ILIAS  release_5-1 Revision 5.0.0-5477-g43f3e3fab5f
ilRbacAdmin Class Reference

Class ilRbacAdmin: core functions for role-based access control.


Public Member Functions

 __construct ()
 Constructor.

 setBlockedStatus ($a_role_id, $a_ref_id, $a_blocked_status)
 Set blocked status.

 removeUser ($a_usr_id)
 Deletes a user from rbac_ua; all user <-> role relations are deleted.

 deleteRole ($a_rol_id, $a_ref_id)
 Deletes a role and deletes entries in object_data, rbac_pa, rbac_templates, rbac_ua, rbac_fa.

 deleteTemplate ($a_obj_id)
 Deletes a template from role folder and deletes all entries in rbac_templates, rbac_fa.

 deleteLocalRole ($a_rol_id, $a_ref_id=0)
 Deletes a local role and entries in rbac_fa and rbac_templates.

 assignUserLimited ($a_role_id, $a_usr_id, $a_limit, $a_limited_roles=array())
 Assign user limited.

 assignUser ($a_rol_id, $a_usr_id)
 Assigns a user to a role.

 deassignUser ($a_rol_id, $a_usr_id)
 Deassigns a user from a role.

 grantPermission ($a_rol_id, $a_ops, $a_ref_id)
 Grants a permission to an object and a specific role.

 revokePermission ($a_ref_id, $a_rol_id=0, $a_keep_protected=true)
 Revokes permissions of an object of one role.

 revokeSubtreePermissions ($a_ref_id, $a_role_id)
 Revoke subtree permissions.

 deleteSubtreeTemplates ($a_ref_id, $a_rol_id)
 Delete all template permissions of subtree nodes.

 revokePermissionList ($a_ref_ids, $a_rol_id)
 Revokes permissions of a LIST of objects of ONE role.

 copyRolePermissions ($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected=true)
 Copies template permissions and permission of one role to another.

 copyRoleTemplatePermissions ($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected=true)
 Copies template permissions of one role to another.

 copyRolePermissionIntersection ($a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_parent, $a_dest_id)
 Copies the intersection of the template permissions of two roles to a third role.

 copyRolePermissionUnion ($a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_id, $a_dest_parent)
 <type> $ilDB

 copyRolePermissionSubtract ($a_source_id, $a_source_parent, $a_dest_id, $a_dest_parent)
 Subtract role permissions.

 deleteRolePermission ($a_rol_id, $a_ref_id, $a_type=false)
 Deletes all entries of a template.

 setRolePermission ($a_rol_id, $a_type, $a_ops, $a_ref_id)
 Inserts template permissions in rbac_templates for a specific object type.

 assignRoleToFolder ($a_rol_id, $a_parent, $a_assign="y")
 Assigns a role to a role folder. A role folder is an object to store roles.

 assignOperationToObject ($a_type_id, $a_ops_id)
 Assign an existing operation to an object. Update of rbac_ta.

 deassignOperationFromObject ($a_type_id, $a_ops_id)
 Deassign an existing operation from an object. Update of rbac_ta.

 setProtected ($a_ref_id, $a_role_id, $a_value)
 Set protected $ilDB.

 copyLocalRoles ($a_source_id, $a_target_id)
 Copy local roles. This method creates a copy of all local roles.

 initIntersectionPermissions ($a_ref_id, $a_role_id, $a_role_parent, $a_template_id, $a_template_parent)
 Init intersection permissions.

 adjustMovedObjectPermissions ($a_ref_id, $a_old_parent)
 Adjust permissions of moved objects.

 copyEffectiveRolePermissions ($a_source_ref_id, $target_ref_id, $a_subtree_id)
 Copies all permission from source to target for all roles.
 

Protected Member Functions

 addDesktopItem ($a_rol_id, $a_usr_id)
 Add desktop item.

 applyMovedObjectDidacticTemplates ($a_ref_id, $a_old_parent)
 Apply didactic templates after object movement.
 

Detailed Description

Class ilRbacAdmin: core functions for role-based access control.

Creation and maintenance of relations. The main relations of RBAC are the user <-> role (UR) assignment relation and the permission <-> role (PR) assignment relation. This class contains methods to create and delete instances of the UR relation, e.g. assignUser() and deassignUser(). The required methods for the PR relation are grantPermission() and revokePermission().

Author
Stefan Meyer meyer@leifos.com
Version
$Id$

Definition at line 18 of file class.ilRbacAdmin.php.

Constructor & Destructor Documentation

◆ __construct()

ilRbacAdmin::__construct ( )

Constructor.

Definition at line 24 of file class.ilRbacAdmin.php.

References $ilDB, $ilErr, if, and PEAR_ERROR_CALLBACK.

25  {
26  global $ilDB,$ilErr,$ilias;
27 
28  // set db & error handler
29  (isset($ilDB)) ? $this->ilDB =& $ilDB : $this->ilDB =& $ilias->db;
30 
31  if (!isset($ilErr))
32  {
33  $ilErr = new ilErrorHandling();
34  $ilErr->setErrorHandling(PEAR_ERROR_CALLBACK,array($ilErr,'errorHandler'));
35  }
36  else
37  {
38  $this->ilErr =& $ilErr;
39  }
40  }

Member Function Documentation

◆ addDesktopItem()

ilRbacAdmin::addDesktopItem (   $a_rol_id,
  $a_usr_id 
)
protected

Add desktop item.

Parameters
type  $a_rol_id
type  $a_usr_id

Definition at line 244 of file class.ilRbacAdmin.php.

References ilObjUser\_addDesktopItem().

Referenced by assignUser(), and assignUserLimited().

245  {
246  include_once 'Services/AccessControl/classes/class.ilRoleDesktopItem.php';
247  $role_desk_item_obj = new ilRoleDesktopItem($a_rol_id);
248  foreach($role_desk_item_obj->getAll() as $item_data)
249  {
250  include_once './Services/User/classes/class.ilObjUser.php';
251  ilObjUser::_addDesktopItem($a_usr_id, $item_data['item_id'], $item_data['item_type']);
252  }
253  }

◆ adjustMovedObjectPermissions()

ilRbacAdmin::adjustMovedObjectPermissions (   $a_ref_id,
  $a_old_parent 
)

Adjust permissions of moved objects.

  • Delete permissions of parent roles that do not exist in new context
  • Delete role templates of parent roles that do not exist in new context
  • Add permissions for parent roles that did not exist in old context

public

Parameters
int  ref id of moved object
int  ref_id of old parent

Definition at line 1269 of file class.ilRbacAdmin.php.

References $ilLog, $log, ilRbacLog\add(), applyMovedObjectDidacticTemplates(), deleteLocalRole(), ilRbacLog\diffFaPa(), ilRbacLog\gatherFaPa(), grantPermission(), initIntersectionPermissions(), ilRbacLog\isActive(), ilObjCourse\lookupCourseNonMemberTemplatesId(), ilObjGroup\lookupGroupStatusTemplateId(), ilRbacLog\MOVE_OBJECT, and revokePermission().

1270  {
1271  global $rbacreview,$tree,$ilLog;
1272 
1273  $new_parent = $tree->getParentId($a_ref_id);
1274  $old_context_roles = $rbacreview->getParentRoleIds($a_old_parent,false);
1275  $new_context_roles = $rbacreview->getParentRoleIds($new_parent,false);
1276 
1277  $for_addition = $for_deletion = array();
1278  foreach($new_context_roles as $new_role_id => $new_role)
1279  {
1280  if(!isset($old_context_roles[$new_role_id]))
1281  {
1282  $for_addition[$new_role_id] = $new_role;
1283  }
1284  elseif($new_role['parent'] != $old_context_roles[$new_role_id]['parent'])
1285  {
1286  // handle stopped inheritance
1287  $for_deletion[$new_role_id] = $new_role;
1288  $for_addition[$new_role_id] = $new_role;
1289  }
1290  }
1291  foreach($old_context_roles as $old_role_id => $old_role)
1292  {
1293  if(!isset($new_context_roles[$old_role_id]))
1294  {
1295  $for_deletion[$old_role_id] = $old_role;
1296  }
1297  }
1298 
1299  if(!count($for_deletion) and !count($for_addition))
1300  {
1301  $this->applyMovedObjectDidacticTemplates($a_ref_id, $a_old_parent);
1302  return true;
1303  }
1304 
1305  include_once "Services/AccessControl/classes/class.ilRbacLog.php";
1306  $rbac_log_active = ilRbacLog::isActive();
1307  if($rbac_log_active)
1308  {
1309  $role_ids = array_unique(array_merge(array_keys($for_deletion), array_keys($for_addition)));
1310  }
1311 
1312  foreach($nodes = $tree->getSubTree($tree->getNodeData($a_ref_id),true) as $node_data)
1313  {
1314  $node_id = $node_data['child'];
1315 
1316  if($rbac_log_active)
1317  {
1318  $log_old = ilRbacLog::gatherFaPa($node_id, $role_ids);
1319  }
1320 
1321  // If $node_data['type'] is not set, this means there is a tree entry without
1322  // object_reference and/or object_data entry
1323  // Continue in this case
1324  if(!$node_data['type'])
1325  {
1326  $ilLog->write(__METHOD__.': No type give. Choosing next tree entry.');
1327  continue;
1328  }
1329 
1330  if(!$node_id)
1331  {
1332  $ilLog->write(__METHOD__.': Missing subtree node_id');
1333  continue;
1334  }
1335 
1336  foreach($for_deletion as $role_id => $role_data)
1337  {
1338  $this->deleteLocalRole($role_id,$node_id);
1339  $this->revokePermission($node_id,$role_id,false);
1340 //var_dump("<pre>",'REVOKE',$role_id,$node_id,$rolf_id,"</pre>");
1341  }
1342  foreach($for_addition as $role_id => $role_data)
1343  {
1344  switch($node_data['type'])
1345  {
1346  case 'grp':
1347  include_once './Modules/Group/classes/class.ilObjGroup.php';
1348  $tpl_id = ilObjGroup::lookupGroupStatusTemplateId($node_data['obj_id']);
1349  $this->initIntersectionPermissions(
1350  $node_data['child'],
1351  $role_id,
1352  $role_data['parent'],
1353  $tpl_id,
1354  ROLE_FOLDER_ID
1355  );
1356  break;
1357 
1358  case 'crs':
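1359  include_once './Modules/Course/classes/class.ilObjCourse.php';
1360  $tpl_id = ilObjCourse::lookupCourseNonMemberTemplatesId();
1361  $this->initIntersectionPermissions(
1362  $node_data['child'],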
1363  $role_id,
1364  $role_data['parent'],
1365  $tpl_id,
1366  ROLE_FOLDER_ID
1367  );
1368  break;
1369 
1370 
1371  default:
1372  $this->grantPermission(
1373  $role_id,
1374  $ops = $rbacreview->getOperationsOfRole($role_id,$node_data['type'],$role_data['parent']),
1375  $node_id);
1376  break;
1377 
1378 
1379  }
1380 
1381 
1382 //var_dump("<pre>",'GRANT',$role_id,$ops,$role_id,$node_data['type'],$role_data['parent'],"</pre>");
1383  }
1384 
1385  if($rbac_log_active)
1386  {
1387  $log_new = ilRbacLog::gatherFaPa($node_id, $role_ids);
1388  $log = ilRbacLog::diffFaPa($log_old, $log_new);
1389  ilRbacLog::add(ilRbacLog::MOVE_OBJECT, $node_id, $log);
1390  }
1391  }
1392 
1393  $this->applyMovedObjectDidacticTemplates($a_ref_id,$a_old_parent);
1394 
1395  }
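
The role comparison that adjustMovedObjectPermissions() performs, modelled on plain arrays and extended with an audit for grants a move would leave behind. This is an added example, not ILIAS code: parentRoles(), diffContextRoles(), staleGrants(), the rbac_pa row shape (rol_id, ref_id) and every id below are assumptions constructed for illustration.

```php
<?php
// Added illustration, not ILIAS code. All ids and rows below are constructed.

/**
 * Hypothetical stand-in for $rbacreview->getParentRoleIds(): walk from $ref_id to the
 * root and record, per role, the nearest node that carries an rbac_fa row for it.
 * Assumption: the nearest row wins; that is what makes 'parent' change when
 * inheritance is stopped further down the tree.
 */
function parentRoles(array $tree, array $rbac_fa, int $ref_id): array
{
    $roles = [];
    for ($node = $ref_id; $node !== null; $node = $tree[$node] ?? null) {
        foreach ($rbac_fa as $row) {
            if ($row['parent'] === $node && !isset($roles[$row['rol_id']])) {
                $roles[$row['rol_id']] = ['parent' => $node];
            }
        }
    }
    return $roles;
}

/** The classification from the listing (new-only, old-only, changed parent) as a pure function. */
function diffContextRoles(array $old, array $new): array
{
    $add = $del = [];
    foreach ($new as $id => $role) {
        if (!isset($old[$id])) {
            $add[$id] = $role;                      // role exists only in the new context
        } elseif ($role['parent'] !== $old[$id]['parent']) {
            $del[$id] = $add[$id] = $role;          // stopped inheritance: revoke, then re-derive
        }
    }
    foreach ($old as $id => $role) {
        if (!isset($new[$id])) {
            $del[$id] = $role;                      // role exists only in the old context
        }
    }
    return ['add' => $add, 'del' => $del];
}

/**
 * Audit: grants on the moved subtree held by roles that cannot be reached from the
 * node's current position in the tree. Every hit is access retained from the old context.
 */
function staleGrants(array $tree, array $rbac_fa, array $rbac_pa, array $subtree): array
{
    $stale = [];
    foreach ($rbac_pa as $grant) {
        if (!in_array($grant['ref_id'], $subtree, true)) {
            continue;
        }
        $visible = parentRoles($tree, $rbac_fa, $grant['ref_id']);
        if (!isset($visible[$grant['rol_id']])) {
            $stale[] = $grant;
        }
    }
    return $stale;
}

// Constructed sample: object 30 is moved from course 10 to course 20.
$tree_before = [1 => null, 10 => 1, 20 => 1, 30 => 10];
$tree_after  = [1 => null, 10 => 1, 20 => 1, 30 => 20];
$rbac_fa = [
    ['rol_id' => 2,   'parent' => 1,  'assign' => 'y'],  // global role
    ['rol_id' => 100, 'parent' => 10, 'assign' => 'y'],  // local role of course 10
    ['rol_id' => 200, 'parent' => 20, 'assign' => 'y'],  // local role of course 20
    ['rol_id' => 2,   'parent' => 20, 'assign' => 'n'],  // inheritance of role 2 stopped at 20
];
$rbac_pa = [['rol_id' => 2, 'ref_id' => 30], ['rol_id' => 100, 'ref_id' => 30]];

$diff = diffContextRoles(
    parentRoles($tree_before, $rbac_fa, 10),   // context of the old parent
    parentRoles($tree_after, $rbac_fa, 20)     // context of the new parent
);
printf("revoke for roles:    %s\n", implode(', ', array_keys($diff['del'])));
printf("re-derive for roles: %s\n", implode(', ', array_keys($diff['add'])));
printf("stale grants without adjustment: %d\n",
    count(staleGrants($tree_after, $rbac_fa, $rbac_pa, [30])));

// Apply the diff to the grant table the way the loop over the subtree does.
$adjusted = array_values(array_filter($rbac_pa, function ($g) use ($diff) {
    return !isset($diff['del'][$g['rol_id']]);
}));
foreach (array_keys($diff['add']) as $rol_id) {
    $adjusted[] = ['rol_id' => $rol_id, 'ref_id' => 30];
}
printf("stale grants after adjustment:   %d\n",
    count(staleGrants($tree_after, $rbac_fa, $adjusted, [30])));
```

Role 2 lands in both sets because its nearest rbac_fa row differs between the two contexts, which is the "stopped inheritance" branch of the listing.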

◆ applyMovedObjectDidacticTemplates()

ilRbacAdmin::applyMovedObjectDidacticTemplates (   $a_ref_id,
  $a_old_parent 
)
protected

Apply didactic templates after object movement.

Parameters
int  $a_ref_id
int  $a_old_parent
Deprecated:
Since version 5.1.0; will be removed with 5.4 and implemented using an event handler.

Definition at line 1239 of file class.ilRbacAdmin.php.

References ilDidacticTemplateActionFactory\getActionsByTemplateId(), and ilDidacticTemplateObjSettings\lookupTemplateId().

Referenced by adjustMovedObjectPermissions().

1240  {
1241  include_once './Services/DidacticTemplate/classes/class.ilDidacticTemplateObjSettings.php';
1242  $tpl_id = ilDidacticTemplateObjSettings::lookupTemplateId($a_ref_id);
1243  if(!$tpl_id) {
1244  return;
1245  }
1246  include_once './Services/DidacticTemplate/classes/class.ilDidacticTemplateActionFactory.php';
1247  foreach(ilDidacticTemplateActionFactory::getActionsByTemplateId($tpl_id) as $action) {
1248  if($action instanceof ilDidacticTemplateLocalRoleAction) {
1249  continue;
1250  }
1251  $action->setRefId($a_ref_id);
1252  $action->apply();
1253  }
1254  return;
1255  }

◆ assignOperationToObject()

ilRbacAdmin::assignOperationToObject (   $a_type_id,
  $a_ops_id 
)

Assign an existing operation to an object. Update of rbac_ta.

public

Parameters
integer  object type
integer  operation_id
Returns
boolean

Definition at line 1047 of file class.ilRbacAdmin.php.

References $ilDB, $query, and $res.

1048  {
1049  global $ilDB;
1050 
1051  if (!isset($a_type_id) or !isset($a_ops_id))
1052  {
1053  $message = get_class($this)."::assignOperationToObject(): Missing parameter!".
1054  "type_id: ".$a_type_id.
1055  "ops_id: ".$a_ops_id;
1056  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
1057  }
1058 
1059  $query = "INSERT INTO rbac_ta (typ_id, ops_id) ".
1060  "VALUES(".$ilDB->quote($a_type_id,'integer').",".$ilDB->quote($a_ops_id,'integer').")";
1061  $res = $ilDB->manipulate($query);
1062  return true;
1063  }

◆ assignRoleToFolder()

ilRbacAdmin::assignRoleToFolder (   $a_rol_id,
  $a_parent,
  $a_assign = "y" 
)

Assigns a role to a role folder. A role folder is an object to store roles.

Every role is assigned to at least one role folder. If the inheritance of a role is stopped, a new role template is created and the role is assigned to at least two role folders. All roles with stopped inheritance need the flag '$a_assign = false'.

public

Parameters
integer  object id of role
integer  ref_id of role folder
string  assignable ('y','n'); default: 'y'
Returns
boolean

Definition at line 1001 of file class.ilRbacAdmin.php.

References $ilDB, $query, $res, and ilLoggerFactory\getLogger().

Referenced by copyLocalRoles(), and initIntersectionPermissions().

1002  {
1003  global $ilDB,$rbacreview;
1004 
1005  if (!isset($a_rol_id) or !isset($a_parent))
1006  {
1007  $message = get_class($this)."::assignRoleToFolder(): Missing Parameter!".
1008  " role_id: ".$a_rol_id.
1009  " parent_id: ".$a_parent.
1010  " assign: ".$a_assign;
1011  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
1012  }
1013 
1014  // exclude system role from rbac
1015  if ($a_rol_id == SYSTEM_ROLE_ID)
1016  {
1017  return true;
1018  }
1019 
1020  // if a wrong value is passed, always set assign to "n"
1021  if ($a_assign != "y")
1022  {
1023  $a_assign = "n";
1024  }
1025 
1026  ilLoggerFactory::getLogger('ac')->debug('Assign role to folder: ' . $a_rol_id.' '. $a_parent);
1027 
1028  $query = sprintf('INSERT INTO rbac_fa (rol_id, parent, assign, protected) '.
1029  'VALUES (%s,%s,%s,%s)',
1030  $ilDB->quote($a_rol_id,'integer'),
1031  $ilDB->quote($a_parent,'integer'),
1032  $ilDB->quote($a_assign,'text'),
1033  $ilDB->quote('n','text'));
1034  $res = $ilDB->manipulate($query);
1035 
1036  return true;
1037  }

◆ assignUser()

ilRbacAdmin::assignUser (   $a_rol_id,
  $a_usr_id 
)

Assigns a user to a role.

Update of table rbac_ua. TODO: remove deprecated 3rd parameter sometime.

public

Parameters
integer  object_id of role
integer  object_id of user
boolean  true means default role (optional)
Returns
boolean

Definition at line 265 of file class.ilRbacAdmin.php.

References $GLOBALS, $ilDB, $query, $ref_id, $res, ilLDAPRoleGroupMapping\_getInstance(), ilObject\_lookupObjId(), ilObject\_lookupType(), addDesktopItem(), and ilLoggerFactory\getInstance().

266  {
267  global $ilDB,$rbacreview;
268 
269  if (!isset($a_rol_id) or !isset($a_usr_id))
270  {
271  $message = get_class($this)."::assignUser(): Missing parameter! role_id: ".$a_rol_id." usr_id: ".$a_usr_id;
272  #$this->ilErr->raiseError($message,$this->ilErr->WARNING);
273  }
274 
275  // check if already assigned user id and role_id
276  $alreadyAssigned = $rbacreview->isAssigned($a_usr_id,$a_rol_id);
277 
278  // enhanced: only if we haven't had this role for this user
279  if (!$alreadyAssigned)
280  {
281  $query = "INSERT INTO rbac_ua (usr_id, rol_id) ".
282  "VALUES (".$ilDB->quote($a_usr_id,'integer').",".$ilDB->quote($a_rol_id,'integer').")";
283  $res = $ilDB->manipulate($query);
284 
285  $this->addDesktopItem($a_rol_id, $a_usr_id);
286 
287  $rbacreview->setAssignedCacheEntry($a_rol_id,$a_usr_id,true);
288  }
289 
290  include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
291  $mapping = ilLDAPRoleGroupMapping::_getInstance();
292  $mapping->assign($a_rol_id,$a_usr_id);
293 
294 
295  $ref_id = $GLOBALS['rbacreview']->getObjectReferenceOfRole($a_rol_id);
296  $obj_id = ilObject::_lookupObjId($ref_id);
297  $type = ilObject::_lookupType($obj_id);
298 
299  if(!$alreadyAssigned)
300  {
301  ilLoggerFactory::getInstance()->getLogger('ac')->debug('Raise event assign user');
302  $GLOBALS['ilAppEventHandler']->raise(
303  'Services/AccessControl',
304  'assignUser',
305  array(
306  'obj_id' => $obj_id,
307  'usr_id' => $a_usr_id,
308  'role_id' => $a_rol_id,
309  'type' => $type
310  )
311  );
312  }
313  return TRUE;
314  }

◆ assignUserLimited()

ilRbacAdmin::assignUserLimited (   $a_role_id,
  $a_usr_id,
  $a_limit,
  $a_limited_roles = array() 
)

Assign user limited.

Parameters
type  $a_role_id
type  $a_usr_id
type  $a_limit

Definition at line 202 of file class.ilRbacAdmin.php.

References $GLOBALS, $ilDB, $query, $res, $row, ilLDAPRoleGroupMapping\_getInstance(), addDesktopItem(), DB_FETCHMODE_OBJECT, and ilDB\LOCK_WRITE.

203  {
204  global $ilDB;
205 
206  $GLOBALS['ilDB']->lockTables(
207  array(
208  0 => array('name' => 'rbac_ua', 'type' => ilDB::LOCK_WRITE)
209  )
210  );
211 
212  $limit_query = 'SELECT COUNT(*) num FROM rbac_ua '.
213  'WHERE '.$GLOBALS['ilDB']->in('rol_id',(array) $a_limited_roles,FALSE,'integer');
214  $res = $GLOBALS['ilDB']->query($limit_query);
215  $row = $res->fetchRow(DB_FETCHMODE_OBJECT);
216  if($row->num >= $a_limit)
217  {
218  $GLOBALS['ilDB']->unlockTables();
219  return FALSE;
220  }
221 
222  $query = "INSERT INTO rbac_ua (usr_id, rol_id) ".
223  "VALUES (".
224  $ilDB->quote($a_usr_id,'integer').",".$ilDB->quote($a_role_id,'integer').
225  ")";
226  $res = $ilDB->manipulate($query);
227 
228  $GLOBALS['ilDB']->unlockTables();
229  $GLOBALS['rbacreview']->setAssignedCacheEntry($a_role_id,$a_usr_id,TRUE);
230 
231  $this->addDesktopItem($a_role_id,$a_usr_id);
232 
233  include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
234  $mapping = ilLDAPRoleGroupMapping::_getInstance();
235  $mapping->assign($a_role_id,$a_usr_id);
236  return TRUE;
237  }

◆ copyEffectiveRolePermissions()

ilRbacAdmin::copyEffectiveRolePermissions (   $a_source_ref_id,
  $target_ref_id,
  $a_subtree_id 
)

Copies all permission from source to target for all roles.

Parameters
type  $a_source_ref_id
type  $target_ref_id
type  $a_subtree_id

Definition at line 1404 of file class.ilRbacAdmin.php.

References $GLOBALS.

1405  {
1406  global $rbacreview;
1407 
1408  $parent_roles = $rbacreview->getParentRoleIds($a_source_ref_id, FALSE);
1409  $GLOBALS['ilLog']->write(__METHOD__.': '. print_r($parent_roles,TRUE));
1410 
1411 
1412 
1413  }

◆ copyLocalRoles()

ilRbacAdmin::copyLocalRoles (   $a_source_id,
  $a_target_id 
)

Copy local roles. This method creates a copy of all local roles.

Note: auto generated roles are excluded

public

Parameters
int  source id of object (not role folder)
int  target id of object

Definition at line 1124 of file class.ilRbacAdmin.php.

References $ilLog, assignRoleToFolder(), and copyRolePermissions().

1125  {
1126  global $rbacreview,$ilLog,$ilObjDataCache;
1127 
1128  $real_local = array();
1129  foreach($rbacreview->getRolesOfRoleFolder($a_source_id,false) as $role_data)
1130  {
1131  $title = $ilObjDataCache->lookupTitle($role_data);
1132  if(substr($title,0,3) == 'il_')
1133  {
1134  continue;
1135  }
1136  $real_local[] = $role_data;
1137  }
1138  if(!count($real_local))
1139  {
1140  return true;
1141  }
1142  // Create role folder
1143  foreach($real_local as $role)
1144  {
1145  include_once ("./Services/AccessControl/classes/class.ilObjRole.php");
1146  $orig = new ilObjRole($role);
1147  $orig->read();
1148 
1149  $ilLog->write(__METHOD__.': Start copying of role '.$orig->getTitle());
1150  $roleObj = new ilObjRole();
1151  $roleObj->setTitle($orig->getTitle());
1152  $roleObj->setDescription($orig->getDescription());
1153  $roleObj->setImportId($orig->getImportId());
1154  $roleObj->create();
1155 
1156  $this->assignRoleToFolder($roleObj->getId(),$a_target_id,"y");
1157  $this->copyRolePermissions($role,$a_source_id,$a_target_id,$roleObj->getId(),true);
1158  $ilLog->write(__METHOD__.': Added new local role, id '.$roleObj->getId());
1159  }
1160 
1161  }

◆ copyRolePermissionIntersection()

ilRbacAdmin::copyRolePermissionIntersection (   $a_source1_id,
  $a_source1_parent,
  $a_source2_id,
  $a_source2_parent,
  $a_dest_parent,
  $a_dest_id 
)

Copies the intersection of the template permissions of two roles to a third role.

public

Parameters
integer  $a_source1_id  role_id source
integer  $a_source1_parent  parent_id source
integer  $a_source2_id  role_id source
integer  $a_source2_parent  parent_id source
integer  $a_dest_id  role_id destination
integer  $a_dest_parent  parent_id destination
Returns
boolean

Definition at line 720 of file class.ilRbacAdmin.php.

References $GLOBALS, $ilDB, $query, $res, $row, and DB_FETCHMODE_OBJECT.

Referenced by initIntersectionPermissions().

721  {
722  global $rbacreview,$ilDB;
723 
724  if (!isset($a_source1_id) or !isset($a_source1_parent)
725  or !isset($a_source2_id) or !isset($a_source2_parent)
726  or !isset($a_dest_id) or !isset($a_dest_parent))
727  {
728  $message = get_class($this)."::copyRolePermissionIntersection(): Missing parameter! source1_id: ".$a_source1_id.
729  " source1_parent: ".$a_source1_parent.
730  " source2_id: ".$a_source2_id.
731  " source2_parent: ".$a_source2_parent.
732  " dest_id: ".$a_dest_id.
733  " dest_parent_id: ".$a_dest_parent;
734  $this->ilErr->raiseError($message,$this->ilErr->WARNING);
735  }
736 
737  // exclude system role from rbac
738  if ($a_dest_id == SYSTEM_ROLE_ID)
739  {
740  return true;
741  }
742 
743  if ($rbacreview->isProtected($a_source2_parent,$a_source2_id))
744  {
745  $GLOBALS['ilLog']->write(__METHOD__.': Role is protected');
746  return true;
747  }
748 
749  $query = "SELECT s1.type, s1.ops_id ".
750  "FROM rbac_templates s1, rbac_templates s2 ".
751  "WHERE s1.rol_id = ".$ilDB->quote($a_source1_id,'integer')." ".
752  "AND s1.parent = ".$ilDB->quote($a_source1_parent,'integer')." ".
753  "AND s2.rol_id = ".$ilDB->quote($a_source2_id,'integer')." ".
754  "AND s2.parent = ".$ilDB->quote($a_source2_parent,'integer')." ".
755  "AND s1.type = s2.type ".
756  "AND s1.ops_id = s2.ops_id";
757  $res = $ilDB->query($query);
758  $operations = array();
759  $rowNum = 0;
760  while($row = $res->fetchRow(DB_FETCHMODE_OBJECT))
761  {
762  $operations[$rowNum]['type'] = $row->type;
763  $operations[$rowNum]['ops_id'] = $row->ops_id;
764 
765  $rowNum++;
766  }
767 
768  // Delete template permissions of target
769  $query = 'DELETE FROM rbac_templates WHERE rol_id = '.$ilDB->quote($a_dest_id,'integer').' '.
770  'AND parent = '.$ilDB->quote($a_dest_parent,'integer');
771  $res = $ilDB->manipulate($query);
772 
773  $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
774  'VALUES (?,?,?,?)';
775  $sta = $ilDB->prepareManip($query,array('integer','text','integer','integer'));
776  foreach($operations as $key => $set)
777  {
778  $ilDB->execute($sta,array(
779  $a_dest_id,
780  $set['type'],
781  $set['ops_id'],
782  $a_dest_parent));
783  }
784  return true;
785  }

◆ copyRolePermissions()

ilRbacAdmin::copyRolePermissions (   $a_source_id,
  $a_source_parent,
  $a_dest_parent,
  $a_dest_id,
  $a_consider_protected = true 
)

Copies template permissions and permission of one role to another.

public

Parameters
integer  $a_source_id  role_id source
integer  $a_source_parent  parent_id source
integer  $a_dest_parent  parent_id destination
integer  $a_dest_id  role_id destination
Returns
boolean

Definition at line 623 of file class.ilRbacAdmin.php.

References copyRoleTemplatePermissions(), grantPermission(), and revokePermission().

Referenced by copyLocalRoles().

624  {
625  global $tree,$rbacreview;
626 
627  // Copy template permissions
628  $this->copyRoleTemplatePermissions($a_source_id,$a_source_parent,$a_dest_parent,$a_dest_id,$a_consider_protected);
629 
630  $ops = $rbacreview->getRoleOperationsOnObject($a_source_id,$a_source_parent);
631 
632  $this->revokePermission($a_dest_parent,$a_dest_id);
633  $this->grantPermission($a_dest_id,$ops,$a_dest_parent);
634  return true;
635  }

◆ copyRolePermissionSubtract()

ilRbacAdmin::copyRolePermissionSubtract (   $a_source_id,
  $a_source_parent,
  $a_dest_id,
  $a_dest_parent 
)

Subtract role permissions.

Parameters
type  $a_source_id
type  $a_source_parent
type  $a_dest_id
type  $a_dest_parent

Definition at line 863 of file class.ilRbacAdmin.php.

References $ilDB, and $query.

864  {
865  global $rbacreview, $ilDB;
866 
867  $s1_ops = $rbacreview->getAllOperationsOfRole($a_source_id,$a_source_parent);
868  $d_ops = $rbacreview->getAllOperationsOfRole($a_dest_id,$a_dest_parent);
869 
870  foreach($s1_ops as $type => $ops)
871  {
872  foreach($ops as $op)
873  {
874  if(isset($d_ops[$type]) and in_array($op, $d_ops[$type]))
875  {
876  $query = 'DELETE FROM rbac_templates '.
877  'WHERE rol_id = '.$ilDB->quote($a_dest_id,'integer').' '.
878  'AND type = '.$ilDB->quote($type,'text').' '.
879  'AND ops_id = '.$ilDB->quote($op,'integer').' '.
880  'AND parent = '.$ilDB->quote($a_dest_parent,'integer');
881  $ilDB->manipulate($query);
882  }
883  }
884  }
885  return true;
886  }

◆ copyRolePermissionUnion()

ilRbacAdmin::copyRolePermissionUnion (   $a_source1_id,
  $a_source1_parent,
  $a_source2_id,
  $a_source2_parent,
  $a_dest_id,
  $a_dest_parent 
)

<type> $ilDB

Parameters
<type>  $a_source1_id
<type>  $a_source1_parent
<type>  $a_source2_id
<type>  $a_source2_parent
<type>  $a_dest_id
<type>  $a_dest_parent
Returns
<type>

Definition at line 798 of file class.ilRbacAdmin.php.

References $GLOBALS, $ilDB, $query, and deleteRolePermission().

805  {
806  global $ilDB, $rbacreview;
807 
808 
809  $s1_ops = $rbacreview->getAllOperationsOfRole($a_source1_id,$a_source1_parent);
810  $s2_ops = $rbacreview->getAlloperationsOfRole($a_source2_id,$a_source2_parent);
811 
812  $this->deleteRolePermission($a_dest_id, $a_dest_parent);
813 
814  $GLOBALS['ilLog']->write(__METHOD__.': '.print_r($s1_ops,TRUE));
815  $GLOBALS['ilLog']->write(__METHOD__.': '.print_r($s2_ops,TRUE));
816 
817  foreach($s1_ops as $type => $ops)
818  {
819  foreach($ops as $op)
820  {
821  // insert all permission of source 1
822  // #15469
823  $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
824  'VALUES( '.
825  $ilDB->quote($a_dest_id,'integer').', '.
826  $ilDB->quote($type,'text').', '.
827  $ilDB->quote($op,'integer').', '.
828  $ilDB->quote($a_dest_parent,'integer').' '.
829  ')';
830  $ilDB->manipulate($query);
831  }
832  }
833 
834  // and the other direction...
835  foreach($s2_ops as $type => $ops)
836  {
837  foreach($ops as $op)
838  {
839  if(!isset($s1_ops[$type]) or !in_array($op, $s1_ops[$type]))
840  {
841  $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
842  'VALUES( '.
843  $ilDB->quote($a_dest_id,'integer').', '.
844  $ilDB->quote($type,'text').', '.
845  $ilDB->quote($op,'integer').', '.
846  $ilDB->quote($a_dest_parent,'integer').' '.
847  ')';
848  $ilDB->manipulate($query);
849  }
850  }
851  }
852 
853  return true;
854  }

◆ copyRoleTemplatePermissions()

ilRbacAdmin::copyRoleTemplatePermissions (   $a_source_id,
  $a_source_parent,
  $a_dest_parent,
  $a_dest_id,
  $a_consider_protected = true 
)

Copies template permissions of one role to another.

It's also possible to copy template permissions from/to RoleTemplateObject.

public

Parameters
integer  $a_source_id  role_id source
integer  $a_source_parent  parent_id source
integer  $a_dest_parent  parent_id destination
integer  $a_dest_id  role_id destination
Returns
boolean

Definition at line 647 of file class.ilRbacAdmin.php.

References $ilDB, $query, $res, $row, and setProtected().

Referenced by copyRolePermissions().

{
    global $rbacreview,$ilDB;

    if (!isset($a_source_id) or !isset($a_source_parent) or !isset($a_dest_id) or !isset($a_dest_parent))
    {
        $message = __METHOD__.": Missing parameter! source_id: ".$a_source_id.
            " source_parent_id: ".$a_source_parent.
            " dest_id : ".$a_dest_id.
            " dest_parent_id: ".$a_dest_parent;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_dest_id == SYSTEM_ROLE_ID)
    {
        return true;
    }

    // Read operations
    $query = 'SELECT * FROM rbac_templates '.
        'WHERE rol_id = '.$ilDB->quote($a_source_id,'integer').' '.
        'AND parent = '.$ilDB->quote($a_source_parent,'integer');
    $res = $ilDB->query($query);
    $operations = array();
    $rownum = 0;
    while ($row = $ilDB->fetchObject($res))
    {
        $operations[$rownum]['type'] = $row->type;
        $operations[$rownum]['ops_id'] = $row->ops_id;
        $rownum++;
    }

    // Delete target permissions
    $query = 'DELETE FROM rbac_templates WHERE rol_id = '.$ilDB->quote($a_dest_id,'integer').' '.
        'AND parent = '.$ilDB->quote($a_dest_parent,'integer');
    $res = $ilDB->manipulate($query);

    foreach($operations as $row => $op)
    {
        $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
            'VALUES ('.
            $ilDB->quote($a_dest_id,'integer').",".
            $ilDB->quote($op['type'],'text').",".
            $ilDB->quote($op['ops_id'],'integer').",".
            $ilDB->quote($a_dest_parent,'integer').")";
        $ilDB->manipulate($query);
    }

    // copy also protection status if applicable
    if ($a_consider_protected == true)
    {
        if ($rbacreview->isProtected($a_source_parent,$a_source_id))
        {
            $this->setProtected($a_dest_parent,$a_dest_id,'y');
        }
    }

    return true;
}

◆ deassignOperationFromObject()

ilRbacAdmin::deassignOperationFromObject (   $a_type_id,
  $a_ops_id 
)

Deassigns an existing operation from an object. Update of rbac_ta. Access: public.

Parameters
integer: object type
integer: operation_id
Returns
boolean

Definition at line 1073 of file class.ilRbacAdmin.php.

References $ilDB, $query, and $res.

{
    global $ilDB;

    if (!isset($a_type_id) or !isset($a_ops_id))
    {
        // message names this method and separates the fields with spaces
        $message = get_class($this)."::deassignOperationFromObject(): Missing parameter!".
            " type_id: ".$a_type_id.
            " ops_id: ".$a_ops_id;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    $query = "DELETE FROM rbac_ta ".
        "WHERE typ_id = ".$ilDB->quote($a_type_id,'integer')." ".
        "AND ops_id = ".$ilDB->quote($a_ops_id,'integer');
    $res = $ilDB->manipulate($query);

    return true;
}

◆ deassignUser()

ilRbacAdmin::deassignUser (   $a_rol_id,
  $a_usr_id 
)

Deassigns a user from a role.

Update of table rbac_ua. Access: public.

Parameters
integer: object id of role
integer: object id of user
Returns
boolean true on success

Definition at line 323 of file class.ilRbacAdmin.php.

References $GLOBALS, $ilDB, $query, $ref_id, $res, ilLDAPRoleGroupMapping\_getInstance(), ilObject\_lookupObjId(), ilObject\_lookupType(), and ilLoggerFactory\getInstance().

{
    global $ilDB, $rbacreview;

    if (!isset($a_rol_id) or !isset($a_usr_id))
    {
        $message = get_class($this)."::deassignUser(): Missing parameter! role_id: ".$a_rol_id." usr_id: ".$a_usr_id;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    $query = "DELETE FROM rbac_ua ".
        "WHERE usr_id = ".$ilDB->quote($a_usr_id,'integer')." ".
        "AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
    $res = $ilDB->manipulate($query);

    // keep the in-memory assignment cache consistent with the table
    $rbacreview->setAssignedCacheEntry($a_rol_id,$a_usr_id,false);

    include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
    $mapping = ilLDAPRoleGroupMapping::_getInstance();
    $mapping->deassign($a_rol_id,$a_usr_id);

    $ref_id = $GLOBALS['rbacreview']->getObjectReferenceOfRole($a_rol_id);
    $obj_id = ilObject::_lookupObjId($ref_id);
    $type = ilObject::_lookupType($obj_id);

    ilLoggerFactory::getInstance()->getLogger('ac')->debug('Raise event deassign user');
    $GLOBALS['ilAppEventHandler']->raise(
        'Services/AccessControl',
        'deassignUser',
        array(
            'obj_id' => $obj_id,
            'usr_id' => $a_usr_id,
            'role_id' => $a_rol_id,
            'type' => $type
        )
    );
    return TRUE;
}

◆ deleteLocalRole()

ilRbacAdmin::deleteLocalRole (   $a_rol_id,
  $a_ref_id = 0 
)

Deletes a local role and entries in rbac_fa and rbac_templates. Access: public.

Parameters
integer: object_id of role
integer: ref_id of role folder (optional)
Returns
boolean true on success

Definition at line 163 of file class.ilRbacAdmin.php.

References $ilDB, $query, and $res.

Referenced by adjustMovedObjectPermissions(), and deleteRole().

{
    global $ilDB;

    if (!isset($a_rol_id))
    {
        $message = get_class($this)."::deleteLocalRole(): Missing parameter! role_id: '".$a_rol_id."'";
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID)
    {
        return true;
    }

    // without a ref_id the role's entries are deleted for every parent
    $clause = '';
    if ($a_ref_id != 0)
    {
        $clause = 'AND parent = '.$ilDB->quote($a_ref_id,'integer').' ';
    }

    $query = 'DELETE FROM rbac_fa '.
        'WHERE rol_id = '.$ilDB->quote($a_rol_id,'integer').' '.
        $clause;
    $res = $ilDB->manipulate($query);

    $query = 'DELETE FROM rbac_templates '.
        'WHERE rol_id = '.$ilDB->quote($a_rol_id,'integer').' '.
        $clause;
    $res = $ilDB->manipulate($query);
    return true;
}

◆ deleteRole()

ilRbacAdmin::deleteRole (   $a_rol_id,
  $a_ref_id 
)

Deletes a role and deletes entries in object_data, rbac_pa, rbac_templates, rbac_ua, rbac_fa. Access: public.

Parameters
integer: obj_id of role (role_id)
integer: ref_id of role folder (ref_id)
Returns
boolean true on success

Definition at line 89 of file class.ilRbacAdmin.php.

References $ilDB, $lng, $query, $res, ilLDAPRoleGroupMapping\_getInstance(), and deleteLocalRole().

{
    global $lng,$ilDB;

    if (!isset($a_rol_id) or !isset($a_ref_id))
    {
        $message = get_class($this)."::deleteRole(): Missing parameter! role_id: ".$a_rol_id." ref_id of role folder: ".$a_ref_id;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID)
    {
        $this->ilErr->raiseError($lng->txt("msg_sysrole_not_deletable"),$this->ilErr->MESSAGE);
    }

    include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
    $mapping = ilLDAPRoleGroupMapping::_getInstance();
    $mapping->deleteRole($a_rol_id);


    // TODO: check assigned users before deletion
    // This is done in ilObjRole. Should be better moved to this place?

    // delete user assignments
    $query = "DELETE FROM rbac_ua ".
        "WHERE rol_id = ".$ilDB->quote($a_rol_id,'integer');
    $res = $ilDB->manipulate($query);

    // delete permission assignments
    $query = "DELETE FROM rbac_pa ".
        "WHERE rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
    $res = $ilDB->manipulate($query);

    //delete rbac_templates and rbac_fa
    $this->deleteLocalRole($a_rol_id);

    return true;
}

◆ deleteRolePermission()

ilRbacAdmin::deleteRolePermission (   $a_rol_id,
  $a_ref_id,
  $a_type = false 
)

Deletes all entries of a template.

If an object type is given as the third parameter, only the entries for that object type are deleted. Update of table rbac_templates. Access: public.

Parameters
integer: object id of role
integer: ref_id of role folder
string: object type (optional)
Returns
boolean

Definition at line 899 of file class.ilRbacAdmin.php.

References $ilDB, $query, and $res.

Referenced by copyRolePermissionUnion().

{
    global $ilDB;

    if (!isset($a_rol_id) or !isset($a_ref_id))
    {
        $message = get_class($this)."::deleteRolePermission(): Missing parameter! role_id: ".$a_rol_id." ref_id: ".$a_ref_id;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID)
    {
        return true;
    }

    // without a type the entries of all object types are deleted
    $and_type = '';
    if ($a_type !== false)
    {
        $and_type = " AND type=".$ilDB->quote($a_type,'text')." ";
    }

    $query = 'DELETE FROM rbac_templates '.
        'WHERE rol_id = '.$ilDB->quote($a_rol_id,'integer').' '.
        'AND parent = '.$ilDB->quote($a_ref_id,'integer').' '.
        $and_type;

    $res = $ilDB->manipulate($query);

    return true;
}

◆ deleteSubtreeTemplates()

ilRbacAdmin::deleteSubtreeTemplates (   $a_ref_id,
  $a_rol_id 
)

Delete all template permissions of subtree nodes.

Parameters
object $a_ref_id
object $a_rol_id
Returns

Definition at line 555 of file class.ilRbacAdmin.php.

References $GLOBALS, $ilDB, and $query.

{
    global $ilDB;

    $query = 'DELETE FROM rbac_templates '.
        'WHERE parent IN ( '.
        $GLOBALS['tree']->getSubTreeQuery($a_ref_id, array('child')).' ) '.
        'AND rol_id = '.$ilDB->quote($a_rol_id,'integer');

    $ilDB->manipulate($query);

    $query = 'DELETE FROM rbac_fa '.
        'WHERE parent IN ( '.
        $GLOBALS['tree']->getSubTreeQuery($a_ref_id,array('child')).' ) '.
        'AND rol_id = '.$ilDB->quote($a_rol_id,'integer');

    $ilDB->manipulate($query);

    return true;
}

◆ deleteTemplate()

ilRbacAdmin::deleteTemplate (   $a_obj_id)

Deletes a template from role folder and deletes all entries in rbac_templates, rbac_fa. Access: public.

Parameters
integer: object_id of role template
Returns
boolean

Definition at line 135 of file class.ilRbacAdmin.php.

References $ilDB, $query, and $res.

{
    global $ilDB;

    if (!isset($a_obj_id))
    {
        $message = get_class($this)."::deleteTemplate(): No obj_id given!";
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    $query = 'DELETE FROM rbac_templates '.
        'WHERE rol_id = '.$ilDB->quote($a_obj_id,'integer');
    $res = $ilDB->manipulate($query);

    $query = 'DELETE FROM rbac_fa '.
        'WHERE rol_id = '.$ilDB->quote($a_obj_id,'integer');
    $res = $ilDB->manipulate($query);

    return true;
}

◆ grantPermission()

ilRbacAdmin::grantPermission (   $a_rol_id,
  $a_ops,
  $a_ref_id 
)

Grants a permission to an object and a specific role.

Update of table rbac_pa. Access: public.

Parameters
integer: object id of role
array: array of operation ids
integer: reference id of that object which is granted the permissions
Returns
boolean

Definition at line 370 of file class.ilRbacAdmin.php.

References $ilDB, $query, and $res.

Referenced by adjustMovedObjectPermissions(), copyRolePermissions(), and initIntersectionPermissions().

{
    global $ilDB;

    if (!isset($a_rol_id) or !isset($a_ops) or !isset($a_ref_id))
    {
        $this->ilErr->raiseError(get_class($this)."::grantPermission(): Missing parameter! ".
            "role_id: ".$a_rol_id." ref_id: ".$a_ref_id." operations: ",$this->ilErr->WARNING);
    }

    if (!is_array($a_ops))
    {
        $this->ilErr->raiseError(get_class($this)."::grantPermission(): Wrong datatype for operations!",
            $this->ilErr->WARNING);
    }

    /*
    if (count($a_ops) == 0)
    {
        return false;
    }
    */
    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID)
    {
        return true;
    }

    // convert all values to integer
    foreach ($a_ops as $key => $operation)
    {
        $a_ops[$key] = (int) $operation;
    }

    // Serialize the ops_id array
    $ops_ids = serialize($a_ops);

    // existing row for this role and object is removed before the new one is written
    $query = 'DELETE FROM rbac_pa '.
        'WHERE rol_id = %s '.
        'AND ref_id = %s';
    $res = $ilDB->queryF($query,array('integer','integer'),
        array($a_rol_id,$a_ref_id));

    if(!count($a_ops))
    {
        return false;
    }

    $query = "INSERT INTO rbac_pa (rol_id,ops_id,ref_id) ".
        "VALUES ".
        "(".$ilDB->quote($a_rol_id,'integer').",".$ilDB->quote($ops_ids,'text').",".$ilDB->quote($a_ref_id,'integer').")";
    $res = $ilDB->manipulate($query);

    return true;
}
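
grantPermission() above stores the operation ids of one role/object pair as a single PHP-serialized array in rbac_pa.ops_id. The following added example is not ILIAS code: encodeOpsIds() and decodeOpsIds() are hypothetical helper names, the sample values are constructed, and it assumes PHP >= 7.1 and that operation ids are positive integers. It reproduces the cast-then-serialize step and pairs it with a decoder that accepts only a flat list of integers.

```php
<?php
// Added example, not part of class.ilRbacAdmin.php.
// encodeOpsIds() and decodeOpsIds() are hypothetical helpers.

/** Encode operation ids as grantPermission() does: cast to int, then serialize(). */
function encodeOpsIds(array $ops): string
{
    foreach ($ops as $key => $operation) {
        $ops[$key] = (int) $operation;
    }
    return serialize($ops);
}

/**
 * Decode a stored rbac_pa.ops_id value.
 * Returns the list of ids, or null when the value is not a flat array of
 * positive integers (assumption: valid operation ids are >= 1).
 */
function decodeOpsIds(string $stored): ?array
{
    // allowed_classes => false: serialized objects become
    // __PHP_Incomplete_Class and no class code is loaded for them.
    // The @ hides the notice unserialize() emits for malformed input.
    $value = @unserialize($stored, ['allowed_classes' => false]);
    if (!is_array($value)) {
        return null;
    }

    $ids = [];
    foreach ($value as $item) {
        if (!is_int($item) || $item < 1) {
            return null;
        }
        $ids[] = $item;
    }
    return $ids;
}

// Constructed sample values for the ops_id column.
$samples = [
    'cast and serialized'     => encodeOpsIds(['2', 3, '4']),
    'string ids, no int cast' => serialize(['2', '3']),
    'serialized object'       => 'O:8:"stdClass":0:{}',
    'object inside the array' => 'a:1:{i:0;O:8:"stdClass":0:{}}',
    'truncated value'         => 'a:2:{i:0;i:2;',
];

foreach ($samples as $label => $stored) {
    $ids = decodeOpsIds($stored);
    echo str_pad($label, 26), $ids === null ? 'rejected' : 'ok: ' . implode(',', $ids), PHP_EOL;
}
```

Only the first sample decodes; the other four are rejected, including the array of numeric strings that would result if the integer cast in grantPermission() were skipped.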

◆ initIntersectionPermissions()

ilRbacAdmin::initIntersectionPermissions (   $a_ref_id,
  $a_role_id,
  $a_role_parent,
  $a_template_id,
  $a_template_parent 
)

Init intersection permissions.

Uses global $rbacreview.

Parameters
type $a_ref_id
type $a_role_id
type $a_role_parent
type $a_template_id
type $a_template_parent
Returns
type

Definition at line 1173 of file class.ilRbacAdmin.php.

References ilObject\_lookupType(), assignRoleToFolder(), copyRolePermissionIntersection(), and grantPermission().

Referenced by adjustMovedObjectPermissions().

{
    global $rbacreview;

    // protected role: take its operations unchanged from the role's parent
    if($rbacreview->isProtected($a_role_parent, $a_role_id))
    {
        // Assign object permissions
        $new_ops = $rbacreview->getOperationsOfRole(
            $a_role_id,
            ilObject::_lookupType($a_ref_id, true),
            $a_role_parent
        );

        // set new permissions for object
        $this->grantPermission(
            $a_role_id,
            (array) $new_ops,
            $a_ref_id
        );
        return;
    }
    if(!$a_template_id)
    {
        return;
    }
    // create template permission intersection
    $this->copyRolePermissionIntersection(
        $a_template_id,
        $a_template_parent,
        $a_role_id,
        $a_role_parent,
        $a_ref_id,
        $a_role_id
    );

    // assign role to folder
    $this->assignRoleToFolder(
        $a_role_id,
        $a_ref_id,
        'n'
    );

    // Assign object permissions
    $new_ops = $rbacreview->getOperationsOfRole(
        $a_role_id,
        ilObject::_lookupType($a_ref_id, true),
        $a_ref_id
    );

    // set new permissions for object
    $this->grantPermission(
        $a_role_id,
        (array) $new_ops,
        $a_ref_id
    );

    return;
}

◆ removeUser()

ilRbacAdmin::removeUser (   $a_usr_id)

Deletes a user from rbac_ua; all user <-> role relations are deleted. Access: public.

Parameters
integer: user_id
Returns
boolean true on success

Definition at line 66 of file class.ilRbacAdmin.php.

References $ilDB, $query, and $res.

{
    global $ilDB;

    if (!isset($a_usr_id))
    {
        $message = get_class($this)."::removeUser(): No usr_id given!";
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    $query = "DELETE FROM rbac_ua WHERE usr_id = ".$ilDB->quote($a_usr_id,'integer');
    $res = $ilDB->manipulate($query);

    return true;
}

◆ revokePermission()

ilRbacAdmin::revokePermission (   $a_ref_id,
  $a_rol_id = 0,
  $a_keep_protected = true 
)

Revokes permissions of an object of one role.

Update of table rbac_pa. Revokes all permissions of all roles for that object (with this reference). When a role_id is given, this applies only to that role. Access: public.

Parameters
integer: reference id of object where permissions should be revoked
integer: role_id (optional: if you want to revoke permissions of object only for a specific role)
Returns
boolean

Definition at line 435 of file class.ilRbacAdmin.php.

References $ilDB, $ilLog, $log, $query, and $res.

Referenced by adjustMovedObjectPermissions(), and copyRolePermissions().

{
    global $rbacreview,$log,$ilDB,$ilLog;

    if (!isset($a_ref_id))
    {
        $ilLog->logStack();
        $message = get_class($this)."::revokePermission(): Missing parameter! ref_id: ".$a_ref_id;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }
    #$log->write("ilRBACadmin::revokePermission(), 0");

    // bypass protected status of roles
    if ($a_keep_protected != true)
    {
        // exclude system role from rbac
        if ($a_rol_id == SYSTEM_ROLE_ID)
        {
            return true;
        }

        if ($a_rol_id)
        {
            $and1 = " AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
        }
        else
        {
            $and1 = "";
        }

        $query = "DELETE FROM rbac_pa ".
            "WHERE ref_id = ".$ilDB->quote($a_ref_id,'integer').
            $and1;

        $res = $ilDB->manipulate($query);

        return true;
    }

    // consider protected status of roles

    // in any case, get all roles in scope first
    $roles_in_scope = $rbacreview->getParentRoleIds($a_ref_id);

    if (!$a_rol_id)
    {
        #$log->write("ilRBACadmin::revokePermission(), 1");

        $role_ids = array();

        foreach ($roles_in_scope as $role)
        {
            if ($role['protected'] == true)
            {
                continue;
            }

            $role_ids[] = $role['obj_id'];
        }

        // return if no role in array
        if (!$role_ids)
        {
            return true;
        }

        $query = 'DELETE FROM rbac_pa '.
            'WHERE '.$ilDB->in('rol_id',$role_ids,false,'integer').' '.
            'AND ref_id = '.$ilDB->quote($a_ref_id,'integer');
        $res = $ilDB->manipulate($query);
    }
    else
    {
        #$log->write("ilRBACadmin::revokePermission(), 2");
        // exclude system role from rbac
        if ($a_rol_id == SYSTEM_ROLE_ID)
        {
            return true;
        }

        // exclude protected permission settings from revoking
        if ($roles_in_scope[$a_rol_id]['protected'] == true)
        {
            return true;
        }

        $query = "DELETE FROM rbac_pa ".
            "WHERE ref_id = ".$ilDB->quote($a_ref_id,'integer')." ".
            "AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
        $res = $ilDB->manipulate($query);
    }

    return true;
}

◆ revokePermissionList()

ilRbacAdmin::revokePermissionList (   $a_ref_ids,
  $a_rol_id 
)

Revokes permissions of a LIST of objects of ONE role.

Update of table rbac_pa. Access: public.

Parameters
array: list of reference_ids to revoke permissions
integer: role_id
Returns
boolean

Definition at line 583 of file class.ilRbacAdmin.php.

References $ilDB, $query, and $res.

{
    global $ilDB;

    if (!isset($a_ref_ids) or !is_array($a_ref_ids))
    {
        // var_export(..., true) returns the dump as a string; var_dump() prints it and returns null
        $message = get_class($this)."::revokePermissionList(): Missing parameter or parameter is not an array! reference_list: ".var_export($a_ref_ids, true);
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    if (!isset($a_rol_id))
    {
        $message = get_class($this)."::revokePermissionList(): Missing parameter! rol_id: ".$a_rol_id;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID)
    {
        return true;
    }

    $query = "DELETE FROM rbac_pa ".
        "WHERE ".$ilDB->in('ref_id',$a_ref_ids,false,'integer').' '.
        "AND rol_id = ".$ilDB->quote($a_rol_id,'integer');
    $res = $ilDB->manipulate($query);

    return true;
}

◆ revokeSubtreePermissions()

ilRbacAdmin::revokeSubtreePermissions (   $a_ref_id,
  $a_role_id 
)

Revoke subtree permissions.

Parameters
object $a_ref_id
object $a_role_id
Returns

Definition at line 536 of file class.ilRbacAdmin.php.

References $ilDB, and $query.

{
    global $ilDB;

    $query = 'DELETE FROM rbac_pa '.
        'WHERE ref_id IN '.
        '( '.$GLOBALS['tree']->getSubTreeQuery($a_ref_id,array('child')).' ) '.
        'AND rol_id = '.$ilDB->quote($a_role_id,'integer');

    $ilDB->manipulate($query);
    return true;
}

◆ setBlockedStatus()

ilRbacAdmin::setBlockedStatus (   $a_role_id,
  $a_ref_id,
  $a_blocked_status 
)

Set blocked status.

Parameters
type $a_role_id
type $a_ref_id
type $a_blocked_status

Definition at line 48 of file class.ilRbacAdmin.php.

References $ilDB, $query, and ilLoggerFactory\getLogger().

{
    global $ilDB;

    ilLoggerFactory::getLogger('crs')->logStack();
    $query = 'UPDATE rbac_fa set blocked = '. $ilDB->quote($a_blocked_status,'integer').' '.
        'WHERE rol_id = '.$ilDB->quote($a_role_id,'integer').' '.
        'AND parent = '.$ilDB->quote($a_ref_id,'integer');
    $ilDB->manipulate($query);
}

◆ setProtected()

ilRbacAdmin::setProtected (   $a_ref_id,
  $a_role_id,
  $a_value 
)

Set protected status (uses global $ilDB).

Parameters
type $a_ref_id
type $a_role_id
type $a_value: y or n
Returns
boolean

Definition at line 1101 of file class.ilRbacAdmin.php.

References $ilDB, $query, and $res.

Referenced by copyRoleTemplatePermissions().

{
    global $ilDB;

    // ref_id not used yet. protected permission acts 'global' for each role,
    // regardless of any broken inheritance before
    $query = 'UPDATE rbac_fa '.
        'SET protected = '.$ilDB->quote($a_value,'text').' '.
        'WHERE rol_id = '.$ilDB->quote($a_role_id,'integer');
    $res = $ilDB->manipulate($query);
    return true;
}

◆ setRolePermission()

ilRbacAdmin::setRolePermission (   $a_rol_id,
  $a_type,
  $a_ops,
  $a_ref_id 
)

Inserts template permissions in rbac_templates for a specific object type.

Update of table rbac_templates. Access: public.

Parameters
integer: role_id
string: object type
array: operation_ids
integer: ref_id of role folder object
Returns
boolean

Definition at line 940 of file class.ilRbacAdmin.php.

References $ilDB, $query, and $res.

{
    global $ilDB;

    if (!isset($a_rol_id) or !isset($a_type) or !isset($a_ops) or !isset($a_ref_id))
    {
        // var_export() renders $a_ops as text; concatenating an array would only yield "Array"
        $message = get_class($this)."::setRolePermission(): Missing parameter!".
            " role_id: ".$a_rol_id.
            " type: ".$a_type.
            " operations: ".var_export($a_ops, true).
            " ref_id: ".$a_ref_id;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    if (!is_string($a_type) or empty($a_type))
    {
        $message = get_class($this)."::setRolePermission(): a_type is no string or empty!";
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    if (!is_array($a_ops) or empty($a_ops))
    {
        $message = get_class($this)."::setRolePermission(): a_ops is no array or empty!";
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID)
    {
        return true;
    }

    // one prepared statement, executed once per operation id
    $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
        'VALUES (?,?,?,?)';
    $sta = $ilDB->prepareManip($query,array('integer','text','integer','integer'));
    foreach ($a_ops as $op)
    {
        $res = $ilDB->execute($sta,array(
            $a_rol_id,
            $a_type,
            $op,
            $a_ref_id
        ));
    }

    return true;
}

The documentation for this class was generated from the following file: