1 <?php
2 /* Copyright (c) 1998-2010 ILIAS open source, Extended GPL, see docs/LICENSE */
3 
4 
19 {
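/**
 * Binds the database handle and the error handler used by every write
 * operation of this class.
 *
 * The handle is taken from the global $ilDB when present, otherwise from
 * $ilias->db. The error handler is taken from the global $ilErr; when no
 * global handler exists yet, one is created and installed (the `global`
 * binding makes it visible to the rest of the request as well) with a PEAR
 * callback to its errorHandler() method.
 */
public function __construct()
{
    global $ilDB, $ilErr, $ilias;

    // set db handler: prefer the global handle, fall back to the ilias object
    if (isset($ilDB)) {
        $this->ilDB =& $ilDB;
    } else {
        $this->ilDB =& $ilias->db;
    }

    // set error handler; create and register one if none exists yet
    if (!isset($ilErr)) {
        $ilErr = new ilErrorHandling();
        $ilErr->setErrorHandling(PEAR_ERROR_CALLBACK, array($ilErr, 'errorHandler'));
    }

    // Bug fix: the original only stored the handler in the `else` branch, so
    // $this->ilErr stayed unset when the handler had just been created and
    // every later $this->ilErr->raiseError() call in this class failed.
    $this->ilErr =& $ilErr;
}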
41 
/**
 * Sets the blocked flag of one role/parent assignment in rbac_fa.
 *
 * Note: a stack trace is written to the 'crs' logger on every call (left in
 * by the original author); this behaviour is kept unchanged.
 *
 * @param int $a_role_id        role object id (rbac_fa.rol_id)
 * @param int $a_ref_id         parent reference id (rbac_fa.parent)
 * @param int $a_blocked_status new value of rbac_fa.blocked, quoted as integer
 * @return void
 */
public function setBlockedStatus($a_role_id, $a_ref_id, $a_blocked_status)
{
    global $ilDB;

    ilLoggerFactory::getLogger('crs')->logStack();

    $sql = sprintf(
        'UPDATE rbac_fa set blocked = %s WHERE rol_id = %s AND parent = %s',
        $ilDB->quote($a_blocked_status, 'integer'),
        $ilDB->quote($a_role_id, 'integer'),
        $ilDB->quote($a_ref_id, 'integer')
    );
    $ilDB->manipulate($sql);
}
58 
/**
 * Removes every role assignment of a user (all rbac_ua rows for usr_id).
 *
 * A WARNING is raised through the error handler when no user id is given.
 *
 * @param int $a_usr_id user id
 * @return bool always true
 */
public function removeUser($a_usr_id)
{
    global $ilDB;

    if (!isset($a_usr_id)) {
        $this->ilErr->raiseError(
            get_class($this) . "::removeUser(): No usr_id given!",
            $this->ilErr->WARNING
        );
    }

    $ilDB->manipulate(
        "DELETE FROM rbac_ua WHERE usr_id = " . $ilDB->quote($a_usr_id, 'integer')
    );

    return true;
}
81 
/**
 * Deletes a role: removes its LDAP group mapping, all user assignments
 * (rbac_ua), all object permission assignments (rbac_pa) and, through
 * deleteLocalRole(), its rbac_fa and rbac_templates rows.
 *
 * The system role (SYSTEM_ROLE_ID) is never deleted; a MESSAGE error is
 * raised instead. $a_ref_id is only validated here, it is not used in a query.
 *
 * @param int $a_rol_id role object id
 * @param int $a_ref_id ref_id of the role folder (validated only)
 * @return bool always true
 */
public function deleteRole($a_rol_id,$a_ref_id)
{
    global $lng,$ilDB;

    // a missing parameter is reported as a WARNING through the error handler
    if (!isset($a_rol_id) or !isset($a_ref_id))
    {
        $message = get_class($this)."::deleteRole(): Missing parameter! role_id: ".$a_rol_id." ref_id of role folder: ".$a_ref_id;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID)
    {
        $this->ilErr->raiseError($lng->txt("msg_sysrole_not_deletable"),$this->ilErr->MESSAGE);
    }

    include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
    // NOTE(review): the rendered listing omits the line that initialises
    // $mapping here (presumably an ilLDAPRoleGroupMapping instance lookup);
    // confirm against the source file.
    $mapping->deleteRole($a_rol_id);


    // TODO: check assigned users before deletion
    // This is done in ilObjRole. Should be better moved to this place?

    // delete user assignments
    $query = "DELETE FROM rbac_ua ".
        "WHERE rol_id = ".$ilDB->quote($a_rol_id,'integer');
    $res = $ilDB->manipulate($query);

    // delete permission assignments
    $query = "DELETE FROM rbac_pa ".
        "WHERE rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
    $res = $ilDB->manipulate($query);

    // delete rbac_templates and rbac_fa (no parent given: all parents)
    $this->deleteLocalRole($a_rol_id);

    return true;
}
128 
/**
 * Deletes every template permission (rbac_templates) and folder assignment
 * (rbac_fa) row of the given role or role-template object.
 *
 * A WARNING is raised through the error handler when no object id is given.
 *
 * @param int $a_obj_id role or role-template object id
 * @return bool always true
 */
public function deleteTemplate($a_obj_id)
{
    global $ilDB;

    if (!isset($a_obj_id)) {
        $this->ilErr->raiseError(
            get_class($this) . "::deleteTemplate(): No obj_id given!",
            $this->ilErr->WARNING
        );
    }

    $quoted_id = $ilDB->quote($a_obj_id, 'integer');
    $ilDB->manipulate('DELETE FROM rbac_templates WHERE rol_id = ' . $quoted_id);
    $ilDB->manipulate('DELETE FROM rbac_fa WHERE rol_id = ' . $quoted_id);

    return true;
}
155 
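/**
 * Deletes a local role's rbac_fa and rbac_templates rows.
 *
 * With $a_ref_id = 0 the rows of every parent are removed, otherwise only the
 * rows whose parent equals $a_ref_id. The system role (SYSTEM_ROLE_ID) is
 * never touched. A WARNING is raised when no role id is given.
 *
 * @param int $a_rol_id role object id
 * @param int $a_ref_id parent reference id, 0 for all parents
 * @return bool always true
 */
public function deleteLocalRole($a_rol_id,$a_ref_id = 0)
{
    global $ilDB;

    if (!isset($a_rol_id)) {
        $message = get_class($this) . "::deleteLocalRole(): Missing parameter! role_id: '" . $a_rol_id . "'";
        $this->ilErr->raiseError($message, $this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID) {
        return true;
    }

    // Bug fix: the clause was only defined when a parent was given, so the
    // $a_ref_id == 0 case concatenated an undefined variable (PHP notice).
    $parent_clause = '';
    if ($a_ref_id != 0) {
        $parent_clause = 'AND parent = ' . $ilDB->quote($a_ref_id, 'integer') . ' ';
    }

    // same WHERE for both tables; rbac_fa first, then rbac_templates
    foreach (array('rbac_fa', 'rbac_templates') as $table) {
        $ilDB->manipulate(
            'DELETE FROM ' . $table . ' ' .
            'WHERE rol_id = ' . $ilDB->quote($a_rol_id, 'integer') . ' ' .
            $parent_clause
        );
    }

    return true;
}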
195 
/**
 * Assigns a user to a role only while the number of rbac_ua rows for
 * $a_limited_roles is still below $a_limit.
 *
 * rbac_ua is write-locked around the count and the insert (presumably so a
 * concurrent assignment cannot push the count past the limit). Unlike
 * assignUser(), no check for an already existing assignment is made. After
 * the insert the rbacreview assignment cache is updated, the role's desktop
 * items are added to the user and the LDAP group mapping is informed.
 *
 * @param int   $a_role_id       role object id to assign
 * @param int   $a_usr_id        user id
 * @param int   $a_limit         maximum number of rbac_ua rows for $a_limited_roles
 * @param int[] $a_limited_roles role ids whose assignments count against the limit
 * @return bool false when the limit is already reached (nothing inserted), true otherwise
 */
public function assignUserLimited($a_role_id, $a_usr_id, $a_limit, $a_limited_roles = array())
{
    global $ilDB;

    $GLOBALS['ilDB']->lockTables(
        array(
            0 => array('name' => 'rbac_ua', 'type' => ilDB::LOCK_WRITE)
        )
    );

    // count the current assignments to the limited roles while the lock is held
    $limit_query = 'SELECT COUNT(*) num FROM rbac_ua '.
        'WHERE '.$GLOBALS['ilDB']->in('rol_id',(array) $a_limited_roles,FALSE,'integer');
    $res = $GLOBALS['ilDB']->query($limit_query);
    $row = $res->fetchRow(DB_FETCHMODE_OBJECT);
    if($row->num >= $a_limit)
    {
        $GLOBALS['ilDB']->unlockTables();
        return FALSE;
    }

    // NOTE(review): no try/finally here — if manipulate() threw, the
    // unlockTables() call below would be skipped; confirm ilDB's error mode.
    $query = "INSERT INTO rbac_ua (usr_id, rol_id) ".
        "VALUES (".
        $ilDB->quote($a_usr_id,'integer').",".$ilDB->quote($a_role_id,'integer').
        ")";
    $res = $ilDB->manipulate($query);

    $GLOBALS['ilDB']->unlockTables();
    $GLOBALS['rbacreview']->setAssignedCacheEntry($a_role_id,$a_usr_id,TRUE);

    $this->addDesktopItem($a_role_id,$a_usr_id);

    include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
    // NOTE(review): the rendered listing omits the line that initialises
    // $mapping here; confirm against the source file.
    $mapping->assign($a_role_id,$a_usr_id);
    return TRUE;
}
238 
/**
 * Adds every desktop item configured for a role to a user's desktop.
 *
 * @param int $a_rol_id role object id
 * @param int $a_usr_id user id
 * @return void
 */
protected function addDesktopItem($a_rol_id, $a_usr_id)
{
    include_once 'Services/AccessControl/classes/class.ilRoleDesktopItem.php';
    $role_items = new ilRoleDesktopItem($a_rol_id);

    foreach ($role_items->getAll() as $item) {
        include_once './Services/User/classes/class.ilObjUser.php';
        ilObjUser::_addDesktopItem($a_usr_id, $item['item_id'], $item['item_type']);
    }
}
254 
255 
/**
 * Assigns a user to a role.
 *
 * The rbac_ua row is only inserted when $rbacreview->isAssigned() reports no
 * existing assignment; only then the role's desktop items are added to the
 * user, the rbacreview assignment cache is updated and the 'assignUser'
 * event is raised on 'Services/AccessControl'. The LDAP group mapping is
 * informed in every case.
 *
 * Note: the missing-parameter check only builds $message — the raiseError()
 * call is commented out, so missing ids are not reported by this method.
 *
 * @param int $a_rol_id role object id
 * @param int $a_usr_id user id
 * @return bool always true
 */
public function assignUser($a_rol_id,$a_usr_id)
{
    global $ilDB,$rbacreview;

    if (!isset($a_rol_id) or !isset($a_usr_id))
    {
        $message = get_class($this)."::assignUser(): Missing parameter! role_id: ".$a_rol_id." usr_id: ".$a_usr_id;
        #$this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    // check if already assigned user id and role_id
    $alreadyAssigned = $rbacreview->isAssigned($a_usr_id,$a_rol_id);

    // enhanced: only if we haven't had this role for this user
    if (!$alreadyAssigned)
    {
        $query = "INSERT INTO rbac_ua (usr_id, rol_id) ".
            "VALUES (".$ilDB->quote($a_usr_id,'integer').",".$ilDB->quote($a_rol_id,'integer').")";
        $res = $ilDB->manipulate($query);

        $this->addDesktopItem($a_rol_id, $a_usr_id);

        $rbacreview->setAssignedCacheEntry($a_rol_id,$a_usr_id,true);
    }

    include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
    // NOTE(review): the rendered listing omits the line that initialises
    // $mapping here; confirm against the source file.
    $mapping->assign($a_rol_id,$a_usr_id);


    // object the role belongs to, for the event payload
    $ref_id = $GLOBALS['rbacreview']->getObjectReferenceOfRole($a_rol_id);
    $obj_id = ilObject::_lookupObjId($ref_id);
    $type = ilObject::_lookupType($obj_id);

    // the event is raised for new assignments only
    if(!$alreadyAssigned)
    {
        ilLoggerFactory::getInstance()->getLogger('ac')->debug('Raise event assign user');
        $GLOBALS['ilAppEventHandler']->raise(
            'Services/AccessControl',
            'assignUser',
            array(
                'obj_id' => $obj_id,
                'usr_id' => $a_usr_id,
                'role_id' => $a_rol_id,
                'type' => $type
            )
        );
    }
    return TRUE;
}
315 
/**
 * Deassigns a user from a role: deletes the rbac_ua row, updates the
 * rbacreview assignment cache, informs the LDAP group mapping and raises the
 * 'deassignUser' event on 'Services/AccessControl' with the obj_id and type
 * of the object the role belongs to.
 *
 * A WARNING is raised through the error handler when an id is missing.
 *
 * @param int $a_rol_id role object id
 * @param int $a_usr_id user id
 * @return bool always true
 */
public function deassignUser($a_rol_id,$a_usr_id)
{
    global $ilDB, $rbacreview;

    if (!isset($a_rol_id) or !isset($a_usr_id))
    {
        $message = get_class($this)."::deassignUser(): Missing parameter! role_id: ".$a_rol_id." usr_id: ".$a_usr_id;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    $query = "DELETE FROM rbac_ua ".
        "WHERE usr_id = ".$ilDB->quote($a_usr_id,'integer')." ".
        "AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
    $res = $ilDB->manipulate($query);

    $rbacreview->setAssignedCacheEntry($a_rol_id,$a_usr_id,false);

    include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
    // NOTE(review): the rendered listing omits the line that initialises
    // $mapping here; confirm against the source file.
    $mapping->deassign($a_rol_id,$a_usr_id);

    // object the role belongs to, for the event payload
    $ref_id = $GLOBALS['rbacreview']->getObjectReferenceOfRole($a_rol_id);
    $obj_id = ilObject::_lookupObjId($ref_id);
    $type = ilObject::_lookupType($obj_id);

    ilLoggerFactory::getInstance()->getLogger('ac')->debug('Raise event deassign user');
    $GLOBALS['ilAppEventHandler']->raise(
        'Services/AccessControl',
        'deassignUser',
        array(
            'obj_id' => $obj_id,
            'usr_id' => $a_usr_id,
            'role_id' => $a_rol_id,
            'type' => $type
        )
    );
    return TRUE;
}
361 
/**
 * Replaces the object permissions of a role on one reference: the rbac_pa
 * row for (rol_id, ref_id) is deleted and a new one is inserted that holds
 * the operation ids as a PHP-serialized array.
 *
 * Every operation value is cast to int before serialization, so the stored
 * payload only ever contains integers. The system role (SYSTEM_ROLE_ID) is
 * never touched. Missing parameters and a non-array $a_ops are reported as
 * WARNINGs through the error handler.
 *
 * @param int   $a_rol_id role object id
 * @param int[] $a_ops    operation ids to grant
 * @param int   $a_ref_id reference id of the object
 * @return bool true on success or for the system role; false when $a_ops is
 *              empty — the old rbac_pa row has then already been removed and
 *              nothing is inserted
 */
public function grantPermission($a_rol_id,$a_ops,$a_ref_id)
{
    global $ilDB;

    if (!isset($a_rol_id) or !isset($a_ops) or !isset($a_ref_id)) {
        $this->ilErr->raiseError(
            get_class($this) . "::grantPermission(): Missing parameter! " .
            "role_id: " . $a_rol_id . " ref_id: " . $a_ref_id . " operations: ",
            $this->ilErr->WARNING
        );
    }

    if (!is_array($a_ops)) {
        $this->ilErr->raiseError(
            get_class($this) . "::grantPermission(): Wrong datatype for operations!",
            $this->ilErr->WARNING
        );
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID) {
        return true;
    }

    // normalise every operation id to int, keeping the keys
    foreach ($a_ops as $key => $operation) {
        $a_ops[$key] = (int) $operation;
    }
    $serialized_ops = serialize($a_ops);

    // drop the existing row for this role/ref pair first
    $ilDB->queryF(
        'DELETE FROM rbac_pa WHERE rol_id = %s AND ref_id = %s',
        array('integer', 'integer'),
        array($a_rol_id, $a_ref_id)
    );

    // nothing to grant: the deletion above is the whole effect
    if (!count($a_ops)) {
        return false;
    }

    $ilDB->manipulate(
        'INSERT INTO rbac_pa (rol_id,ops_id,ref_id) VALUES (' .
        $ilDB->quote($a_rol_id, 'integer') . ',' .
        $ilDB->quote($serialized_ops, 'text') . ',' .
        $ilDB->quote($a_ref_id, 'integer') . ')'
    );

    return true;
}
425 
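/**
 * Revokes object permissions (rbac_pa rows) on one reference.
 *
 * Three modes, selected by the arguments:
 *  - $a_keep_protected false: delete the rbac_pa rows of $a_ref_id for the
 *    given role, or for all roles when $a_rol_id is 0, ignoring the
 *    protected flag.
 *  - $a_rol_id 0 (protected flag honoured): delete the rows of every role in
 *    scope of $a_ref_id (as reported by $rbacreview->getParentRoleIds())
 *    that is not flagged protected.
 *  - a single role (protected flag honoured): delete its rows unless the
 *    role is flagged protected in that scope.
 * The system role (SYSTEM_ROLE_ID) is never touched. A missing $a_ref_id is
 * reported as a WARNING, together with a stack trace in $ilLog.
 *
 * @param int  $a_ref_id         reference id
 * @param int  $a_rol_id         role object id, 0 for all roles in scope
 * @param bool $a_keep_protected whether to honour the protected flag
 * @return bool always true
 */
public function revokePermission($a_ref_id,$a_rol_id = 0,$a_keep_protected = true)
{
    global $rbacreview, $ilDB, $ilLog;

    if (!isset($a_ref_id)) {
        $ilLog->logStack();
        $message = get_class($this) . "::revokePermission(): Missing parameter! ref_id: " . $a_ref_id;
        $this->ilErr->raiseError($message, $this->ilErr->WARNING);
    }

    // exclude system role from rbac (checked up front for every mode that
    // names a role; 0 never equals the system role id)
    if ($a_rol_id == SYSTEM_ROLE_ID) {
        return true;
    }

    // bypass protected status of roles
    if (!$a_keep_protected) {
        $role_clause = $a_rol_id
            ? " AND rol_id = " . $ilDB->quote($a_rol_id, 'integer') . " "
            : "";
        $ilDB->manipulate(
            "DELETE FROM rbac_pa WHERE ref_id = " . $ilDB->quote($a_ref_id, 'integer') . $role_clause
        );
        return true;
    }

    // consider protected status of roles: in any case, get all roles in scope first
    $roles_in_scope = $rbacreview->getParentRoleIds($a_ref_id);

    if (!$a_rol_id) {
        // collect every role in scope that is not protected
        $role_ids = array();
        foreach ($roles_in_scope as $role) {
            if ($role['protected'] == true) {
                continue;
            }
            $role_ids[] = $role['obj_id'];
        }

        // nothing revocable in scope
        if (!$role_ids) {
            return true;
        }

        $ilDB->manipulate(
            'DELETE FROM rbac_pa WHERE ' . $ilDB->in('rol_id', $role_ids, false, 'integer') . ' ' .
            'AND ref_id = ' . $ilDB->quote($a_ref_id, 'integer')
        );
        return true;
    }

    // exclude protected permission settings from revoking. A role that is
    // not in scope has no protected flag and is revoked; isset() avoids the
    // undefined-index notice the original raised in that case.
    if (isset($roles_in_scope[$a_rol_id]['protected'])
        && $roles_in_scope[$a_rol_id]['protected'] == true) {
        return true;
    }

    $ilDB->manipulate(
        "DELETE FROM rbac_pa WHERE ref_id = " . $ilDB->quote($a_ref_id, 'integer') . " " .
        "AND rol_id = " . $ilDB->quote($a_rol_id, 'integer') . " "
    );

    return true;
}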
529 
/**
 * Revokes the object permissions (rbac_pa rows) of one role on every node of
 * the subtree below $a_ref_id.
 *
 * The subtree is selected with a nested query obtained from the tree object
 * and spliced into the DELETE statement.
 *
 * @param int $a_ref_id  root reference id of the subtree
 * @param int $a_role_id role object id
 * @return bool always true
 */
public function revokeSubtreePermissions($a_ref_id,$a_role_id)
{
    global $ilDB;

    $subtree_sql = $GLOBALS['tree']->getSubTreeQuery($a_ref_id, array('child'));

    $ilDB->manipulate(
        'DELETE FROM rbac_pa WHERE ref_id IN ( ' . $subtree_sql . ' ) ' .
        'AND rol_id = ' . $ilDB->quote($a_role_id, 'integer')
    );
    return true;
}
548 
/**
 * Deletes the template permissions (rbac_templates) and folder assignments
 * (rbac_fa) of one role on every node of the subtree below $a_ref_id.
 *
 * The subtree is selected with a nested query obtained from the tree object;
 * rbac_templates is cleaned first, then rbac_fa.
 *
 * @param int $a_ref_id root reference id of the subtree
 * @param int $a_rol_id role object id
 * @return bool always true
 */
public function deleteSubtreeTemplates($a_ref_id,$a_rol_id)
{
    global $ilDB;

    foreach (array('rbac_templates', 'rbac_fa') as $table) {
        $subtree_sql = $GLOBALS['tree']->getSubTreeQuery($a_ref_id, array('child'));
        $ilDB->manipulate(
            'DELETE FROM ' . $table . ' WHERE parent IN ( ' . $subtree_sql . ' ) ' .
            'AND rol_id = ' . $ilDB->quote($a_rol_id, 'integer')
        );
    }

    return true;
}
575 
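/**
 * Revokes the object permissions (rbac_pa rows) of one role on a list of
 * references.
 *
 * The system role (SYSTEM_ROLE_ID) is never touched. A missing or non-array
 * reference list and a missing role id are reported as WARNINGs.
 *
 * @param int[] $a_ref_ids reference ids
 * @param int   $a_rol_id  role object id
 * @return bool always true
 */
public function revokePermissionList($a_ref_ids,$a_rol_id)
{
    global $ilDB;

    if (!isset($a_ref_ids) or !is_array($a_ref_ids)) {
        // Bug fix: the original concatenated var_dump(), which prints the dump
        // straight to the output stream and returns null, so the message lost
        // the list and the dump leaked into the response. print_r(..., true)
        // returns the dump as a string instead.
        $message = get_class($this) . "::revokePermissionList(): Missing parameter or parameter is not an array! reference_list: " . print_r($a_ref_ids, true);
        $this->ilErr->raiseError($message, $this->ilErr->WARNING);
    }

    if (!isset($a_rol_id)) {
        $message = get_class($this) . "::revokePermissionList(): Missing parameter! rol_id: " . $a_rol_id;
        $this->ilErr->raiseError($message, $this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID) {
        return true;
    }

    $ilDB->manipulate(
        "DELETE FROM rbac_pa WHERE " . $ilDB->in('ref_id', $a_ref_ids, false, 'integer') . ' ' .
        "AND rol_id = " . $ilDB->quote($a_rol_id, 'integer')
    );

    return true;
}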
612 
/**
 * Copies a role's permissions to another role: first the template
 * permissions (rbac_templates, optionally including the protected flag),
 * then the object permissions on the parent (rbac_pa), which replace
 * whatever the destination role had there.
 *
 * @param int  $a_source_id          source role object id
 * @param int  $a_source_parent      parent reference id of the source role
 * @param int  $a_dest_parent        parent reference id of the destination role
 * @param int  $a_dest_id            destination role object id
 * @param bool $a_consider_protected copy the protected flag as well
 * @return bool always true
 */
public function copyRolePermissions($a_source_id,$a_source_parent,$a_dest_parent,$a_dest_id,$a_consider_protected = true)
{
    global $rbacreview;

    // 1. template permissions
    $this->copyRoleTemplatePermissions($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected);

    // 2. object permissions on the parent: revoke, then grant the source's set
    $source_ops = $rbacreview->getRoleOperationsOnObject($a_source_id, $a_source_parent);
    $this->revokePermission($a_dest_parent, $a_dest_id);
    $this->grantPermission($a_dest_id, $source_ops, $a_dest_parent);

    return true;
}
636 
/**
 * Copies the template permissions (rbac_templates) of one role to another.
 *
 * The destination's rows for (dest_id, dest_parent) are deleted and replaced
 * by a copy of the source's rows for (source_id, source_parent). When
 * $a_consider_protected is set and the source is protected, the destination
 * is flagged protected as well. The system role (SYSTEM_ROLE_ID) is never
 * written; missing parameters are reported as a WARNING.
 *
 * @param int  $a_source_id          source role object id
 * @param int  $a_source_parent      parent reference id of the source role
 * @param int  $a_dest_parent        parent reference id of the destination role
 * @param int  $a_dest_id            destination role object id
 * @param bool $a_consider_protected copy the protected flag as well
 * @return bool always true
 */
public function copyRoleTemplatePermissions($a_source_id,$a_source_parent,$a_dest_parent,$a_dest_id,$a_consider_protected = true)
{
    global $rbacreview,$ilDB;

    if (!isset($a_source_id) or !isset($a_source_parent) or !isset($a_dest_id) or !isset($a_dest_parent)) {
        $this->ilErr->raiseError(
            __METHOD__ . ": Missing parameter! source_id: " . $a_source_id .
            " source_parent_id: " . $a_source_parent .
            " dest_id : " . $a_dest_id .
            " dest_parent_id: " . $a_dest_parent,
            $this->ilErr->WARNING
        );
    }

    // exclude system role from rbac
    if ($a_dest_id == SYSTEM_ROLE_ID) {
        return true;
    }

    // read the source rows
    $source_rows = $ilDB->query(
        'SELECT * FROM rbac_templates ' .
        'WHERE rol_id = ' . $ilDB->quote($a_source_id, 'integer') . ' ' .
        'AND parent = ' . $ilDB->quote($a_source_parent, 'integer')
    );
    $to_copy = array();
    while ($row = $ilDB->fetchObject($source_rows)) {
        $to_copy[] = array('type' => $row->type, 'ops_id' => $row->ops_id);
    }

    // wipe the destination, then re-create it from the source
    $ilDB->manipulate(
        'DELETE FROM rbac_templates WHERE rol_id = ' . $ilDB->quote($a_dest_id, 'integer') . ' ' .
        'AND parent = ' . $ilDB->quote($a_dest_parent, 'integer')
    );

    foreach ($to_copy as $entry) {
        $ilDB->manipulate(
            'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) ' .
            'VALUES (' .
            $ilDB->quote($a_dest_id, 'integer') . "," .
            $ilDB->quote($entry['type'], 'text') . "," .
            $ilDB->quote($entry['ops_id'], 'integer') . "," .
            $ilDB->quote($a_dest_parent, 'integer') . ")"
        );
    }

    // copy also protection status if applicable
    if ($a_consider_protected == true && $rbacreview->isProtected($a_source_parent, $a_source_id)) {
        $this->setProtected($a_dest_parent, $a_dest_id, 'y');
    }

    return true;
}
/**
 * Sets the template permissions of a destination role to the intersection
 * of two source roles' template permissions.
 *
 * The (type, ops_id) pairs present in both sources are read with a self-join
 * on rbac_templates, the destination's rows for (dest_id, dest_parent) are
 * deleted and the pairs are inserted through a prepared statement. Nothing is
 * changed when the destination is the system role or when source 2 is
 * protected (the latter is logged). Missing parameters are reported as a
 * WARNING.
 *
 * @param int $a_source1_id     first source role object id
 * @param int $a_source1_parent parent reference id of the first source
 * @param int $a_source2_id     second source role object id
 * @param int $a_source2_parent parent reference id of the second source
 * @param int $a_dest_parent    parent reference id of the destination role
 * @param int $a_dest_id        destination role object id
 * @return bool always true
 */
public function copyRolePermissionIntersection($a_source1_id,$a_source1_parent,$a_source2_id,$a_source2_parent,$a_dest_parent,$a_dest_id)
{
    global $rbacreview,$ilDB;

    if (!isset($a_source1_id) || !isset($a_source1_parent)
        || !isset($a_source2_id) || !isset($a_source2_parent)
        || !isset($a_dest_id) || !isset($a_dest_parent)) {
        $this->ilErr->raiseError(
            get_class($this) . "::copyRolePermissionIntersection(): Missing parameter! source1_id: " . $a_source1_id .
            " source1_parent: " . $a_source1_parent .
            " source2_id: " . $a_source2_id .
            " source2_parent: " . $a_source2_parent .
            " dest_id: " . $a_dest_id .
            " dest_parent_id: " . $a_dest_parent,
            $this->ilErr->WARNING
        );
    }

    // exclude system role from rbac
    if ($a_dest_id == SYSTEM_ROLE_ID) {
        return true;
    }

    if ($rbacreview->isProtected($a_source2_parent, $a_source2_id)) {
        $GLOBALS['ilLog']->write(__METHOD__ . ': Role is protected');
        return true;
    }

    // (type, ops_id) pairs held by both sources
    $intersection_sql = sprintf(
        "SELECT s1.type, s1.ops_id FROM rbac_templates s1, rbac_templates s2 " .
        "WHERE s1.rol_id = %s AND s1.parent = %s AND s2.rol_id = %s AND s2.parent = %s " .
        "AND s1.type = s2.type AND s1.ops_id = s2.ops_id",
        $ilDB->quote($a_source1_id, 'integer'),
        $ilDB->quote($a_source1_parent, 'integer'),
        $ilDB->quote($a_source2_id, 'integer'),
        $ilDB->quote($a_source2_parent, 'integer')
    );
    $res = $ilDB->query($intersection_sql);
    $pairs = array();
    while ($row = $res->fetchRow(DB_FETCHMODE_OBJECT)) {
        $pairs[] = array('type' => $row->type, 'ops_id' => $row->ops_id);
    }

    // wipe the destination's template rows
    $ilDB->manipulate(
        'DELETE FROM rbac_templates WHERE rol_id = ' . $ilDB->quote($a_dest_id, 'integer') . ' ' .
        'AND parent = ' . $ilDB->quote($a_dest_parent, 'integer')
    );

    // insert the intersection through a prepared statement
    $insert = $ilDB->prepareManip(
        'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) VALUES (?,?,?,?)',
        array('integer', 'text', 'integer', 'integer')
    );
    foreach ($pairs as $pair) {
        $ilDB->execute($insert, array($a_dest_id, $pair['type'], $pair['ops_id'], $a_dest_parent));
    }
    return true;
}
786 
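/**
 * Sets the template permissions of a destination role to the union of two
 * source roles' template permissions.
 *
 * The destination's template rows for (dest_id, dest_parent) are deleted via
 * deleteRolePermission(); then every (type, ops_id) of source 1 is inserted,
 * followed by those of source 2 that source 1 does not hold for that type
 * (#15469). Both operation sets are written to $ilLog.
 *
 * @param int $a_source1_id     first source role object id
 * @param int $a_source1_parent parent reference id of the first source
 * @param int $a_source2_id     second source role object id
 * @param int $a_source2_parent parent reference id of the second source
 * @param int $a_dest_id        destination role object id
 * @param int $a_dest_parent    parent reference id of the destination role
 * @return bool always true
 */
public function copyRolePermissionUnion(
    $a_source1_id,
    $a_source1_parent,
    $a_source2_id,
    $a_source2_parent,
    $a_dest_id,
    $a_dest_parent)
{
    global $ilDB, $rbacreview;

    $s1_ops = $rbacreview->getAllOperationsOfRole($a_source1_id, $a_source1_parent);
    // consistent method-name casing (the original wrote getAlloperationsOfRole;
    // PHP resolves method names case-insensitively, so behaviour is unchanged)
    $s2_ops = $rbacreview->getAllOperationsOfRole($a_source2_id, $a_source2_parent);

    $this->deleteRolePermission($a_dest_id, $a_dest_parent);

    $GLOBALS['ilLog']->write(__METHOD__ . ': ' . print_r($s1_ops, TRUE));
    $GLOBALS['ilLog']->write(__METHOD__ . ': ' . print_r($s2_ops, TRUE));

    // build the union in insertion order: all of source 1, then the
    // operations of source 2 that source 1 does not hold for that type (#15469)
    $union = array();
    foreach ($s1_ops as $type => $ops) {
        foreach ($ops as $op) {
            $union[] = array($type, $op);
        }
    }
    foreach ($s2_ops as $type => $ops) {
        foreach ($ops as $op) {
            if (!isset($s1_ops[$type]) or !in_array($op, $s1_ops[$type])) {
                $union[] = array($type, $op);
            }
        }
    }

    // one INSERT per (type, ops_id); the duplicated insert blocks of the
    // original are folded into this single loop
    foreach ($union as $pair) {
        list($type, $op) = $pair;
        $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) ' .
            'VALUES( ' .
            $ilDB->quote($a_dest_id, 'integer') . ', ' .
            $ilDB->quote($type, 'text') . ', ' .
            $ilDB->quote($op, 'integer') . ', ' .
            $ilDB->quote($a_dest_parent, 'integer') . ' ' .
            ')';
        $ilDB->manipulate($query);
    }

    return true;
}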
855 
/**
 * Removes from a destination role every template permission that a source
 * role also holds (per type).
 *
 * For each (type, ops_id) of the source that is present in the destination's
 * operations, the matching rbac_templates row of (dest_id, dest_parent) is
 * deleted.
 *
 * @param int $a_source_id     source role object id
 * @param int $a_source_parent parent reference id of the source role
 * @param int $a_dest_id       destination role object id
 * @param int $a_dest_parent   parent reference id of the destination role
 * @return bool always true
 */
public function copyRolePermissionSubtract($a_source_id, $a_source_parent, $a_dest_id, $a_dest_parent)
{
    global $rbacreview, $ilDB;

    $source_ops = $rbacreview->getAllOperationsOfRole($a_source_id, $a_source_parent);
    $dest_ops = $rbacreview->getAllOperationsOfRole($a_dest_id, $a_dest_parent);

    foreach ($source_ops as $type => $ops) {
        foreach ($ops as $op) {
            if (!isset($dest_ops[$type]) or !in_array($op, $dest_ops[$type])) {
                continue;
            }
            $ilDB->manipulate(sprintf(
                'DELETE FROM rbac_templates WHERE rol_id = %s AND type = %s AND ops_id = %s AND parent = %s',
                $ilDB->quote($a_dest_id, 'integer'),
                $ilDB->quote($type, 'text'),
                $ilDB->quote($op, 'integer'),
                $ilDB->quote($a_dest_parent, 'integer')
            ));
        }
    }
    return true;
}
887 
888 
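/**
 * Deletes the template permissions (rbac_templates rows) of a role under one
 * parent, optionally restricted to a single object type.
 *
 * The system role (SYSTEM_ROLE_ID) is never touched. Missing parameters are
 * reported as a WARNING.
 *
 * @param int          $a_rol_id role object id
 * @param int          $a_ref_id parent reference id (rbac_templates.parent)
 * @param string|false $a_type   object type to restrict to, false for all types
 * @return bool always true
 */
public function deleteRolePermission($a_rol_id,$a_ref_id,$a_type = false)
{
    global $ilDB;

    if (!isset($a_rol_id) or !isset($a_ref_id)) {
        $message = get_class($this) . "::deleteRolePermission(): Missing parameter! role_id: " . $a_rol_id . " ref_id: " . $a_ref_id;
        $this->ilErr->raiseError($message, $this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID) {
        return true;
    }

    // Bug fix: the clause was undefined when no type was given (PHP notice);
    // an empty clause means "all types".
    $type_clause = '';
    if ($a_type !== false) {
        $type_clause = " AND type=" . $ilDB->quote($a_type, 'text') . " ";
    }

    $ilDB->manipulate(
        'DELETE FROM rbac_templates ' .
        'WHERE rol_id = ' . $ilDB->quote($a_rol_id, 'integer') . ' ' .
        'AND parent = ' . $ilDB->quote($a_ref_id, 'integer') . ' ' .
        $type_clause
    );

    return true;
}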
929 
/**
 * Inserts template permissions (rbac_templates rows) for one role, object
 * type and parent: one row per operation id, through a prepared statement.
 *
 * Existing rows are not removed first. The system role (SYSTEM_ROLE_ID) is
 * never written. Missing parameters, a non-string or empty $a_type and a
 * non-array or empty $a_ops are reported as WARNINGs.
 *
 * @param int    $a_rol_id role object id
 * @param string $a_type   object type the operations apply to
 * @param int[]  $a_ops    operation ids
 * @param int    $a_ref_id parent reference id (rbac_templates.parent)
 * @return bool always true
 */
public function setRolePermission($a_rol_id,$a_type,$a_ops,$a_ref_id)
{
    global $ilDB;

    if (!isset($a_rol_id) or !isset($a_type) or !isset($a_ops) or !isset($a_ref_id)) {
        $this->ilErr->raiseError(
            get_class($this) . "::setRolePermission(): Missing parameter!" .
            " role_id: " . $a_rol_id .
            " type: " . $a_type .
            " operations: " . $a_ops .
            " ref_id: " . $a_ref_id,
            $this->ilErr->WARNING
        );
    }

    if (!is_string($a_type) or empty($a_type)) {
        $this->ilErr->raiseError(
            get_class($this) . "::setRolePermission(): a_type is no string or empty!",
            $this->ilErr->WARNING
        );
    }

    if (!is_array($a_ops) or empty($a_ops)) {
        $this->ilErr->raiseError(
            get_class($this) . "::setRolePermission(): a_ops is no array or empty!",
            $this->ilErr->WARNING
        );
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID) {
        return true;
    }

    $insert = $ilDB->prepareManip(
        'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) VALUES (?,?,?,?)',
        array('integer', 'text', 'integer', 'integer')
    );
    foreach ($a_ops as $ops_id) {
        $ilDB->execute($insert, array($a_rol_id, $a_type, $ops_id, $a_ref_id));
    }

    return true;
}
987 
/**
 * Assigns a role to a role folder by inserting an rbac_fa row.
 *
 * Any $a_assign value other than "y" is stored as "n"; the protected column is
 * always written as 'n'. The system role (SYSTEM_ROLE_ID) is never written.
 * Missing parameters are reported as a WARNING; every call is logged at
 * debug level on the 'ac' logger.
 *
 * @param int    $a_rol_id role object id
 * @param int    $a_parent parent reference id (rbac_fa.parent)
 * @param string $a_assign "y" for a local (assignable) role, anything else → "n"
 * @return bool always true
 */
public function assignRoleToFolder($a_rol_id,$a_parent,$a_assign = "y")
{
    global $ilDB,$rbacreview;

    if (!isset($a_rol_id) or !isset($a_parent)) {
        $this->ilErr->raiseError(
            get_class($this) . "::assignRoleToFolder(): Missing Parameter!" .
            " role_id: " . $a_rol_id .
            " parent_id: " . $a_parent .
            " assign: " . $a_assign,
            $this->ilErr->WARNING
        );
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID) {
        return true;
    }

    // if a wrong value is passed, always set assign to "n"
    if ($a_assign != "y") {
        $a_assign = "n";
    }

    ilLoggerFactory::getLogger('ac')->debug('Assign role to folder: ' . $a_rol_id . ' ' . $a_parent);

    $values = array(
        $ilDB->quote($a_rol_id, 'integer'),
        $ilDB->quote($a_parent, 'integer'),
        $ilDB->quote($a_assign, 'text'),
        $ilDB->quote('n', 'text'),
    );
    $ilDB->manipulate(
        'INSERT INTO rbac_fa (rol_id, parent, assign, protected) VALUES (' . implode(',', $values) . ')'
    );

    return true;
}
1038 
/**
 * Assigns an operation to an object type by inserting an rbac_ta row.
 *
 * Missing parameters are reported as a WARNING.
 *
 * @param int $a_type_id object type id (rbac_ta.typ_id)
 * @param int $a_ops_id  operation id (rbac_ta.ops_id)
 * @return bool always true
 */
public function assignOperationToObject($a_type_id,$a_ops_id)
{
    global $ilDB;

    if (!isset($a_type_id) or !isset($a_ops_id)) {
        $this->ilErr->raiseError(
            get_class($this) . "::assignOperationToObject(): Missing parameter!" .
            "type_id: " . $a_type_id .
            "ops_id: " . $a_ops_id,
            $this->ilErr->WARNING
        );
    }

    $ilDB->manipulate(sprintf(
        'INSERT INTO rbac_ta (typ_id, ops_id) VALUES(%s,%s)',
        $ilDB->quote($a_type_id, 'integer'),
        $ilDB->quote($a_ops_id, 'integer')
    ));
    return true;
}
1064 
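/**
 * Deassigns an operation from an object type by deleting the rbac_ta row.
 *
 * Missing parameters are reported as a WARNING.
 *
 * @param int $a_type_id object type id (rbac_ta.typ_id)
 * @param int $a_ops_id  operation id (rbac_ta.ops_id)
 * @return bool always true
 */
public function deassignOperationFromObject($a_type_id,$a_ops_id)
{
    global $ilDB;

    if (!isset($a_type_id) or !isset($a_ops_id)) {
        // Bug fix: the message named a method that does not exist
        // (deassignPermissionFromObject); it now reports this method.
        $message = get_class($this) . "::deassignOperationFromObject(): Missing parameter!" .
            "type_id: " . $a_type_id .
            "ops_id: " . $a_ops_id;
        $this->ilErr->raiseError($message, $this->ilErr->WARNING);
    }

    $ilDB->manipulate(
        "DELETE FROM rbac_ta " .
        "WHERE typ_id = " . $ilDB->quote($a_type_id, 'integer') . " " .
        "AND ops_id = " . $ilDB->quote($a_ops_id, 'integer')
    );

    return true;
}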
1092 
/**
 * Sets the protected flag of a role in every rbac_fa row of that role.
 *
 * $a_ref_id is accepted but not used: the flag is applied to all rows of the
 * role, regardless of any broken inheritance.
 *
 * @param int    $a_ref_id  reference id (unused)
 * @param int    $a_role_id role object id
 * @param string $a_value   value written to rbac_fa.protected (quoted as text)
 * @return bool always true
 */
public function setProtected($a_ref_id,$a_role_id,$a_value)
{
    global $ilDB;

    $ilDB->manipulate(sprintf(
        'UPDATE rbac_fa SET protected = %s WHERE rol_id = %s',
        $ilDB->quote($a_value, 'text'),
        $ilDB->quote($a_role_id, 'integer')
    ));
    return true;
}
1113 
/**
 * Copies the local roles of one role folder to another.
 *
 * Roles whose title starts with 'il_' (auto-generated roles) are skipped.
 * For each remaining role a new ilObjRole with the same title, description
 * and import id is created, assigned to the target folder with assign "y",
 * and the source role's permissions are copied to it (protected flag
 * included). Progress is written to $ilLog.
 *
 * @param int $a_source_id source reference id
 * @param int $a_target_id target reference id
 * @return bool|null true when the source has no copyable role, otherwise no value
 */
public function copyLocalRoles($a_source_id,$a_target_id)
{
    global $rbacreview,$ilLog,$ilObjDataCache;

    // skip the auto-generated 'il_*' roles
    $copyable = array();
    foreach ($rbacreview->getRolesOfRoleFolder($a_source_id, false) as $role_id) {
        $title = $ilObjDataCache->lookupTitle($role_id);
        if (strpos($title, 'il_') === 0) {
            continue;
        }
        $copyable[] = $role_id;
    }
    if (!count($copyable)) {
        return true;
    }

    include_once ("./Services/AccessControl/classes/class.ilObjRole.php");
    foreach ($copyable as $role_id) {
        $source = new ilObjRole($role_id);
        $source->read();
        $ilLog->write(__METHOD__ . ': Start copying of role ' . $source->getTitle());

        $copy = new ilObjRole();
        $copy->setTitle($source->getTitle());
        $copy->setDescription($source->getDescription());
        $copy->setImportId($source->getImportId());
        $copy->create();

        $this->assignRoleToFolder($copy->getId(), $a_target_id, "y");
        $this->copyRolePermissions($role_id, $a_source_id, $a_target_id, $copy->getId(), true);
        $ilLog->write(__METHOD__ . ': Added new local role, id ' . $copy->getId());
    }
}
1162 
/**
 * Initialises the permissions of a role on an object that entered its scope.
 *
 * For a protected role the object permissions are granted directly from the
 * role's template under $a_role_parent. Otherwise, when a template id is
 * given, the role's template is intersected with the given template (the
 * rendered listing omits the call itself, see the note below), the role is
 * assigned to $a_ref_id with assign = 'n', and the operations of the
 * resulting template under $a_ref_id are granted on the object. Without a
 * template id nothing is done.
 *
 * @param int $a_ref_id          reference id of the object
 * @param int $a_role_id         role object id
 * @param int $a_role_parent     parent (rbac_fa.parent) of the role's template
 * @param int $a_template_id     template role id, empty to skip
 * @param int $a_template_parent parent of the template role
 * @return void
 */
public function initIntersectionPermissions($a_ref_id, $a_role_id, $a_role_parent, $a_template_id, $a_template_parent)
{
    global $rbacreview;

    if($rbacreview->isProtected($a_role_parent, $a_role_id))
    {
        // Assign object permissions from the protected role's own template
        $new_ops = $rbacreview->getOperationsOfRole(
            $a_role_id,
            ilObject::_lookupType($a_ref_id, true),
            $a_role_parent
        );

        // set new permissions for object
        $this->grantPermission(
            $a_role_id,
            (array) $new_ops,
            $a_ref_id
        );
        return;
    }
    if(!$a_template_id)
    {
        return;
    }
    // create template permission intersection
    // NOTE(review): the rendered listing omits the line opening this call
    // (presumably $this->copyRolePermissionIntersection(, whose parameter
    // order matches the argument list below); confirm against the source file.
        $a_template_id,
        $a_template_parent,
        $a_role_id,
        $a_role_parent,
        $a_ref_id,
        $a_role_id
    );

    // assign role to folder
    $this->assignRoleToFolder(
        $a_role_id,
        $a_ref_id,
        'n'
    );

    // Assign object permissions from the template just created under $a_ref_id
    $new_ops = $rbacreview->getOperationsOfRole(
        $a_role_id,
        ilObject::_lookupType($a_ref_id, true),
        $a_ref_id
    );

    // set new permissions for object
    $this->grantPermission(
        $a_role_id,
        (array) $new_ops,
        $a_ref_id
    );

    return;
}
1231 
/**
 * Re-applies the didactic template actions of a moved object.
 *
 * Every action of the object's template is applied to $a_ref_id, except
 * ilDidacticTemplateLocalRoleAction instances, which are skipped (presumably
 * because local roles are handled by adjustMovedObjectPermissions()).
 * Nothing happens when the object has no template id. $a_old_parent is
 * currently unused.
 *
 * @param int $a_ref_id     reference id of the moved object
 * @param int $a_old_parent reference id of the previous parent (unused)
 * @return void
 */
protected function applyMovedObjectDidacticTemplates($a_ref_id, $a_old_parent)
{
    include_once './Services/DidacticTemplate/classes/class.ilDidacticTemplateObjSettings.php';
    // NOTE(review): the rendered listing omits the line that assigns $tpl_id
    // here (presumably an ilDidacticTemplateObjSettings lookup by ref_id);
    // confirm against the source file.
    if(!$tpl_id) {
        return;
    }
    include_once './Services/DidacticTemplate/classes/class.ilDidacticTemplateActionFactory.php';
    foreach(ilDidacticTemplateActionFactory::getActionsByTemplateId($tpl_id) as $action) {
        if($action instanceof ilDidacticTemplateLocalRoleAction) {
            continue;
        }
        $action->setRefId($a_ref_id);
        $action->apply();
    }
    return;
}
1256 
1257 
/**
 * Adjusts the role permissions of an object and its whole subtree after it
 * has been moved from $a_old_parent to its current parent in $tree.
 *
 * The roles in scope of the old and the new parent are compared: roles only
 * in the new scope are added, roles only in the old scope are deleted, and
 * roles present in both but inherited from a different parent are deleted
 * and re-added ("stopped inheritance"). For every subtree node the local
 * role and object permissions are revoked for the deleted roles and granted
 * for the added roles; group and course nodes take their permissions from a
 * status template via initIntersectionPermissions(), every other type from
 * $rbacreview->getOperationsOfRole(). When ilRbacLog is active, the
 * rbac_fa/rbac_pa state of each node is gathered before and after and the
 * difference is computed. Finally the didactic templates of the moved object
 * are re-applied.
 *
 * @param int $a_ref_id     reference id of the moved object
 * @param int $a_old_parent reference id of the previous parent
 * @return bool|null true when nothing had to be changed, otherwise no value
 */
public function adjustMovedObjectPermissions($a_ref_id,$a_old_parent)
{
    global $rbacreview,$tree,$ilLog;

    $new_parent = $tree->getParentId($a_ref_id);
    $old_context_roles = $rbacreview->getParentRoleIds($a_old_parent,false);
    $new_context_roles = $rbacreview->getParentRoleIds($new_parent,false);

    // both scopes are keyed by role id; diff them
    $for_addition = $for_deletion = array();
    foreach($new_context_roles as $new_role_id => $new_role)
    {
        if(!isset($old_context_roles[$new_role_id]))
        {
            $for_addition[$new_role_id] = $new_role;
        }
        elseif($new_role['parent'] != $old_context_roles[$new_role_id]['parent'])
        {
            // handle stopped inheritance: same role, different origin
            $for_deletion[$new_role_id] = $new_role;
            $for_addition[$new_role_id] = $new_role;
        }
    }
    foreach($old_context_roles as $old_role_id => $old_role)
    {
        if(!isset($new_context_roles[$old_role_id]))
        {
            $for_deletion[$old_role_id] = $old_role;
        }
    }

    if(!count($for_deletion) and !count($for_addition))
    {
        $this->applyMovedObjectDidacticTemplates($a_ref_id, $a_old_parent);
        return true;
    }

    include_once "Services/AccessControl/classes/class.ilRbacLog.php";
    $rbac_log_active = ilRbacLog::isActive();
    if($rbac_log_active)
    {
        $role_ids = array_unique(array_merge(array_keys($for_deletion), array_keys($for_addition)));
    }

    foreach($nodes = $tree->getSubTree($tree->getNodeData($a_ref_id),true) as $node_data)
    {
        $node_id = $node_data['child'];

        if($rbac_log_active)
        {
            $log_old = ilRbacLog::gatherFaPa($node_id, $role_ids);
        }

        // If $node_data['type'] is not set, this means there is a tree entry without
        // object_reference and/or object_data entry
        // Continue in this case
        if(!$node_data['type'])
        {
            $ilLog->write(__METHOD__.': No type give. Choosing next tree entry.');
            continue;
        }

        if(!$node_id)
        {
            $ilLog->write(__METHOD__.': Missing subtree node_id');
            continue;
        }

        foreach($for_deletion as $role_id => $role_data)
        {
            $this->deleteLocalRole($role_id,$node_id);
            // third argument false: revoke regardless of the protected flag
            $this->revokePermission($node_id,$role_id,false);
//var_dump("<pre>",'REVOKE',$role_id,$node_id,$rolf_id,"</pre>");
        }
        foreach($for_addition as $role_id => $role_data)
        {
            switch($node_data['type'])
            {
                case 'grp':
                    include_once './Modules/Group/classes/class.ilObjGroup.php';
                    $tpl_id = ilObjGroup::lookupGroupStatusTemplateId($node_data['obj_id']);
                    // NOTE(review): the rendered listing omits the line opening
                    // this call (presumably $this->initIntersectionPermissions(,
                    // matching the argument list); confirm against the source file.
                        $node_data['child'],
                        $role_id,
                        $role_data['parent'],
                        $tpl_id,
                        ROLE_FOLDER_ID
                    );
                    break;

                case 'crs':
                    include_once './Modules/Course/classes/class.ilObjCourse.php';
                    // NOTE(review): the rendered listing omits two lines here
                    // (presumably the course template id lookup into $tpl_id and
                    // the opening of the same call as in the 'grp' case);
                    // confirm against the source file.
                        $node_data['child'],
                        $role_id,
                        $role_data['parent'],
                        $tpl_id,
                        ROLE_FOLDER_ID
                    );
                    break;


                default:
                    // plain objects: grant the role's template operations for this type
                    $this->grantPermission(
                        $role_id,
                        $ops = $rbacreview->getOperationsOfRole($role_id,$node_data['type'],$role_data['parent']),
                        $node_id);
                    break;


            }


//var_dump("<pre>",'GRANT',$role_id,$ops,$role_id,$node_data['type'],$role_data['parent'],"</pre>");
        }

        if($rbac_log_active)
        {
            $log_new = ilRbacLog::gatherFaPa($node_id, $role_ids);
            $log = ilRbacLog::diffFaPa($log_old, $log_new);
            // NOTE(review): the rendered listing omits the line that consumes
            // $log here (presumably an ilRbacLog write); confirm against the source file.
        }
    }

    $this->applyMovedObjectDidacticTemplates($a_ref_id,$a_old_parent);

}
1396 
1397 
/**
 * Copies all permissions from source to target for all roles.
 *
 * Currently a stub: it reads the parent roles of $a_source_ref_id and
 * writes them to $ilLog; $target_ref_id and $a_subtree_id are not used yet.
 *
 * @param int $a_source_ref_id source reference id
 * @param int $target_ref_id   target reference id (unused)
 * @param int $a_subtree_id    subtree id (unused)
 * @return void
 */
public function copyEffectiveRolePermissions($a_source_ref_id, $target_ref_id, $a_subtree_id)
{
    global $rbacreview;

    $roles_in_scope = $rbacreview->getParentRoleIds($a_source_ref_id, FALSE);
    $GLOBALS['ilLog']->write(__METHOD__ . ': ' . print_r($roles_in_scope, TRUE));
}
1414 
1415 
1416 
1417 
1418 } // END class.ilRbacAdmin
1419 ?>