1<?php
2/* Copyright (c) 1998-2010 ILIAS open source, Extended GPL, see docs/LICENSE */
3
4
19{
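/**
 * Constructor.
 *
 * Binds the database handle and the error handler that every method of
 * this class uses. The database handle is the global $ilDB when present,
 * otherwise $ilias->db.
 *
 * Fix: the original stored $ilErr on $this->ilErr only in the branch where
 * a global $ilErr already existed. When a fresh ilErrorHandling had to be
 * created it was never assigned, so $this->ilErr stayed null and every
 * later raiseError() call would have died with a fatal "call on null"
 * instead of reporting the RBAC problem. The handler is now assigned in
 * both cases.
 */
public function __construct()
{
    global $ilDB, $ilErr, $ilias;

    // db handle: prefer the global, fall back to the ilias container
    if (isset($ilDB)) {
        $this->ilDB =& $ilDB;
    } else {
        $this->ilDB =& $ilias->db;
    }

    // error handler: create one with the standard PEAR callback if none exists yet
    if (!isset($ilErr)) {
        $ilErr = new ilErrorHandling();
        $ilErr->setErrorHandling(PEAR_ERROR_CALLBACK, array($ilErr, 'errorHandler'));
    }
    // always keep a reference, regardless of which branch ran above
    $this->ilErr =& $ilErr;
}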
41
/**
 * Set the "blocked" value of a role on one object (rbac_fa row).
 *
 * @param int $a_role_id        role id (rbac_fa.rol_id)
 * @param int $a_ref_id         ref_id of the object the role is assigned to (rbac_fa.parent)
 * @param int $a_blocked_status value written to rbac_fa.blocked; stored as integer, not otherwise validated
 *
 * NOTE(review): logStack() writes a full stack trace to the 'crs' log on
 * every call — this looks like a debugging leftover and is noisy in production.
 */
public function setBlockedStatus($a_role_id, $a_ref_id, $a_blocked_status)
{
    global $ilDB;

    ilLoggerFactory::getLogger('crs')->logStack();

    $blocked = $ilDB->quote($a_blocked_status, 'integer');
    $role    = $ilDB->quote($a_role_id, 'integer');
    $parent  = $ilDB->quote($a_ref_id, 'integer');

    $ilDB->manipulate(
        'UPDATE rbac_fa set blocked = ' . $blocked . ' ' .
        'WHERE rol_id = ' . $role . ' ' .
        'AND parent = ' . $parent
    );
}
58
/**
 * Remove every role assignment of a user (all rbac_ua rows with this usr_id).
 *
 * @param int $a_usr_id user id
 * @return bool always true
 *
 * A missing usr_id is reported through the error handler as a WARNING.
 * Whether execution continues past raiseError() depends on the configured
 * handler; if it does, the DELETE below is still executed with the
 * quoted (empty) id.
 */
public function removeUser($a_usr_id)
{
    global $ilDB;

    if (!isset($a_usr_id)) {
        $this->ilErr->raiseError(
            get_class($this) . "::removeUser(): No usr_id given!",
            $this->ilErr->WARNING
        );
    }

    $ilDB->manipulate(
        "DELETE FROM rbac_ua WHERE usr_id = " . $ilDB->quote($a_usr_id, 'integer')
    );

    return true;
}
81
/**
 * Delete a role from the RBAC tables.
 *
 * Removes the role's user assignments (rbac_ua), its permission
 * assignments (rbac_pa) and, through deleteLocalRole(), its template
 * permissions and role-folder assignments (rbac_templates, rbac_fa).
 * The LDAP role/group mapping of the role is deleted as well.
 * The role's object_data entry is not handled here.
 *
 * @param int $a_rol_id id of the role to delete
 * @param int $a_ref_id ref_id of the role folder (only checked for presence, not used otherwise)
 * @return bool true
 */
public function deleteRole($a_rol_id,$a_ref_id)
{
    global $lng,$ilDB;

    // parameter check; reported via the error handler as WARNING
    if (!isset($a_rol_id) or !isset($a_ref_id))
    {
        $message = get_class($this)."::deleteRole(): Missing parameter! role_id: ".$a_rol_id." ref_id of role folder: ".$a_ref_id;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    // exclude system role from rbac: the system role must never be deleted
    if ($a_rol_id == SYSTEM_ROLE_ID)
    {
        $this->ilErr->raiseError($lng->txt("msg_sysrole_not_deletable"),$this->ilErr->MESSAGE);
    }

    include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
    // NOTE(review): this listing shows no assignment of $mapping before the call;
    // the line obtaining the ilLDAPRoleGroupMapping instance appears to have been
    // dropped in rendering — verify against the source file.
    $mapping->deleteRole($a_rol_id);


    // TODO: check assigned users before deletion
    // This is done in ilObjRole. Should be better moved to this place?

    // delete user assignements
    $query = "DELETE FROM rbac_ua ".
    "WHERE rol_id = ".$ilDB->quote($a_rol_id,'integer');
    $res = $ilDB->manipulate($query);

    // delete permission assignments
    $query = "DELETE FROM rbac_pa ".
    "WHERE rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
    $res = $ilDB->manipulate($query);

    //delete rbac_templates and rbac_fa (all parents, since no ref_id is passed)
    $this->deleteLocalRole($a_rol_id);

    return true;
}
128
/**
 * Delete a role template: all rbac_templates and rbac_fa rows whose rol_id
 * equals the given object id, for every parent.
 *
 * @param int $a_obj_id id of the role template object
 * @return bool always true
 *
 * NOTE(review): unlike deleteLocalRole(), this method has no guard against
 * SYSTEM_ROLE_ID; callers are responsible for not passing the system role.
 */
public function deleteTemplate($a_obj_id)
{
    global $ilDB;

    if (!isset($a_obj_id)) {
        $this->ilErr->raiseError(
            get_class($this)."::deleteTemplate(): No obj_id given!",
            $this->ilErr->WARNING
        );
    }

    $rol_id = $ilDB->quote($a_obj_id,'integer');
    foreach (array('rbac_templates', 'rbac_fa') as $table) {
        $ilDB->manipulate('DELETE FROM '.$table.' WHERE rol_id = '.$rol_id);
    }

    return true;
}
155
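/**
 * Delete the role-folder assignment(s) and template permissions of a role.
 *
 * Removes rbac_fa and rbac_templates rows of $a_rol_id. With $a_ref_id = 0
 * every entry of the role is removed; otherwise only the entries whose
 * parent equals $a_ref_id. The system role is silently skipped.
 *
 * Fix: $clause was only defined when $a_ref_id != 0 but was concatenated
 * into both queries unconditionally (undefined-variable notice on the
 * $a_ref_id = 0 path). It is now initialised to the empty string so the
 * queries are built from a defined value in both cases.
 *
 * @param int $a_rol_id role id
 * @param int $a_ref_id ref_id of the parent object; 0 = all parents
 * @return bool true
 */
public function deleteLocalRole($a_rol_id,$a_ref_id = 0)
{
    global $ilDB;

    if (!isset($a_rol_id)) {
        $message = get_class($this)."::deleteLocalRole(): Missing parameter! role_id: '".$a_rol_id."'";
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID) {
        return true;
    }

    // restrict to one parent only when a ref_id was given
    $clause = '';
    if ($a_ref_id != 0) {
        $clause = 'AND parent = '.$ilDB->quote($a_ref_id,'integer').' ';
    }

    $rol_id = $ilDB->quote($a_rol_id,'integer');

    // role folder assignment(s)
    $ilDB->manipulate(
        'DELETE FROM rbac_fa '.
        'WHERE rol_id = '.$rol_id.' '.
        $clause
    );

    // template permissions
    $ilDB->manipulate(
        'DELETE FROM rbac_templates '.
        'WHERE rol_id = '.$rol_id.' '.
        $clause
    );
    return true;
}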
195
/**
 * Assign a user to a role only while the number of users assigned to the
 * roles in $a_limited_roles is below $a_limit.
 *
 * The count and the insert run inside one atom query with a table lock on
 * rbac_ua, so two concurrent calls cannot both pass the limit check.
 * Unlike assignUser(), no check is made whether the user already holds
 * the role.
 *
 * @param int   $a_role_id       role to assign
 * @param int   $a_usr_id        user to assign
 * @param int   $a_limit         maximum number of rbac_ua rows allowed for $a_limited_roles
 * @param array $a_limited_roles role ids whose assignments count against the limit
 * @return bool false when the limit is reached (nothing inserted), true otherwise
 */
public function assignUserLimited($a_role_id, $a_usr_id, $a_limit, $a_limited_roles = array())
{
    global $ilDB;

    $ilAtomQuery = $ilDB->buildAtomQuery();
    $ilAtomQuery->addTableLock('rbac_ua');

    // $ret is captured by reference so the outcome of the limit check is visible after run()
    $ilAtomQuery->addQueryCallable(
    function(ilDBInterface $ilDB) use(&$ret, $a_role_id, $a_usr_id,$a_limit, $a_limited_roles)
    {
        $ret = true;
        // count current assignments of every role that shares the limit
        // NOTE(review): behaviour of $ilDB->in() for an empty $a_limited_roles is not visible here — confirm
        $limit_query = 'SELECT COUNT(*) num FROM rbac_ua '.
        'WHERE '.$ilDB->in('rol_id',(array) $a_limited_roles,FALSE,'integer');
        $res = $ilDB->query($limit_query);
        // NOTE(review): $row is used below but no fetch from $res is shown in this
        // listing; a line appears to be missing from the rendering — check the source.
        if($row->num >= $a_limit)
        {
            $ret = false;
            return;
        }

        $query = "INSERT INTO rbac_ua (usr_id, rol_id) ".
        "VALUES (".
        $ilDB->quote($a_usr_id,'integer').",".$ilDB->quote($a_role_id,'integer').
        ")";
        $res = $ilDB->manipulate($query);
    });

    $ilAtomQuery->run();

    if(!$ret)
    {
        return false;
    }

    // keep the review cache, desktop items and LDAP mapping in sync, as assignUser() does
    $GLOBALS['rbacreview']->setAssignedCacheEntry($a_role_id,$a_usr_id,TRUE);

    $this->addDesktopItem($a_role_id,$a_usr_id);

    include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
    // NOTE(review): no assignment of $mapping is shown before this call (line dropped in rendering)
    $mapping->assign($a_role_id,$a_usr_id);
    return TRUE;
}
246
/**
 * Add all desktop items configured for a role to a user's personal desktop.
 *
 * @param int $a_rol_id role id whose ilRoleDesktopItem entries are applied
 * @param int $a_usr_id user receiving the items
 */
protected function addDesktopItem($a_rol_id, $a_usr_id)
{
    include_once 'Services/AccessControl/classes/class.ilRoleDesktopItem.php';

    $desktop_items = new ilRoleDesktopItem($a_rol_id);
    foreach ($desktop_items->getAll() as $item) {
        include_once './Services/User/classes/class.ilObjUser.php';
        ilObjUser::_addDesktopItem($a_usr_id, $item['item_id'], $item['item_type']);
    }
}
262
263
/**
 * Assign a user to a role.
 *
 * Inserts the rbac_ua row only if the user does not already hold the role,
 * then adds the role's desktop items to the user and updates the
 * rbacreview assignment cache. The LDAP role/group mapping is synced in
 * every case; the 'assignUser' event is raised only for a new assignment.
 *
 * @param int $a_rol_id role id
 * @param int $a_usr_id user id
 * @return bool always true
 *
 * Security note: the missing-parameter check below is disabled — the
 * raiseError() call is commented out — so a missing role or user id is
 * not rejected here. Callers must validate both ids before calling.
 */
public function assignUser($a_rol_id,$a_usr_id)
{
    global $ilDB,$rbacreview;

    if (!isset($a_rol_id) or !isset($a_usr_id))
    {
        // message is built but never reported (see security note above)
        $message = get_class($this)."::assignUser(): Missing parameter! role_id: ".$a_rol_id." usr_id: ".$a_usr_id;
        #$this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    // check if already assigned user id and role_id
    $alreadyAssigned = $rbacreview->isAssigned($a_usr_id,$a_rol_id);

    // enhanced: only if we haven't had this role for this user
    if (!$alreadyAssigned)
    {
        $query = "INSERT INTO rbac_ua (usr_id, rol_id) ".
        "VALUES (".$ilDB->quote($a_usr_id,'integer').",".$ilDB->quote($a_rol_id,'integer').")";
        $res = $ilDB->manipulate($query);

        $this->addDesktopItem($a_rol_id, $a_usr_id);

        $rbacreview->setAssignedCacheEntry($a_rol_id,$a_usr_id,true);
    }

    include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
    // NOTE(review): no assignment of $mapping is shown before this call; the line
    // obtaining the mapping instance appears to be missing from this listing.
    $mapping->assign($a_rol_id,$a_usr_id);


    $ref_id = $GLOBALS['rbacreview']->getObjectReferenceOfRole($a_rol_id);
    // NOTE(review): $obj_id is used below but never assigned in this listing
    // (presumably derived from $ref_id on a line dropped in rendering).
    $type = ilObject::_lookupType($obj_id);

    if(!$alreadyAssigned)
    {
        ilLoggerFactory::getInstance()->getLogger('ac')->debug('Raise event assign user');
        $GLOBALS['ilAppEventHandler']->raise(
        'Services/AccessControl',
        'assignUser',
        array(
        'obj_id' => $obj_id,
        'usr_id' => $a_usr_id,
        'role_id' => $a_rol_id,
        'type' => $type
        )
        );
    }
    return TRUE;
}
323
/**
 * Remove a user from a role.
 *
 * Deletes the rbac_ua row, clears the rbacreview assignment cache entry,
 * syncs the LDAP role/group mapping and raises the 'deassignUser' event.
 * There is no prior isAssigned() check, so the event is raised even when
 * the user did not hold the role.
 *
 * @param int $a_rol_id role id
 * @param int $a_usr_id user id
 * @return bool always true
 */
public function deassignUser($a_rol_id,$a_usr_id)
{
    global $ilDB, $rbacreview;

    if (!isset($a_rol_id) or !isset($a_usr_id))
    {
        $message = get_class($this)."::deassignUser(): Missing parameter! role_id: ".$a_rol_id." usr_id: ".$a_usr_id;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    $query = "DELETE FROM rbac_ua ".
    "WHERE usr_id = ".$ilDB->quote($a_usr_id,'integer')." ".
    "AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
    $res = $ilDB->manipulate($query);

    $rbacreview->setAssignedCacheEntry($a_rol_id,$a_usr_id,false);

    include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
    // NOTE(review): no assignment of $mapping is shown before this call; the line
    // obtaining the mapping instance appears to be missing from this listing.
    $mapping->deassign($a_rol_id,$a_usr_id);

    $ref_id = $GLOBALS['rbacreview']->getObjectReferenceOfRole($a_rol_id);
    // NOTE(review): $obj_id is used below but never assigned in this listing
    // (presumably derived from $ref_id on a line dropped in rendering).
    $type = ilObject::_lookupType($obj_id);

    ilLoggerFactory::getInstance()->getLogger('ac')->debug('Raise event deassign user');
    $GLOBALS['ilAppEventHandler']->raise(
    'Services/AccessControl',
    'deassignUser',
    array(
    'obj_id' => $obj_id,
    'usr_id' => $a_usr_id,
    'role_id' => $a_rol_id,
    'type' => $type
    )
    );
    return TRUE;
}
369
/**
 * Grant a set of operations to a role on one object (rbac_pa).
 *
 * Existing rbac_pa rows of the (role, ref_id) pair are deleted first, then
 * one row holding the serialized list of operation ids is inserted. An
 * empty operations array therefore leaves the role with no permissions on
 * the object and the method returns false.
 *
 * @param int   $a_rol_id role id
 * @param array $a_ops    operation ids; each element is cast to int before storage
 * @param int   $a_ref_id ref_id of the object
 * @return bool true after the insert; false when $a_ops is empty (rows deleted only)
 *
 * Security note: ops_id is stored with serialize(). Every element is cast
 * to int first, so the stored blob only ever contains an array of
 * integers; readers that unserialize() it depend on that. Nothing is
 * stored for the system role.
 */
public function grantPermission($a_rol_id,$a_ops,$a_ref_id)
{
    global $ilDB;

    if (!isset($a_rol_id) or !isset($a_ops) or !isset($a_ref_id)) {
        $this->ilErr->raiseError(get_class($this)."::grantPermission(): Missing parameter! ".
            "role_id: ".$a_rol_id." ref_id: ".$a_ref_id." operations: ",$this->ilErr->WARNING);
    }

    if (!is_array($a_ops)) {
        $this->ilErr->raiseError(get_class($this)."::grantPermission(): Wrong datatype for operations!",
            $this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID) {
        return true;
    }

    // force every operation id to int before serialising
    foreach ($a_ops as $key => $operation) {
        $a_ops[$key] = (int) $operation;
    }
    $ops_ids = serialize($a_ops);

    // replace semantics: drop whatever the role already has on this object ...
    $ilDB->queryF(
        'DELETE FROM rbac_pa WHERE rol_id = %s AND ref_id = %s',
        array('integer','integer'),
        array($a_rol_id,$a_ref_id)
    );

    // ... and with nothing left to grant, stop here (acts as a plain revoke)
    if (!count($a_ops)) {
        return false;
    }

    $ilDB->manipulate(
        "INSERT INTO rbac_pa (rol_id,ops_id,ref_id) VALUES (".
        $ilDB->quote($a_rol_id,'integer').",".
        $ilDB->quote($ops_ids,'text').",".
        $ilDB->quote($a_ref_id,'integer').")"
    );

    return true;
}
433
/**
 * Revoke permissions (rbac_pa rows) on one object.
 *
 * Two modes:
 *  - $a_keep_protected = false: delete rbac_pa rows on $a_ref_id for the
 *    given role, or for ALL roles when $a_rol_id is 0 — protected roles
 *    included. Only the system role is skipped.
 *  - $a_keep_protected = true (default): roles in scope of $a_ref_id are
 *    read via rbacreview and protected ones are left untouched. With
 *    $a_rol_id = 0 every non-protected role in scope is revoked; with a
 *    role id only that role, unless it is protected.
 *
 * @param int  $a_ref_id         ref_id of the object
 * @param int  $a_rol_id         role id, 0 = all roles
 * @param bool $a_keep_protected false bypasses the protected flag (see above)
 * @return bool true
 *
 * Security note: the bypass mode with $a_rol_id = 0 wipes every permission
 * assignment on the object, including those of protected roles. Callers
 * must only pass false deliberately (adjustMovedObjectPermissions() does so
 * for roles that leave the scope). In the protected-aware mode, a role id
 * that is not in $roles_in_scope has no 'protected' entry and is treated as
 * unprotected.
 */
public function revokePermission($a_ref_id,$a_rol_id = 0,$a_keep_protected = true)
{
    global $rbacreview,$log,$ilDB,$ilLog;

    if (!isset($a_ref_id))
    {
        $ilLog->logStack();
        $message = get_class($this)."::revokePermission(): Missing parameter! ref_id: ".$a_ref_id;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }
    #$log->write("ilRBACadmin::revokePermission(), 0");

    // bypass protected status of roles
    if ($a_keep_protected != true)
    {
        // exclude system role from rbac
        if ($a_rol_id == SYSTEM_ROLE_ID)
        {
            return true;
        }

        // no role id: delete for every role on this object
        if ($a_rol_id)
        {
            $and1 = " AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
        }
        else
        {
            $and1 = "";
        }

        $query = "DELETE FROM rbac_pa ".
        "WHERE ref_id = ".$ilDB->quote($a_ref_id,'integer').
        $and1;

        $res = $ilDB->manipulate($query);

        return true;
    }

    // consider protected status of roles

    // in any case, get all roles in scope first (keyed by role id)
    $roles_in_scope = $rbacreview->getParentRoleIds($a_ref_id);

    if (!$a_rol_id)
    {
        #$log->write("ilRBACadmin::revokePermission(), 1");

        // collect the non-protected roles in scope
        $role_ids = array();

        foreach ($roles_in_scope as $role)
        {
            if ($role['protected'] == true)
            {
                continue;
            }

            $role_ids[] = $role['obj_id'];
        }

        // return if no role in array
        if (!$role_ids)
        {
            return true;
        }

        $query = 'DELETE FROM rbac_pa '.
        'WHERE '.$ilDB->in('rol_id',$role_ids,false,'integer').' '.
        'AND ref_id = '.$ilDB->quote($a_ref_id,'integer');
        $res = $ilDB->manipulate($query);
    }
    else
    {
        #$log->write("ilRBACadmin::revokePermission(), 2");
        // exclude system role from rbac
        if ($a_rol_id == SYSTEM_ROLE_ID)
        {
            return true;
        }

        // exclude protected permission settings from revoking
        if ($roles_in_scope[$a_rol_id]['protected'] == true)
        {
            return true;
        }

        $query = "DELETE FROM rbac_pa ".
        "WHERE ref_id = ".$ilDB->quote($a_ref_id,'integer')." ".
        "AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
        $res = $ilDB->manipulate($query);
    }

    return true;
}
537
/**
 * Revoke all rbac_pa rows of one role for every node in the subtree of
 * $a_ref_id. The protected flag is NOT considered here.
 *
 * @param int $a_ref_id  root of the subtree
 * @param int $a_role_id role id
 * @return bool always true
 *
 * NOTE(review): $a_ref_id is not quoted in this method; it is handed to the
 * tree service, which is assumed to build the nested subtree query safely —
 * confirm in ilTree::getSubTreeQuery().
 */
public function revokeSubtreePermissions($a_ref_id,$a_role_id)
{
    global $ilDB;

    $subtree_sql = $GLOBALS['tree']->getSubTreeQuery($a_ref_id,array('child'));

    $ilDB->manipulate(
        'DELETE FROM rbac_pa '.
        'WHERE ref_id IN '.
        '( '.$subtree_sql.' ) '.
        'AND rol_id = '.$ilDB->quote($a_role_id,'integer')
    );
    return true;
}
556
/**
 * Delete the template permissions (rbac_templates) and role folder
 * assignments (rbac_fa) of one role for every node in the subtree of
 * $a_ref_id.
 *
 * @param int $a_ref_id root of the subtree
 * @param int $a_rol_id role id
 * @return bool always true
 *
 * NOTE(review): as in revokeSubtreePermissions(), $a_ref_id is passed to
 * the tree service unquoted; the nested query is trusted to be built safely.
 */
public function deleteSubtreeTemplates($a_ref_id,$a_rol_id)
{
    global $ilDB;

    $role = $ilDB->quote($a_rol_id,'integer');

    // template permissions below the root
    $ilDB->manipulate(
        'DELETE FROM rbac_templates '.
        'WHERE parent IN ( '.
        $GLOBALS['tree']->getSubTreeQuery($a_ref_id, array('child')).' ) '.
        'AND rol_id = '.$role
    );

    // role folder assignments below the root
    $ilDB->manipulate(
        'DELETE FROM rbac_fa '.
        'WHERE parent IN ( '.
        $GLOBALS['tree']->getSubTreeQuery($a_ref_id,array('child')).' ) '.
        'AND rol_id = '.$role
    );

    return true;
}
583
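/**
 * Revoke the rbac_pa rows of one role on a list of objects.
 * The protected flag is NOT considered; only the system role is skipped.
 *
 * Fix: the error message for a bad $a_ref_ids used var_dump(), which
 * prints the dump straight into the response body (leaking internal
 * state to the client) and returns null, so the logged message carried
 * no information. print_r(..., true) returns the dump as a string instead.
 *
 * @param array $a_ref_ids ref_ids of the objects
 * @param int   $a_rol_id  role id
 * @return bool true
 */
public function revokePermissionList($a_ref_ids,$a_rol_id)
{
    global $ilDB;

    if (!isset($a_ref_ids) or !is_array($a_ref_ids)) {
        $message = get_class($this)."::revokePermissionList(): Missing parameter or parameter is not an array! reference_list: ".print_r($a_ref_ids, true);
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    if (!isset($a_rol_id)) {
        $message = get_class($this)."::revokePermissionList(): Missing parameter! rol_id: ".$a_rol_id;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID) {
        return true;
    }

    $ilDB->manipulate(
        "DELETE FROM rbac_pa ".
        "WHERE ".$ilDB->in('ref_id',$a_ref_ids,false,'integer').' '.
        "AND rol_id = ".$ilDB->quote($a_rol_id,'integer')
    );

    return true;
}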
620
/**
 * Copy both the template permissions and the object permissions of one
 * role to another.
 *
 * Step 1 copies rbac_templates (and, if requested, the protected flag)
 * via copyRoleTemplatePermissions(). Step 2 reads the source role's
 * operations on its parent and replaces the destination role's rbac_pa
 * row on the destination parent with them.
 *
 * @param int  $a_source_id          source role id
 * @param int  $a_source_parent      ref_id the source role's template/permissions are read at
 * @param int  $a_dest_parent        ref_id the destination role's template/permissions are written at
 * @param int  $a_dest_id            destination role id
 * @param bool $a_consider_protected also copy the protected flag
 * @return bool always true
 *
 * Note: revokePermission() is called with the default $a_keep_protected =
 * true and so may skip a protected destination role, but grantPermission()
 * deletes the existing rbac_pa rows of the pair before inserting anyway,
 * so the destination permissions are replaced either way.
 */
public function copyRolePermissions($a_source_id,$a_source_parent,$a_dest_parent,$a_dest_id,$a_consider_protected = true)
{
    global $tree,$rbacreview;

    // 1. template permissions
    $this->copyRoleTemplatePermissions($a_source_id,$a_source_parent,$a_dest_parent,$a_dest_id,$a_consider_protected);

    // 2. object permissions
    $source_ops = $rbacreview->getRoleOperationsOnObject($a_source_id,$a_source_parent);
    $this->revokePermission($a_dest_parent,$a_dest_id);
    $this->grantPermission($a_dest_id,$source_ops,$a_dest_parent);

    return true;
}
644
/**
 * Copy the template permissions (rbac_templates) of one role to another.
 *
 * The destination template at $a_dest_parent is replaced: its rows are
 * deleted and every (type, ops_id) pair of the source template is
 * inserted. If $a_consider_protected is set and the source is protected,
 * the destination is marked protected via setProtected() — which, as
 * documented there, applies to every rbac_fa row of the destination role.
 *
 * @param int  $a_source_id          source role id
 * @param int  $a_source_parent      parent of the source template
 * @param int  $a_dest_parent        parent of the destination template
 * @param int  $a_dest_id            destination role id (system role is skipped)
 * @param bool $a_consider_protected copy the protected flag as well
 * @return bool always true
 */
public function copyRoleTemplatePermissions($a_source_id,$a_source_parent,$a_dest_parent,$a_dest_id,$a_consider_protected = true)
{
    global $rbacreview,$ilDB;

    if (!isset($a_source_id) or !isset($a_source_parent) or !isset($a_dest_id) or !isset($a_dest_parent)) {
        $this->ilErr->raiseError(
            __METHOD__.": Missing parameter! source_id: ".$a_source_id.
            " source_parent_id: ".$a_source_parent.
            " dest_id : ".$a_dest_id.
            " dest_parent_id: ".$a_dest_parent,
            $this->ilErr->WARNING
        );
    }

    // exclude system role from rbac
    if ($a_dest_id == SYSTEM_ROLE_ID) {
        return true;
    }

    // read the (type, ops_id) pairs of the source template
    $source_rows = $ilDB->query(
        'SELECT * FROM rbac_templates '.
        'WHERE rol_id = '.$ilDB->quote($a_source_id,'integer').' '.
        'AND parent = '.$ilDB->quote($a_source_parent,'integer')
    );
    $pairs = array();
    while ($row = $ilDB->fetchObject($source_rows)) {
        $pairs[] = array('type' => $row->type, 'ops_id' => $row->ops_id);
    }

    // replace the destination template: delete, then re-insert every pair
    $ilDB->manipulate(
        'DELETE FROM rbac_templates WHERE rol_id = '.$ilDB->quote($a_dest_id,'integer').' '.
        'AND parent = '.$ilDB->quote($a_dest_parent,'integer')
    );

    foreach ($pairs as $pair) {
        $ilDB->manipulate(
            'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
            'VALUES ('.
            $ilDB->quote($a_dest_id,'integer').",".
            $ilDB->quote($pair['type'],'text').",".
            $ilDB->quote($pair['ops_id'],'integer').",".
            $ilDB->quote($a_dest_parent,'integer').")"
        );
    }

    // copy also protection status if applicable
    if ($a_consider_protected == true && $rbacreview->isProtected($a_source_parent,$a_source_id)) {
        $this->setProtected($a_dest_parent,$a_dest_id,'y');
    }

    return true;
}
/**
 * Replace the destination template with the intersection of two role
 * templates: only (type, ops_id) pairs present in BOTH source templates
 * are written to rbac_templates for $a_dest_id at $a_dest_parent.
 *
 * Nothing is done for the system role, or when the second source role is
 * protected at its parent (the first source's protected flag is not
 * checked).
 *
 * @param int $a_source1_id     first source role id
 * @param int $a_source1_parent parent of the first source template
 * @param int $a_source2_id     second source role id
 * @param int $a_source2_parent parent of the second source template
 * @param int $a_dest_parent    parent of the destination template
 * @param int $a_dest_id        destination role id
 * @return bool always true
 */
public function copyRolePermissionIntersection($a_source1_id,$a_source1_parent,$a_source2_id,$a_source2_parent,$a_dest_parent,$a_dest_id)
{
    global $rbacreview,$ilDB;

    if (!isset($a_source1_id) or !isset($a_source1_parent)
    or !isset($a_source2_id) or !isset($a_source2_parent)
    or !isset($a_dest_id) or !isset($a_dest_parent))
    {
        $message = get_class($this)."::copyRolePermissionIntersection(): Missing parameter! source1_id: ".$a_source1_id.
        " source1_parent: ".$a_source1_parent.
        " source2_id: ".$a_source2_id.
        " source2_parent: ".$a_source2_parent.
        " dest_id: ".$a_dest_id.
        " dest_parent_id: ".$a_dest_parent;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_dest_id == SYSTEM_ROLE_ID)
    {
        ilLoggerFactory::getLogger('ac')->debug('Ignoring system role.');
        return true;
    }

    // a protected second source keeps its template untouched
    if ($rbacreview->isProtected($a_source2_parent,$a_source2_id))
    {
        $GLOBALS['ilLog']->write(__METHOD__.': Role is protected');
        return true;
    }

    // self-join on rbac_templates: pairs that exist in both source templates
    $query = "SELECT s1.type, s1.ops_id ".
    "FROM rbac_templates s1, rbac_templates s2 ".
    "WHERE s1.rol_id = ".$ilDB->quote($a_source1_id,'integer')." ".
    "AND s1.parent = ".$ilDB->quote($a_source1_parent,'integer')." ".
    "AND s2.rol_id = ".$ilDB->quote($a_source2_id,'integer')." ".
    "AND s2.parent = ".$ilDB->quote($a_source2_parent,'integer')." ".
    "AND s1.type = s2.type ".
    "AND s1.ops_id = s2.ops_id";

    // NOTE(review): one line between the query construction and its execution
    // is missing from this listing (dropped in rendering).

    $res = $ilDB->query($query);
    $operations = array();
    $rowNum = 0;
    while($row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT))
    {
        $operations[$rowNum]['type'] = $row->type;
        $operations[$rowNum]['ops_id'] = $row->ops_id;

        $rowNum++;
    }

    // Delete template permissions of target
    $query = 'DELETE FROM rbac_templates WHERE rol_id = '.$ilDB->quote($a_dest_id,'integer').' '.
    'AND parent = '.$ilDB->quote($a_dest_parent,'integer');
    $res = $ilDB->manipulate($query);

    // one prepared statement, executed once per intersecting pair
    $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
    'VALUES (?,?,?,?)';
    $sta = $ilDB->prepareManip($query,array('integer','text','integer','integer'));
    foreach($operations as $key => $set)
    {
        $ilDB->execute($sta,array(
        $a_dest_id,
        $set['type'],
        $set['ops_id'],
        $a_dest_parent));
    }
    return true;
}
798
/**
 * Replace the destination template with the union of two role templates.
 *
 * The destination's rbac_templates rows at $a_dest_parent are deleted
 * (deleteRolePermission()), then every (type, ops_id) pair of the first
 * source is inserted, followed by the pairs of the second source that the
 * first one does not have.
 *
 * @param int $a_source1_id     first source role id
 * @param int $a_source1_parent parent of the first source template
 * @param int $a_source2_id     second source role id
 * @param int $a_source2_parent parent of the second source template
 * @param int $a_dest_id        destination role id
 * @param int $a_dest_parent    parent of the destination template
 * @return bool always true
 *
 * NOTE(review): both source operation arrays are dumped in full to the
 * log on every call (print_r); this is verbose for a routine operation.
 */
public function copyRolePermissionUnion(
    $a_source1_id,
    $a_source1_parent,
    $a_source2_id,
    $a_source2_parent,
    $a_dest_id,
    $a_dest_parent)
{
    global $ilDB, $rbacreview;

    $ops_1 = $rbacreview->getAllOperationsOfRole($a_source1_id,$a_source1_parent);
    $ops_2 = $rbacreview->getAllOperationsOfRole($a_source2_id,$a_source2_parent);

    // start from an empty destination template
    $this->deleteRolePermission($a_dest_id, $a_dest_parent);

    $GLOBALS['ilLog']->write(__METHOD__.': '.print_r($ops_1,TRUE));
    $GLOBALS['ilLog']->write(__METHOD__.': '.print_r($ops_2,TRUE));

    $insert_template_row = function ($type, $op) use ($ilDB, $a_dest_id, $a_dest_parent) {
        $ilDB->manipulate(
            'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
            'VALUES( '.
            $ilDB->quote($a_dest_id,'integer').', '.
            $ilDB->quote($type,'text').', '.
            $ilDB->quote($op,'integer').', '.
            $ilDB->quote($a_dest_parent,'integer').' '.
            ')'
        );
    };

    // everything from source 1 (#15469)
    foreach ($ops_1 as $type => $ops) {
        foreach ($ops as $op) {
            $insert_template_row($type, $op);
        }
    }

    // plus whatever source 2 adds on top (loose in_array comparison, as before)
    foreach ($ops_2 as $type => $ops) {
        foreach ($ops as $op) {
            if (!isset($ops_1[$type]) or !in_array($op, $ops_1[$type])) {
                $insert_template_row($type, $op);
            }
        }
    }

    return true;
}
867
/**
 * Subtract one role template from another: every (type, ops_id) pair the
 * source role has at its parent is removed from the destination role's
 * template at $a_dest_parent (if present there).
 *
 * @param int $a_source_id     source role id
 * @param int $a_source_parent parent of the source template
 * @param int $a_dest_id       destination role id
 * @param int $a_dest_parent   parent of the destination template
 * @return bool always true
 */
public function copyRolePermissionSubtract($a_source_id, $a_source_parent, $a_dest_id, $a_dest_parent)
{
    global $rbacreview, $ilDB;

    $source_ops = $rbacreview->getAllOperationsOfRole($a_source_id,$a_source_parent);
    $dest_ops   = $rbacreview->getAllOperationsOfRole($a_dest_id,$a_dest_parent);

    foreach ($source_ops as $type => $ops_of_type) {
        // nothing to subtract for object types the destination has no entry for
        if (!isset($dest_ops[$type])) {
            continue;
        }
        foreach ($ops_of_type as $op) {
            // loose in_array comparison, matching the original behaviour
            if (!in_array($op, $dest_ops[$type])) {
                continue;
            }
            $ilDB->manipulate(
                'DELETE FROM rbac_templates '.
                'WHERE rol_id = '.$ilDB->quote($a_dest_id,'integer').' '.
                'AND type = '.$ilDB->quote($type,'text').' '.
                'AND ops_id = '.$ilDB->quote($op,'integer').' '.
                'AND parent = '.$ilDB->quote($a_dest_parent,'integer')
            );
        }
    }
    return true;
}
899
900
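/**
 * Delete the template permissions (rbac_templates) of a role at one parent,
 * optionally restricted to a single object type.
 *
 * Fix: $and_type was only defined when $a_type !== false but was
 * concatenated into the query unconditionally (undefined-variable notice
 * on the default path). It is now initialised to the empty string.
 *
 * @param int          $a_rol_id role id (system role is skipped)
 * @param int          $a_ref_id parent of the template
 * @param string|false $a_type   object type to restrict to; false = all types
 * @return bool true
 */
public function deleteRolePermission($a_rol_id,$a_ref_id,$a_type = false)
{
    global $ilDB;

    if (!isset($a_rol_id) or !isset($a_ref_id)) {
        $message = get_class($this)."::deleteRolePermission(): Missing parameter! role_id: ".$a_rol_id." ref_id: ".$a_ref_id;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID) {
        return true;
    }

    // optional type restriction
    $and_type = '';
    if ($a_type !== false) {
        $and_type = " AND type=".$ilDB->quote($a_type,'text')." ";
    }

    $ilDB->manipulate(
        'DELETE FROM rbac_templates '.
        'WHERE rol_id = '.$ilDB->quote($a_rol_id,'integer').' '.
        'AND parent = '.$ilDB->quote($a_ref_id,'integer').' '.
        $and_type
    );

    return true;
}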
941
/**
 * Set template permissions of a role for one object type at one parent.
 *
 * One rbac_templates row per operation is written with $ilDB->replace();
 * all four columns are passed as key columns and there are no non-key
 * columns, so repeating the call with the same operations is harmless.
 *
 * @param int    $a_rol_id role id (system role is skipped)
 * @param string $a_type   object type
 * @param array  $a_ops    operation ids (must be a non-empty array)
 * @param int    $a_ref_id parent of the template
 * @return bool always true
 */
public function setRolePermission($a_rol_id,$a_type,$a_ops,$a_ref_id)
{
    global $ilDB;

    if (!isset($a_rol_id) or !isset($a_type) or !isset($a_ops) or !isset($a_ref_id)) {
        $this->ilErr->raiseError(
            get_class($this)."::setRolePermission(): Missing parameter!".
            " role_id: ".$a_rol_id.
            " type: ".$a_type.
            " operations: ".$a_ops.
            " ref_id: ".$a_ref_id,
            $this->ilErr->WARNING
        );
    }

    if (!is_string($a_type) or empty($a_type)) {
        $this->ilErr->raiseError(
            get_class($this)."::setRolePermission(): a_type is no string or empty!",
            $this->ilErr->WARNING
        );
    }

    if (!is_array($a_ops) or empty($a_ops)) {
        $this->ilErr->raiseError(
            get_class($this)."::setRolePermission(): a_ops is no array or empty!",
            $this->ilErr->WARNING
        );
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID) {
        return true;
    }

    foreach ($a_ops as $op_id) {
        $key_columns = [
            'rol_id' => ['integer', $a_rol_id],
            'type'   => ['text', $a_type],
            'ops_id' => ['integer', $op_id],
            'parent' => ['integer', $a_ref_id]
        ];
        $ilDB->replace('rbac_templates', $key_columns, []);
    }
    return true;
}
999
/**
 * Assign a role to a role folder (create the rbac_fa row).
 *
 * New rows are always written with protected = 'n'; use setProtected()
 * to change that. If a row for the (rol_id, parent) pair already exists,
 * nothing is written and false is returned.
 *
 * @param int    $a_rol_id role id (system role is skipped)
 * @param int    $a_parent ref_id of the role folder / object
 * @param string $a_assign "y" is kept as-is; any other value is stored as "n"
 * @return bool true on insert or system role; false if already assigned
 *
 * NOTE(review): the SELECT/INSERT pair is not atomic. Unless the schema
 * enforces uniqueness on (rol_id, parent), two concurrent calls can both
 * pass the check and insert — confirm the constraint exists.
 */
public function assignRoleToFolder($a_rol_id,$a_parent,$a_assign = "y")
{
    global $ilDB,$rbacreview;

    if (!isset($a_rol_id) or !isset($a_parent)) {
        $this->ilErr->raiseError(
            get_class($this)."::assignRoleToFolder(): Missing Parameter!".
            " role_id: ".$a_rol_id.
            " parent_id: ".$a_parent.
            " assign: ".$a_assign,
            $this->ilErr->WARNING
        );
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID) {
        return true;
    }

    // if a wrong value is passed, always set assign to "n"
    if ($a_assign != "y") {
        $a_assign = "n";
    }

    // refuse a duplicate (rol_id, parent) pair
    $existing = $ilDB->query(
        'SELECT rol_id FROM rbac_fa '.
        'WHERE rol_id = '.$ilDB->quote($a_rol_id,'integer'). ' '.
        'AND parent = '. $ilDB->quote($a_parent,'integer')
    );
    if ($existing->numRows()) {
        ilLoggerFactory::getLogger('ac')->info('Role already assigned to object');
        return false;
    }

    $ilDB->manipulate(sprintf(
        'INSERT INTO rbac_fa (rol_id, parent, assign, protected) VALUES (%s,%s,%s,%s)',
        $ilDB->quote($a_rol_id,'integer'),
        $ilDB->quote($a_parent,'integer'),
        $ilDB->quote($a_assign,'text'),
        $ilDB->quote('n','text')
    ));

    return true;
}
1059
/**
 * Assign an operation to an object type (insert into rbac_ta).
 *
 * @param int $a_type_id object type id (rbac_ta.typ_id)
 * @param int $a_ops_id  operation id
 * @return bool always true
 *
 * There is no duplicate check here; inserting the same (typ_id, ops_id)
 * pair twice is left to the database schema to accept or reject.
 */
public function assignOperationToObject($a_type_id,$a_ops_id)
{
    global $ilDB;

    if (!isset($a_type_id) or !isset($a_ops_id)) {
        $this->ilErr->raiseError(
            get_class($this)."::assignOperationToObject(): Missing parameter!".
            "type_id: ".$a_type_id.
            "ops_id: ".$a_ops_id,
            $this->ilErr->WARNING
        );
    }

    $ilDB->manipulate(
        "INSERT INTO rbac_ta (typ_id, ops_id) ".
        "VALUES(".$ilDB->quote($a_type_id,'integer').",".$ilDB->quote($a_ops_id,'integer').")"
    );
    return true;
}
1085
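/**
 * Remove an operation from an object type (delete from rbac_ta).
 *
 * Fix: the missing-parameter message named a method that does not exist
 * ("deassignPermissionFromObject"), which makes the error impossible to
 * trace back to this code; it now reports this method's name. The method
 * is also declared public explicitly (it was implicitly public before).
 *
 * @param int $a_type_id object type id (rbac_ta.typ_id)
 * @param int $a_ops_id  operation id
 * @return bool always true
 */
public function deassignOperationFromObject($a_type_id,$a_ops_id)
{
    global $ilDB;

    if (!isset($a_type_id) or !isset($a_ops_id)) {
        $message = get_class($this)."::deassignOperationFromObject(): Missing parameter!".
            "type_id: ".$a_type_id.
            "ops_id: ".$a_ops_id;
        $this->ilErr->raiseError($message,$this->ilErr->WARNING);
    }

    $ilDB->manipulate(
        "DELETE FROM rbac_ta ".
        "WHERE typ_id = ".$ilDB->quote($a_type_id,'integer')." ".
        "AND ops_id = ".$ilDB->quote($a_ops_id,'integer')
    );

    return true;
}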
1113
/**
 * Set the protected flag of a role.
 *
 * Security note: $a_ref_id is accepted but ignored — the UPDATE matches on
 * rol_id only, so the flag changes on EVERY rbac_fa row of the role, i.e.
 * at every object it is assigned to, not just at $a_ref_id. The original
 * comment states this is intentional (protection acts globally for a
 * role, regardless of broken inheritance). A caller wanting to protect or
 * unprotect a role at a single node cannot do so with this method.
 *
 * @param int    $a_ref_id  unused
 * @param int    $a_role_id role id
 * @param string $a_value   value written to rbac_fa.protected (e.g. 'y' as passed
 *                          by copyRoleTemplatePermissions()); not validated here
 * @return bool always true
 */
public function setProtected($a_ref_id,$a_role_id,$a_value)
{
    global $ilDB;

    // ref_id not used yet. protected permission acts 'global' for each role,
    // regardless of any broken inheritance before
    $ilDB->manipulate(
        'UPDATE rbac_fa '.
        'SET protected = '.$ilDB->quote($a_value,'text').' '.
        'WHERE rol_id = '.$ilDB->quote($a_role_id,'integer')
    );
    return true;
}
1134
/**
 * Copy the local roles of one role folder to another.
 *
 * Roles whose title starts with "il_" are skipped. For every remaining
 * role a new ilObjRole with the same title, description and import id is
 * created, assigned to the target folder with assign = "y", and given the
 * source role's permissions via copyRolePermissions() (protected flag
 * included).
 *
 * @param int $a_source_id ref_id of the source role folder
 * @param int $a_target_id ref_id of the target role folder
 * @return bool|null true when there was nothing to copy; no explicit return otherwise
 */
public function copyLocalRoles($a_source_id,$a_target_id)
{
    global $rbacreview,$ilLog,$ilObjDataCache;

    // collect the roles worth copying (skip auto-generated il_* roles)
    $to_copy = array();
    foreach ($rbacreview->getRolesOfRoleFolder($a_source_id,false) as $source_role_id) {
        $title = $ilObjDataCache->lookupTitle($source_role_id);
        if (substr($title,0,3) === 'il_') {
            continue;
        }
        $to_copy[] = $source_role_id;
    }
    if (!count($to_copy)) {
        return true;
    }

    foreach ($to_copy as $source_role_id) {
        include_once ("./Services/AccessControl/classes/class.ilObjRole.php");
        $source = new ilObjRole($source_role_id);
        $source->read();

        $ilLog->write(__METHOD__.': Start copying of role '.$source->getTitle());

        // clone the role object itself ...
        $copy = new ilObjRole();
        $copy->setTitle($source->getTitle());
        $copy->setDescription($source->getDescription());
        $copy->setImportId($source->getImportId());
        $copy->create();

        // ... then attach it to the target folder and copy its permissions
        $this->assignRoleToFolder($copy->getId(),$a_target_id,"y");
        $this->copyRolePermissions($source_role_id,$a_source_id,$a_target_id,$copy->getId(),true);
        $ilLog->write(__METHOD__.': Added new local role, id '.$copy->getId());
    }

}
1183
/**
 * Initialise the permissions of a role on an object from a template.
 *
 * Protected role (at $a_role_parent): the role's operations for the
 * object's type, read at $a_role_parent, are granted on $a_ref_id
 * directly and the method returns.
 *
 * Otherwise, when a template id is given: a local template for the role
 * is built on $a_ref_id as the intersection of the template and the role's
 * own template (copyRolePermissionIntersection()), the role is assigned
 * to $a_ref_id with assign = 'n', the existing rbac_pa rows of the role
 * on the object are revoked and the operations resulting from the new
 * local template are granted.
 *
 * @param int $a_ref_id          ref_id of the object
 * @param int $a_role_id         role id
 * @param int $a_role_parent     parent used to read the role's protected flag and operations
 * @param int $a_template_id     role template id; empty/0 aborts with a log entry
 * @param int $a_template_parent parent of the role template
 */
public function initIntersectionPermissions($a_ref_id, $a_role_id, $a_role_parent, $a_template_id, $a_template_parent)
{
    global $rbacreview;

    if($rbacreview->isProtected($a_role_parent, $a_role_id))
    {
        // Assign object permissions
        $new_ops = $rbacreview->getOperationsOfRole(
        $a_role_id,
        ilObject::_lookupType($a_ref_id, true),
        $a_role_parent
        );

        // set new permissions for object
        $this->grantPermission(
        $a_role_id,
        (array) $new_ops,
        $a_ref_id
        );
        return;
    }
    if(!$a_template_id)
    {
        ilLoggerFactory::getLogger('ac')->info('No template id given. Aborting.');
        return;
    }
    // create template permission intersection
    // NOTE(review): the method call these six arguments belong to is missing from
    // this listing (dropped in rendering); by signature it matches
    // copyRolePermissionIntersection(source1, source1_parent, source2, source2_parent, dest_parent, dest_id).
    $a_template_id,
    $a_template_parent,
    $a_role_id,
    $a_role_parent,
    $a_ref_id,
    $a_role_id
    );

    // assign role to folder
    $this->assignRoleToFolder(
    $a_role_id,
    $a_ref_id,
    'n'
    );

    // Assign object permissions (read from the new local template at $a_ref_id)
    $new_ops = $rbacreview->getOperationsOfRole(
    $a_role_id,
    ilObject::_lookupType($a_ref_id, true),
    $a_ref_id
    );

    // revoke existing permissions
    $this->revokePermission($a_ref_id, $a_role_id);

    // set new permissions for object
    $this->grantPermission(
    $a_role_id,
    (array) $new_ops,
    $a_ref_id
    );

    return;
}
1256
/**
 * Re-apply the didactic template actions of a moved object.
 *
 * Every action of the object's didactic template except
 * ilDidacticTemplateLocalRoleAction (local role creation) is applied
 * again to $a_ref_id. Nothing happens when the object has no template.
 *
 * @param int $a_ref_id     ref_id of the moved object
 * @param int $a_old_parent ref_id of the previous parent (not used in the visible code)
 */
protected function applyMovedObjectDidacticTemplates($a_ref_id, $a_old_parent)
{
    include_once './Services/DidacticTemplate/classes/class.ilDidacticTemplateObjSettings.php';
    // NOTE(review): $tpl_id is tested below but never assigned in this listing;
    // the lookup line appears to be missing from the rendering.
    if(!$tpl_id) {
        return;
    }
    include_once './Services/DidacticTemplate/classes/class.ilDidacticTemplateActionFactory.php';
    foreach(ilDidacticTemplateActionFactory::getActionsByTemplateId($tpl_id) as $action) {
        // local roles already exist after a move; only the other actions are re-applied
        if($action instanceof ilDidacticTemplateLocalRoleAction) {
            continue;
        }
        $action->setRefId($a_ref_id);
        $action->apply();
    }
    return;
}
1281
1282
/**
 * Adjust the permissions of an object (and its subtree) after it has been
 * moved to a new parent.
 *
 * The roles in scope at the old and the new parent are compared:
 *  - roles only in the new context are granted on every subtree node;
 *  - roles only in the old context are revoked on every subtree node;
 *  - roles present in both but assigned at a different parent (stopped
 *    inheritance) are revoked and granted again from the new parent.
 * Groups and courses get their permissions via initIntersectionPermissions()
 * with the respective status template; other types get the role's
 * operations as defined at the role's parent. If RBAC logging is active,
 * the before/after state per node is diffed and logged. Finally the
 * object's didactic template actions are re-applied.
 *
 * @param int $a_ref_id     ref_id of the moved object
 * @param int $a_old_parent ref_id of the previous parent
 * @return bool|null true when nothing had to change; no explicit return otherwise
 *
 * Security note: revocation uses revokePermission() with
 * $a_keep_protected = false, i.e. protected roles that leave the scope lose
 * their rbac_pa rows on the subtree as well.
 */
public function adjustMovedObjectPermissions($a_ref_id,$a_old_parent)
{
    global $rbacreview,$tree,$ilLog;

    // roles in scope of the old and the new parent, keyed by role id
    $new_parent = $tree->getParentId($a_ref_id);
    $old_context_roles = $rbacreview->getParentRoleIds($a_old_parent,false);
    $new_context_roles = $rbacreview->getParentRoleIds($new_parent,false);

    $for_addition = $for_deletion = array();
    foreach($new_context_roles as $new_role_id => $new_role)
    {
        if(!isset($old_context_roles[$new_role_id]))
        {
            // role only exists in the new context
            $for_addition[$new_role_id] = $new_role;
        }
        elseif($new_role['parent'] != $old_context_roles[$new_role_id]['parent'])
        {
            // handle stopped inheritance: same role, different defining parent
            $for_deletion[$new_role_id] = $new_role;
            $for_addition[$new_role_id] = $new_role;
        }
    }
    foreach($old_context_roles as $old_role_id => $old_role)
    {
        if(!isset($new_context_roles[$old_role_id]))
        {
            // role no longer in scope
            $for_deletion[$old_role_id] = $old_role;
        }
    }

    if(!count($for_deletion) and !count($for_addition))
    {
        $this->applyMovedObjectDidacticTemplates($a_ref_id, $a_old_parent);
        return true;
    }

    include_once "Services/AccessControl/classes/class.ilRbacLog.php";
    $rbac_log_active = ilRbacLog::isActive();
    if($rbac_log_active)
    {
        $role_ids = array_unique(array_merge(array_keys($for_deletion), array_keys($for_addition)));
    }

    foreach($nodes = $tree->getSubTree($tree->getNodeData($a_ref_id),true) as $node_data)
    {
        $node_id = $node_data['child'];

        if($rbac_log_active)
        {
            $log_old = ilRbacLog::gatherFaPa($node_id, $role_ids);
        }

        // If $node_data['type'] is not set, this means there is a tree entry without
        // object_reference and/or object_data entry
        // Continue in this case
        if(!$node_data['type'])
        {
            $ilLog->write(__METHOD__.': No type give. Choosing next tree entry.');
            continue;
        }

        if(!$node_id)
        {
            $ilLog->write(__METHOD__.': Missing subtree node_id');
            continue;
        }

        // revoke: local role data (rbac_fa, rbac_templates) and rbac_pa rows; protected flag bypassed
        foreach($for_deletion as $role_id => $role_data)
        {
            $this->deleteLocalRole($role_id,$node_id);
            $this->revokePermission($node_id,$role_id,false);
            //var_dump("<pre>",'REVOKE',$role_id,$node_id,$rolf_id,"</pre>");
        }
        foreach($for_addition as $role_id => $role_data)
        {
            switch($node_data['type'])
            {
                case 'grp':
                    include_once './Modules/Group/classes/class.ilObjGroup.php';
                    $tpl_id = ilObjGroup::lookupGroupStatusTemplateId($node_data['obj_id']);
                    // NOTE(review): the method call these arguments belong to is missing from
                    // this listing (dropped in rendering); presumably initIntersectionPermissions().
                    $node_data['child'],
                    $role_id,
                    $role_data['parent'],
                    $tpl_id,
                    ROLE_FOLDER_ID
                    );
                    break;

                case 'crs':
                    include_once './Modules/Course/classes/class.ilObjCourse.php';
                    // NOTE(review): the $tpl_id lookup and the method call are missing from
                    // this listing (lines dropped in rendering).
                    $node_data['child'],
                    $role_id,
                    $role_data['parent'],
                    $tpl_id,
                    ROLE_FOLDER_ID
                    );
                    break;


                default:
                    // other types: grant the operations the role has for this type at the role's parent
                    $this->grantPermission(
                    $role_id,
                    $ops = $rbacreview->getOperationsOfRole($role_id,$node_data['type'],$role_data['parent']),
                    $node_id);
                    break;


            }


            //var_dump("<pre>",'GRANT',$role_id,$ops,$role_id,$node_data['type'],$role_data['parent'],"</pre>");
        }

        if($rbac_log_active)
        {
            $log_new = ilRbacLog::gatherFaPa($node_id, $role_ids);
            $log = ilRbacLog::diffFaPa($log_old, $log_new);
            // NOTE(review): the line that writes $log to the RBAC log is missing from this listing.
        }
    }

    $this->applyMovedObjectDidacticTemplates($a_ref_id,$a_old_parent);

}
1421
1422
/**
 * Stub: reads the roles in scope of $a_source_ref_id and writes them to the
 * log. $target_ref_id and $a_subtree_id are unused and nothing is copied.
 *
 * @param int $a_source_ref_id ref_id whose parent roles are read
 * @param int $target_ref_id   unused
 * @param int $a_subtree_id    unused
 */
public function copyEffectiveRolePermissions($a_source_ref_id, $target_ref_id, $a_subtree_id)
{
    global $rbacreview;

    $roles_in_scope = $rbacreview->getParentRoleIds($a_source_ref_id, FALSE);
    $GLOBALS['ilLog']->write(__METHOD__.': '. print_r($roles_in_scope,TRUE));
}
1439
1440
1441
1442
1443} // END class.ilRbacAdmin
1444?>
assignUserLimited($a_role_id, $a_usr_id, $a_limit, $a_limited_roles=array())
Assign user limited.
deleteLocalRole($a_rol_id, $a_ref_id=0)
Deletes a local role and entries in rbac_fa and rbac_templates @access public.
copyLocalRoles($a_source_id, $a_target_id)
Copy local roles This method creates a copy of all local role.
revokePermissionList($a_ref_ids, $a_rol_id)
Revokes permissions of a LIST of objects of ONE role.
setRolePermission($a_rol_id, $a_type, $a_ops, $a_ref_id)
Inserts template permissions in rbac_templates for an specific object type.
initIntersectionPermissions($a_ref_id, $a_role_id, $a_role_parent, $a_template_id, $a_template_parent)
Init intersection permissions.
copyRoleTemplatePermissions($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected=true)
Copies template permissions of one role to another.
applyMovedObjectDidacticTemplates($a_ref_id, $a_old_parent)
Apply didactic templates after object movement.
copyRolePermissionUnion( $a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_id, $a_dest_parent)
@global <type> $ilDB
deassignUser($a_rol_id, $a_usr_id)
Deassigns a user from a role.
copyEffectiveRolePermissions($a_source_ref_id, $target_ref_id, $a_subtree_id)
Copies all permission from source to target for all roles.
setBlockedStatus($a_role_id, $a_ref_id, $a_blocked_status)
Set blocked status.
revokeSubtreePermissions($a_ref_id, $a_role_id)
Revoke subtree permissions.
copyRolePermissionIntersection($a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_parent, $a_dest_id)
Copies the intersection of the template permissions of two roles to a third role.
assignOperationToObject($a_type_id, $a_ops_id)
Assign an existing operation to an object Update of rbac_ta.
deleteTemplate($a_obj_id)
Deletes a template from role folder and deletes all entries in rbac_templates, rbac_fa @access public...
grantPermission($a_rol_id, $a_ops, $a_ref_id)
Grants a permission to an object and a specific role.
deleteRolePermission($a_rol_id, $a_ref_id, $a_type=false)
Deletes all entries of a template.
addDesktopItem($a_rol_id, $a_usr_id)
Add desktop item.
copyRolePermissionSubtract($a_source_id, $a_source_parent, $a_dest_id, $a_dest_parent)
Subtract role permissions.
const MOVE_OBJECT
static diffFaPa(array $a_old, array $a_new)
static add($a_action, $a_ref_id, array $a_diff, $a_source_ref_id=false)
static gatherFaPa($a_ref_id, array $a_role_ids, $a_add_action=false)
static isActive()
$GLOBALS['loaded']
Global hash that tracks already loaded includes.
Interface ilDBInterface.
$ret
Definition: parser.php:6
global $lng
Definition: privfeed.php:17
global $ilErr
Definition: raiseError.php:16
$ref_id
Definition: sahs_server.php:39
global $ilDB
$a_type
Definition: workflow.php:93