by name of operation @access public @access static
Definition: class.ilRbacReview.php:1839
ilRbacSystem\fetchAssignedRoles
fetchAssignedRoles($a_usr_id, $a_ref_id)
Fetch assigned roles This method caches the assigned roles per user
Definition: class.ilRbacSystem.php:376
ilRbacSystem\__filterOwnerPermissions
__filterOwnerPermissions($a_user_id, $a_operations, $a_ref_id)
Definition: class.ilRbacSystem.php:329
$r
$r
Definition: example_031.php:79
$GLOBALS
$GLOBALS['PHPCAS_CLIENT']
This global variable is used by the interface class phpCAS.
Definition: CAS.php:276
$ilLog
$ilLog
Definition: inc.setup_header.php:136

References $GLOBALS, $ilDB, $ilLog, $ilUser, $r, $row, __filterOwnerPermissions(), ilRbacReview\_getOperationIdByName(), DB_FETCHMODE_OBJECT, fetchAssignedRoles(), and ilDB\query().

Referenced by checkAccess().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ checkPermission()

ilRbacSystem::checkPermission (   $a_ref_id,
  $a_rol_id,
  $a_operation 
)

check if a specific role has the permission '$a_operation' of an object @access public

Parameters
integerreference id of object
integerrole id
stringthe permission to check
Returns
boolean

Definition at line 303 of file class.ilRbacSystem.php.

304 {
305 global $ilDB;
306
307 $ops = array();
308
309 $query = 'SELECT ops_id FROM rbac_operations '.
310 'WHERE operation = '.$ilDB->quote($a_operation,'text');
311 $res = $ilDB->query($query);
312 while($row = $ilDB->fetchObject($res))
313 {
314 $ops_id = $row->ops_id;
315 }
316
317 $query = "SELECT * FROM rbac_pa ".
318 "WHERE rol_id = ".$ilDB->quote($a_rol_id,'integer')." ".
319 "AND ref_id = ".$ilDB->quote($a_ref_id,'integer')." ";
320 $res = $ilDB->query($query);
321
322 while($row = $ilDB->fetchObject($res))
323 {
324 $ops = array_merge($ops,unserialize($row->ops_id));
325 }
326 return in_array($ops_id,$ops);
327 }

References $ilDB, $query, $res, and $row.

◆ fetchAssignedRoles()

ilRbacSystem::fetchAssignedRoles (   $a_usr_id,
  $a_ref_id 
)
private

Fetch assigned roles This method caches the assigned roles per user

@access private

Parameters
intuser id

Definition at line 376 of file class.ilRbacSystem.php.

377 {
378 global $ilUser,$rbacreview;
379
380 // Member view constraints
381 if($this->mem_view['active'] and $a_usr_id == $ilUser->getId())
382 {
383 // check if current ref_id is subitem of active container
384 if(in_array($a_ref_id, $this->mem_view['items']) and $this->mem_view['role'])
385 {
386 // Return default member role
387 return array($this->mem_view['role']);
388 }
389 }
390
391 if(isset(self::$user_role_cache[$a_usr_id]) and is_array(self::$user_role_cache))
392 {
393 return self::$user_role_cache[$a_usr_id];
394 }
395
396
397
398 return self::$user_role_cache[$a_usr_id] = $rbacreview->assignedRoles($a_usr_id);
399 }

References $ilUser.

Referenced by checkAccessOfUser(), and preloadRbacPaCache().

+ Here is the caller graph for this function:

◆ getInstance()

static ilRbacSystem::getInstance ( )
static

Definition at line 55 of file class.ilRbacSystem.php.

56 {
57 if(self::$instance)
58 {
59 return self::$instance;
60 }
61 return self::$instance = new ilRbacSystem();
62 }
ilRbacSystem
class ilRbacSystem system function like checkAccess, addActiveRole ... Supporting system functions ar...
Definition: class.ilRbacSystem.php:17

References $instance.

Referenced by ilInitialisation\initAccessHandling().

+ Here is the caller graph for this function:

◆ initMemberView()

ilRbacSystem::initMemberView ( )

Init member view.

Returns

Definition at line 405 of file class.ilRbacSystem.php.

406 {
407 include_once './Services/Container/classes/class.ilMemberViewSettings.php';
408 $settings = ilMemberViewSettings::getInstance();
409
410 // disable member view
411 if(
412 isset($_GET['mv']) &&
413 $_GET['mv'] == 0
414 )
415 {
416 // force deactivation
417 $settings->toggleActivation((int) $_GET['ref_id'], false);
418 }
419 if(
420 isset($_GET['mv']) &&
421 $_GET['mv'] == 1
422 )
423 {
424 if($this->checkAccess('write', (int) $_GET['ref_id']))
425 {
426 $settings->toggleActivation((int) $_GET['ref_id'], true);
427 // reset caches
428 self::resetCaches();
429 }
430 }
431
432 if(!$settings->isActive())
433 {
434 $this->mem_view['active'] = false;
435 $this->mem_view['items'] = array();
436 $this->mem_view['role'] = 0;
437 }
438 else
439 {
440 global $tree;
441
442 $this->mem_view['active'] = true;
443 $this->mem_view['items'] = $tree->getSubTreeIds($settings->getContainer());
444 $this->mem_view['items'] = array_merge($this->mem_view['items'],array($settings->getContainer()));
445
446 include_once './Services/Membership/classes/class.ilParticipants.php';
447 $this->mem_view['role'] = ilParticipants::getDefaultMemberRole($settings->getContainer());
448
449 }
450 return true;
451 }
$_GET
$_GET["client_id"]
Definition: cfg.phpunit.template.php:12
ilMemberViewSettings\getInstance
static getInstance()
Get instance.
Definition: class.ilMemberViewSettings.php:53
ilParticipants\getDefaultMemberRole
static getDefaultMemberRole($a_ref_id)
Definition: class.ilParticipants.php:367
ilRbacSystem\resetCaches
static resetCaches()
Reset internal caches.
Definition: class.ilRbacSystem.php:67
ilRbacSystem\checkAccess
checkAccess($a_operations, $a_ref_id, $a_type="")
checkAccess represents the main method of the RBAC-system in ILIAS3 developers want to use With this ...
Definition: class.ilRbacSystem.php:93

References $_GET, checkAccess(), ilParticipants\getDefaultMemberRole(), ilMemberViewSettings\getInstance(), and resetCaches().

+ Here is the call graph for this function:

◆ preloadRbacPaCache()

ilRbacSystem::preloadRbacPaCache (   $a_ref_ids,
  $a_user_id 
)

Preload rbac_pa cache.

Parameters

return

Definition at line 247 of file class.ilRbacSystem.php.

248 {
249 global $ilDB;
250
251 if (!is_array($a_ref_ids))
252 {
253 return;
254 }
255
256 $ref_ids = array();
257 foreach ($a_ref_ids as $ref_id)
258 {
259 if (!isset(self::$_paCache[$a_user_id.":".$ref_id]))
260 {
261 $roles[$ref_id] = $this->fetchAssignedRoles($a_user_id, $ref_id);
262 $ops[$ref_id] = array();
263 $ref_ids[] = $ref_id;
264 }
265 }
266
267 if (count($ref_ids) > 0)
268 {
269
270 // Data is not in PA cache, perform database query
271 $q = "SELECT * FROM rbac_pa ".
272 "WHERE ".$ilDB->in("ref_id", $ref_ids, false, "integer");
273
274 $r = $this->ilDB->query($q);
275
276 while ($row = $r->fetchRow(DB_FETCHMODE_OBJECT))
277 {
278 if (in_array($row->rol_id, $roles[$row->ref_id]))
279 {
280 $ops[$row->ref_id] = array_merge($ops[$row->ref_id],
281 unserialize(stripslashes($row->ops_id)));
282 }
283 }
284 foreach ($a_ref_ids as $ref_id)
285 {
286 // #11313
287 if (!isset(self::$_paCache[$a_user_id.":".$ref_id]))
288 {
289 self::$_paCache[$a_user_id.":".$ref_id] = $ops[$ref_id];
290 }
291 }
292 }
293 }
$ref_id
$ref_id
Definition: sahs_server.php:39

References $ilDB, $r, $ref_id, $row, DB_FETCHMODE_OBJECT, fetchAssignedRoles(), and ilDB\query().

+ Here is the call graph for this function:

◆ resetCaches()

static ilRbacSystem::resetCaches ( )
static

Reset internal caches.

Definition at line 67 of file class.ilRbacSystem.php.

68 {
69 self::$user_role_cache = array();
70 self::$_paCache = null;
71 self::$_checkAccessOfUserCache = null;
72 }

Referenced by initMemberView().

+ Here is the caller graph for this function:

◆ resetPACache()

ilRbacSystem::resetPACache (   $a_usr_id,
  $a_ref_id 
)

Definition at line 461 of file class.ilRbacSystem.php.

462 {
463 $paCacheKey = $a_usr_id.':'.$a_ref_id;
464 unset(self::$_paCache[$paCacheKey]);
465 }

Field Documentation

◆ $_checkAccessOfUserCache

ilRbacSystem::$_checkAccessOfUserCache = null
staticprivate

Definition at line 29 of file class.ilRbacSystem.php.

◆ $_paCache

ilRbacSystem::$_paCache = null
staticprivate

Definition at line 26 of file class.ilRbacSystem.php.

◆ $ilias

ilRbacSystem::$ilias

Definition at line 23 of file class.ilRbacSystem.php.

Referenced by __construct().

◆ $instance

ilRbacSystem::$instance = null
staticprotected

Definition at line 18 of file class.ilRbacSystem.php.

Referenced by getInstance().

◆ $mem_view

ilRbacSystem::$mem_view
protected

Definition at line 20 of file class.ilRbacSystem.php.

◆ $user_role_cache

ilRbacSystem::$user_role_cache = array()
staticprotected

Definition at line 22 of file class.ilRbacSystem.php.

The documentation for this class was generated from the following file: