ILIAS  release_5-1 Revision 5.0.0-5477-g43f3e3fab5f
ilRbacAdmin Class Reference

Class ilRbacAdmin: core functions for role-based access control.


Public Member Functions

 __construct ()
 Constructor.

 setBlockedStatus ($a_role_id, $a_ref_id, $a_blocked_status)
 Set blocked status.

 removeUser ($a_usr_id)
 Deletes a user from rbac_ua; all user <-> role relations are deleted.

 deleteRole ($a_rol_id, $a_ref_id)
 Deletes a role and deletes entries in object_data, rbac_pa, rbac_templates, rbac_ua, rbac_fa.

 deleteTemplate ($a_obj_id)
 Deletes a template from role folder and deletes all entries in rbac_templates, rbac_fa.

 deleteLocalRole ($a_rol_id, $a_ref_id=0)
 Deletes a local role and entries in rbac_fa and rbac_templates.

 assignUserLimited ($a_role_id, $a_usr_id, $a_limit, $a_limited_roles=array())
 Assign user limited.

 assignUser ($a_rol_id, $a_usr_id)
 Assigns a user to a role.

 deassignUser ($a_rol_id, $a_usr_id)
 Deassigns a user from a role.

 grantPermission ($a_rol_id, $a_ops, $a_ref_id)
 Grants a permission to an object and a specific role.

 revokePermission ($a_ref_id, $a_rol_id=0, $a_keep_protected=true)
 Revokes permissions of an object of one role.

 revokeSubtreePermissions ($a_ref_id, $a_role_id)
 Revoke subtree permissions.

 deleteSubtreeTemplates ($a_ref_id, $a_rol_id)
 Delete all template permissions of subtree nodes.

 revokePermissionList ($a_ref_ids, $a_rol_id)
 Revokes permissions of a LIST of objects of ONE role.

 copyRolePermissions ($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected=true)
 Copies template permissions and permission of one role to another.

 copyRoleTemplatePermissions ($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected=true)
 Copies template permissions of one role to another.

 copyRolePermissionIntersection ($a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_parent, $a_dest_id)
 Copies the intersection of the template permissions of two roles to a third role.

 copyRolePermissionUnion ($a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_id, $a_dest_parent)
 @global <type> $ilDB

 copyRolePermissionSubtract ($a_source_id, $a_source_parent, $a_dest_id, $a_dest_parent)
 Subtract role permissions.

 deleteRolePermission ($a_rol_id, $a_ref_id, $a_type=false)
 Deletes all entries of a template.

 setRolePermission ($a_rol_id, $a_type, $a_ops, $a_ref_id)
 Inserts template permissions in rbac_templates for a specific object type.

 assignRoleToFolder ($a_rol_id, $a_parent, $a_assign="y")
 Assigns a role to a role folder. A role folder is an object to store roles.

 assignOperationToObject ($a_type_id, $a_ops_id)
 Assign an existing operation to an object. Update of rbac_ta.

 deassignOperationFromObject ($a_type_id, $a_ops_id)
 Deassign an existing operation from an object. Update of rbac_ta.

 setProtected ($a_ref_id, $a_role_id, $a_value)
 Set protected.

 copyLocalRoles ($a_source_id, $a_target_id)
 Copy local roles. This method creates a copy of all local roles.

 initIntersectionPermissions ($a_ref_id, $a_role_id, $a_role_parent, $a_template_id, $a_template_parent)
 Init intersection permissions.

 adjustMovedObjectPermissions ($a_ref_id, $a_old_parent)
 Adjust permissions of moved objects.

 copyEffectiveRolePermissions ($a_source_ref_id, $target_ref_id, $a_subtree_id)
 Copies all permission from source to target for all roles.
 

Protected Member Functions

 addDesktopItem ($a_rol_id, $a_usr_id)
 Add desktop item.

 applyMovedObjectDidacticTemplates ($a_ref_id, $a_old_parent)
 Apply didactic templates after object movement.
 

Detailed Description

Class ilRbacAdmin: core functions for role-based access control.

Creation and maintenance of relations. The main relations of RBAC are the user <-> role (UR) assignment relation and the permission <-> role (PR) assignment relation. This class contains methods to create and delete instances of the UR relation, e.g. assignUser() and deassignUser(). The required methods for the PR relation are grantPermission() and revokePermission().

Author
Stefan Meyer meyer@leifos.com
Version
$Id$

Definition at line 18 of file class.ilRbacAdmin.php.

Constructor & Destructor Documentation

◆ __construct()

ilRbacAdmin::__construct ( )

Constructor.

@access public

Definition at line 24 of file class.ilRbacAdmin.php.

25 {
26 global $ilDB,$ilErr,$ilias;
27
28 // set db & error handler
29 (isset($ilDB)) ? $this->ilDB =& $ilDB : $this->ilDB =& $ilias->db;
30
31 if (!isset($ilErr))
32 {
33 $ilErr = new ilErrorHandling();
34 $ilErr->setErrorHandling(PEAR_ERROR_CALLBACK,array($ilErr,'errorHandler'));
35 }
36 else
37 {
38 $this->ilErr =& $ilErr;
39 }
40 }

References $ilDB, $ilErr, and PEAR_ERROR_CALLBACK.

Member Function Documentation

◆ addDesktopItem()

ilRbacAdmin::addDesktopItem (   $a_rol_id,
  $a_usr_id 
)
protected

Add desktop item.

Parameters
type  $a_rol_id
type  $a_usr_id

Definition at line 244 of file class.ilRbacAdmin.php.

245 {
246 include_once 'Services/AccessControl/classes/class.ilRoleDesktopItem.php';
247 $role_desk_item_obj = new ilRoleDesktopItem($a_rol_id);
248 foreach($role_desk_item_obj->getAll() as $item_data)
249 {
250 include_once './Services/User/classes/class.ilObjUser.php';
251 ilObjUser::_addDesktopItem($a_usr_id, $item_data['item_id'], $item_data['item_type']);
252 }
253 }

References ilObjUser\_addDesktopItem().

Referenced by assignUser(), and assignUserLimited().


◆ adjustMovedObjectPermissions()

ilRbacAdmin::adjustMovedObjectPermissions (   $a_ref_id,
  $a_old_parent 
)

Adjust permissions of moved objects.

  • Delete permissions of parent roles that do not exist in new context
  • Delete role templates of parent roles that do not exist in new context
  • Add permissions for parent roles that did not exist in old context

@access public

Parameters
int  ref id of moved object
int  ref_id of old parent

Definition at line 1269 of file class.ilRbacAdmin.php.

1270 {
1271 global $rbacreview,$tree,$ilLog;
1272
1273 $new_parent = $tree->getParentId($a_ref_id);
1274 $old_context_roles = $rbacreview->getParentRoleIds($a_old_parent,false);
1275 $new_context_roles = $rbacreview->getParentRoleIds($new_parent,false);
1276
1277 $for_addition = $for_deletion = array();
1278 foreach($new_context_roles as $new_role_id => $new_role)
1279 {
1280 if(!isset($old_context_roles[$new_role_id]))
1281 {
1282 $for_addition[$new_role_id] = $new_role;
1283 }
1284 elseif($new_role['parent'] != $old_context_roles[$new_role_id]['parent'])
1285 {
1286 // handle stopped inheritance
1287 $for_deletion[$new_role_id] = $new_role;
1288 $for_addition[$new_role_id] = $new_role;
1289 }
1290 }
1291 foreach($old_context_roles as $old_role_id => $old_role)
1292 {
1293 if(!isset($new_context_roles[$old_role_id]))
1294 {
1295 $for_deletion[$old_role_id] = $old_role;
1296 }
1297 }
1298
1299 if(!count($for_deletion) and !count($for_addition))
1300 {
1301 $this->applyMovedObjectDidacticTemplates($a_ref_id, $a_old_parent);
1302 return true;
1303 }
1304
1305 include_once "Services/AccessControl/classes/class.ilRbacLog.php";
1306 $rbac_log_active = ilRbacLog::isActive();
1307 if($rbac_log_active)
1308 {
1309 $role_ids = array_unique(array_merge(array_keys($for_deletion), array_keys($for_addition)));
1310 }
1311
1312 foreach($nodes = $tree->getSubTree($tree->getNodeData($a_ref_id),true) as $node_data)
1313 {
1314 $node_id = $node_data['child'];
1315
1316 if($rbac_log_active)
1317 {
1318 $log_old = ilRbacLog::gatherFaPa($node_id, $role_ids);
1319 }
1320
1321 // If $node_data['type'] is not set, this means there is a tree entry without
1322 // object_reference and/or object_data entry
1323 // Continue in this case
1324 if(!$node_data['type'])
1325 {
1326 $ilLog->write(__METHOD__.': No type give. Choosing next tree entry.');
1327 continue;
1328 }
1329
1330 if(!$node_id)
1331 {
1332 $ilLog->write(__METHOD__.': Missing subtree node_id');
1333 continue;
1334 }
1335
1336 foreach($for_deletion as $role_id => $role_data)
1337 {
1338 $this->deleteLocalRole($role_id,$node_id);
1339 $this->revokePermission($node_id,$role_id,false);
1340//var_dump("<pre>",'REVOKE',$role_id,$node_id,$rolf_id,"</pre>");
1341 }
1342 foreach($for_addition as $role_id => $role_data)
1343 {
1344 switch($node_data['type'])
1345 {
1346 case 'grp':
1347 include_once './Modules/Group/classes/class.ilObjGroup.php';
1348 $tpl_id = ilObjGroup::lookupGroupStatusTemplateId($node_data['obj_id']);
1350 $node_data['child'],
1351 $role_id,
1352 $role_data['parent'],
1353 $tpl_id,
1354 ROLE_FOLDER_ID
1355 );
1356 break;
1357
1358 case 'crs':
1359 include_once './Modules/Course/classes/class.ilObjCourse.php';
1362 $node_data['child'],
1363 $role_id,
1364 $role_data['parent'],
1365 $tpl_id,
1366 ROLE_FOLDER_ID
1367 );
1368 break;
1369
1370
1371 default:
1372 $this->grantPermission(
1373 $role_id,
1374 $ops = $rbacreview->getOperationsOfRole($role_id,$node_data['type'],$role_data['parent']),
1375 $node_id);
1376 break;
1377
1378
1379 }
1380
1381
1382//var_dump("<pre>",'GRANT',$role_id,$ops,$role_id,$node_data['type'],$role_data['parent'],"</pre>");
1383 }
1384
1385 if($rbac_log_active)
1386 {
1387 $log_new = ilRbacLog::gatherFaPa($node_id, $role_ids);
1388 $log = ilRbacLog::diffFaPa($log_old, $log_new);
1390 }
1391 }
1392
1393 $this->applyMovedObjectDidacticTemplates($a_ref_id,$a_old_parent);
1394
1395 }

References $ilLog, $log, ilRbacLog\add(), applyMovedObjectDidacticTemplates(), deleteLocalRole(), ilRbacLog\diffFaPa(), ilRbacLog\gatherFaPa(), grantPermission(), initIntersectionPermissions(), ilRbacLog\isActive(), ilObjCourse\lookupCourseNonMemberTemplatesId(), ilObjGroup\lookupGroupStatusTemplateId(), ilRbacLog\MOVE_OBJECT, and revokePermission().
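
The role comparison and per-node actions of adjustMovedObjectPermissions(), as an added stand-alone PHP example that is not ILIAS code: it repeats the diff from the listing on constructed role maps and prints the calls the method would make, so the effect of a move can be reviewed without a database. The function names diffContextRoles() and planMove() and all ids are assumptions.

```php
<?php
// Added example, not ILIAS code: dry-run of the role diff performed by
// adjustMovedObjectPermissions(). All ids and tree rows are constructed.

/**
 * Same comparison as the listing: both maps are keyed by role id and each
 * entry carries 'parent', the ref_id at which the role is defined.
 */
function diffContextRoles(array $old_context_roles, array $new_context_roles): array
{
    $for_addition = $for_deletion = array();
    foreach ($new_context_roles as $role_id => $role) {
        if (!isset($old_context_roles[$role_id])) {
            // role is new in the target context
            $for_addition[$role_id] = $role;
        } elseif ($role['parent'] != $old_context_roles[$role_id]['parent']) {
            // stopped inheritance: same role, defined at a different parent,
            // so its old permissions are dropped and the new ones applied
            $for_deletion[$role_id] = $role;
            $for_addition[$role_id] = $role;
        }
    }
    foreach ($old_context_roles as $role_id => $role) {
        if (!isset($new_context_roles[$role_id])) {
            // role does not exist in the target context
            $for_deletion[$role_id] = $role;
        }
    }
    return array('for_deletion' => $for_deletion, 'for_addition' => $for_addition);
}

/**
 * Hypothetical helper: lists, per subtree node, the calls the method would
 * make. Deletions come before additions, as in the listing.
 */
function planMove(array $subtree, array $diff): array
{
    $plan = array();
    foreach ($subtree as $node) {
        if (empty($node['type']) || empty($node['child'])) {
            continue; // the original logs and skips such tree entries
        }
        foreach (array_keys($diff['for_deletion']) as $role_id) {
            // revokePermission() is called with $a_keep_protected = false
            $plan[] = array($node['child'], $role_id,
                'deleteLocalRole + revokePermission (keep_protected=false)');
        }
        foreach (array_keys($diff['for_addition']) as $role_id) {
            $is_grp_or_crs = in_array($node['type'], array('grp', 'crs'), true);
            $plan[] = array($node['child'], $role_id,
                $is_grp_or_crs ? 'initIntersectionPermissions' : 'grantPermission');
        }
    }
    return $plan;
}

// Constructed sample: role 4 exists only in the old context, role 7 only in
// the new one, role 5 is defined at a different parent after the move.
$old = array(
    2 => array('parent' => 8),
    4 => array('parent' => 60),
    5 => array('parent' => 8),
);
$new = array(
    2 => array('parent' => 8),
    7 => array('parent' => 90),
    5 => array('parent' => 90),
);

$subtree = array(
    array('child' => 101, 'type' => 'crs'),
    array('child' => 102, 'type' => 'file'),
    array('child' => 103, 'type' => ''), // tree entry without object data
);

$diff = diffContextRoles($old, $new);
foreach (planMove($subtree, $diff) as list($node_id, $role_id, $action)) {
    printf("node %d role %d: %s\n", $node_id, $role_id, $action);
}
```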


◆ applyMovedObjectDidacticTemplates()

ilRbacAdmin::applyMovedObjectDidacticTemplates (   $a_ref_id,
  $a_old_parent 
)
protected

Apply didactic templates after object movement.

Parameters
int  $a_ref_id
int  $a_old_parent
Deprecated:
since version 5.1.0; will be removed with 5.4 and implemented using an event handler

Definition at line 1239 of file class.ilRbacAdmin.php.

1240 {
1241 include_once './Services/DidacticTemplate/classes/class.ilDidacticTemplateObjSettings.php';
1243 if(!$tpl_id) {
1244 return;
1245 }
1246 include_once './Services/DidacticTemplate/classes/class.ilDidacticTemplateActionFactory.php';
1247 foreach(ilDidacticTemplateActionFactory::getActionsByTemplateId($tpl_id) as $action) {
1248 if($action instanceof ilDidacticTemplateLocalRoleAction) {
1249 continue;
1250 }
1251 $action->setRefId($a_ref_id);
1252 $action->apply();
1253 }
1254 return;
1255 }

References ilDidacticTemplateActionFactory\getActionsByTemplateId(), and ilDidacticTemplateObjSettings\lookupTemplateId().

Referenced by adjustMovedObjectPermissions().


◆ assignOperationToObject()

ilRbacAdmin::assignOperationToObject (   $a_type_id,
  $a_ops_id 
)

Assign an existing operation to an object. Update of rbac_ta.

@access public

Parameters
integer  object type
integer  operation_id
Returns
boolean

Definition at line 1047 of file class.ilRbacAdmin.php.

1048 {
1049 global $ilDB;
1050
1051 if (!isset($a_type_id) or !isset($a_ops_id))
1052 {
1053 $message = get_class($this)."::assignOperationToObject(): Missing parameter!".
1054 "type_id: ".$a_type_id.
1055 "ops_id: ".$a_ops_id;
1056 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
1057 }
1058
1059 $query = "INSERT INTO rbac_ta (typ_id, ops_id) ".
1060 "VALUES(".$ilDB->quote($a_type_id,'integer').",".$ilDB->quote($a_ops_id,'integer').")";
1061 $res = $ilDB->manipulate($query);
1062 return true;
1063 }

References $ilDB, $query, and $res.

◆ assignRoleToFolder()

ilRbacAdmin::assignRoleToFolder (   $a_rol_id,
  $a_parent,
  $a_assign = "y" 
)

Assigns a role to a role folder. A role folder is an object to store roles.

Every role is assigned to at least one role folder. If the inheritance of a role is stopped, a new role template will be created, and the role is assigned to at least two role folders. All roles with stopped inheritance need the flag '$a_assign = false'.

@access public

Parameters
integer  object id of role
integer  ref_id of role folder
string  assignable('y','n'); default: 'y'
Returns
boolean

Definition at line 1001 of file class.ilRbacAdmin.php.

1002 {
1003 global $ilDB,$rbacreview;
1004
1005 if (!isset($a_rol_id) or !isset($a_parent))
1006 {
1007 $message = get_class($this)."::assignRoleToFolder(): Missing Parameter!".
1008 " role_id: ".$a_rol_id.
1009 " parent_id: ".$a_parent.
1010 " assign: ".$a_assign;
1011 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
1012 }
1013
1014 // exclude system role from rbac
1015 if ($a_rol_id == SYSTEM_ROLE_ID)
1016 {
1017 return true;
1018 }
1019
1020 // if a wrong value is passed, always set assign to "n"
1021 if ($a_assign != "y")
1022 {
1023 $a_assign = "n";
1024 }
1025
1026 ilLoggerFactory::getLogger('ac')->debug('Assign role to folder: ' . $a_rol_id.' '. $a_parent);
1027
1028 $query = sprintf('INSERT INTO rbac_fa (rol_id, parent, assign, protected) '.
1029 'VALUES (%s,%s,%s,%s)',
1030 $ilDB->quote($a_rol_id,'integer'),
1031 $ilDB->quote($a_parent,'integer'),
1032 $ilDB->quote($a_assign,'text'),
1033 $ilDB->quote('n','text'));
1034 $res = $ilDB->manipulate($query);
1035
1036 return true;
1037 }

References $ilDB, $query, $res, and ilLoggerFactory\getLogger().

Referenced by copyLocalRoles(), and initIntersectionPermissions().


◆ assignUser()

ilRbacAdmin::assignUser (   $a_rol_id,
  $a_usr_id 
)

Assigns a user to a role.

Update of table rbac_ua. TODO: remove deprecated 3rd parameter sometime.

@access public

Parameters
integer  object_id of role
integer  object_id of user
boolean  true means default role (optional)
Returns
boolean

Definition at line 265 of file class.ilRbacAdmin.php.

266 {
267 global $ilDB,$rbacreview;
268
269 if (!isset($a_rol_id) or !isset($a_usr_id))
270 {
271 $message = get_class($this)."::assignUser(): Missing parameter! role_id: ".$a_rol_id." usr_id: ".$a_usr_id;
272 #$this->ilErr->raiseError($message,$this->ilErr->WARNING);
273 }
274
275 // check if already assigned user id and role_id
276 $alreadyAssigned = $rbacreview->isAssigned($a_usr_id,$a_rol_id);
277
278 // enhanced: only if we haven't had this role for this user
279 if (!$alreadyAssigned)
280 {
281 $query = "INSERT INTO rbac_ua (usr_id, rol_id) ".
282 "VALUES (".$ilDB->quote($a_usr_id,'integer').",".$ilDB->quote($a_rol_id,'integer').")";
283 $res = $ilDB->manipulate($query);
284
285 $this->addDesktopItem($a_rol_id, $a_usr_id);
286
287 $rbacreview->setAssignedCacheEntry($a_rol_id,$a_usr_id,true);
288 }
289
290 include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
292 $mapping->assign($a_rol_id,$a_usr_id);
293
294
295 $ref_id = $GLOBALS['rbacreview']->getObjectReferenceOfRole($a_rol_id);
297 $type = ilObject::_lookupType($obj_id);
298
299 if(!$alreadyAssigned)
300 {
301 ilLoggerFactory::getInstance()->getLogger('ac')->debug('Raise event assign user');
302 $GLOBALS['ilAppEventHandler']->raise(
303 'Services/AccessControl',
304 'assignUser',
305 array(
306 'obj_id' => $obj_id,
307 'usr_id' => $a_usr_id,
308 'role_id' => $a_rol_id,
309 'type' => $type
310 )
311 );
312 }
313 return TRUE;
314 }

References $GLOBALS, $ilDB, $query, $ref_id, $res, ilLDAPRoleGroupMapping\_getInstance(), ilObject\_lookupObjId(), ilObject\_lookupType(), addDesktopItem(), and ilLoggerFactory\getInstance().


◆ assignUserLimited()

ilRbacAdmin::assignUserLimited (   $a_role_id,
  $a_usr_id,
  $a_limit,
  $a_limited_roles = array() 
)

Assign user limited.

Parameters
type  $a_role_id
type  $a_usr_id
type  $a_limit

Definition at line 202 of file class.ilRbacAdmin.php.

203 {
204 global $ilDB;
205
206 $GLOBALS['ilDB']->lockTables(
207 array(
208 0 => array('name' => 'rbac_ua', 'type' => ilDB::LOCK_WRITE)
209 )
210 );
211
212 $limit_query = 'SELECT COUNT(*) num FROM rbac_ua '.
213 'WHERE '.$GLOBALS['ilDB']->in('rol_id',(array) $a_limited_roles,FALSE,'integer');
214 $res = $GLOBALS['ilDB']->query($limit_query);
215 $row = $res->fetchRow(DB_FETCHMODE_OBJECT);
216 if($row->num >= $a_limit)
217 {
218 $GLOBALS['ilDB']->unlockTables();
219 return FALSE;
220 }
221
222 $query = "INSERT INTO rbac_ua (usr_id, rol_id) ".
223 "VALUES (".
224 $ilDB->quote($a_usr_id,'integer').",".$ilDB->quote($a_role_id,'integer').
225 ")";
226 $res = $ilDB->manipulate($query);
227
228 $GLOBALS['ilDB']->unlockTables();
229 $GLOBALS['rbacreview']->setAssignedCacheEntry($a_role_id,$a_usr_id,TRUE);
230
231 $this->addDesktopItem($a_role_id,$a_usr_id);
232
233 include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
235 $mapping->assign($a_role_id,$a_usr_id);
236 return TRUE;
237 }

References $GLOBALS, $ilDB, $query, $res, $row, ilLDAPRoleGroupMapping\_getInstance(), addDesktopItem(), DB_FETCHMODE_OBJECT, and ilDB\LOCK_WRITE.


◆ copyEffectiveRolePermissions()

ilRbacAdmin::copyEffectiveRolePermissions (   $a_source_ref_id,
  $target_ref_id,
  $a_subtree_id 
)

Copies all permission from source to target for all roles.

Parameters
type  $a_source_ref_id
type  $target_ref_id
type  $a_subtree_id

Definition at line 1404 of file class.ilRbacAdmin.php.

1405 {
1406 global $rbacreview;
1407
1408 $parent_roles = $rbacreview->getParentRoleIds($a_source_ref_id, FALSE);
1409 $GLOBALS['ilLog']->write(__METHOD__.': '. print_r($parent_roles,TRUE));
1410
1411
1412
1413 }

References $GLOBALS.

◆ copyLocalRoles()

ilRbacAdmin::copyLocalRoles (   $a_source_id,
  $a_target_id 
)

Copy local roles. This method creates a copy of all local roles.

Note: auto generated roles are excluded

@access public

Parameters
int  source id of object (not role folder)
int  target id of object

Definition at line 1124 of file class.ilRbacAdmin.php.

1125 {
1126 global $rbacreview,$ilLog,$ilObjDataCache;
1127
1128 $real_local = array();
1129 foreach($rbacreview->getRolesOfRoleFolder($a_source_id,false) as $role_data)
1130 {
1131 $title = $ilObjDataCache->lookupTitle($role_data);
1132 if(substr($title,0,3) == 'il_')
1133 {
1134 continue;
1135 }
1136 $real_local[] = $role_data;
1137 }
1138 if(!count($real_local))
1139 {
1140 return true;
1141 }
1142 // Create role folder
1143 foreach($real_local as $role)
1144 {
1145 include_once ("./Services/AccessControl/classes/class.ilObjRole.php");
1146 $orig = new ilObjRole($role);
1147 $orig->read();
1148
1149 $ilLog->write(__METHOD__.': Start copying of role '.$orig->getTitle());
1150 $roleObj = new ilObjRole();
1151 $roleObj->setTitle($orig->getTitle());
1152 $roleObj->setDescription($orig->getDescription());
1153 $roleObj->setImportId($orig->getImportId());
1154 $roleObj->create();
1155
1156 $this->assignRoleToFolder($roleObj->getId(),$a_target_id,"y");
1157 $this->copyRolePermissions($role,$a_source_id,$a_target_id,$roleObj->getId(),true);
1158 $ilLog->write(__METHOD__.': Added new local role, id '.$roleObj->getId());
1159 }
1160
1161 }

References $ilLog, assignRoleToFolder(), and copyRolePermissions().


◆ copyRolePermissionIntersection()

ilRbacAdmin::copyRolePermissionIntersection (   $a_source1_id,
  $a_source1_parent,
  $a_source2_id,
  $a_source2_parent,
  $a_dest_parent,
  $a_dest_id 
)

Copies the intersection of the template permissions of two roles to a third role.

@access public

Parameters
integer  $a_source1_id  role_id source
integer  $a_source1_parent  parent_id source
integer  $a_source2_id  role_id source
integer  $a_source2_parent  parent_id source
integer  $a_dest_id  role_id destination
integer  $a_dest_parent  parent_id destination
Returns
boolean

Definition at line 720 of file class.ilRbacAdmin.php.

721 {
722 global $rbacreview,$ilDB;
723
724 if (!isset($a_source1_id) or !isset($a_source1_parent)
725 or !isset($a_source2_id) or !isset($a_source2_parent)
726 or !isset($a_dest_id) or !isset($a_dest_parent))
727 {
728 $message = get_class($this)."::copyRolePermissionIntersection(): Missing parameter! source1_id: ".$a_source1_id.
729 " source1_parent: ".$a_source1_parent.
730 " source2_id: ".$a_source2_id.
731 " source2_parent: ".$a_source2_parent.
732 " dest_id: ".$a_dest_id.
733 " dest_parent_id: ".$a_dest_parent;
734 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
735 }
736
737 // exclude system role from rbac
738 if ($a_dest_id == SYSTEM_ROLE_ID)
739 {
740 return true;
741 }
742
743 if ($rbacreview->isProtected($a_source2_parent,$a_source2_id))
744 {
745 $GLOBALS['ilLog']->write(__METHOD__.': Role is protected');
746 return true;
747 }
748
749 $query = "SELECT s1.type, s1.ops_id ".
750 "FROM rbac_templates s1, rbac_templates s2 ".
751 "WHERE s1.rol_id = ".$ilDB->quote($a_source1_id,'integer')." ".
752 "AND s1.parent = ".$ilDB->quote($a_source1_parent,'integer')." ".
753 "AND s2.rol_id = ".$ilDB->quote($a_source2_id,'integer')." ".
754 "AND s2.parent = ".$ilDB->quote($a_source2_parent,'integer')." ".
755 "AND s1.type = s2.type ".
756 "AND s1.ops_id = s2.ops_id";
757 $res = $ilDB->query($query);
758 $operations = array();
759 $rowNum = 0;
760 while($row = $res->fetchRow(DB_FETCHMODE_OBJECT))
761 {
762 $operations[$rowNum]['type'] = $row->type;
763 $operations[$rowNum]['ops_id'] = $row->ops_id;
764
765 $rowNum++;
766 }
767
768 // Delete template permissions of target
769 $query = 'DELETE FROM rbac_templates WHERE rol_id = '.$ilDB->quote($a_dest_id,'integer').' '.
770 'AND parent = '.$ilDB->quote($a_dest_parent,'integer');
771 $res = $ilDB->manipulate($query);
772
773 $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
774 'VALUES (?,?,?,?)';
775 $sta = $ilDB->prepareManip($query,array('integer','text','integer','integer'));
776 foreach($operations as $key => $set)
777 {
778 $ilDB->execute($sta,array(
779 $a_dest_id,
780 $set['type'],
781 $set['ops_id'],
782 $a_dest_parent));
783 }
784 return true;
785 }

References $GLOBALS, $ilDB, $query, $res, $row, and DB_FETCHMODE_OBJECT.

Referenced by initIntersectionPermissions().


◆ copyRolePermissions()

ilRbacAdmin::copyRolePermissions (   $a_source_id,
  $a_source_parent,
  $a_dest_parent,
  $a_dest_id,
  $a_consider_protected = true 
)

Copies template permissions and permission of one role to another.

@access public

Parameters
integer  $a_source_id  role_id source
integer  $a_source_parent  parent_id source
integer  $a_dest_parent  parent_id destination
integer  $a_dest_id  role_id destination
Returns
boolean

Definition at line 623 of file class.ilRbacAdmin.php.

624 {
625 global $tree,$rbacreview;
626
627 // Copy template permissions
628 $this->copyRoleTemplatePermissions($a_source_id,$a_source_parent,$a_dest_parent,$a_dest_id,$a_consider_protected);
629
630 $ops = $rbacreview->getRoleOperationsOnObject($a_source_id,$a_source_parent);
631
632 $this->revokePermission($a_dest_parent,$a_dest_id);
633 $this->grantPermission($a_dest_id,$ops,$a_dest_parent);
634 return true;
635 }

References copyRoleTemplatePermissions(), grantPermission(), and revokePermission().

Referenced by copyLocalRoles().


◆ copyRolePermissionSubtract()

ilRbacAdmin::copyRolePermissionSubtract (   $a_source_id,
  $a_source_parent,
  $a_dest_id,
  $a_dest_parent 
)

Subtract role permissions.

Parameters
type  $a_source_id
type  $a_source_parent
type  $a_dest_id
type  $a_dest_parent

Definition at line 863 of file class.ilRbacAdmin.php.

864 {
865 global $rbacreview, $ilDB;
866
867 $s1_ops = $rbacreview->getAllOperationsOfRole($a_source_id,$a_source_parent);
868 $d_ops = $rbacreview->getAllOperationsOfRole($a_dest_id,$a_dest_parent);
869
870 foreach($s1_ops as $type => $ops)
871 {
872 foreach($ops as $op)
873 {
874 if(isset($d_ops[$type]) and in_array($op, $d_ops[$type]))
875 {
876 $query = 'DELETE FROM rbac_templates '.
877 'WHERE rol_id = '.$ilDB->quote($a_dest_id,'integer').' '.
878 'AND type = '.$ilDB->quote($type,'text').' '.
879 'AND ops_id = '.$ilDB->quote($op,'integer').' '.
880 'AND parent = '.$ilDB->quote($a_dest_parent,'integer');
881 $ilDB->manipulate($query);
882 }
883 }
884 }
885 return true;
886 }

References $ilDB, and $query.

◆ copyRolePermissionUnion()

ilRbacAdmin::copyRolePermissionUnion (   $a_source1_id,
  $a_source1_parent,
  $a_source2_id,
  $a_source2_parent,
  $a_dest_id,
  $a_dest_parent 
)

@global <type> $ilDB

Parameters
<type>  $a_source1_id
<type>  $a_source1_parent
<type>  $a_source2_id
<type>  $a_source2_parent
<type>  $a_dest_id
<type>  $a_dest_parent
Returns
<type>

Definition at line 798 of file class.ilRbacAdmin.php.

805 {
806 global $ilDB, $rbacreview;
807
808
809 $s1_ops = $rbacreview->getAllOperationsOfRole($a_source1_id,$a_source1_parent);
810 $s2_ops = $rbacreview->getAlloperationsOfRole($a_source2_id,$a_source2_parent);
811
812 $this->deleteRolePermission($a_dest_id, $a_dest_parent);
813
814 $GLOBALS['ilLog']->write(__METHOD__.': '.print_r($s1_ops,TRUE));
815 $GLOBALS['ilLog']->write(__METHOD__.': '.print_r($s2_ops,TRUE));
816
817 foreach($s1_ops as $type => $ops)
818 {
819 foreach($ops as $op)
820 {
821 // insert all permission of source 1
822 // #15469
823 $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
824 'VALUES( '.
825 $ilDB->quote($a_dest_id,'integer').', '.
826 $ilDB->quote($type,'text').', '.
827 $ilDB->quote($op,'integer').', '.
828 $ilDB->quote($a_dest_parent,'integer').' '.
829 ')';
830 $ilDB->manipulate($query);
831 }
832 }
833
834 // and the other direction...
835 foreach($s2_ops as $type => $ops)
836 {
837 foreach($ops as $op)
838 {
839 if(!isset($s1_ops[$type]) or !in_array($op, $s1_ops[$type]))
840 {
841 $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
842 'VALUES( '.
843 $ilDB->quote($a_dest_id,'integer').', '.
844 $ilDB->quote($type,'text').', '.
845 $ilDB->quote($op,'integer').', '.
846 $ilDB->quote($a_dest_parent,'integer').' '.
847 ')';
848 $ilDB->manipulate($query);
849 }
850 }
851 }
852
853 return true;
854 }

References $GLOBALS, $ilDB, $query, and deleteRolePermission().
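
What copyRolePermissionIntersection(), copyRolePermissionSubtract() and copyRolePermissionUnion() leave in the destination template, as an added stand-alone PHP example that is not ILIAS code: it models a template as type => list of ops_id and reports which operations the destination gains compared with its previous state. The function names and all types and operation ids are assumptions.

```php
<?php
// Added example, not ILIAS code. A template is modelled as type => list of
// ops_id, the shape the listings iterate over ($s1_ops as $type => $ops).
// All types and operation ids below are constructed sample values.

/** copyRolePermissionUnion(): destination becomes source1 plus whatever source2 adds. */
function templateUnion(array $s1, array $s2): array
{
    $out = $s1;
    foreach ($s2 as $type => $ops) {
        foreach ($ops as $op) {
            if (!isset($s1[$type]) || !in_array($op, $s1[$type])) {
                $out[$type][] = $op;
            }
        }
    }
    return $out;
}

/**
 * copyRolePermissionIntersection(): destination keeps only the (type, ops_id)
 * pairs present in both sources. The documented method returns early, without
 * changing the destination, when source2 is protected.
 */
function templateIntersection(array $s1, array $s2): array
{
    $out = array();
    foreach ($s1 as $type => $ops) {
        foreach ($ops as $op) {
            if (isset($s2[$type]) && in_array($op, $s2[$type])) {
                $out[$type][] = $op;
            }
        }
    }
    return $out;
}

/** copyRolePermissionSubtract(): every operation the source holds is removed from the destination. */
function templateSubtract(array $dest, array $source): array
{
    $out = array();
    foreach ($dest as $type => $ops) {
        $remove = isset($source[$type]) ? $source[$type] : array();
        $keep = array_values(array_diff($ops, $remove));
        if (count($keep) > 0) {
            $out[$type] = $keep;
        }
    }
    return $out;
}

/** Operations in $after that $before did not have: what the destination role gains. */
function gainedOperations(array $before, array $after): array
{
    return templateSubtract($after, $before);
}

// Constructed sample templates.
$role_a      = array('crs' => array(2, 3, 4), 'file' => array(2, 3));
$role_b      = array('crs' => array(2, 3), 'file' => array(2, 3, 6), 'grp' => array(2));
$dest_before = array('crs' => array(2), 'file' => array(2));

$results = array(
    'union(a, b)'        => templateUnion($role_a, $role_b),
    'intersection(a, b)' => templateIntersection($role_a, $role_b),
    'subtract(dest, a)'  => templateSubtract($dest_before, $role_a),
);

foreach ($results as $label => $after) {
    printf(
        "%-20s result=%s gained=%s\n",
        $label,
        json_encode($after),
        json_encode(gainedOperations($dest_before, $after))
    );
}
```

The signatures on this page differ in destination order: copyRolePermissionIntersection() ends with ($a_dest_parent, $a_dest_id), while copyRolePermissionUnion() and copyRolePermissionSubtract() end with ($a_dest_id, $a_dest_parent), so arguments copied from one call to another address a different (rol_id, parent) pair.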


◆ copyRoleTemplatePermissions()

ilRbacAdmin::copyRoleTemplatePermissions (   $a_source_id,
  $a_source_parent,
  $a_dest_parent,
  $a_dest_id,
  $a_consider_protected = true 
)

Copies template permissions of one role to another.

It's also possible to copy template permissions from/to RoleTemplateObject.

@access public

Parameters
integer  $a_source_id  role_id source
integer  $a_source_parent  parent_id source
integer  $a_dest_parent  parent_id destination
integer  $a_dest_id  role_id destination
Returns
boolean

Definition at line 647 of file class.ilRbacAdmin.php.

648 {
649 global $rbacreview,$ilDB;
650
651 if (!isset($a_source_id) or !isset($a_source_parent) or !isset($a_dest_id) or !isset($a_dest_parent))
652 {
653 $message = __METHOD__.": Missing parameter! source_id: ".$a_source_id.
654 " source_parent_id: ".$a_source_parent.
655 " dest_id : ".$a_dest_id.
656 " dest_parent_id: ".$a_dest_parent;
657 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
658 }
659
660 // exclude system role from rbac
661 if ($a_dest_id == SYSTEM_ROLE_ID)
662 {
663 return true;
664 }
665
666 // Read operations
667 $query = 'SELECT * FROM rbac_templates '.
668 'WHERE rol_id = '.$ilDB->quote($a_source_id,'integer').' '.
669 'AND parent = '.$ilDB->quote($a_source_parent,'integer');
670 $res = $ilDB->query($query);
671 $operations = array();
672 $rownum = 0;
673 while ($row = $ilDB->fetchObject($res))
674 {
675 $operations[$rownum]['type'] = $row->type;
676 $operations[$rownum]['ops_id'] = $row->ops_id;
677 $rownum++;
678 }
679
680 // Delete target permissions
681 $query = 'DELETE FROM rbac_templates WHERE rol_id = '.$ilDB->quote($a_dest_id,'integer').' '.
682 'AND parent = '.$ilDB->quote($a_dest_parent,'integer');
683 $res = $ilDB->manipulate($query);
684
685 foreach($operations as $row => $op)
686 {
687 $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
688 'VALUES ('.
689 $ilDB->quote($a_dest_id,'integer').",".
690 $ilDB->quote($op['type'],'text').",".
691 $ilDB->quote($op['ops_id'],'integer').",".
692 $ilDB->quote($a_dest_parent,'integer').")";
693 $ilDB->manipulate($query);
694 }
695
696 // copy also protection status if applicable
697 if ($a_consider_protected == true)
698 {
699 if ($rbacreview->isProtected($a_source_parent,$a_source_id))
700 {
701 $this->setProtected($a_dest_parent,$a_dest_id,'y');
702 }
703 }
704
705 return true;
706 }

References $ilDB, $query, $res, $row, and setProtected().

Referenced by copyRolePermissions().


◆ deassignOperationFromObject()

ilRbacAdmin::deassignOperationFromObject (   $a_type_id,
  $a_ops_id 
)

Deassign an existing operation from an object. Update of rbac_ta. @access public

Parameters
integer object type
integer operation_id
Returns
boolean

Definition at line 1073 of file class.ilRbacAdmin.php.

1074 {
1075 global $ilDB;
1076
1077 if (!isset($a_type_id) or !isset($a_ops_id))
1078 {
1079 $message = get_class($this)."::deassignOperationFromObject(): Missing parameter!".
1080 " type_id: ".$a_type_id.
1081 " ops_id: ".$a_ops_id;
1082 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
1083 }
1084
1085 $query = "DELETE FROM rbac_ta ".
1086 "WHERE typ_id = ".$ilDB->quote($a_type_id,'integer')." ".
1087 "AND ops_id = ".$ilDB->quote($a_ops_id,'integer');
1088 $res = $ilDB->manipulate($query);
1089
1090 return true;
1091 }

References $ilDB, $query, and $res.

◆ deassignUser()

ilRbacAdmin::deassignUser (   $a_rol_id,
  $a_usr_id 
)

Deassigns a user from a role.

Update of table rbac_ua @access public

Parameters
integer object id of role
integer object id of user
Returns
boolean true on success

Definition at line 323 of file class.ilRbacAdmin.php.

324 {
325 global $ilDB, $rbacreview;
326
327 if (!isset($a_rol_id) or !isset($a_usr_id))
328 {
329 $message = get_class($this)."::deassignUser(): Missing parameter! role_id: ".$a_rol_id." usr_id: ".$a_usr_id;
330 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
331 }
332
333 $query = "DELETE FROM rbac_ua ".
334 "WHERE usr_id = ".$ilDB->quote($a_usr_id,'integer')." ".
335 "AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
336 $res = $ilDB->manipulate($query);
337
338 $rbacreview->setAssignedCacheEntry($a_rol_id,$a_usr_id,false);
339
340 include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
341 $mapping = ilLDAPRoleGroupMapping::_getInstance();
342 $mapping->deassign($a_rol_id,$a_usr_id);
343
344 $ref_id = $GLOBALS['rbacreview']->getObjectReferenceOfRole($a_rol_id);
345 $obj_id = ilObject::_lookupObjId($ref_id);
346 $type = ilObject::_lookupType($obj_id);
347
348 ilLoggerFactory::getInstance()->getLogger('ac')->debug('Raise event deassign user');
349 $GLOBALS['ilAppEventHandler']->raise(
350 'Services/AccessControl',
351 'deassignUser',
352 array(
353 'obj_id' => $obj_id,
354 'usr_id' => $a_usr_id,
355 'role_id' => $a_rol_id,
356 'type' => $type
357 )
358 );
359 return TRUE;
360 }

References $GLOBALS, $ilDB, $query, $ref_id, $res, ilLDAPRoleGroupMapping\_getInstance(), ilObject\_lookupObjId(), ilObject\_lookupType(), and ilLoggerFactory\getInstance().

◆ deleteLocalRole()

ilRbacAdmin::deleteLocalRole (   $a_rol_id,
  $a_ref_id = 0 
)

Deletes a local role and entries in rbac_fa and rbac_templates @access public.

Parameters
integer object_id of role
integer ref_id of role folder (optional)
Returns
boolean true on success

Definition at line 163 of file class.ilRbacAdmin.php.

164 {
165 global $ilDB;
166 $clause = '';
167 if (!isset($a_rol_id))
168 {
169 $message = get_class($this)."::deleteLocalRole(): Missing parameter! role_id: '".$a_rol_id."'";
170 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
171 }
172
173 // exclude system role from rbac
174 if ($a_rol_id == SYSTEM_ROLE_ID)
175 {
176 return true;
177 }
178
179 if ($a_ref_id != 0)
180 {
181 $clause = 'AND parent = '.$ilDB->quote($a_ref_id,'integer').' ';
182 }
183
184 $query = 'DELETE FROM rbac_fa '.
185 'WHERE rol_id = '.$ilDB->quote($a_rol_id,'integer').' '.
186 $clause;
187 $res = $ilDB->manipulate($query);
188
189 $query = 'DELETE FROM rbac_templates '.
190 'WHERE rol_id = '.$ilDB->quote($a_rol_id,'integer').' '.
191 $clause;
192 $res = $ilDB->manipulate($query);
193 return true;
194 }

References $ilDB, $query, and $res.

Referenced by adjustMovedObjectPermissions(), and deleteRole().

◆ deleteRole()

ilRbacAdmin::deleteRole (   $a_rol_id,
  $a_ref_id 
)

Deletes a role and deletes entries in object_data, rbac_pa, rbac_templates, rbac_ua, rbac_fa @access public.

Parameters
integer obj_id of role (role_id)
integer ref_id of role folder (ref_id)
Returns
boolean true on success

Definition at line 89 of file class.ilRbacAdmin.php.

90 {
91 global $lng,$ilDB;
92
93 if (!isset($a_rol_id) or !isset($a_ref_id))
94 {
95 $message = get_class($this)."::deleteRole(): Missing parameter! role_id: ".$a_rol_id." ref_id of role folder: ".$a_ref_id;
96 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
97 }
98
99 // exclude system role from rbac
100 if ($a_rol_id == SYSTEM_ROLE_ID)
101 {
102 $this->ilErr->raiseError($lng->txt("msg_sysrole_not_deletable"),$this->ilErr->MESSAGE);
103 }
104
105 include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
106 $mapping = ilLDAPRoleGroupMapping::_getInstance();
107 $mapping->deleteRole($a_rol_id);
108
109
110 // TODO: check assigned users before deletion
111 // This is done in ilObjRole. Should be better moved to this place?
112
113 // delete user assignments
114 $query = "DELETE FROM rbac_ua ".
115 "WHERE rol_id = ".$ilDB->quote($a_rol_id,'integer');
116 $res = $ilDB->manipulate($query);
117
118 // delete permission assignments
119 $query = "DELETE FROM rbac_pa ".
120 "WHERE rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
121 $res = $ilDB->manipulate($query);
122
123 //delete rbac_templates and rbac_fa
124 $this->deleteLocalRole($a_rol_id);
125
126 return true;
127 }

References $ilDB, $lng, $query, $res, ilLDAPRoleGroupMapping\_getInstance(), and deleteLocalRole().

◆ deleteRolePermission()

ilRbacAdmin::deleteRolePermission (   $a_rol_id,
  $a_ref_id,
  $a_type = false 
)

Deletes all entries of a template.

If an object type is given as the third parameter, only the entries for that object type are deleted. Update of table rbac_templates. @access public

Parameters
integer object id of role
integer ref_id of role folder
string object type (optional)
Returns
boolean

Definition at line 899 of file class.ilRbacAdmin.php.

900 {
901 global $ilDB;
902 $and_type = '';
903 if (!isset($a_rol_id) or !isset($a_ref_id))
904 {
905 $message = get_class($this)."::deleteRolePermission(): Missing parameter! role_id: ".$a_rol_id." ref_id: ".$a_ref_id;
906 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
907 }
908
909 // exclude system role from rbac
910 if ($a_rol_id == SYSTEM_ROLE_ID)
911 {
912 return true;
913 }
914
915 if ($a_type !== false)
916 {
917 $and_type = " AND type=".$ilDB->quote($a_type,'text')." ";
918 }
919
920 $query = 'DELETE FROM rbac_templates '.
921 'WHERE rol_id = '.$ilDB->quote($a_rol_id,'integer').' '.
922 'AND parent = '.$ilDB->quote($a_ref_id,'integer').' '.
923 $and_type;
924
925 $res = $ilDB->manipulate($query);
926
927 return true;
928 }

References $ilDB, $query, and $res.

Referenced by copyRolePermissionUnion().

◆ deleteSubtreeTemplates()

ilRbacAdmin::deleteSubtreeTemplates (   $a_ref_id,
  $a_rol_id 
)

Delete all template permissions of subtree nodes.

Parameters
object $a_ref_id
object $a_rol_id
Returns

Definition at line 555 of file class.ilRbacAdmin.php.

556 {
557 global $ilDB;
558
559 $query = 'DELETE FROM rbac_templates '.
560 'WHERE parent IN ( '.
561 $GLOBALS['tree']->getSubTreeQuery($a_ref_id, array('child')).' ) '.
562 'AND rol_id = '.$ilDB->quote($a_rol_id,'integer');
563
564 $ilDB->manipulate($query);
565
566 $query = 'DELETE FROM rbac_fa '.
567 'WHERE parent IN ( '.
568 $GLOBALS['tree']->getSubTreeQuery($a_ref_id,array('child')).' ) '.
569 'AND rol_id = '.$ilDB->quote($a_rol_id,'integer');
570
571 $ilDB->manipulate($query);
572
573 return true;
574 }

References $GLOBALS, $ilDB, and $query.

◆ deleteTemplate()

ilRbacAdmin::deleteTemplate (   $a_obj_id)

Deletes a template from role folder and deletes all entries in rbac_templates, rbac_fa @access public.

Parameters
integer object_id of role template
Returns
boolean

Definition at line 135 of file class.ilRbacAdmin.php.

136 {
137 global $ilDB;
138
139 if (!isset($a_obj_id))
140 {
141 $message = get_class($this)."::deleteTemplate(): No obj_id given!";
142 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
143 }
144
145 $query = 'DELETE FROM rbac_templates '.
146 'WHERE rol_id = '.$ilDB->quote($a_obj_id,'integer');
147 $res = $ilDB->manipulate($query);
148
149 $query = 'DELETE FROM rbac_fa '.
150 'WHERE rol_id = '.$ilDB->quote($a_obj_id,'integer');
151 $res = $ilDB->manipulate($query);
152
153 return true;
154 }

References $ilDB, $query, and $res.

◆ grantPermission()

ilRbacAdmin::grantPermission (   $a_rol_id,
  $a_ops,
  $a_ref_id 
)

Grants a permission to an object and a specific role.

Update of table rbac_pa @access public

Parameters
integer object id of role
array array of operation ids
integer reference id of that object which is granted the permissions
Returns
boolean

Definition at line 370 of file class.ilRbacAdmin.php.

371 {
372 global $ilDB;
373
374 if (!isset($a_rol_id) or !isset($a_ops) or !isset($a_ref_id))
375 {
376 $this->ilErr->raiseError(get_class($this)."::grantPermission(): Missing parameter! ".
377 "role_id: ".$a_rol_id." ref_id: ".$a_ref_id." operations: ",$this->ilErr->WARNING);
378 }
379
380 if (!is_array($a_ops))
381 {
382 $this->ilErr->raiseError(get_class($this)."::grantPermission(): Wrong datatype for operations!",
383 $this->ilErr->WARNING);
384 }
385
386 /*
387 if (count($a_ops) == 0)
388 {
389 return false;
390 }
391 */
392 // exclude system role from rbac
393 if ($a_rol_id == SYSTEM_ROLE_ID)
394 {
395 return true;
396 }
397
398 // convert all values to integer
399 foreach ($a_ops as $key => $operation)
400 {
401 $a_ops[$key] = (int) $operation;
402 }
403
404 // Serialize the ops_id array
405 $ops_ids = serialize($a_ops);
406
407 $query = 'DELETE FROM rbac_pa '.
408 'WHERE rol_id = %s '.
409 'AND ref_id = %s';
410 $res = $ilDB->queryF($query,array('integer','integer'),
411 array($a_rol_id,$a_ref_id));
412
413 if(!count($a_ops))
414 {
415 return false;
416 }
417
418 $query = "INSERT INTO rbac_pa (rol_id,ops_id,ref_id) ".
419 "VALUES ".
420 "(".$ilDB->quote($a_rol_id,'integer').",".$ilDB->quote($ops_ids,'text').",".$ilDB->quote($a_ref_id,'integer').")";
421 $res = $ilDB->manipulate($query);
422
423 return true;
424 }

References $ilDB, $query, and $res.

Referenced by adjustMovedObjectPermissions(), copyRolePermissions(), and initIntersectionPermissions().
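
The write pattern of grantPermission() above, as an added example that is not part of the ILIAS code base: a PHP array stands in for the rbac_pa table, and the names grant_permission and read_ops, the row key format and the value 2 for SYSTEM_ROLE_ID are assumptions made for this sketch. It shows the integer cast, the serialized ops_id value, the replace-on-grant behaviour and a reader that refuses object payloads when decoding the column.

```php
<?php
const SYSTEM_ROLE_ID = 2; // assumed value for this sketch

// Hypothetical stand-in for grantPermission(); $rbac_pa models the table.
function grant_permission(array &$rbac_pa, $rol_id, array $ops, $ref_id)
{
    // the system role is excluded from rbac: nothing is written for it
    if ($rol_id == SYSTEM_ROLE_ID) {
        return true;
    }
    // every operation id is forced to int before it reaches the query
    foreach ($ops as $key => $operation) {
        $ops[$key] = (int) $operation;
    }
    // DELETE FROM rbac_pa WHERE rol_id = .. AND ref_id = ..
    $row_key = $rol_id . ':' . $ref_id;
    unset($rbac_pa[$row_key]);

    // an empty list leaves the row deleted and reports false
    if (!count($ops)) {
        return false;
    }
    // INSERT: one row per (role, object); ops_id holds serialize($ops)
    $rbac_pa[$row_key] = serialize($ops);
    return true;
}

// Hypothetical reader for the ops_id column (the options array needs PHP 7.0+).
function read_ops(array $rbac_pa, $rol_id, $ref_id)
{
    $row_key = $rol_id . ':' . $ref_id;
    if (!isset($rbac_pa[$row_key])) {
        return array();
    }
    // the column only ever holds an array of ints, so objects are refused
    $ops = unserialize($rbac_pa[$row_key], array('allowed_classes' => false));
    return is_array($ops) ? array_map('intval', $ops) : array();
}

// Constructed sample calls
$rbac_pa = array();
grant_permission($rbac_pa, 5, array('1', '3', '4 OR 1=1'), 70);
var_dump($rbac_pa['5:70']);            // stored text value
var_dump(read_ops($rbac_pa, 5, 70));   // decoded operation ids

grant_permission($rbac_pa, 5, array(2), 70);
var_dump(read_ops($rbac_pa, 5, 70));   // second grant replaced the first

var_dump(grant_permission($rbac_pa, 5, array(), 70));
var_dump(isset($rbac_pa['5:70']));     // row is gone after an empty grant

var_dump(grant_permission($rbac_pa, SYSTEM_ROLE_ID, array(1), 70));
var_dump(isset($rbac_pa[SYSTEM_ROLE_ID . ':70']));
```

A grant is a replacement, not a merge: callers that pass a partial list of operations remove whatever the role held on that object before.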

◆ initIntersectionPermissions()

ilRbacAdmin::initIntersectionPermissions (   $a_ref_id,
  $a_role_id,
  $a_role_parent,
  $a_template_id,
  $a_template_parent 
)

Init intersection permissions.

@global type $rbacreview

Parameters
type $a_ref_id
type $a_role_id
type $a_role_parent
type $a_template_id
type $a_template_parent
Returns
type

Definition at line 1173 of file class.ilRbacAdmin.php.

1174 {
1175 global $rbacreview;
1176
1177 if($rbacreview->isProtected($a_role_parent, $a_role_id))
1178 {
1179 // Assign object permissions
1180 $new_ops = $rbacreview->getOperationsOfRole(
1181 $a_role_id,
1182 ilObject::_lookupType($a_ref_id, true),
1183 $a_role_parent
1184 );
1185
1186 // set new permissions for object
1187 $this->grantPermission(
1188 $a_role_id,
1189 (array) $new_ops,
1190 $a_ref_id
1191 );
1192 return;
1193 }
1194 if(!$a_template_id)
1195 {
1196 return;
1197 }
1198 // create template permission intersection
1199 $this->copyRolePermissionIntersection(
1200 $a_template_id,
1201 $a_template_parent,
1202 $a_role_id,
1203 $a_role_parent,
1204 $a_ref_id,
1205 $a_role_id
1206 );
1207
1208 // assign role to folder
1209 $this->assignRoleToFolder(
1210 $a_role_id,
1211 $a_ref_id,
1212 'n'
1213 );
1214
1215 // Assign object permissions
1216 $new_ops = $rbacreview->getOperationsOfRole(
1217 $a_role_id,
1218 ilObject::_lookupType($a_ref_id, true),
1219 $a_ref_id
1220 );
1221
1222 // set new permissions for object
1223 $this->grantPermission(
1224 $a_role_id,
1225 (array) $new_ops,
1226 $a_ref_id
1227 );
1228
1229 return;
1230 }

References ilObject\_lookupType(), assignRoleToFolder(), copyRolePermissionIntersection(), and grantPermission().

Referenced by adjustMovedObjectPermissions().

◆ removeUser()

ilRbacAdmin::removeUser (   $a_usr_id)

Deletes a user from rbac_ua. All user <-> role relations are deleted. @access public

Parameters
integer user_id
Returns
boolean true on success

Definition at line 66 of file class.ilRbacAdmin.php.

67 {
68 global $ilDB;
69
70 if (!isset($a_usr_id))
71 {
72 $message = get_class($this)."::removeUser(): No usr_id given!";
73 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
74 }
75
76 $query = "DELETE FROM rbac_ua WHERE usr_id = ".$ilDB->quote($a_usr_id,'integer');
77 $res = $ilDB->manipulate($query);
78
79 return true;
80 }

References $ilDB, $query, and $res.

◆ revokePermission()

ilRbacAdmin::revokePermission (   $a_ref_id,
  $a_rol_id = 0,
  $a_keep_protected = true 
)

Revokes permissions of an object of one role.

Update of table rbac_pa. Revokes all permissions for all roles for that object (with this reference). When a role_id is given, this applies only to that role. @access public

Parameters
integer reference id of object where permissions should be revoked
integer role_id (optional: if you want to revoke permissions of object only for a specific role)
Returns
boolean

Definition at line 435 of file class.ilRbacAdmin.php.

436 {
437 global $rbacreview,$log,$ilDB,$ilLog;
438
439 if (!isset($a_ref_id))
440 {
441 $ilLog->logStack();
442 $message = get_class($this)."::revokePermission(): Missing parameter! ref_id: ".$a_ref_id;
443 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
444 }
445 #$log->write("ilRBACadmin::revokePermission(), 0");
446
447 // bypass protected status of roles
448 if ($a_keep_protected != true)
449 {
450 // exclude system role from rbac
451 if ($a_rol_id == SYSTEM_ROLE_ID)
452 {
453 return true;
454 }
455
456 if ($a_rol_id)
457 {
458 $and1 = " AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
459 }
460 else
461 {
462 $and1 = "";
463 }
464
465 $query = "DELETE FROM rbac_pa ".
466 "WHERE ref_id = ".$ilDB->quote($a_ref_id,'integer').
467 $and1;
468
469 $res = $ilDB->manipulate($query);
470
471 return true;
472 }
473
474 // consider protected status of roles
475
476 // in any case, get all roles in scope first
477 $roles_in_scope = $rbacreview->getParentRoleIds($a_ref_id);
478
479 if (!$a_rol_id)
480 {
481 #$log->write("ilRBACadmin::revokePermission(), 1");
482
483 $role_ids = array();
484
485 foreach ($roles_in_scope as $role)
486 {
487 if ($role['protected'] == true)
488 {
489 continue;
490 }
491
492 $role_ids[] = $role['obj_id'];
493 }
494
495 // return if no role in array
496 if (!$role_ids)
497 {
498 return true;
499 }
500
501 $query = 'DELETE FROM rbac_pa '.
502 'WHERE '.$ilDB->in('rol_id',$role_ids,false,'integer').' '.
503 'AND ref_id = '.$ilDB->quote($a_ref_id,'integer');
504 $res = $ilDB->manipulate($query);
505 }
506 else
507 {
508 #$log->write("ilRBACadmin::revokePermission(), 2");
509 // exclude system role from rbac
510 if ($a_rol_id == SYSTEM_ROLE_ID)
511 {
512 return true;
513 }
514
515 // exclude protected permission settings from revoking
516 if ($roles_in_scope[$a_rol_id]['protected'] == true)
517 {
518 return true;
519 }
520
521 $query = "DELETE FROM rbac_pa ".
522 "WHERE ref_id = ".$ilDB->quote($a_ref_id,'integer')." ".
523 "AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
524 $res = $ilDB->manipulate($query);
525 }
526
527 return true;
528 }

References $ilDB, $ilLog, $log, $query, and $res.

Referenced by adjustMovedObjectPermissions(), and copyRolePermissions().
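
The three branches of revokePermission() above, as an added example that is not part of the ILIAS code base: arrays stand in for rbac_pa and for the result of getParentRoleIds(), and the names revoke_permission and role_ids, the sample rows and the value 2 for SYSTEM_ROLE_ID are assumptions made for this sketch. It returns the rows that survive, so the effect of $a_keep_protected can be compared across calls.

```php
<?php
const SYSTEM_ROLE_ID = 2; // assumed value for this sketch

/**
 * $pa:    rows of rbac_pa, each array('rol_id' => int, 'ref_id' => int)
 * $scope: stand-in for getParentRoleIds($ref_id), keyed by role id,
 *         each entry array('obj_id' => int, 'protected' => bool)
 * Returns the rows that survive the revoke.
 */
function revoke_permission(array $pa, array $scope, $ref_id, $rol_id = 0, $keep_protected = true)
{
    // the system role is skipped whenever it is named explicitly
    if ($rol_id == SYSTEM_ROLE_ID) {
        return $pa;
    }
    if (!$keep_protected) {
        // bypass: matching rows go whether the role is protected or not
        $targets = $rol_id ? array($rol_id) : null; // null = every role
    } elseif (!$rol_id) {
        // all roles in scope except the protected ones
        $targets = array();
        foreach ($scope as $role) {
            if (!$role['protected']) {
                $targets[] = $role['obj_id'];
            }
        }
    } else {
        // single role: a protected role keeps its row
        $targets = empty($scope[$rol_id]['protected']) ? array($rol_id) : array();
    }

    $kept = array();
    foreach ($pa as $row) {
        $hit = $row['ref_id'] == $ref_id
            && ($targets === null || in_array($row['rol_id'], $targets));
        if (!$hit) {
            $kept[] = $row;
        }
    }
    return $kept;
}

function role_ids(array $rows)
{
    return array_column($rows, 'rol_id');
}

// Constructed sample data
$pa = array(
    array('rol_id' => 2,  'ref_id' => 70), // system role
    array('rol_id' => 10, 'ref_id' => 70), // protected role
    array('rol_id' => 11, 'ref_id' => 70), // ordinary role
    array('rol_id' => 11, 'ref_id' => 71), // same role, other object
);
$scope = array(
    10 => array('obj_id' => 10, 'protected' => true),
    11 => array('obj_id' => 11, 'protected' => false),
);

echo implode(',', role_ids(revoke_permission($pa, $scope, 70))), "\n";
echo implode(',', role_ids(revoke_permission($pa, $scope, 70, 10))), "\n";
echo implode(',', role_ids(revoke_permission($pa, $scope, 70, 0, false))), "\n";
```

With $a_keep_protected set to false and no role id, the DELETE is limited only by ref_id, so the rows of protected roles and of the system role on that object are removed as well.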

◆ revokePermissionList()

ilRbacAdmin::revokePermissionList (   $a_ref_ids,
  $a_rol_id 
)

Revokes permissions of a LIST of objects of ONE role.

Update of table rbac_pa. @access public

Parameters
array list of reference_ids to revoke permissions
integer role_id
Returns
boolean

Definition at line 583 of file class.ilRbacAdmin.php.

584 {
585 global $ilDB;
586
587 if (!isset($a_ref_ids) or !is_array($a_ref_ids))
588 {
589 $message = get_class($this)."::revokePermissionList(): Missing parameter or parameter is not an array! reference_list: ".var_export($a_ref_ids,true);
590 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
591 }
592
593 if (!isset($a_rol_id))
594 {
595 $message = get_class($this)."::revokePermissionList(): Missing parameter! rol_id: ".$a_rol_id;
596 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
597 }
598
599 // exclude system role from rbac
600 if ($a_rol_id == SYSTEM_ROLE_ID)
601 {
602 return true;
603 }
604
605 $query = "DELETE FROM rbac_pa ".
606 "WHERE ".$ilDB->in('ref_id',$a_ref_ids,false,'integer').' '.
607 "AND rol_id = ".$ilDB->quote($a_rol_id,'integer');
608 $res = $ilDB->manipulate($query);
609
610 return true;
611 }

References $ilDB, $query, and $res.

◆ revokeSubtreePermissions()

ilRbacAdmin::revokeSubtreePermissions (   $a_ref_id,
  $a_role_id 
)

Revoke subtree permissions.

Parameters
object $a_ref_id
object $a_role_id
Returns

Definition at line 536 of file class.ilRbacAdmin.php.

537 {
538 global $ilDB;
539
540 $query = 'DELETE FROM rbac_pa '.
541 'WHERE ref_id IN '.
542 '( '.$GLOBALS['tree']->getSubTreeQuery($a_ref_id,array('child')).' ) '.
543 'AND rol_id = '.$ilDB->quote($a_role_id,'integer');
544
545 $ilDB->manipulate($query);
546 return true;
547 }

References $ilDB, and $query.

◆ setBlockedStatus()

ilRbacAdmin::setBlockedStatus (   $a_role_id,
  $a_ref_id,
  $a_blocked_status 
)

Set blocked status.

Parameters
type $a_role_id
type $a_ref_id
type $a_blocked_status

Definition at line 48 of file class.ilRbacAdmin.php.

49 {
50 global $ilDB;
51
52 ilLoggerFactory::getLogger('crs')->logStack();
53 $query = 'UPDATE rbac_fa set blocked = '. $ilDB->quote($a_blocked_status,'integer').' '.
54 'WHERE rol_id = '.$ilDB->quote($a_role_id,'integer').' '.
55 'AND parent = '.$ilDB->quote($a_ref_id,'integer');
56 $ilDB->manipulate($query);
57 }

References $ilDB, $query, and ilLoggerFactory\getLogger().

◆ setProtected()

ilRbacAdmin::setProtected (   $a_ref_id,
  $a_role_id,
  $a_value 
)

Set protected @global $ilDB.

Parameters
type $a_ref_id
type $a_role_id
type $a_value y or n
Returns
boolean

Definition at line 1101 of file class.ilRbacAdmin.php.

1102 {
1103 global $ilDB;
1104
1105 // ref_id not used yet. protected permission acts 'global' for each role,
1106 // regardless of any broken inheritance before
1107 $query = 'UPDATE rbac_fa '.
1108 'SET protected = '.$ilDB->quote($a_value,'text').' '.
1109 'WHERE rol_id = '.$ilDB->quote($a_role_id,'integer');
1110 $res = $ilDB->manipulate($query);
1111 return true;
1112 }

References $ilDB, $query, and $res.

Referenced by copyRoleTemplatePermissions().

◆ setRolePermission()

ilRbacAdmin::setRolePermission (   $a_rol_id,
  $a_type,
  $a_ops,
  $a_ref_id 
)

Inserts template permissions in rbac_templates for a specific object type.

Update of table rbac_templates @access public

Parameters
integer role_id
string object type
array operation_ids
integer ref_id of role folder object
Returns
boolean

Definition at line 940 of file class.ilRbacAdmin.php.

941 {
942 global $ilDB;
943
944 if (!isset($a_rol_id) or !isset($a_type) or !isset($a_ops) or !isset($a_ref_id))
945 {
946 $message = get_class($this)."::setRolePermission(): Missing parameter!".
947 " role_id: ".$a_rol_id.
948 " type: ".$a_type.
949 " operations: ".$a_ops.
950 " ref_id: ".$a_ref_id;
951 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
952 }
953
954 if (!is_string($a_type) or empty($a_type))
955 {
956 $message = get_class($this)."::setRolePermission(): a_type is no string or empty!";
957 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
958 }
959
960 if (!is_array($a_ops) or empty($a_ops))
961 {
962 $message = get_class($this)."::setRolePermission(): a_ops is no array or empty!";
963 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
964 }
965
966 // exclude system role from rbac
967 if ($a_rol_id == SYSTEM_ROLE_ID)
968 {
969 return true;
970 }
971
972 $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
973 'VALUES (?,?,?,?)';
974 $sta = $ilDB->prepareManip($query,array('integer','text','integer','integer'));
975 foreach ($a_ops as $op)
976 {
977 $res = $ilDB->execute($sta,array(
978 $a_rol_id,
979 $a_type,
980 $op,
981 $a_ref_id
982 ));
983 }
984
985 return true;
986 }

References $ilDB, $query, and $res.


The documentation for this class was generated from the following file: