1<?php
2/* Copyright (c) 1998-2010 ILIAS open source, Extended GPL, see docs/LICENSE */
3
4
19{
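/**
 * Constructor.
 *
 * Resolves the database handle and the error handler from the globals
 * ($ilDB or $ilias->db, $ilErr) and stores them on the instance so the
 * other methods can call $this->ilErr->raiseError().
 *
 * Fix: the original only stored $this->ilErr when a global $ilErr already
 * existed. In the branch that creates a fresh ilErrorHandling it assigned
 * the global but never $this->ilErr, so every later
 * $this->ilErr->raiseError() in this class would have been a call on null.
 * Both branches now populate $this->ilErr (and the global is still set).
 */
public function __construct()
{
    global $ilDB, $ilErr, $ilias;

    // Database handle: prefer the global, fall back to the ilias object's db.
    if (isset($ilDB)) {
        $this->ilDB =& $ilDB;
    } else {
        $this->ilDB =& $ilias->db;
    }

    // Error handler: create one (and register its callback) if none exists yet.
    // $ilErr is imported by reference, so this also initialises the global.
    if (!isset($ilErr)) {
        $ilErr = new ilErrorHandling();
        $ilErr->setErrorHandling(PEAR_ERROR_CALLBACK, array($ilErr, 'errorHandler'));
    }
    $this->ilErr =& $ilErr;
}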
41
/**
 * Set the "blocked" flag of one role at one node (rbac_fa.blocked).
 *
 * @param int $a_role_id        role object id
 * @param int $a_ref_id         reference id of the node (rbac_fa.parent)
 * @param int $a_blocked_status new value of the blocked column (quoted as integer)
 *
 * Note: a stack trace is written to the 'crs' logger on every call. It reads
 * like a debugging aid for the course module; it is kept here unchanged.
 */
public function setBlockedStatus($a_role_id, $a_ref_id, $a_blocked_status)
{
    global $ilDB;

    ilLoggerFactory::getLogger('crs')->logStack();

    $sql = 'UPDATE rbac_fa set blocked = ' . $ilDB->quote($a_blocked_status, 'integer')
        . ' WHERE rol_id = ' . $ilDB->quote($a_role_id, 'integer')
        . ' AND parent = ' . $ilDB->quote($a_ref_id, 'integer');
    $ilDB->manipulate($sql);
}
58
/**
 * Remove every role assignment of one user (all rbac_ua rows with this usr_id).
 *
 * Only the assignment table is touched: no cache entries, desktop items or
 * LDAP mappings are updated here (compare deassignUser()).
 *
 * @param int $a_usr_id user id
 * @return bool always true
 *
 * A WARNING is raised through the error handler when no usr_id is given.
 */
public function removeUser($a_usr_id)
{
    global $ilDB;

    if (!isset($a_usr_id)) {
        $this->ilErr->raiseError(
            get_class($this) . "::removeUser(): No usr_id given!",
            $this->ilErr->WARNING
        );
    }

    $ilDB->manipulate(
        "DELETE FROM rbac_ua WHERE usr_id = " . $ilDB->quote($a_usr_id, 'integer')
    );

    return true;
}
81
/**
 * Delete a role from RBAC: drops its LDAP role/group mapping, all user
 * assignments (rbac_ua), all permission assignments (rbac_pa) and, through
 * deleteLocalRole(), its rbac_templates / rbac_fa rows. The object_data
 * entry of the role is not touched here.
 *
 * @param int $a_rol_id role object id
 * @param int $a_ref_id ref_id of the role folder (only used in the error message)
 * @return bool always true
 *
 * A WARNING is raised when a parameter is missing; the system role is never
 * deletable and raises a MESSAGE error instead. Assigned users are NOT
 * checked here (see the TODO below).
 */
public function deleteRole($a_rol_id,$a_ref_id)
{
    global $lng,$ilDB;

    if (!isset($a_rol_id) or !isset($a_ref_id))
    {
        $message = get_class($this)."::deleteRole(): Missing parameter! role_id: ".$a_rol_id." ref_id of role folder: ".$a_ref_id;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID)
    {
        $this->ilErr->raiseError($lng->txt("msg_sysrole_not_deletable"),$this->ilErr->MESSAGE);
    }

    include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
    // NOTE(review): this listing shows no assignment of $mapping before the call
    // below; presumably "$mapping = ilLDAPRoleGroupMapping::_getInstance();" was
    // dropped by the rendering — confirm against the source file.
    $mapping->deleteRole($a_rol_id);


    // TODO: check assigned users before deletion
    // This is done in ilObjRole. Should be better moved to this place?

    // delete user assignments
    $query = "DELETE FROM rbac_ua ".
    "WHERE rol_id = ".$ilDB->quote($a_rol_id,'integer');
    $res = $ilDB->manipulate($query);

    // delete permission assignments
    $query = "DELETE FROM rbac_pa ".
    "WHERE rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
    $res = $ilDB->manipulate($query);

    // delete rbac_templates and rbac_fa (at every node, since no ref_id is passed)
    $this->deleteLocalRole($a_rol_id);

    return true;
}
128
/**
 * Delete a role template: removes all rbac_templates and rbac_fa rows whose
 * rol_id is the template's object id.
 *
 * @param int $a_obj_id object id of the role template
 * @return bool always true
 *
 * A WARNING is raised when no obj_id is given.
 */
public function deleteTemplate($a_obj_id)
{
    global $ilDB;

    if (!isset($a_obj_id)) {
        $this->ilErr->raiseError(
            get_class($this) . "::deleteTemplate(): No obj_id given!",
            $this->ilErr->WARNING
        );
    }

    $rol_id = $ilDB->quote($a_obj_id, 'integer');
    foreach (array('rbac_templates', 'rbac_fa') as $table) {
        $ilDB->manipulate('DELETE FROM ' . $table . ' WHERE rol_id = ' . $rol_id);
    }

    return true;
}
155
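/**
 * Delete the rbac_fa and rbac_templates rows of a role.
 *
 * @param int $a_rol_id role object id
 * @param int $a_ref_id node (rbac_fa.parent / rbac_templates.parent) to
 *                      restrict the deletion to; 0 (default) removes the
 *                      role's rows at every node
 * @return bool always true
 *
 * A WARNING is raised when no role id is given. The system role is not
 * managed through these tables and is skipped.
 *
 * Fix: $clause was only assigned when a ref_id was given, so the
 * $a_ref_id == 0 path concatenated an undefined variable into both
 * queries. It is now initialised to '' first.
 */
public function deleteLocalRole($a_rol_id, $a_ref_id = 0)
{
    global $ilDB;

    if (!isset($a_rol_id)) {
        $this->ilErr->raiseError(
            get_class($this) . "::deleteLocalRole(): Missing parameter! role_id: '" . $a_rol_id . "'",
            $this->ilErr->WARNING
        );
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID) {
        return true;
    }

    // Optional node restriction; empty string means "all nodes".
    $clause = '';
    if ($a_ref_id != 0) {
        $clause = 'AND parent = ' . $ilDB->quote($a_ref_id, 'integer') . ' ';
    }

    $ilDB->manipulate(
        'DELETE FROM rbac_fa WHERE rol_id = ' . $ilDB->quote($a_rol_id, 'integer') . ' ' . $clause
    );
    $ilDB->manipulate(
        'DELETE FROM rbac_templates WHERE rol_id = ' . $ilDB->quote($a_rol_id, 'integer') . ' ' . $clause
    );

    return true;
}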
195
/**
 * Assign a user to a role only while the total number of assignments across
 * $a_limited_roles is below $a_limit (e.g. a member limit).
 *
 * The COUNT and the INSERT run under a WRITE lock on rbac_ua so that two
 * concurrent calls cannot both pass the limit check (check-then-insert race).
 *
 * @param int   $a_role_id       role to assign
 * @param int   $a_usr_id        user to assign
 * @param int   $a_limit         maximum number of rows allowed in rbac_ua for $a_limited_roles
 * @param int[] $a_limited_roles roles whose assignments are counted against the limit
 * @return bool FALSE when the limit is already reached (nothing written), TRUE otherwise
 *
 * NOTE(review): unlike assignUser() there is no isAssigned() check before the
 * INSERT, so calling this twice for the same user/role writes a second row
 * (or fails on the table's key, if there is one). There is also no try/finally:
 * if query() or manipulate() throws, unlockTables() is never reached.
 * What $ilDB->in() produces for an empty $a_limited_roles is not visible here.
 */
public function assignUserLimited($a_role_id, $a_usr_id, $a_limit, $a_limited_roles = array())
{
    global $ilDB;

    $GLOBALS['ilDB']->lockTables(
    array(
    0 => array('name' => 'rbac_ua', 'type' => ilDB::LOCK_WRITE)
    )
    );

    // count current assignments of the limited roles (under the lock)
    $limit_query = 'SELECT COUNT(*) num FROM rbac_ua '.
    'WHERE '.$GLOBALS['ilDB']->in('rol_id',(array) $a_limited_roles,FALSE,'integer');
    $res = $GLOBALS['ilDB']->query($limit_query);
    $row = $res->fetchRow(DB_FETCHMODE_OBJECT);
    if($row->num >= $a_limit)
    {
        $GLOBALS['ilDB']->unlockTables();
        return FALSE;
    }

    $query = "INSERT INTO rbac_ua (usr_id, rol_id) ".
    "VALUES (".
    $ilDB->quote($a_usr_id,'integer').",".$ilDB->quote($a_role_id,'integer').
    ")";
    $res = $ilDB->manipulate($query);

    $GLOBALS['ilDB']->unlockTables();
    $GLOBALS['rbacreview']->setAssignedCacheEntry($a_role_id,$a_usr_id,TRUE);

    $this->addDesktopItem($a_role_id,$a_usr_id);

    include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
    // NOTE(review): this listing shows no assignment of $mapping before the call
    // below; presumably "$mapping = ilLDAPRoleGroupMapping::_getInstance();" was
    // dropped by the rendering — confirm against the source file.
    $mapping->assign($a_role_id,$a_usr_id);
    return TRUE;
}
238
/**
 * Put every desktop item configured for a role onto a user's personal desktop.
 *
 * Reads the role's items through ilRoleDesktopItem and adds each one with
 * ilObjUser::_addDesktopItem(). Called right after a user was assigned to a role.
 *
 * @param int $a_rol_id role object id
 * @param int $a_usr_id user id
 */
protected function addDesktopItem($a_rol_id, $a_usr_id)
{
    include_once 'Services/AccessControl/classes/class.ilRoleDesktopItem.php';
    include_once './Services/User/classes/class.ilObjUser.php';

    $role_items = new ilRoleDesktopItem($a_rol_id);
    foreach ($role_items->getAll() as $item) {
        ilObjUser::_addDesktopItem($a_usr_id, $item['item_id'], $item['item_type']);
    }
}
254
255
/**
 * Assign a user to a role.
 *
 * If the user is not yet assigned (rbacreview::isAssigned), a rbac_ua row is
 * inserted, the role's desktop items are added to the user, the assignment
 * cache is updated and a 'Services/AccessControl' / 'assignUser' event is
 * raised. The LDAP role/group mapping is notified in every case.
 *
 * @param int $a_rol_id role object id
 * @param int $a_usr_id user id
 * @return bool always TRUE
 *
 * NOTE(review): the missing-parameter check only builds a message — the
 * raiseError() call is commented out — so a null role or user id is not
 * rejected and the INSERT is still attempted with whatever quote() produces
 * for it. Callers must validate both ids before calling.
 */
public function assignUser($a_rol_id,$a_usr_id)
{
    global $ilDB,$rbacreview;

    if (!isset($a_rol_id) or !isset($a_usr_id))
    {
        $message = get_class($this)."::assignUser(): Missing parameter! role_id: ".$a_rol_id." usr_id: ".$a_usr_id;
        #$this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    // check if already assigned user id and role_id
    $alreadyAssigned = $rbacreview->isAssigned($a_usr_id,$a_rol_id);

    // enhanced: only if we haven't had this role for this user
    if (!$alreadyAssigned)
    {
        $query = "INSERT INTO rbac_ua (usr_id, rol_id) ".
        "VALUES (".$ilDB->quote($a_usr_id,'integer').",".$ilDB->quote($a_rol_id,'integer').")";
        $res = $ilDB->manipulate($query);

        $this->addDesktopItem($a_rol_id, $a_usr_id);

        $rbacreview->setAssignedCacheEntry($a_rol_id,$a_usr_id,true);
    }

    include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
    // NOTE(review): this listing shows no assignment of $mapping before the call
    // below; presumably "$mapping = ilLDAPRoleGroupMapping::_getInstance();" was
    // dropped by the rendering — confirm against the source file.
    $mapping->assign($a_rol_id,$a_usr_id);


    $ref_id = $GLOBALS['rbacreview']->getObjectReferenceOfRole($a_rol_id);
    // NOTE(review): $obj_id is used below but not assigned in this listing;
    // presumably "$obj_id = ilObject::_lookupObjId($ref_id);" was dropped by
    // the rendering — confirm against the source file.
    $type = ilObject::_lookupType($obj_id);

    // event only for a new assignment, not for a repeated call
    if(!$alreadyAssigned)
    {
        ilLoggerFactory::getInstance()->getLogger('ac')->debug('Raise event assign user');
        $GLOBALS['ilAppEventHandler']->raise(
        'Services/AccessControl',
        'assignUser',
        array(
        'obj_id' => $obj_id,
        'usr_id' => $a_usr_id,
        'role_id' => $a_rol_id,
        'type' => $type
        )
        );
    }
    return TRUE;
}
315
/**
 * Remove a user from a role.
 *
 * Deletes the rbac_ua row, clears the assignment cache entry, notifies the
 * LDAP role/group mapping and raises a 'Services/AccessControl' /
 * 'deassignUser' event. The event is raised even when there was no row to
 * delete (no isAssigned() check, unlike assignUser()).
 *
 * @param int $a_rol_id role object id
 * @param int $a_usr_id user id
 * @return bool always TRUE
 *
 * A WARNING is raised when a parameter is missing.
 */
public function deassignUser($a_rol_id,$a_usr_id)
{
    global $ilDB, $rbacreview;

    if (!isset($a_rol_id) or !isset($a_usr_id))
    {
        $message = get_class($this)."::deassignUser(): Missing parameter! role_id: ".$a_rol_id." usr_id: ".$a_usr_id;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    $query = "DELETE FROM rbac_ua ".
    "WHERE usr_id = ".$ilDB->quote($a_usr_id,'integer')." ".
    "AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
    $res = $ilDB->manipulate($query);

    $rbacreview->setAssignedCacheEntry($a_rol_id,$a_usr_id,false);

    include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
    // NOTE(review): this listing shows no assignment of $mapping before the call
    // below; presumably "$mapping = ilLDAPRoleGroupMapping::_getInstance();" was
    // dropped by the rendering — confirm against the source file.
    $mapping->deassign($a_rol_id,$a_usr_id);

    $ref_id = $GLOBALS['rbacreview']->getObjectReferenceOfRole($a_rol_id);
    // NOTE(review): $obj_id is used below but not assigned in this listing;
    // presumably "$obj_id = ilObject::_lookupObjId($ref_id);" was dropped by
    // the rendering — confirm against the source file.
    $type = ilObject::_lookupType($obj_id);

    ilLoggerFactory::getInstance()->getLogger('ac')->debug('Raise event deassign user');
    $GLOBALS['ilAppEventHandler']->raise(
    'Services/AccessControl',
    'deassignUser',
    array(
    'obj_id' => $obj_id,
    'usr_id' => $a_usr_id,
    'role_id' => $a_rol_id,
    'type' => $type
    )
    );
    return TRUE;
}
361
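/**
 * Replace the permission set of one role on one object (rbac_pa).
 *
 * The existing rbac_pa row for (rol_id, ref_id) is always deleted first; then
 * one row holding the serialized list of operation ids is inserted. Passing
 * an empty $a_ops therefore revokes every permission of the role on that
 * object, and the method returns false in that case.
 *
 * @param int   $a_rol_id role object id
 * @param int[] $a_ops    operation ids; each value is cast to int before it is
 *                        serialized, so the stored list is type-stable
 * @param int   $a_ref_id reference id of the object
 * @return bool true when a permission row was written, false when $a_ops was empty
 *
 * A WARNING is raised for missing parameters or a non-array $a_ops. The
 * system role is skipped (returns true) because it is not managed via rbac_pa.
 *
 * Changes: the DELETE now goes through manipulate()/quote() like every other
 * write in this class (it was issued with queryF(), the read path), and the
 * stale commented-out early return was dropped.
 */
public function grantPermission($a_rol_id, $a_ops, $a_ref_id)
{
    global $ilDB;

    if (!isset($a_rol_id) or !isset($a_ops) or !isset($a_ref_id)) {
        $this->ilErr->raiseError(
            get_class($this) . "::grantPermission(): Missing parameter! " .
            "role_id: " . $a_rol_id . " ref_id: " . $a_ref_id . " operations: ",
            $this->ilErr->WARNING
        );
    }

    if (!is_array($a_ops)) {
        $this->ilErr->raiseError(
            get_class($this) . "::grantPermission(): Wrong datatype for operations!",
            $this->ilErr->WARNING
        );
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID) {
        return true;
    }

    // Normalise every operation id to int before serializing the list.
    foreach ($a_ops as $key => $operation) {
        $a_ops[$key] = (int) $operation;
    }
    $ops_ids = serialize($a_ops);

    // Drop whatever the role currently has on this object.
    $ilDB->manipulate(
        'DELETE FROM rbac_pa WHERE rol_id = ' . $ilDB->quote($a_rol_id, 'integer') .
        ' AND ref_id = ' . $ilDB->quote($a_ref_id, 'integer')
    );

    // Nothing to grant: the delete above already revoked everything.
    if (!count($a_ops)) {
        return false;
    }

    $ilDB->manipulate(
        "INSERT INTO rbac_pa (rol_id,ops_id,ref_id) VALUES (" .
        $ilDB->quote($a_rol_id, 'integer') . "," .
        $ilDB->quote($ops_ids, 'text') . "," .
        $ilDB->quote($a_ref_id, 'integer') . ")"
    );

    return true;
}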
425
/**
 * Revoke permissions (rbac_pa rows) on one object.
 *
 * @param int  $a_ref_id         reference id of the object
 * @param int  $a_rol_id         role object id; 0 means "every role in scope of the object"
 * @param bool $a_keep_protected true (default): roles whose permission settings
 *                               are protected are left untouched; false: the
 *                               rows are deleted regardless of protection
 *                               (used when objects are moved out of scope)
 * @return bool always true
 *
 * A WARNING is raised (with a stack trace in the log) when $a_ref_id is
 * missing. The system role is never touched. When a role id is given that is
 * not among the roles in scope of the object, the protected lookup yields
 * nothing and the rows are deleted.
 */
public function revokePermission($a_ref_id, $a_rol_id = 0, $a_keep_protected = true)
{
    global $rbacreview, $log, $ilDB, $ilLog;

    if (!isset($a_ref_id)) {
        $ilLog->logStack();
        $this->ilErr->raiseError(
            get_class($this) . "::revokePermission(): Missing parameter! ref_id: " . $a_ref_id,
            $this->ilErr->WARNING
        );
    }

    $ref_sql = $ilDB->quote($a_ref_id, 'integer');

    // Bypass mode: the protected flag is ignored entirely.
    if ($a_keep_protected != true) {
        if ($a_rol_id == SYSTEM_ROLE_ID) {
            return true;
        }
        $role_filter = $a_rol_id
            ? " AND rol_id = " . $ilDB->quote($a_rol_id, 'integer') . " "
            : "";
        $ilDB->manipulate("DELETE FROM rbac_pa WHERE ref_id = " . $ref_sql . $role_filter);
        return true;
    }

    // Protected mode: the roles in scope carry the protected flag we need.
    $roles_in_scope = $rbacreview->getParentRoleIds($a_ref_id);

    if ($a_rol_id) {
        if ($a_rol_id == SYSTEM_ROLE_ID) {
            return true;
        }
        // protected permission settings are never revoked in this mode
        if ($roles_in_scope[$a_rol_id]['protected'] == true) {
            return true;
        }
        $ilDB->manipulate(
            "DELETE FROM rbac_pa WHERE ref_id = " . $ref_sql . " " .
            "AND rol_id = " . $ilDB->quote($a_rol_id, 'integer') . " "
        );
        return true;
    }

    // No role given: revoke for every non-protected role in scope.
    $unprotected = array();
    foreach ($roles_in_scope as $role) {
        if ($role['protected'] != true) {
            $unprotected[] = $role['obj_id'];
        }
    }
    if (!$unprotected) {
        return true;
    }
    $ilDB->manipulate(
        'DELETE FROM rbac_pa WHERE ' . $ilDB->in('rol_id', $unprotected, false, 'integer') .
        ' AND ref_id = ' . $ref_sql
    );

    return true;
}
529
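/**
 * Revoke all rbac_pa rows of one role on every node of a subtree.
 *
 * The subtree (including $a_ref_id itself, as far as the tree's subtree
 * query includes it) is selected with $tree->getSubTreeQuery() inside the
 * DELETE, so the permission rows are removed in a single statement. The
 * protected flag is not consulted here (compare revokePermission()).
 *
 * @param int $a_ref_id  root node of the subtree
 * @param int $a_role_id role object id
 * @return bool always true
 *
 * Change: the system role is now skipped like in every other permission
 * writer of this class (it is not managed through rbac_pa).
 */
public function revokeSubtreePermissions($a_ref_id, $a_role_id)
{
    global $ilDB;

    // exclude system role from rbac
    if ($a_role_id == SYSTEM_ROLE_ID) {
        return true;
    }

    $ilDB->manipulate(
        'DELETE FROM rbac_pa WHERE ref_id IN ( ' .
        $GLOBALS['tree']->getSubTreeQuery($a_ref_id, array('child')) . ' ) ' .
        'AND rol_id = ' . $ilDB->quote($a_role_id, 'integer')
    );

    return true;
}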
548
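/**
 * Delete the template permissions (rbac_templates) and the role folder
 * assignments (rbac_fa) of one role on every node of a subtree.
 *
 * @param int $a_ref_id root node of the subtree
 * @param int $a_rol_id role object id
 * @return bool always true
 *
 * Changes: the system role is skipped like in deleteLocalRole(), which
 * deletes from the same two tables; the subtree query is built once and
 * reused for both statements instead of being generated twice.
 */
public function deleteSubtreeTemplates($a_ref_id, $a_rol_id)
{
    global $ilDB;

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID) {
        return true;
    }

    $subtree = $GLOBALS['tree']->getSubTreeQuery($a_ref_id, array('child'));
    $rol_id = $ilDB->quote($a_rol_id, 'integer');

    foreach (array('rbac_templates', 'rbac_fa') as $table) {
        $ilDB->manipulate(
            'DELETE FROM ' . $table . ' WHERE parent IN ( ' . $subtree . ' ) ' .
            'AND rol_id = ' . $rol_id
        );
    }

    return true;
}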
575
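/**
 * Revoke all rbac_pa rows of one role on a list of objects.
 *
 * The protected flag is not consulted (compare revokePermission()).
 *
 * @param int[] $a_ref_ids reference ids of the objects
 * @param int   $a_rol_id  role object id
 * @return bool always true
 *
 * A WARNING is raised when $a_ref_ids is missing or not an array, or when
 * the role id is missing. The system role is skipped.
 *
 * Fix: the error message used var_dump($a_ref_ids), which prints directly
 * to the output (leaking the dump into the response) and returns null, so
 * the message never contained the list. print_r(..., true) returns it.
 */
public function revokePermissionList($a_ref_ids, $a_rol_id)
{
    global $ilDB;

    if (!isset($a_ref_ids) or !is_array($a_ref_ids)) {
        $this->ilErr->raiseError(
            get_class($this) . "::revokePermissionList(): Missing parameter or parameter is not an array! reference_list: " . print_r($a_ref_ids, true),
            $this->ilErr->WARNING
        );
    }

    if (!isset($a_rol_id)) {
        $this->ilErr->raiseError(
            get_class($this) . "::revokePermissionList(): Missing parameter! rol_id: " . $a_rol_id,
            $this->ilErr->WARNING
        );
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID) {
        return true;
    }

    $ilDB->manipulate(
        "DELETE FROM rbac_pa WHERE " . $ilDB->in('ref_id', $a_ref_ids, false, 'integer') . ' ' .
        "AND rol_id = " . $ilDB->quote($a_rol_id, 'integer')
    );

    return true;
}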
612
/**
 * Copy a role's template permissions and its effective permissions on one
 * node to another role.
 *
 * Step 1 copies rbac_templates (and, when $a_consider_protected is true,
 * the protected flag) through copyRoleTemplatePermissions(). Step 2 reads
 * the source role's operations on $a_source_parent, revokes the destination
 * role's rbac_pa row on $a_dest_parent and grants the source's set there.
 * revokePermission() is called with the default, protection-respecting
 * mode, but grantPermission() replaces the rbac_pa row unconditionally, so
 * the end result does not depend on the destination's protected flag.
 *
 * @param int  $a_source_id         source role id
 * @param int  $a_source_parent     node whose permissions are read
 * @param int  $a_dest_parent       node whose permissions are written
 * @param int  $a_dest_id           destination role id
 * @param bool $a_consider_protected also copy the protected status
 * @return bool always true
 */
public function copyRolePermissions($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected = true)
{
    global $tree, $rbacreview;

    // template permissions first
    $this->copyRoleTemplatePermissions(
        $a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected
    );

    // then the effective permissions on the node itself
    $source_ops = $rbacreview->getRoleOperationsOnObject($a_source_id, $a_source_parent);
    $this->revokePermission($a_dest_parent, $a_dest_id);
    $this->grantPermission($a_dest_id, $source_ops, $a_dest_parent);

    return true;
}
636
/**
 * Copy the template permissions (rbac_templates) of one role at one node
 * to another role at another node, replacing what the destination had there.
 *
 * When $a_consider_protected is true and the source role is protected at
 * $a_source_parent, the destination is marked protected too via
 * setProtected(). Note that setProtected() ignores its ref_id and flags the
 * destination role at every node, and that the flag is only ever set here,
 * never cleared.
 *
 * @param int  $a_source_id         source role id
 * @param int  $a_source_parent     node whose rbac_templates rows are read
 * @param int  $a_dest_parent       node whose rbac_templates rows are written
 * @param int  $a_dest_id           destination role id
 * @param bool $a_consider_protected copy the protected status as well
 * @return bool always true
 *
 * A WARNING is raised for missing parameters; the system role as
 * destination is skipped.
 */
public function copyRoleTemplatePermissions($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected = true)
{
    global $rbacreview, $ilDB;

    if (!isset($a_source_id) or !isset($a_source_parent) or !isset($a_dest_id) or !isset($a_dest_parent)) {
        $this->ilErr->raiseError(
            __METHOD__ . ": Missing parameter! source_id: " . $a_source_id .
            " source_parent_id: " . $a_source_parent .
            " dest_id : " . $a_dest_id .
            " dest_parent_id: " . $a_dest_parent,
            $this->ilErr->WARNING
        );
    }

    // exclude system role from rbac
    if ($a_dest_id == SYSTEM_ROLE_ID) {
        return true;
    }

    // read the source rows ...
    $rows = array();
    $res = $ilDB->query(
        'SELECT * FROM rbac_templates WHERE rol_id = ' . $ilDB->quote($a_source_id, 'integer') .
        ' AND parent = ' . $ilDB->quote($a_source_parent, 'integer')
    );
    while ($row = $ilDB->fetchObject($res)) {
        $rows[] = array('type' => $row->type, 'ops_id' => $row->ops_id);
    }

    // ... replace the destination's rows at the destination node
    $ilDB->manipulate(
        'DELETE FROM rbac_templates WHERE rol_id = ' . $ilDB->quote($a_dest_id, 'integer') .
        ' AND parent = ' . $ilDB->quote($a_dest_parent, 'integer')
    );
    foreach ($rows as $entry) {
        $ilDB->manipulate(
            'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) VALUES (' .
            $ilDB->quote($a_dest_id, 'integer') . "," .
            $ilDB->quote($entry['type'], 'text') . "," .
            $ilDB->quote($entry['ops_id'], 'integer') . "," .
            $ilDB->quote($a_dest_parent, 'integer') . ")"
        );
    }

    // ... and carry over the protected status if requested
    if ($a_consider_protected == true and $rbacreview->isProtected($a_source_parent, $a_source_id)) {
        $this->setProtected($a_dest_parent, $a_dest_id, 'y');
    }

    return true;
}
/**
 * Give the destination role the intersection of the template permissions of
 * two source roles: only (type, ops_id) pairs present in BOTH sources are
 * written to rbac_templates at $a_dest_parent, after the destination's
 * existing rows there were deleted.
 *
 * @param int $a_source1_id     first source role id
 * @param int $a_source1_parent node the first source's templates are read from
 * @param int $a_source2_id     second source role id
 * @param int $a_source2_parent node the second source's templates are read from
 * @param int $a_dest_parent    node the destination's templates are written to
 * @param int $a_dest_id        destination role id
 * @return bool always true
 *
 * A WARNING is raised for missing parameters. Nothing is changed when the
 * destination is the system role, or when the second source role is
 * protected at $a_source2_parent (only a log line is written then).
 */
public function copyRolePermissionIntersection($a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_parent, $a_dest_id)
{
    global $rbacreview, $ilDB;

    if (!isset($a_source1_id) or !isset($a_source1_parent)
        or !isset($a_source2_id) or !isset($a_source2_parent)
        or !isset($a_dest_id) or !isset($a_dest_parent)) {
        $this->ilErr->raiseError(
            get_class($this) . "::copyRolePermissionIntersection(): Missing parameter! source1_id: " . $a_source1_id .
            " source1_parent: " . $a_source1_parent .
            " source2_id: " . $a_source2_id .
            " source2_parent: " . $a_source2_parent .
            " dest_id: " . $a_dest_id .
            " dest_parent_id: " . $a_dest_parent,
            $this->ilErr->WARNING
        );
    }

    // exclude system role from rbac
    if ($a_dest_id == SYSTEM_ROLE_ID) {
        return true;
    }

    // a protected second source is left alone
    if ($rbacreview->isProtected($a_source2_parent, $a_source2_id)) {
        $GLOBALS['ilLog']->write(__METHOD__ . ': Role is protected');
        return true;
    }

    // self-join on (type, ops_id) yields the intersection
    $res = $ilDB->query(
        "SELECT s1.type, s1.ops_id " .
        "FROM rbac_templates s1, rbac_templates s2 " .
        "WHERE s1.rol_id = " . $ilDB->quote($a_source1_id, 'integer') . " " .
        "AND s1.parent = " . $ilDB->quote($a_source1_parent, 'integer') . " " .
        "AND s2.rol_id = " . $ilDB->quote($a_source2_id, 'integer') . " " .
        "AND s2.parent = " . $ilDB->quote($a_source2_parent, 'integer') . " " .
        "AND s1.type = s2.type " .
        "AND s1.ops_id = s2.ops_id"
    );
    $common = array();
    while ($row = $res->fetchRow(DB_FETCHMODE_OBJECT)) {
        $common[] = array('type' => $row->type, 'ops_id' => $row->ops_id);
    }

    // replace the destination's template rows at the destination node
    $ilDB->manipulate(
        'DELETE FROM rbac_templates WHERE rol_id = ' . $ilDB->quote($a_dest_id, 'integer') .
        ' AND parent = ' . $ilDB->quote($a_dest_parent, 'integer')
    );

    $insert = $ilDB->prepareManip(
        'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) VALUES (?,?,?,?)',
        array('integer', 'text', 'integer', 'integer')
    );
    foreach ($common as $entry) {
        $ilDB->execute($insert, array($a_dest_id, $entry['type'], $entry['ops_id'], $a_dest_parent));
    }

    return true;
}
786
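/**
 * Give the destination role the union of the template permissions of two
 * source roles (rbac_templates at $a_dest_parent).
 *
 * The destination's template rows at $a_dest_parent are deleted first
 * (deleteRolePermission). Then every (type, ops_id) of source 1 is
 * inserted, followed by every (type, ops_id) of source 2 that source 1 did
 * not already have, so no duplicate rows are produced (#15469).
 *
 * @param int $a_source1_id     first source role id
 * @param int $a_source1_parent node the first source's templates are read from
 * @param int $a_source2_id     second source role id
 * @param int $a_source2_parent node the second source's templates are read from
 * @param int $a_dest_id        destination role id
 * @param int $a_dest_parent    node the destination's templates are written to
 * @return bool always true
 *
 * Changes: the second source was read with getAlloperationsOfRole() (wrong
 * case; PHP tolerates it, but every other call in this class spells it
 * getAllOperationsOfRole); the two copies of the INSERT are folded into one
 * loop over the merged (type, op) list, in the same order as before. The
 * print_r() dumps of both operation maps are still written to the log —
 * they are verbose, so consider dropping them once the feature is stable.
 */
public function copyRolePermissionUnion(
    $a_source1_id,
    $a_source1_parent,
    $a_source2_id,
    $a_source2_parent,
    $a_dest_id,
    $a_dest_parent)
{
    global $ilDB, $rbacreview;

    $s1_ops = $rbacreview->getAllOperationsOfRole($a_source1_id, $a_source1_parent);
    $s2_ops = $rbacreview->getAllOperationsOfRole($a_source2_id, $a_source2_parent);

    $this->deleteRolePermission($a_dest_id, $a_dest_parent);

    $GLOBALS['ilLog']->write(__METHOD__ . ': ' . print_r($s1_ops, TRUE));
    $GLOBALS['ilLog']->write(__METHOD__ . ': ' . print_r($s2_ops, TRUE));

    // Merge: everything from source 1, then whatever source 2 adds on top.
    $union = array();
    foreach ($s1_ops as $type => $ops) {
        foreach ($ops as $op) {
            $union[] = array($type, $op);
        }
    }
    foreach ($s2_ops as $type => $ops) {
        foreach ($ops as $op) {
            if (!isset($s1_ops[$type]) or !in_array($op, $s1_ops[$type])) {
                $union[] = array($type, $op);
            }
        }
    }

    foreach ($union as $entry) {
        list($type, $op) = $entry;
        $ilDB->manipulate(
            'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) VALUES( ' .
            $ilDB->quote($a_dest_id, 'integer') . ', ' .
            $ilDB->quote($type, 'text') . ', ' .
            $ilDB->quote($op, 'integer') . ', ' .
            $ilDB->quote($a_dest_parent, 'integer') . ' )'
        );
    }

    return true;
}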
855
/**
 * Remove from the destination role every template permission that the
 * source role has: after this call the destination's rbac_templates rows at
 * $a_dest_parent contain only (type, ops_id) pairs the source lacks.
 *
 * @param int $a_source_id     source role id
 * @param int $a_source_parent node the source's templates are read from
 * @param int $a_dest_id       destination role id
 * @param int $a_dest_parent   node the destination's templates are modified at
 * @return bool always true
 *
 * No system-role or protected-flag check is done here.
 */
public function copyRolePermissionSubtract($a_source_id, $a_source_parent, $a_dest_id, $a_dest_parent)
{
    global $rbacreview, $ilDB;

    $source_ops = $rbacreview->getAllOperationsOfRole($a_source_id, $a_source_parent);
    $dest_ops = $rbacreview->getAllOperationsOfRole($a_dest_id, $a_dest_parent);

    $dest_sql = $ilDB->quote($a_dest_id, 'integer');
    $parent_sql = $ilDB->quote($a_dest_parent, 'integer');

    foreach ($source_ops as $type => $ops) {
        // only pairs the destination actually has need a DELETE
        if (!isset($dest_ops[$type])) {
            continue;
        }
        foreach ($ops as $op) {
            if (!in_array($op, $dest_ops[$type])) {
                continue;
            }
            $ilDB->manipulate(
                'DELETE FROM rbac_templates WHERE rol_id = ' . $dest_sql .
                ' AND type = ' . $ilDB->quote($type, 'text') .
                ' AND ops_id = ' . $ilDB->quote($op, 'integer') .
                ' AND parent = ' . $parent_sql
            );
        }
    }

    return true;
}
887
888
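/**
 * Delete the template permissions (rbac_templates) of one role at one node,
 * optionally restricted to a single object type.
 *
 * @param int          $a_rol_id role object id
 * @param int          $a_ref_id node (rbac_templates.parent)
 * @param string|false $a_type   object type to restrict to; false (default)
 *                               deletes the rows of every type
 * @return bool always true
 *
 * A WARNING is raised for missing parameters. The system role is skipped.
 *
 * Fix: $and_type was only assigned when a type was given, so the default
 * path concatenated an undefined variable into the query. It is now
 * initialised to '' first.
 */
public function deleteRolePermission($a_rol_id, $a_ref_id, $a_type = false)
{
    global $ilDB;

    if (!isset($a_rol_id) or !isset($a_ref_id)) {
        $this->ilErr->raiseError(
            get_class($this) . "::deleteRolePermission(): Missing parameter! role_id: " . $a_rol_id . " ref_id: " . $a_ref_id,
            $this->ilErr->WARNING
        );
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID) {
        return true;
    }

    // Optional type restriction; empty string means "all types".
    $and_type = '';
    if ($a_type !== false) {
        $and_type = " AND type=" . $ilDB->quote($a_type, 'text') . " ";
    }

    $ilDB->manipulate(
        'DELETE FROM rbac_templates WHERE rol_id = ' . $ilDB->quote($a_rol_id, 'integer') .
        ' AND parent = ' . $ilDB->quote($a_ref_id, 'integer') . ' ' . $and_type
    );

    return true;
}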
929
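/**
 * Add template permissions for one role, one object type and one node:
 * inserts one rbac_templates row per operation id.
 *
 * Rows are inserted as given — nothing is deleted first, the operation ids
 * are not checked against rbac_ta, and no duplicate check is done. Callers
 * that want to replace a role's rows at a node call deleteRolePermission()
 * first.
 *
 * @param int    $a_rol_id role object id
 * @param string $a_type   object type the template applies to
 * @param int[]  $a_ops    operation ids (non-empty)
 * @param int    $a_ref_id node (rbac_templates.parent)
 * @return bool always true
 *
 * A WARNING is raised for a missing parameter, a non-string/empty type or a
 * non-array/empty operations list. The system role is skipped.
 *
 * Fix: the missing-parameter message concatenated $a_ops directly; for an
 * array that yields the text "Array" plus a conversion notice, so the list
 * is now rendered with print_r(..., true).
 */
public function setRolePermission($a_rol_id, $a_type, $a_ops, $a_ref_id)
{
    global $ilDB;

    if (!isset($a_rol_id) or !isset($a_type) or !isset($a_ops) or !isset($a_ref_id)) {
        $this->ilErr->raiseError(
            get_class($this) . "::setRolePermission(): Missing parameter!" .
            " role_id: " . $a_rol_id .
            " type: " . $a_type .
            " operations: " . print_r($a_ops, true) .
            " ref_id: " . $a_ref_id,
            $this->ilErr->WARNING
        );
    }

    if (!is_string($a_type) or empty($a_type)) {
        $this->ilErr->raiseError(
            get_class($this) . "::setRolePermission(): a_type is no string or empty!",
            $this->ilErr->WARNING
        );
    }

    if (!is_array($a_ops) or empty($a_ops)) {
        $this->ilErr->raiseError(
            get_class($this) . "::setRolePermission(): a_ops is no array or empty!",
            $this->ilErr->WARNING
        );
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID) {
        return true;
    }

    $insert = $ilDB->prepareManip(
        'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) VALUES (?,?,?,?)',
        array('integer', 'text', 'integer', 'integer')
    );
    foreach ($a_ops as $op) {
        $ilDB->execute($insert, array($a_rol_id, $a_type, $op, $a_ref_id));
    }

    return true;
}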
987
/**
 * Register a role at a role folder / node (one rbac_fa row).
 *
 * The row is always created with protected = 'n'; protection has to be
 * set afterwards with setProtected(). Any $a_assign value other than "y"
 * is stored as "n" (the role is then a template at that node, not
 * assignable there).
 *
 * @param int    $a_rol_id role object id
 * @param int    $a_parent node (rbac_fa.parent)
 * @param string $a_assign "y" if the role is assignable at this node, otherwise "n"
 * @return bool always true
 *
 * A WARNING is raised for missing parameters. The system role is skipped.
 */
public function assignRoleToFolder($a_rol_id, $a_parent, $a_assign = "y")
{
    global $ilDB, $rbacreview;

    if (!isset($a_rol_id) or !isset($a_parent)) {
        $this->ilErr->raiseError(
            get_class($this) . "::assignRoleToFolder(): Missing Parameter!" .
            " role_id: " . $a_rol_id .
            " parent_id: " . $a_parent .
            " assign: " . $a_assign,
            $this->ilErr->WARNING
        );
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID) {
        return true;
    }

    // anything but "y" is normalised to "n"
    $assign_flag = ($a_assign == "y") ? "y" : "n";

    ilLoggerFactory::getLogger('ac')->debug('Assign role to folder: ' . $a_rol_id . ' ' . $a_parent);

    $ilDB->manipulate(
        'INSERT INTO rbac_fa (rol_id, parent, assign, protected) VALUES (' .
        $ilDB->quote($a_rol_id, 'integer') . ',' .
        $ilDB->quote($a_parent, 'integer') . ',' .
        $ilDB->quote($assign_flag, 'text') . ',' .
        $ilDB->quote('n', 'text') . ')'
    );

    return true;
}
1038
/**
 * Make an operation available for an object type (one rbac_ta row).
 *
 * @param int $a_type_id id of the object type (rbac_ta.typ_id)
 * @param int $a_ops_id  operation id
 * @return bool always true
 *
 * A WARNING is raised for missing parameters. No duplicate check is done
 * before the INSERT.
 */
public function assignOperationToObject($a_type_id, $a_ops_id)
{
    global $ilDB;

    if (!isset($a_type_id) or !isset($a_ops_id)) {
        $this->ilErr->raiseError(
            get_class($this) . "::assignOperationToObject(): Missing parameter!" .
            "type_id: " . $a_type_id .
            "ops_id: " . $a_ops_id,
            $this->ilErr->WARNING
        );
    }

    $ilDB->manipulate(
        "INSERT INTO rbac_ta (typ_id, ops_id) VALUES(" .
        $ilDB->quote($a_type_id, 'integer') . "," . $ilDB->quote($a_ops_id, 'integer') . ")"
    );

    return true;
}
1064
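/**
 * Remove an operation from an object type (deletes the rbac_ta row).
 *
 * @param int $a_type_id id of the object type (rbac_ta.typ_id)
 * @param int $a_ops_id  operation id
 * @return bool always true
 *
 * A WARNING is raised for missing parameters.
 *
 * Fixes: the error message named a method that does not exist
 * ("deassignPermissionFromObject"); it now names this one. The method had
 * no visibility keyword — it is public, like its counterpart
 * assignOperationToObject(), so the default is only made explicit.
 */
public function deassignOperationFromObject($a_type_id, $a_ops_id)
{
    global $ilDB;

    if (!isset($a_type_id) or !isset($a_ops_id)) {
        $this->ilErr->raiseError(
            get_class($this) . "::deassignOperationFromObject(): Missing parameter!" .
            "type_id: " . $a_type_id .
            "ops_id: " . $a_ops_id,
            $this->ilErr->WARNING
        );
    }

    $ilDB->manipulate(
        "DELETE FROM rbac_ta WHERE typ_id = " . $ilDB->quote($a_type_id, 'integer') .
        " AND ops_id = " . $ilDB->quote($a_ops_id, 'integer')
    );

    return true;
}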
1092
/**
 * Set the protected flag of a role (rbac_fa.protected).
 *
 * Security note: $a_ref_id is accepted but NOT used — the UPDATE matches
 * every rbac_fa row of the role, so protection is global for the role,
 * regardless of any broken inheritance below. Callers that pass a ref_id
 * expecting a node-local effect get a role-wide one. $a_value is stored as
 * given (quoted as text); this class only ever passes 'y'.
 *
 * @param int    $a_ref_id  unused
 * @param int    $a_role_id role object id
 * @param string $a_value   new value of the protected column
 * @return bool always true
 */
public function setProtected($a_ref_id, $a_role_id, $a_value)
{
    global $ilDB;

    // ref_id not used yet: protected acts 'global' for each role
    $ilDB->manipulate(
        'UPDATE rbac_fa SET protected = ' . $ilDB->quote($a_value, 'text') .
        ' WHERE rol_id = ' . $ilDB->quote($a_role_id, 'integer')
    );

    return true;
}
1113
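/**
 * Copy the "real" local roles of one role folder to another.
 *
 * Roles whose title starts with "il_" are auto-generated by their owning
 * object (course/group member roles etc.) and are skipped; every other
 * role of the source folder is recreated as a new ilObjRole (title,
 * description, import id), registered at the target folder as assignable
 * and given the source role's permissions through copyRolePermissions(),
 * including the protected status. No user assignments are copied.
 *
 * @param int $a_source_id ref_id of the source role folder
 * @param int $a_target_id ref_id of the target role folder
 * @return bool always true
 *
 * Changes: the method now returns true on the normal path as well (it only
 * did so when there was nothing to copy); the include_once moved out of the
 * loop.
 */
public function copyLocalRoles($a_source_id, $a_target_id)
{
    global $rbacreview, $ilLog, $ilObjDataCache;

    // collect the real local roles of the source folder
    $real_local = array();
    foreach ($rbacreview->getRolesOfRoleFolder($a_source_id, false) as $role_id) {
        if (substr($ilObjDataCache->lookupTitle($role_id), 0, 3) == 'il_') {
            continue;
        }
        $real_local[] = $role_id;
    }
    if (!count($real_local)) {
        return true;
    }

    include_once("./Services/AccessControl/classes/class.ilObjRole.php");
    foreach ($real_local as $role) {
        $orig = new ilObjRole($role);
        $orig->read();

        $ilLog->write(__METHOD__ . ': Start copying of role ' . $orig->getTitle());
        $copy = new ilObjRole();
        $copy->setTitle($orig->getTitle());
        $copy->setDescription($orig->getDescription());
        $copy->setImportId($orig->getImportId());
        $copy->create();

        $this->assignRoleToFolder($copy->getId(), $a_target_id, "y");
        $this->copyRolePermissions($role, $a_source_id, $a_target_id, $copy->getId(), true);
        $ilLog->write(__METHOD__ . ': Added new local role, id ' . $copy->getId());
    }

    return true;
}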
1162
/**
 * Initialise the permissions of a role on an object that just entered the
 * role's scope (used when objects are moved, see adjustMovedObjectPermissions()).
 *
 * Two cases:
 *  - protected role: the object permissions (rbac_pa) are taken straight
 *    from the role's template at $a_role_parent; no local template is created.
 *  - otherwise, if a template id is given: a local template for the role at
 *    $a_ref_id is built as the intersection of the object's template
 *    ($a_template_id at $a_template_parent) and the role's own template, the
 *    role is registered at $a_ref_id as non-assignable ('n'), and the object
 *    permissions are then derived from that new local template.
 *  - otherwise (no template id): nothing is changed.
 *
 * @param int $a_ref_id          object the role enters the scope of
 * @param int $a_role_id         role object id
 * @param int $a_role_parent     node the role's template is read from
 * @param int $a_template_id     role template of the object (e.g. course/group status template)
 * @param int $a_template_parent node that template lives at
 * @return void
 */
public function initIntersectionPermissions($a_ref_id, $a_role_id, $a_role_parent, $a_template_id, $a_template_parent)
{
    global $rbacreview;

    if($rbacreview->isProtected($a_role_parent, $a_role_id))
    {
        // Assign object permissions
        $new_ops = $rbacreview->getOperationsOfRole(
        $a_role_id,
        ilObject::_lookupType($a_ref_id, true),
        $a_role_parent
        );

        // set new permissions for object
        $this->grantPermission(
        $a_role_id,
        (array) $new_ops,
        $a_ref_id
        );
        return;
    }
    if(!$a_template_id)
    {
        return;
    }
    // create template permission intersection
    // NOTE(review): the line opening this call is missing from the listing;
    // the six arguments match copyRolePermissionIntersection(source1_id,
    // source1_parent, source2_id, source2_parent, dest_parent, dest_id), so
    // presumably "$this->copyRolePermissionIntersection(" was dropped by the
    // rendering — confirm against the source file.
    $a_template_id,
    $a_template_parent,
    $a_role_id,
    $a_role_parent,
    $a_ref_id,
    $a_role_id
    );

    // assign role to folder (template only, not assignable at this node)
    $this->assignRoleToFolder(
    $a_role_id,
    $a_ref_id,
    'n'
    );

    // Assign object permissions, now read from the new local template at $a_ref_id
    $new_ops = $rbacreview->getOperationsOfRole(
    $a_role_id,
    ilObject::_lookupType($a_ref_id, true),
    $a_ref_id
    );

    // set new permissions for object
    $this->grantPermission(
    $a_role_id,
    (array) $new_ops,
    $a_ref_id
    );

    return;
}
1231
/**
 * Re-apply the didactic template actions of a moved object at its new
 * position. Local-role actions are skipped (the roles already exist);
 * every other action is pointed at $a_ref_id and applied again.
 *
 * @param int $a_ref_id     reference id of the moved object
 * @param int $a_old_parent former parent (accepted, not used here)
 * @return void
 */
protected function applyMovedObjectDidacticTemplates($a_ref_id, $a_old_parent)
{
    include_once './Services/DidacticTemplate/classes/class.ilDidacticTemplateObjSettings.php';
    // NOTE(review): $tpl_id is tested below but not assigned in this listing;
    // presumably "$tpl_id = ilDidacticTemplateObjSettings::lookupTemplateId($a_ref_id);"
    // was dropped by the rendering — confirm against the source file.
    if(!$tpl_id) {
        return;
    }
    include_once './Services/DidacticTemplate/classes/class.ilDidacticTemplateActionFactory.php';
    foreach(ilDidacticTemplateActionFactory::getActionsByTemplateId($tpl_id) as $action) {
        // local roles were created with the object and are not recreated on move
        if($action instanceof ilDidacticTemplateLocalRoleAction) {
            continue;
        }
        $action->setRefId($a_ref_id);
        $action->apply();
    }
    return;
}
1256
1257
/**
 * Adjust the permissions of an object (and its whole subtree) after it was
 * moved from $a_old_parent to its current parent.
 *
 * The roles in scope of the old and the new parent are compared:
 *  - roles only in the new scope are added;
 *  - roles only in the old scope are removed;
 *  - roles in both scopes but inherited from a different node (stopped
 *    inheritance) are removed and re-added.
 * For every node of the subtree, removed roles lose their local template
 * (deleteLocalRole) and their rbac_pa row — with the protected flag
 * bypassed, since the role no longer applies there; added roles get their
 * permissions from the role's template at its parent node, via
 * initIntersectionPermissions() for courses and groups and via
 * grantPermission() for every other type. Changes are recorded through
 * ilRbacLog when that log is active. Finally the object's didactic template
 * actions are re-applied.
 *
 * @param int $a_ref_id     reference id of the moved object
 * @param int $a_old_parent reference id of the former parent
 * @return bool|null true when no role change was needed; no value otherwise
 */
public function adjustMovedObjectPermissions($a_ref_id,$a_old_parent)
{
    global $rbacreview,$tree,$ilLog;

    $new_parent = $tree->getParentId($a_ref_id);
    $old_context_roles = $rbacreview->getParentRoleIds($a_old_parent,false);
    $new_context_roles = $rbacreview->getParentRoleIds($new_parent,false);

    // diff the two role scopes
    $for_addition = $for_deletion = array();
    foreach($new_context_roles as $new_role_id => $new_role)
    {
        if(!isset($old_context_roles[$new_role_id]))
        {
            $for_addition[$new_role_id] = $new_role;
        }
        elseif($new_role['parent'] != $old_context_roles[$new_role_id]['parent'])
        {
            // handle stopped inheritance
            $for_deletion[$new_role_id] = $new_role;
            $for_addition[$new_role_id] = $new_role;
        }
    }
    foreach($old_context_roles as $old_role_id => $old_role)
    {
        if(!isset($new_context_roles[$old_role_id]))
        {
            $for_deletion[$old_role_id] = $old_role;
        }
    }

    if(!count($for_deletion) and !count($for_addition))
    {
        $this->applyMovedObjectDidacticTemplates($a_ref_id, $a_old_parent);
        return true;
    }

    include_once "Services/AccessControl/classes/class.ilRbacLog.php";
    $rbac_log_active = ilRbacLog::isActive();
    if($rbac_log_active)
    {
        $role_ids = array_unique(array_merge(array_keys($for_deletion), array_keys($for_addition)));
    }

    foreach($nodes = $tree->getSubTree($tree->getNodeData($a_ref_id),true) as $node_data)
    {
        $node_id = $node_data['child'];

        if($rbac_log_active)
        {
            $log_old = ilRbacLog::gatherFaPa($node_id, $role_ids);
        }

        // If $node_data['type'] is not set, this means there is a tree entry without
        // object_reference and/or object_data entry
        // Continue in this case
        if(!$node_data['type'])
        {
            $ilLog->write(__METHOD__.': No type give. Choosing next tree entry.');
            continue;
        }

        if(!$node_id)
        {
            $ilLog->write(__METHOD__.': Missing subtree node_id');
            continue;
        }

        // roles leaving the scope: drop local template and rbac_pa row,
        // ignoring the protected flag (third argument false)
        foreach($for_deletion as $role_id => $role_data)
        {
            $this->deleteLocalRole($role_id,$node_id);
            $this->revokePermission($node_id,$role_id,false);
            //var_dump("<pre>",'REVOKE',$role_id,$node_id,$rolf_id,"</pre>");
        }
        // roles entering the scope
        foreach($for_addition as $role_id => $role_data)
        {
            switch($node_data['type'])
            {
                case 'grp':
                    include_once './Modules/Group/classes/class.ilObjGroup.php';
                    $tpl_id = ilObjGroup::lookupGroupStatusTemplateId($node_data['obj_id']);
                    // NOTE(review): the line opening this call is missing from the
                    // listing; the arguments match initIntersectionPermissions(ref_id,
                    // role_id, role_parent, template_id, template_parent), so presumably
                    // "$this->initIntersectionPermissions(" was dropped by the rendering.
                    $node_data['child'],
                    $role_id,
                    $role_data['parent'],
                    $tpl_id,
                    ROLE_FOLDER_ID
                    );
                    break;

                case 'crs':
                    include_once './Modules/Course/classes/class.ilObjCourse.php';
                    // NOTE(review): two lines are missing from the listing here — the
                    // assignment of $tpl_id (presumably via
                    // ilObjCourse::lookupCourseNonMemberTemplatesId(), listed in this
                    // file's cross-references) and the opening
                    // "$this->initIntersectionPermissions(" — confirm against the source.
                    $node_data['child'],
                    $role_id,
                    $role_data['parent'],
                    $tpl_id,
                    ROLE_FOLDER_ID
                    );
                    break;


                default:
                    // plain objects: copy the role's template operations for this type
                    $this->grantPermission(
                    $role_id,
                    $ops = $rbacreview->getOperationsOfRole($role_id,$node_data['type'],$role_data['parent']),
                    $node_id);
                    break;


            }


            //var_dump("<pre>",'GRANT',$role_id,$ops,$role_id,$node_data['type'],$role_data['parent'],"</pre>");
        }

        if($rbac_log_active)
        {
            $log_new = ilRbacLog::gatherFaPa($node_id, $role_ids);
            $log = ilRbacLog::diffFaPa($log_old, $log_new);
            // NOTE(review): the statement that writes $log to the RBAC log is missing
            // from the listing (presumably an ilRbacLog::add(...) call was dropped by
            // the rendering) — confirm against the source file.
        }
    }

    $this->applyMovedObjectDidacticTemplates($a_ref_id,$a_old_parent);

}
1396
1397
/**
 * Stub: reads the roles in scope of $a_source_ref_id and writes them to the
 * log. Nothing is copied — $target_ref_id and $a_subtree_id are not used.
 *
 * @param int $a_source_ref_id source node
 * @param int $target_ref_id   unused
 * @param int $a_subtree_id    unused
 * @return void
 */
public function copyEffectiveRolePermissions($a_source_ref_id, $target_ref_id, $a_subtree_id)
{
    global $rbacreview;

    $roles_in_scope = $rbacreview->getParentRoleIds($a_source_ref_id, FALSE);
    $GLOBALS['ilLog']->write(__METHOD__ . ': ' . print_r($roles_in_scope, TRUE));
}
1414
1415
1416
1417
1418} // END class.ilRbacAdmin
1419?>