ILIAS  release_5-2 Revision v5.2.25-18-g3f80b828510
ilRbacAdmin Class Reference

Class ilRbacAdmin: core functions for role-based access control.


Public Member Functions

 __construct ()
 Constructor.

 setBlockedStatus ($a_role_id, $a_ref_id, $a_blocked_status)
 Set blocked status.

 removeUser ($a_usr_id)
 Deletes a user from rbac_ua; all user <-> role relations are deleted.

 deleteRole ($a_rol_id, $a_ref_id)
 Deletes a role and deletes entries in object_data, rbac_pa, rbac_templates, rbac_ua, rbac_fa.

 deleteTemplate ($a_obj_id)
 Deletes a template from role folder and deletes all entries in rbac_templates, rbac_fa.

 deleteLocalRole ($a_rol_id, $a_ref_id=0)
 Deletes a local role and entries in rbac_fa and rbac_templates.

 assignUserLimited ($a_role_id, $a_usr_id, $a_limit, $a_limited_roles=array())
 Assign user limited.

 assignUser ($a_rol_id, $a_usr_id)
 Assigns a user to a role.

 deassignUser ($a_rol_id, $a_usr_id)
 Deassigns a user from a role.

 grantPermission ($a_rol_id, $a_ops, $a_ref_id)
 Grants a permission to an object and a specific role.

 revokePermission ($a_ref_id, $a_rol_id=0, $a_keep_protected=true)
 Revokes permissions of an object of one role.

 revokeSubtreePermissions ($a_ref_id, $a_role_id)
 Revoke subtree permissions.

 deleteSubtreeTemplates ($a_ref_id, $a_rol_id)
 Delete all template permissions of subtree nodes.

 revokePermissionList ($a_ref_ids, $a_rol_id)
 Revokes permissions of a LIST of objects of ONE role.

 copyRolePermissions ($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected=true)
 Copies template permissions and permission of one role to another.

 copyRoleTemplatePermissions ($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected=true)
 Copies template permissions of one role to another.

 copyRolePermissionIntersection ($a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_parent, $a_dest_id)
 Copies the intersection of the template permissions of two roles to a third role.

 copyRolePermissionUnion ( $a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_id, $a_dest_parent)
 @global <type> $ilDB

 copyRolePermissionSubtract ($a_source_id, $a_source_parent, $a_dest_id, $a_dest_parent)
 Subtract role permissions.

 deleteRolePermission ($a_rol_id, $a_ref_id, $a_type=false)
 Deletes all entries of a template.

 setRolePermission ($a_rol_id, $a_type, $a_ops, $a_ref_id)
 Inserts template permissions in rbac_templates for a specific object type.

 assignRoleToFolder ($a_rol_id, $a_parent, $a_assign="y")
 Assigns a role to a role folder. A role folder is an object to store roles.

 assignOperationToObject ($a_type_id, $a_ops_id)
 Assign an existing operation to an object. Update of rbac_ta.

 deassignOperationFromObject ($a_type_id, $a_ops_id)
 Deassign an existing operation from an object. Update of rbac_ta.

 setProtected ($a_ref_id, $a_role_id, $a_value)
 Set protected.

 copyLocalRoles ($a_source_id, $a_target_id)
 Copy local roles. This method creates a copy of all local roles.

 initIntersectionPermissions ($a_ref_id, $a_role_id, $a_role_parent, $a_template_id, $a_template_parent)
 Init intersection permissions.

 adjustMovedObjectPermissions ($a_ref_id, $a_old_parent)
 Adjust permissions of moved objects.

 copyEffectiveRolePermissions ($a_source_ref_id, $target_ref_id, $a_subtree_id)
 Copies all permission from source to target for all roles.


Protected Member Functions

 addDesktopItem ($a_rol_id, $a_usr_id)
 Add desktop item.

 applyMovedObjectDidacticTemplates ($a_ref_id, $a_old_parent)
 Apply didactic templates after object movement.
 

Detailed Description

Class ilRbacAdmin: core functions for role-based access control.

Creation and maintenance of relations. The main relations of RBAC are the user <-> role (UR) assignment relation and the permission <-> role (PR) assignment relation. This class contains methods to create and delete instances of the UR relation, e.g. assignUser() and deassignUser(). The required methods for the PR relation are grantPermission() and revokePermission().

Author
Stefan Meyer meyer@leifos.com
Version
$Id$

Definition at line 18 of file class.ilRbacAdmin.php.

Constructor & Destructor Documentation

◆ __construct()

ilRbacAdmin::__construct ( )

Constructor.

Definition at line 24 of file class.ilRbacAdmin.php.

25 {
26 global $ilDB,$ilErr,$ilias;
27
28 // set db & error handler
29 (isset($ilDB)) ? $this->ilDB =& $ilDB : $this->ilDB =& $ilias->db;
30
31 if (!isset($ilErr))
32 {
33 $ilErr = new ilErrorHandling();
34 $ilErr->setErrorHandling(PEAR_ERROR_CALLBACK,array($ilErr,'errorHandler'));
35 }
36 else
37 {
38 $this->ilErr =& $ilErr;
39 }
40 }

References $ilDB, $ilErr, and PEAR_ERROR_CALLBACK.

Member Function Documentation

◆ addDesktopItem()

ilRbacAdmin::addDesktopItem (   $a_rol_id,
  $a_usr_id 
)
protected

Add desktop item.

Parameters
type $a_rol_id
type $a_usr_id

Definition at line 252 of file class.ilRbacAdmin.php.

253 {
254 include_once 'Services/AccessControl/classes/class.ilRoleDesktopItem.php';
255 $role_desk_item_obj = new ilRoleDesktopItem($a_rol_id);
256 foreach($role_desk_item_obj->getAll() as $item_data)
257 {
258 include_once './Services/User/classes/class.ilObjUser.php';
259 ilObjUser::_addDesktopItem($a_usr_id, $item_data['item_id'], $item_data['item_type']);
260 }
261 }

References ilObjUser\_addDesktopItem().

Referenced by assignUser(), and assignUserLimited().


◆ adjustMovedObjectPermissions()

ilRbacAdmin::adjustMovedObjectPermissions (   $a_ref_id,
  $a_old_parent 
)

Adjust permissions of moved objects.

  • Delete permissions of parent roles that do not exist in new context
  • Delete role templates of parent roles that do not exist in new context
  • Add permissions for parent roles that did not exist in old context

@access public

Parameters
int ref_id of moved object
int ref_id of old parent

Definition at line 1294 of file class.ilRbacAdmin.php.

1295 {
1296 global $rbacreview,$tree,$ilLog;
1297
1298 $new_parent = $tree->getParentId($a_ref_id);
1299 $old_context_roles = $rbacreview->getParentRoleIds($a_old_parent,false);
1300 $new_context_roles = $rbacreview->getParentRoleIds($new_parent,false);
1301
1302 $for_addition = $for_deletion = array();
1303 foreach($new_context_roles as $new_role_id => $new_role)
1304 {
1305 if(!isset($old_context_roles[$new_role_id]))
1306 {
1307 $for_addition[$new_role_id] = $new_role;
1308 }
1309 elseif($new_role['parent'] != $old_context_roles[$new_role_id]['parent'])
1310 {
1311 // handle stopped inheritance
1312 $for_deletion[$new_role_id] = $new_role;
1313 $for_addition[$new_role_id] = $new_role;
1314 }
1315 }
1316 foreach($old_context_roles as $old_role_id => $old_role)
1317 {
1318 if(!isset($new_context_roles[$old_role_id]))
1319 {
1320 $for_deletion[$old_role_id] = $old_role;
1321 }
1322 }
1323
1324 if(!count($for_deletion) and !count($for_addition))
1325 {
1326 $this->applyMovedObjectDidacticTemplates($a_ref_id, $a_old_parent);
1327 return true;
1328 }
1329
1330 include_once "Services/AccessControl/classes/class.ilRbacLog.php";
1331 $rbac_log_active = ilRbacLog::isActive();
1332 if($rbac_log_active)
1333 {
1334 $role_ids = array_unique(array_merge(array_keys($for_deletion), array_keys($for_addition)));
1335 }
1336
1337 foreach($nodes = $tree->getSubTree($tree->getNodeData($a_ref_id),true) as $node_data)
1338 {
1339 $node_id = $node_data['child'];
1340
1341 if($rbac_log_active)
1342 {
1343 $log_old = ilRbacLog::gatherFaPa($node_id, $role_ids);
1344 }
1345
1346 // If $node_data['type'] is not set, this means there is a tree entry without
1347 // object_reference and/or object_data entry
1348 // Continue in this case
1349 if(!$node_data['type'])
1350 {
1351 $ilLog->write(__METHOD__.': No type give. Choosing next tree entry.');
1352 continue;
1353 }
1354
1355 if(!$node_id)
1356 {
1357 $ilLog->write(__METHOD__.': Missing subtree node_id');
1358 continue;
1359 }
1360
1361 foreach($for_deletion as $role_id => $role_data)
1362 {
1363 $this->deleteLocalRole($role_id,$node_id);
1364 $this->revokePermission($node_id,$role_id,false);
1365//var_dump("<pre>",'REVOKE',$role_id,$node_id,$rolf_id,"</pre>");
1366 }
1367 foreach($for_addition as $role_id => $role_data)
1368 {
1369 switch($node_data['type'])
1370 {
1371 case 'grp':
1372 include_once './Modules/Group/classes/class.ilObjGroup.php';
1373 $tpl_id = ilObjGroup::lookupGroupStatusTemplateId($node_data['obj_id']);
1375 $node_data['child'],
1376 $role_id,
1377 $role_data['parent'],
1378 $tpl_id,
1379 ROLE_FOLDER_ID
1380 );
1381 break;
1382
1383 case 'crs':
1384 include_once './Modules/Course/classes/class.ilObjCourse.php';
1387 $node_data['child'],
1388 $role_id,
1389 $role_data['parent'],
1390 $tpl_id,
1391 ROLE_FOLDER_ID
1392 );
1393 break;
1394
1395
1396 default:
1397 $this->grantPermission(
1398 $role_id,
1399 $ops = $rbacreview->getOperationsOfRole($role_id,$node_data['type'],$role_data['parent']),
1400 $node_id);
1401 break;
1402
1403
1404 }
1405
1406
1407//var_dump("<pre>",'GRANT',$role_id,$ops,$role_id,$node_data['type'],$role_data['parent'],"</pre>");
1408 }
1409
1410 if($rbac_log_active)
1411 {
1412 $log_new = ilRbacLog::gatherFaPa($node_id, $role_ids);
1413 $log = ilRbacLog::diffFaPa($log_old, $log_new);
1415 }
1416 }
1417
1418 $this->applyMovedObjectDidacticTemplates($a_ref_id,$a_old_parent);
1419
1420 }

References $ilLog, $log, ilRbacLog\add(), applyMovedObjectDidacticTemplates(), deleteLocalRole(), ilRbacLog\diffFaPa(), ilRbacLog\gatherFaPa(), grantPermission(), initIntersectionPermissions(), ilRbacLog\isActive(), ilObjCourse\lookupCourseNonMemberTemplatesId(), ilObjGroup\lookupGroupStatusTemplateId(), ilRbacLog\MOVE_OBJECT, and revokePermission().


◆ applyMovedObjectDidacticTemplates()

ilRbacAdmin::applyMovedObjectDidacticTemplates (   $a_ref_id,
  $a_old_parent 
)
protected

Apply didactic templates after object movement.

Parameters
int $a_ref_id
int $a_old_parent
Deprecated:
Since version 5.1.0; will be removed with 5.4 and implemented using an event handler.

Definition at line 1264 of file class.ilRbacAdmin.php.

1265 {
1266 include_once './Services/DidacticTemplate/classes/class.ilDidacticTemplateObjSettings.php';
1268 if(!$tpl_id) {
1269 return;
1270 }
1271 include_once './Services/DidacticTemplate/classes/class.ilDidacticTemplateActionFactory.php';
1272 foreach(ilDidacticTemplateActionFactory::getActionsByTemplateId($tpl_id) as $action) {
1273 if($action instanceof ilDidacticTemplateLocalRoleAction) {
1274 continue;
1275 }
1276 $action->setRefId($a_ref_id);
1277 $action->apply();
1278 }
1279 return;
1280 }

References ilDidacticTemplateActionFactory\getActionsByTemplateId(), and ilDidacticTemplateObjSettings\lookupTemplateId().

Referenced by adjustMovedObjectPermissions().


◆ assignOperationToObject()

ilRbacAdmin::assignOperationToObject (   $a_type_id,
  $a_ops_id 
)

Assign an existing operation to an object. Update of rbac_ta.

@access public

Parameters
integer object type
integer operation_id
Returns
boolean

Definition at line 1068 of file class.ilRbacAdmin.php.

1069 {
1070 global $ilDB;
1071
1072 if (!isset($a_type_id) or !isset($a_ops_id))
1073 {
1074 $message = get_class($this)."::assignOperationToObject(): Missing parameter!".
1075 "type_id: ".$a_type_id.
1076 "ops_id: ".$a_ops_id;
1077 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
1078 }
1079
1080 $query = "INSERT INTO rbac_ta (typ_id, ops_id) ".
1081 "VALUES(".$ilDB->quote($a_type_id,'integer').",".$ilDB->quote($a_ops_id,'integer').")";
1082 $res = $ilDB->manipulate($query);
1083 return true;
1084 }

References $ilDB, $query, and $res.

◆ assignRoleToFolder()

ilRbacAdmin::assignRoleToFolder (   $a_rol_id,
  $a_parent,
  $a_assign = "y" 
)

Assigns a role to a role folder. A role folder is an object to store roles.

Every role is assigned to at least one role folder. If the inheritance of a role is stopped, a new role template will be created, and the role is assigned to at least two role folders. All roles with stopped inheritance need the flag '$a_assign = false'.

@access public

Parameters
integer object id of role
integer ref_id of role folder
string assignable ('y','n'); default: 'y'
Returns
boolean

Definition at line 1013 of file class.ilRbacAdmin.php.

1014 {
1015 global $ilDB,$rbacreview;
1016
1017 if (!isset($a_rol_id) or !isset($a_parent))
1018 {
1019 $message = get_class($this)."::assignRoleToFolder(): Missing Parameter!".
1020 " role_id: ".$a_rol_id.
1021 " parent_id: ".$a_parent.
1022 " assign: ".$a_assign;
1023 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
1024 }
1025
1026 // exclude system role from rbac
1027 if ($a_rol_id == SYSTEM_ROLE_ID)
1028 {
1029 return true;
1030 }
1031
1032 // if a wrong value is passed, always set assign to "n"
1033 if ($a_assign != "y")
1034 {
1035 $a_assign = "n";
1036 }
1037
1038 // check if already assigned
1039 $query = 'SELECT rol_id FROM rbac_fa '.
1040 'WHERE rol_id = '.$ilDB->quote($a_rol_id,'integer'). ' '.
1041 'AND parent = '. $ilDB->quote($a_parent,'integer');
1042 $res = $ilDB->query($query);
1043 if($res->numRows())
1044 {
1045 ilLoggerFactory::getLogger('ac')->info('Role already assigned to object');
1046 return false;
1047 }
1048
1049 $query = sprintf('INSERT INTO rbac_fa (rol_id, parent, assign, protected) '.
1050 'VALUES (%s,%s,%s,%s)',
1051 $ilDB->quote($a_rol_id,'integer'),
1052 $ilDB->quote($a_parent,'integer'),
1053 $ilDB->quote($a_assign,'text'),
1054 $ilDB->quote('n','text'));
1055 $res = $ilDB->manipulate($query);
1056
1057 return true;
1058 }

References $ilDB, $query, $res, ilLoggerFactory\getLogger(), and sprintf.

Referenced by copyLocalRoles(), and initIntersectionPermissions().


◆ assignUser()

ilRbacAdmin::assignUser (   $a_rol_id,
  $a_usr_id 
)

Assigns a user to a role.

Update of table rbac_ua. TODO: remove deprecated 3rd parameter sometime.

@access public

Parameters
integer object_id of role
integer object_id of user
boolean true means default role (optional)
Returns
boolean

Definition at line 273 of file class.ilRbacAdmin.php.

274 {
275 global $ilDB,$rbacreview;
276
277 if (!isset($a_rol_id) or !isset($a_usr_id))
278 {
279 $message = get_class($this)."::assignUser(): Missing parameter! role_id: ".$a_rol_id." usr_id: ".$a_usr_id;
280 #$this->ilErr->raiseError($message,$this->ilErr->WARNING);
281 }
282
283 // check if already assigned user id and role_id
284 $alreadyAssigned = $rbacreview->isAssigned($a_usr_id,$a_rol_id);
285
286 // enhanced: only if we haven't had this role for this user
287 if (!$alreadyAssigned)
288 {
289 $query = "INSERT INTO rbac_ua (usr_id, rol_id) ".
290 "VALUES (".$ilDB->quote($a_usr_id,'integer').",".$ilDB->quote($a_rol_id,'integer').")";
291 $res = $ilDB->manipulate($query);
292
293 $this->addDesktopItem($a_rol_id, $a_usr_id);
294
295 $rbacreview->setAssignedCacheEntry($a_rol_id,$a_usr_id,true);
296 }
297
298 include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
300 $mapping->assign($a_rol_id,$a_usr_id);
301
302
303 $ref_id = $GLOBALS['rbacreview']->getObjectReferenceOfRole($a_rol_id);
305 $type = ilObject::_lookupType($obj_id);
306
307 if(!$alreadyAssigned)
308 {
309 ilLoggerFactory::getInstance()->getLogger('ac')->debug('Raise event assign user');
310 $GLOBALS['ilAppEventHandler']->raise(
311 'Services/AccessControl',
312 'assignUser',
313 array(
314 'obj_id' => $obj_id,
315 'usr_id' => $a_usr_id,
316 'role_id' => $a_rol_id,
317 'type' => $type
318 )
319 );
320 }
321 return TRUE;
322 }

References $GLOBALS, $ilDB, $query, $ref_id, $res, ilLDAPRoleGroupMapping\_getInstance(), ilObject\_lookupObjId(), ilObject\_lookupType(), addDesktopItem(), and ilLoggerFactory\getInstance().


◆ assignUserLimited()

ilRbacAdmin::assignUserLimited (   $a_role_id,
  $a_usr_id,
  $a_limit,
  $a_limited_roles = array() 
)

Assign user limited.

Parameters
type $a_role_id
type $a_usr_id
type $a_limit

Definition at line 202 of file class.ilRbacAdmin.php.

203 {
204 global $ilDB;
205
206 $ilAtomQuery = $ilDB->buildAtomQuery();
207 $ilAtomQuery->addTableLock('rbac_ua');
208
209 $ilAtomQuery->addQueryCallable(
210 function(ilDBInterface $ilDB) use(&$ret, $a_role_id, $a_usr_id,$a_limit, $a_limited_roles)
211 {
212 $ret = true;
213 $limit_query = 'SELECT COUNT(*) num FROM rbac_ua '.
214 'WHERE '.$ilDB->in('rol_id',(array) $a_limited_roles,FALSE,'integer');
215 $res = $ilDB->query($limit_query);
217 if($row->num >= $a_limit)
218 {
219 $ret = false;
220 return;
221 }
222
223 $query = "INSERT INTO rbac_ua (usr_id, rol_id) ".
224 "VALUES (".
225 $ilDB->quote($a_usr_id,'integer').",".$ilDB->quote($a_role_id,'integer').
226 ")";
227 $res = $ilDB->manipulate($query);
228 });
229
230 $ilAtomQuery->run();
231
232 if(!$ret)
233 {
234 return false;
235 }
236
237 $GLOBALS['rbacreview']->setAssignedCacheEntry($a_role_id,$a_usr_id,TRUE);
238
239 $this->addDesktopItem($a_role_id,$a_usr_id);
240
241 include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
243 $mapping->assign($a_role_id,$a_usr_id);
244 return TRUE;
245 }

References $GLOBALS, $ilDB, $query, $res, $ret, $row, ilLDAPRoleGroupMapping\_getInstance(), addDesktopItem(), and ilDBConstants\FETCHMODE_OBJECT.
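
The listing above counts the existing rows for the limited roles and inserts the new assignment inside one locked unit of work, so two concurrent requests cannot both pass the limit check. The following is an added example, not ILIAS code: it reproduces that pattern with PDO and an in-memory SQLite database (assumes the pdo_sqlite extension), using BEGIN IMMEDIATE in place of the table lock on rbac_ua. The function name assignUserLimitedDemo and the sample ids are made up for the illustration.

```php
<?php
declare(strict_types=1);

/**
 * Added example: capped role assignment in the style of assignUserLimited().
 * PDO + SQLite stand in for ilDB; BEGIN IMMEDIATE stands in for the
 * table lock that the atom query takes on rbac_ua.
 */
function assignUserLimitedDemo(PDO $db, int $roleId, int $userId, int $limit, array $limitedRoles): bool
{
    // Take the write lock BEFORE counting, so no other writer can insert
    // between the COUNT(*) and the INSERT (check-then-act race).
    $db->exec('BEGIN IMMEDIATE');
    try {
        $count = 0;
        // Assumption of this example: an empty role list counts as zero rows.
        if ($limitedRoles !== []) {
            $marks = implode(',', array_fill(0, count($limitedRoles), '?'));
            $stmt = $db->prepare("SELECT COUNT(*) FROM rbac_ua WHERE rol_id IN ($marks)");
            $stmt->execute(array_map('intval', array_values($limitedRoles)));
            $count = (int) $stmt->fetchColumn();
        }

        // The cap is shared by all listed roles, as in the listing above.
        if ($count >= $limit) {
            $db->exec('ROLLBACK');
            return false;
        }

        $ins = $db->prepare('INSERT INTO rbac_ua (usr_id, rol_id) VALUES (?, ?)');
        $ins->execute([$userId, $roleId]);
        $db->exec('COMMIT');
        return true;
    } catch (Throwable $e) {
        $db->exec('ROLLBACK');
        throw $e;
    }
}

/** Runs three assignments against a cap of two and returns the outcomes. */
function runLimitedAssignmentDemo(): array
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE rbac_ua (usr_id INTEGER NOT NULL, rol_id INTEGER NOT NULL)');

    // Constructed sample data: roles 10 and 11 share a cap of two assignments.
    $limitedRoles = [10, 11];
    $results = [];
    foreach ([[10, 1], [11, 2], [10, 3]] as [$role, $user]) {
        $results["user $user -> role $role"] =
            assignUserLimitedDemo($db, $role, $user, 2, $limitedRoles);
    }
    return $results;
}

foreach (runLimitedAssignmentDemo() as $label => $assigned) {
    echo $label, ': ', $assigned ? 'assigned' : 'rejected (limit reached)', PHP_EOL;
}
```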


◆ copyEffectiveRolePermissions()

ilRbacAdmin::copyEffectiveRolePermissions (   $a_source_ref_id,
  $target_ref_id,
  $a_subtree_id 
)

Copies all permission from source to target for all roles.

Parameters
type $a_source_ref_id
type $target_ref_id
type $a_subtree_id

Definition at line 1429 of file class.ilRbacAdmin.php.

1430 {
1431 global $rbacreview;
1432
1433 $parent_roles = $rbacreview->getParentRoleIds($a_source_ref_id, FALSE);
1434 $GLOBALS['ilLog']->write(__METHOD__.': '. print_r($parent_roles,TRUE));
1435
1436
1437
1438 }

References $GLOBALS.

◆ copyLocalRoles()

ilRbacAdmin::copyLocalRoles (   $a_source_id,
  $a_target_id 
)

Copy local roles. This method creates a copy of all local roles.

Note: auto-generated roles are excluded.

@access public

Parameters
int source id of object (not role folder)
int target id of object

Definition at line 1145 of file class.ilRbacAdmin.php.

1146 {
1147 global $rbacreview,$ilLog,$ilObjDataCache;
1148
1149 $real_local = array();
1150 foreach($rbacreview->getRolesOfRoleFolder($a_source_id,false) as $role_data)
1151 {
1152 $title = $ilObjDataCache->lookupTitle($role_data);
1153 if(substr($title,0,3) == 'il_')
1154 {
1155 continue;
1156 }
1157 $real_local[] = $role_data;
1158 }
1159 if(!count($real_local))
1160 {
1161 return true;
1162 }
1163 // Create role folder
1164 foreach($real_local as $role)
1165 {
1166 include_once ("./Services/AccessControl/classes/class.ilObjRole.php");
1167 $orig = new ilObjRole($role);
1168 $orig->read();
1169
1170 $ilLog->write(__METHOD__.': Start copying of role '.$orig->getTitle());
1171 $roleObj = new ilObjRole();
1172 $roleObj->setTitle($orig->getTitle());
1173 $roleObj->setDescription($orig->getDescription());
1174 $roleObj->setImportId($orig->getImportId());
1175 $roleObj->create();
1176
1177 $this->assignRoleToFolder($roleObj->getId(),$a_target_id,"y");
1178 $this->copyRolePermissions($role,$a_source_id,$a_target_id,$roleObj->getId(),true);
1179 $ilLog->write(__METHOD__.': Added new local role, id '.$roleObj->getId());
1180 }
1181
1182 }

References $ilLog, $orig, $title, assignRoleToFolder(), and copyRolePermissions().


◆ copyRolePermissionIntersection()

ilRbacAdmin::copyRolePermissionIntersection (   $a_source1_id,
  $a_source1_parent,
  $a_source2_id,
  $a_source2_parent,
  $a_dest_parent,
  $a_dest_id 
)

Copies the intersection of the template permissions of two roles to a third role.

@access public

Parameters
integer $a_source1_id role_id source
integer $a_source1_parent parent_id source
integer $a_source2_id role_id source
integer $a_source2_parent parent_id source
integer $a_dest_id role_id destination
integer $a_dest_parent parent_id destination
Returns
boolean

Definition at line 728 of file class.ilRbacAdmin.php.

729 {
730 global $rbacreview,$ilDB;
731
732 if (!isset($a_source1_id) or !isset($a_source1_parent)
733 or !isset($a_source2_id) or !isset($a_source2_parent)
734 or !isset($a_dest_id) or !isset($a_dest_parent))
735 {
736 $message = get_class($this)."::copyRolePermissionIntersection(): Missing parameter! source1_id: ".$a_source1_id.
737 " source1_parent: ".$a_source1_parent.
738 " source2_id: ".$a_source2_id.
739 " source2_parent: ".$a_source2_parent.
740 " dest_id: ".$a_dest_id.
741 " dest_parent_id: ".$a_dest_parent;
742 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
743 }
744
745 // exclude system role from rbac
746 if ($a_dest_id == SYSTEM_ROLE_ID)
747 {
748 ilLoggerFactory::getLogger('ac')->debug('Ignoring system role.');
749 return true;
750 }
751
752 if ($rbacreview->isProtected($a_source2_parent,$a_source2_id))
753 {
754 $GLOBALS['ilLog']->write(__METHOD__.': Role is protected');
755 return true;
756 }
757
758 $query = "SELECT s1.type, s1.ops_id ".
759 "FROM rbac_templates s1, rbac_templates s2 ".
760 "WHERE s1.rol_id = ".$ilDB->quote($a_source1_id,'integer')." ".
761 "AND s1.parent = ".$ilDB->quote($a_source1_parent,'integer')." ".
762 "AND s2.rol_id = ".$ilDB->quote($a_source2_id,'integer')." ".
763 "AND s2.parent = ".$ilDB->quote($a_source2_parent,'integer')." ".
764 "AND s1.type = s2.type ".
765 "AND s1.ops_id = s2.ops_id";
766
768
769 $res = $ilDB->query($query);
770 $operations = array();
771 $rowNum = 0;
772 while($row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT))
773 {
774 $operations[$rowNum]['type'] = $row->type;
775 $operations[$rowNum]['ops_id'] = $row->ops_id;
776
777 $rowNum++;
778 }
779
780 // Delete template permissions of target
781 $query = 'DELETE FROM rbac_templates WHERE rol_id = '.$ilDB->quote($a_dest_id,'integer').' '.
782 'AND parent = '.$ilDB->quote($a_dest_parent,'integer');
783 $res = $ilDB->manipulate($query);
784
785 $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
786 'VALUES (?,?,?,?)';
787 $sta = $ilDB->prepareManip($query,array('integer','text','integer','integer'));
788 foreach($operations as $key => $set)
789 {
790 $ilDB->execute($sta,array(
791 $a_dest_id,
792 $set['type'],
793 $set['ops_id'],
794 $a_dest_parent));
795 }
796 return true;
797 }

References $GLOBALS, $ilDB, $query, $res, $row, ilDBConstants\FETCHMODE_OBJECT, and ilLoggerFactory\getLogger().

Referenced by initIntersectionPermissions().


◆ copyRolePermissions()

ilRbacAdmin::copyRolePermissions (   $a_source_id,
  $a_source_parent,
  $a_dest_parent,
  $a_dest_id,
  $a_consider_protected = true 
)

Copies template permissions and permission of one role to another.

@access public

Parameters
integer $a_source_id role_id source
integer $a_source_parent parent_id source
integer $a_dest_parent parent_id destination
integer $a_dest_id role_id destination
Returns
boolean

Definition at line 631 of file class.ilRbacAdmin.php.

632 {
633 global $tree,$rbacreview;
634
635 // Copy template permissions
636 $this->copyRoleTemplatePermissions($a_source_id,$a_source_parent,$a_dest_parent,$a_dest_id,$a_consider_protected);
637
638 $ops = $rbacreview->getRoleOperationsOnObject($a_source_id,$a_source_parent);
639
640 $this->revokePermission($a_dest_parent,$a_dest_id);
641 $this->grantPermission($a_dest_id,$ops,$a_dest_parent);
642 return true;
643 }

References copyRoleTemplatePermissions(), grantPermission(), and revokePermission().

Referenced by copyLocalRoles().


◆ copyRolePermissionSubtract()

ilRbacAdmin::copyRolePermissionSubtract (   $a_source_id,
  $a_source_parent,
  $a_dest_id,
  $a_dest_parent 
)

Subtract role permissions.

Parameters
type $a_source_id
type $a_source_parent
type $a_dest_id
type $a_dest_parent

Definition at line 875 of file class.ilRbacAdmin.php.

876 {
877 global $rbacreview, $ilDB;
878
879 $s1_ops = $rbacreview->getAllOperationsOfRole($a_source_id,$a_source_parent);
880 $d_ops = $rbacreview->getAllOperationsOfRole($a_dest_id,$a_dest_parent);
881
882 foreach($s1_ops as $type => $ops)
883 {
884 foreach($ops as $op)
885 {
886 if(isset($d_ops[$type]) and in_array($op, $d_ops[$type]))
887 {
888 $query = 'DELETE FROM rbac_templates '.
889 'WHERE rol_id = '.$ilDB->quote($a_dest_id,'integer').' '.
890 'AND type = '.$ilDB->quote($type,'text').' '.
891 'AND ops_id = '.$ilDB->quote($op,'integer').' '.
892 'AND parent = '.$ilDB->quote($a_dest_parent,'integer');
893 $ilDB->manipulate($query);
894 }
895 }
896 }
897 return true;
898 }

References $ilDB, and $query.

◆ copyRolePermissionUnion()

ilRbacAdmin::copyRolePermissionUnion (   $a_source1_id,
  $a_source1_parent,
  $a_source2_id,
  $a_source2_parent,
  $a_dest_id,
  $a_dest_parent 
)

@global <type> $ilDB

Parameters
<type> $a_source1_id
<type> $a_source1_parent
<type> $a_source2_id
<type> $a_source2_parent
<type> $a_dest_id
<type> $a_dest_parent
Returns
<type>

Definition at line 810 of file class.ilRbacAdmin.php.

817 {
818 global $ilDB, $rbacreview;
819
820
821 $s1_ops = $rbacreview->getAllOperationsOfRole($a_source1_id,$a_source1_parent);
822 $s2_ops = $rbacreview->getAlloperationsOfRole($a_source2_id,$a_source2_parent);
823
824 $this->deleteRolePermission($a_dest_id, $a_dest_parent);
825
826 $GLOBALS['ilLog']->write(__METHOD__.': '.print_r($s1_ops,TRUE));
827 $GLOBALS['ilLog']->write(__METHOD__.': '.print_r($s2_ops,TRUE));
828
829 foreach($s1_ops as $type => $ops)
830 {
831 foreach($ops as $op)
832 {
833 // insert all permission of source 1
834 // #15469
835 $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
836 'VALUES( '.
837 $ilDB->quote($a_dest_id,'integer').', '.
838 $ilDB->quote($type,'text').', '.
839 $ilDB->quote($op,'integer').', '.
840 $ilDB->quote($a_dest_parent,'integer').' '.
841 ')';
842 $ilDB->manipulate($query);
843 }
844 }
845
846 // and the other direction...
847 foreach($s2_ops as $type => $ops)
848 {
849 foreach($ops as $op)
850 {
851 if(!isset($s1_ops[$type]) or !in_array($op, $s1_ops[$type]))
852 {
853 $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
854 'VALUES( '.
855 $ilDB->quote($a_dest_id,'integer').', '.
856 $ilDB->quote($type,'text').', '.
857 $ilDB->quote($op,'integer').', '.
858 $ilDB->quote($a_dest_parent,'integer').' '.
859 ')';
860 $ilDB->manipulate($query);
861 }
862 }
863 }
864
865 return true;
866 }

References $GLOBALS, $ilDB, $query, and deleteRolePermission().
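
copyRolePermissionIntersection(), copyRolePermissionSubtract() and copyRolePermissionUnion() above are set operations over (type, ops_id) pairs in rbac_templates. The following is an added example, not ILIAS code: it models the three operations on in-memory maps of object type to operation ids, including the two early returns of the intersection listing (system role as destination, protected second source). All function names, the DEMO_SYSTEM_ROLE_ID value and the operation ids are made up for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not ILIAS code. Placeholder value for this demo only.
const DEMO_SYSTEM_ROLE_ID = 2;

/** Unique, sorted operation ids per type; types without operations are dropped. */
function normaliseOps(array $ops): array
{
    $out = [];
    foreach ($ops as $type => $ids) {
        $ids = array_values(array_unique(array_map('intval', $ids)));
        sort($ids);
        if ($ids !== []) {
            $out[$type] = $ids;
        }
    }
    ksort($out);
    return $out;
}

/** Intersection: only pairs present in BOTH sources (can only narrow). */
function templateIntersection(array $s1, array $s2): array
{
    $out = [];
    foreach ($s1 as $type => $ids) {
        $out[$type] = array_intersect($ids, $s2[$type] ?? []);
    }
    return normaliseOps($out);
}

/** Union: every pair present in EITHER source (can only widen). */
function templateUnion(array $s1, array $s2): array
{
    $out = $s1;
    foreach ($s2 as $type => $ids) {
        $out[$type] = array_merge($out[$type] ?? [], $ids);
    }
    return normaliseOps($out);
}

/** Subtract: the destination loses every pair that the source holds. */
function templateSubtract(array $source, array $dest): array
{
    $out = [];
    foreach ($dest as $type => $ids) {
        $out[$type] = array_diff($ids, $source[$type] ?? []);
    }
    return normaliseOps($out);
}

/**
 * Intersection with the guards of the listing: the destination is left
 * unchanged for the system role and when the second source is protected.
 */
function applyIntersection(array $s1, array $s2, array $dest, int $destRoleId, bool $source2Protected): array
{
    if ($destRoleId === DEMO_SYSTEM_ROLE_ID || $source2Protected) {
        return $dest;
    }
    return templateIntersection($s1, $s2);
}

/** Flatten a type => ops map into (rol_id, type, ops_id, parent) rows. */
function toTemplateRows(int $roleId, int $parent, array $ops): array
{
    $rows = [];
    foreach ($ops as $type => $ids) {
        foreach ($ids as $opsId) {
            $rows[] = ['rol_id' => $roleId, 'type' => $type, 'ops_id' => $opsId, 'parent' => $parent];
        }
    }
    return $rows;
}

// Constructed sample data: a parent role and a narrower template.
$parentRole = ['crs' => [2, 3, 4, 6], 'fold' => [2, 3, 4]];
$template   = ['crs' => [2, 3], 'fold' => [2], 'file' => [2, 3]];
$oldDest    = ['crs' => [2]];

$intersection = applyIntersection($parentRole, $template, $oldDest, 50, false);
echo 'intersection: ', json_encode($intersection), PHP_EOL;
echo 'protected:    ', json_encode(applyIntersection($parentRole, $template, $oldDest, 50, true)), PHP_EOL;
echo 'union:        ', json_encode(templateUnion($parentRole, $template)), PHP_EOL;
echo 'subtract:     ', json_encode(templateSubtract($template, $parentRole)), PHP_EOL;
echo 'rows written: ', count(toTemplateRows(50, 300, $intersection)), PHP_EOL;
```

When reviewing a role change, the union is the operation to look at most closely, because its result holds every operation either source holds; the intersection never grants more than the narrower of its two sources.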


◆ copyRoleTemplatePermissions()

ilRbacAdmin::copyRoleTemplatePermissions (   $a_source_id,
  $a_source_parent,
  $a_dest_parent,
  $a_dest_id,
  $a_consider_protected = true 
)

Copies template permissions of one role to another.

It is also possible to copy template permissions from/to a RoleTemplateObject.

@access public

Parameters
integer $a_source_id role_id source
integer $a_source_parent parent_id source
integer $a_dest_parent parent_id destination
integer $a_dest_id role_id destination
Returns
boolean

Definition at line 655 of file class.ilRbacAdmin.php.

656 {
657 global $rbacreview,$ilDB;
658
659 if (!isset($a_source_id) or !isset($a_source_parent) or !isset($a_dest_id) or !isset($a_dest_parent))
660 {
661 $message = __METHOD__.": Missing parameter! source_id: ".$a_source_id.
662 " source_parent_id: ".$a_source_parent.
663 " dest_id : ".$a_dest_id.
664 " dest_parent_id: ".$a_dest_parent;
665 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
666 }
667
668 // exclude system role from rbac
669 if ($a_dest_id == SYSTEM_ROLE_ID)
670 {
671 return true;
672 }
673
674 // Read operations
675 $query = 'SELECT * FROM rbac_templates '.
676 'WHERE rol_id = '.$ilDB->quote($a_source_id,'integer').' '.
677 'AND parent = '.$ilDB->quote($a_source_parent,'integer');
678 $res = $ilDB->query($query);
679 $operations = array();
680 $rownum = 0;
681 while ($row = $ilDB->fetchObject($res))
682 {
683 $operations[$rownum]['type'] = $row->type;
684 $operations[$rownum]['ops_id'] = $row->ops_id;
685 $rownum++;
686 }
687
688 // Delete target permissions
689 $query = 'DELETE FROM rbac_templates WHERE rol_id = '.$ilDB->quote($a_dest_id,'integer').' '.
690 'AND parent = '.$ilDB->quote($a_dest_parent,'integer');
691 $res = $ilDB->manipulate($query);
692
693 foreach($operations as $row => $op)
694 {
695 $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) '.
696 'VALUES ('.
697 $ilDB->quote($a_dest_id,'integer').",".
698 $ilDB->quote($op['type'],'text').",".
699 $ilDB->quote($op['ops_id'],'integer').",".
700 $ilDB->quote($a_dest_parent,'integer').")";
701 $ilDB->manipulate($query);
702 }
703
704 // copy also protection status if applicable
705 if ($a_consider_protected == true)
706 {
707 if ($rbacreview->isProtected($a_source_parent,$a_source_id))
708 {
709 $this->setProtected($a_dest_parent,$a_dest_id,'y');
710 }
711 }
712
713 return true;
714 }

References $ilDB, $query, $res, $row, and setProtected().

Referenced by copyRolePermissions().


◆ deassignOperationFromObject()

ilRbacAdmin::deassignOperationFromObject (   $a_type_id,
  $a_ops_id 
)

Deassign an existing operation from an object. Update of rbac_ta. @access public

Parameters
integer  object type
integer  operation_id
Returns
boolean

Definition at line 1094 of file class.ilRbacAdmin.php.

1095 {
1096 global $ilDB;
1097
1098 if (!isset($a_type_id) or !isset($a_ops_id))
1099 {
1100 $message = get_class($this)."::deassignOperationFromObject(): Missing parameter!".
1101 " type_id: ".$a_type_id.
1102 " ops_id: ".$a_ops_id;
1103 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
1104 }
1105
1106 $query = "DELETE FROM rbac_ta ".
1107 "WHERE typ_id = ".$ilDB->quote($a_type_id,'integer')." ".
1108 "AND ops_id = ".$ilDB->quote($a_ops_id,'integer');
1109 $res = $ilDB->manipulate($query);
1110
1111 return true;
1112 }

References $ilDB, $query, and $res.

◆ deassignUser()

ilRbacAdmin::deassignUser (   $a_rol_id,
  $a_usr_id 
)

Deassigns a user from a role.

Update of table rbac_ua @access public

Parameters
integer  object id of role
integer  object id of user
Returns
boolean true on success

Definition at line 331 of file class.ilRbacAdmin.php.

332 {
333 global $ilDB, $rbacreview;
334
335 if (!isset($a_rol_id) or !isset($a_usr_id))
336 {
337 $message = get_class($this)."::deassignUser(): Missing parameter! role_id: ".$a_rol_id." usr_id: ".$a_usr_id;
338 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
339 }
340
341 $query = "DELETE FROM rbac_ua ".
342 "WHERE usr_id = ".$ilDB->quote($a_usr_id,'integer')." ".
343 "AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
344 $res = $ilDB->manipulate($query);
345
346 $rbacreview->setAssignedCacheEntry($a_rol_id,$a_usr_id,false);
347
348 include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
349 $mapping = ilLDAPRoleGroupMapping::_getInstance();
350 $mapping->deassign($a_rol_id,$a_usr_id);
351
352 $ref_id = $GLOBALS['rbacreview']->getObjectReferenceOfRole($a_rol_id);
353 $obj_id = ilObject::_lookupObjId($ref_id);
354 $type = ilObject::_lookupType($obj_id);
355
356 ilLoggerFactory::getInstance()->getLogger('ac')->debug('Raise event deassign user');
357 $GLOBALS['ilAppEventHandler']->raise(
358 'Services/AccessControl',
359 'deassignUser',
360 array(
361 'obj_id' => $obj_id,
362 'usr_id' => $a_usr_id,
363 'role_id' => $a_rol_id,
364 'type' => $type
365 )
366 );
367 return TRUE;
368 }

References $GLOBALS, $ilDB, $query, $ref_id, $res, ilLDAPRoleGroupMapping\_getInstance(), ilObject\_lookupObjId(), ilObject\_lookupType(), and ilLoggerFactory\getInstance().


◆ deleteLocalRole()

ilRbacAdmin::deleteLocalRole (   $a_rol_id,
  $a_ref_id = 0 
)

Deletes a local role and entries in rbac_fa and rbac_templates @access public.

Parameters
integer  object_id of role
integer  ref_id of role folder (optional)
Returns
boolean true on success

Definition at line 163 of file class.ilRbacAdmin.php.

164 {
165 global $ilDB;
166
167 if (!isset($a_rol_id))
168 {
169 $message = get_class($this)."::deleteLocalRole(): Missing parameter! role_id: '".$a_rol_id."'";
170 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
171 }
172
173 // exclude system role from rbac
174 if ($a_rol_id == SYSTEM_ROLE_ID)
175 {
176 return true;
177 }
178 $clause = ''; // no parent filter when $a_ref_id is 0; avoids an undefined variable below
179 if ($a_ref_id != 0)
180 {
181 $clause = 'AND parent = '.$ilDB->quote($a_ref_id,'integer').' ';
182 }
183
184 $query = 'DELETE FROM rbac_fa '.
185 'WHERE rol_id = '.$ilDB->quote($a_rol_id,'integer').' '.
186 $clause;
187 $res = $ilDB->manipulate($query);
188
189 $query = 'DELETE FROM rbac_templates '.
190 'WHERE rol_id = '.$ilDB->quote($a_rol_id,'integer').' '.
191 $clause;
192 $res = $ilDB->manipulate($query);
193 return true;
194 }

References $ilDB, $query, and $res.

Referenced by adjustMovedObjectPermissions(), and deleteRole().


◆ deleteRole()

ilRbacAdmin::deleteRole (   $a_rol_id,
  $a_ref_id 
)

Deletes a role and deletes entries in object_data, rbac_pa, rbac_templates, rbac_ua, rbac_fa @access public.

Parameters
integer  obj_id of role (role_id)
integer  ref_id of role folder (ref_id)
Returns
boolean true on success

Definition at line 89 of file class.ilRbacAdmin.php.

90 {
91 global $lng,$ilDB;
92
93 if (!isset($a_rol_id) or !isset($a_ref_id))
94 {
95 $message = get_class($this)."::deleteRole(): Missing parameter! role_id: ".$a_rol_id." ref_id of role folder: ".$a_ref_id;
96 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
97 }
98
99 // exclude system role from rbac
100 if ($a_rol_id == SYSTEM_ROLE_ID)
101 {
102 $this->ilErr->raiseError($lng->txt("msg_sysrole_not_deletable"),$this->ilErr->MESSAGE);
103 }
104
105 include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
106 $mapping = ilLDAPRoleGroupMapping::_getInstance();
107 $mapping->deleteRole($a_rol_id);
108
109
110 // TODO: check assigned users before deletion
111 // This is done in ilObjRole. Should be better moved to this place?
112
113 // delete user assignments
114 $query = "DELETE FROM rbac_ua ".
115 "WHERE rol_id = ".$ilDB->quote($a_rol_id,'integer');
116 $res = $ilDB->manipulate($query);
117
118 // delete permission assignments
119 $query = "DELETE FROM rbac_pa ".
120 "WHERE rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
121 $res = $ilDB->manipulate($query);
122
123 //delete rbac_templates and rbac_fa
124 $this->deleteLocalRole($a_rol_id);
125
126 return true;
127 }

References $ilDB, $lng, $query, $res, ilLDAPRoleGroupMapping\_getInstance(), and deleteLocalRole().


◆ deleteRolePermission()

ilRbacAdmin::deleteRolePermission (   $a_rol_id,
  $a_ref_id,
  $a_type = false 
)

Deletes all entries of a template.

If an object type is given as the third parameter, only the entries for that object type are deleted. Update of table rbac_templates. @access public

Parameters
integer  object id of role
integer  ref_id of role folder
string  object type (optional)
Returns
boolean

Definition at line 911 of file class.ilRbacAdmin.php.

912 {
913 global $ilDB;
914
915 if (!isset($a_rol_id) or !isset($a_ref_id))
916 {
917 $message = get_class($this)."::deleteRolePermission(): Missing parameter! role_id: ".$a_rol_id." ref_id: ".$a_ref_id;
918 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
919 }
920
921 // exclude system role from rbac
922 if ($a_rol_id == SYSTEM_ROLE_ID)
923 {
924 return true;
925 }
926 $and_type = ''; // no type filter when $a_type is false; avoids an undefined variable below
927 if ($a_type !== false)
928 {
929 $and_type = " AND type=".$ilDB->quote($a_type,'text')." ";
930 }
931
932 $query = 'DELETE FROM rbac_templates '.
933 'WHERE rol_id = '.$ilDB->quote($a_rol_id,'integer').' '.
934 'AND parent = '.$ilDB->quote($a_ref_id,'integer').' '.
935 $and_type;
936
937 $res = $ilDB->manipulate($query);
938
939 return true;
940 }

References $a_type, $ilDB, $query, and $res.

Referenced by copyRolePermissionUnion().


◆ deleteSubtreeTemplates()

ilRbacAdmin::deleteSubtreeTemplates (   $a_ref_id,
  $a_rol_id 
)

Delete all template permissions of subtree nodes.

Parameters
object  $a_ref_id
object  $a_rol_id
Returns

Definition at line 563 of file class.ilRbacAdmin.php.

564 {
565 global $ilDB;
566
567 $query = 'DELETE FROM rbac_templates '.
568 'WHERE parent IN ( '.
569 $GLOBALS['tree']->getSubTreeQuery($a_ref_id, array('child')).' ) '.
570 'AND rol_id = '.$ilDB->quote($a_rol_id,'integer');
571
572 $ilDB->manipulate($query);
573
574 $query = 'DELETE FROM rbac_fa '.
575 'WHERE parent IN ( '.
576 $GLOBALS['tree']->getSubTreeQuery($a_ref_id,array('child')).' ) '.
577 'AND rol_id = '.$ilDB->quote($a_rol_id,'integer');
578
579 $ilDB->manipulate($query);
580
581 return true;
582 }

References $GLOBALS, $ilDB, and $query.

◆ deleteTemplate()

ilRbacAdmin::deleteTemplate (   $a_obj_id)

Deletes a template from role folder and deletes all entries in rbac_templates, rbac_fa @access public.

Parameters
integer  object_id of role template
Returns
boolean

Definition at line 135 of file class.ilRbacAdmin.php.

136 {
137 global $ilDB;
138
139 if (!isset($a_obj_id))
140 {
141 $message = get_class($this)."::deleteTemplate(): No obj_id given!";
142 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
143 }
144
145 $query = 'DELETE FROM rbac_templates '.
146 'WHERE rol_id = '.$ilDB->quote($a_obj_id,'integer');
147 $res = $ilDB->manipulate($query);
148
149 $query = 'DELETE FROM rbac_fa '.
150 'WHERE rol_id = '.$ilDB->quote($a_obj_id,'integer');
151 $res = $ilDB->manipulate($query);
152
153 return true;
154 }

References $ilDB, $query, and $res.

◆ grantPermission()

ilRbacAdmin::grantPermission (   $a_rol_id,
  $a_ops,
  $a_ref_id 
)

Grants a permission to an object and a specific role.

Update of table rbac_pa @access public

Parameters
integer  object id of role
array  array of operation ids
integer  reference id of that object which is granted the permissions
Returns
boolean

Definition at line 378 of file class.ilRbacAdmin.php.

379 {
380 global $ilDB;
381
382 if (!isset($a_rol_id) or !isset($a_ops) or !isset($a_ref_id))
383 {
384 $this->ilErr->raiseError(get_class($this)."::grantPermission(): Missing parameter! ".
385 "role_id: ".$a_rol_id." ref_id: ".$a_ref_id." operations: ",$this->ilErr->WARNING);
386 }
387
388 if (!is_array($a_ops))
389 {
390 $this->ilErr->raiseError(get_class($this)."::grantPermission(): Wrong datatype for operations!",
391 $this->ilErr->WARNING);
392 }
393
394 /*
395 if (count($a_ops) == 0)
396 {
397 return false;
398 }
399 */
400 // exclude system role from rbac
401 if ($a_rol_id == SYSTEM_ROLE_ID)
402 {
403 return true;
404 }
405
406 // convert all values to integer
407 foreach ($a_ops as $key => $operation)
408 {
409 $a_ops[$key] = (int) $operation;
410 }
411
412 // Serialize the ops_id array
413 $ops_ids = serialize($a_ops);
414
415 $query = 'DELETE FROM rbac_pa '.
416 'WHERE rol_id = %s '.
417 'AND ref_id = %s';
418 $res = $ilDB->queryF($query,array('integer','integer'),
419 array($a_rol_id,$a_ref_id));
420
421 if(!count($a_ops))
422 {
423 return false;
424 }
425
426 $query = "INSERT INTO rbac_pa (rol_id,ops_id,ref_id) ".
427 "VALUES ".
428 "(".$ilDB->quote($a_rol_id,'integer').",".$ilDB->quote($ops_ids,'text').",".$ilDB->quote($a_ref_id,'integer').")";
429 $res = $ilDB->manipulate($query);
430
431 return true;
432 }

References $ilDB, $query, and $res.

Referenced by adjustMovedObjectPermissions(), copyRolePermissions(), and initIntersectionPermissions().
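
The following is an added example, not ILIAS code. grantPermission() above stores the operation ids for one (rol_id, ref_id) pair as a single PHP-serialized array in rbac_pa.ops_id, after casting each element with (int); the sketch decodes such values defensively for a permission audit. The function names, the sample rows and the rule that ids below 1 are suspicious are assumptions of the example.

```php
<?php
declare(strict_types=1);

// Added example, not part of ILIAS. Function names and sample rows are hypothetical.

/**
 * Decode one rbac_pa.ops_id value into a sorted list of unique operation ids.
 * Rejects anything that is not a flat array of positive integers.
 */
function decodeOpsIds(string $stored): array
{
    // allowed_classes => false keeps unserialize() from instantiating objects
    // if the column ever holds something other than what grantPermission() wrote.
    $value = @unserialize($stored, ['allowed_classes' => false]);
    if (!is_array($value)) {
        throw new UnexpectedValueException('not a serialized array');
    }
    $ops = [];
    foreach ($value as $op) {
        // grantPermission() casts with (int), so non-numeric input ends up as 0.
        // Assumption of this example: real operation ids are >= 1.
        if (!is_int($op) || $op < 1) {
            throw new UnexpectedValueException('invalid operation id: ' . var_export($op, true));
        }
        $ops[$op] = true; // keyed by id, so duplicates collapse
    }
    $ids = array_keys($ops);
    sort($ids);
    return $ids;
}

/**
 * Audit rows shaped like rbac_pa (rol_id, ops_id, ref_id).
 * Returns ['grants' => [ref_id => [rol_id => int[]]], 'rejected' => rows with a reason].
 */
function auditPermissionRows(array $rows): array
{
    $report = ['grants' => [], 'rejected' => []];
    foreach ($rows as $row) {
        try {
            $report['grants'][$row['ref_id']][$row['rol_id']] = decodeOpsIds($row['ops_id']);
        } catch (UnexpectedValueException $e) {
            $report['rejected'][] = $row + ['reason' => $e->getMessage()];
        }
    }
    return $report;
}

// Constructed sample rows; the first three mimic what grantPermission() would write.
$rows = [
    ['rol_id' => 4,  'ref_id' => 70, 'ops_id' => serialize([1, 2, 3])],
    ['rol_id' => 5,  'ref_id' => 70, 'ops_id' => serialize([2, (int) '2', 4])], // duplicate id
    ['rol_id' => 14, 'ref_id' => 71, 'ops_id' => serialize([(int) 'read'])],     // cast produced 0
    ['rol_id' => 80, 'ref_id' => 71, 'ops_id' => 'O:8:"stdClass":0:{}'],         // not an array
];

$report = auditPermissionRows($rows);
print_r($report['grants']);
foreach ($report['rejected'] as $r) {
    echo "rejected rol_id={$r['rol_id']} ref_id={$r['ref_id']}: {$r['reason']}\n";
}
```

Because grantPermission() deletes the existing row before it checks for an empty operation list, a pair that was last granted an empty array has no row in rbac_pa at all and will not appear in such a report.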


◆ initIntersectionPermissions()

ilRbacAdmin::initIntersectionPermissions (   $a_ref_id,
  $a_role_id,
  $a_role_parent,
  $a_template_id,
  $a_template_parent 
)

Init intersection permissions.

@global type $rbacreview

Parameters
type  $a_ref_id
type  $a_role_id
type  $a_role_parent
type  $a_template_id
type  $a_template_parent
Returns
type

Definition at line 1194 of file class.ilRbacAdmin.php.

1195 {
1196 global $rbacreview;
1197
1198 if($rbacreview->isProtected($a_role_parent, $a_role_id))
1199 {
1200 // Assign object permissions
1201 $new_ops = $rbacreview->getOperationsOfRole(
1202 $a_role_id,
1203 ilObject::_lookupType($a_ref_id, true),
1204 $a_role_parent
1205 );
1206
1207 // set new permissions for object
1208 $this->grantPermission(
1209 $a_role_id,
1210 (array) $new_ops,
1211 $a_ref_id
1212 );
1213 return;
1214 }
1215 if(!$a_template_id)
1216 {
1217 ilLoggerFactory::getLogger('ac')->info('No template id given. Aborting.');
1218 return;
1219 }
1220 // create template permission intersection
1221 $this->copyRolePermissionIntersection(
1222 $a_template_id,
1223 $a_template_parent,
1224 $a_role_id,
1225 $a_role_parent,
1226 $a_ref_id,
1227 $a_role_id
1228 );
1229
1230 // assign role to folder
1231 $this->assignRoleToFolder(
1232 $a_role_id,
1233 $a_ref_id,
1234 'n'
1235 );
1236
1237 // Assign object permissions
1238 $new_ops = $rbacreview->getOperationsOfRole(
1239 $a_role_id,
1240 ilObject::_lookupType($a_ref_id, true),
1241 $a_ref_id
1242 );
1243
1244 // revoke existing permissions
1245 $this->revokePermission($a_ref_id, $a_role_id);
1246
1247 // set new permissions for object
1248 $this->grantPermission(
1249 $a_role_id,
1250 (array) $new_ops,
1251 $a_ref_id
1252 );
1253
1254 return;
1255 }

References ilObject\_lookupType(), assignRoleToFolder(), copyRolePermissionIntersection(), ilLoggerFactory\getLogger(), grantPermission(), and revokePermission().

Referenced by adjustMovedObjectPermissions().


◆ removeUser()

ilRbacAdmin::removeUser (   $a_usr_id)

Deletes a user from rbac_ua; all user <-> role relations are deleted. @access public

Parameters
integer  user_id
Returns
boolean true on success

Definition at line 66 of file class.ilRbacAdmin.php.

67 {
68 global $ilDB;
69
70 if (!isset($a_usr_id))
71 {
72 $message = get_class($this)."::removeUser(): No usr_id given!";
73 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
74 }
75
76 $query = "DELETE FROM rbac_ua WHERE usr_id = ".$ilDB->quote($a_usr_id,'integer');
77 $res = $ilDB->manipulate($query);
78
79 return true;
80 }

References $ilDB, $query, and $res.

◆ revokePermission()

ilRbacAdmin::revokePermission (   $a_ref_id,
  $a_rol_id = 0,
  $a_keep_protected = true 
)

Revokes permissions of an object of one role.

Update of table rbac_pa. Revokes all permissions for all roles for that object (with this reference). When a role_id is given, this applies only to that role. @access public

Parameters
integer  reference id of object where permissions should be revoked
integer  role_id (optional: if you want to revoke permissions of object only for a specific role)
Returns
boolean

Definition at line 443 of file class.ilRbacAdmin.php.

444 {
445 global $rbacreview,$log,$ilDB,$ilLog;
446
447 if (!isset($a_ref_id))
448 {
449 $ilLog->logStack();
450 $message = get_class($this)."::revokePermission(): Missing parameter! ref_id: ".$a_ref_id;
451 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
452 }
453#$log->write("ilRBACadmin::revokePermission(), 0");
454
455 // bypass protected status of roles
456 if ($a_keep_protected != true)
457 {
458 // exclude system role from rbac
459 if ($a_rol_id == SYSTEM_ROLE_ID)
460 {
461 return true;
462 }
463
464 if ($a_rol_id)
465 {
466 $and1 = " AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
467 }
468 else
469 {
470 $and1 = "";
471 }
472
473 $query = "DELETE FROM rbac_pa ".
474 "WHERE ref_id = ".$ilDB->quote($a_ref_id,'integer').
475 $and1;
476
477 $res = $ilDB->manipulate($query);
478
479 return true;
480 }
481
482 // consider protected status of roles
483
484 // in any case, get all roles in scope first
485 $roles_in_scope = $rbacreview->getParentRoleIds($a_ref_id);
486
487 if (!$a_rol_id)
488 {
489#$log->write("ilRBACadmin::revokePermission(), 1");
490
491 $role_ids = array();
492
493 foreach ($roles_in_scope as $role)
494 {
495 if ($role['protected'] == true)
496 {
497 continue;
498 }
499
500 $role_ids[] = $role['obj_id'];
501 }
502
503 // return if no role in array
504 if (!$role_ids)
505 {
506 return true;
507 }
508
509 $query = 'DELETE FROM rbac_pa '.
510 'WHERE '.$ilDB->in('rol_id',$role_ids,false,'integer').' '.
511 'AND ref_id = '.$ilDB->quote($a_ref_id,'integer');
512 $res = $ilDB->manipulate($query);
513 }
514 else
515 {
516#$log->write("ilRBACadmin::revokePermission(), 2");
517 // exclude system role from rbac
518 if ($a_rol_id == SYSTEM_ROLE_ID)
519 {
520 return true;
521 }
522
523 // exclude protected permission settings from revoking
524 if ($roles_in_scope[$a_rol_id]['protected'] == true)
525 {
526 return true;
527 }
528
529 $query = "DELETE FROM rbac_pa ".
530 "WHERE ref_id = ".$ilDB->quote($a_ref_id,'integer')." ".
531 "AND rol_id = ".$ilDB->quote($a_rol_id,'integer')." ";
532 $res = $ilDB->manipulate($query);
533 }
534
535 return true;
536 }

References $ilDB, $ilLog, $log, $query, and $res.

Referenced by adjustMovedObjectPermissions(), copyRolePermissions(), and initIntersectionPermissions().


◆ revokePermissionList()

ilRbacAdmin::revokePermissionList (   $a_ref_ids,
  $a_rol_id 
)

Revokes permissions of a LIST of objects of ONE role.

Update of table rbac_pa. @access public

Parameters
array  list of reference_ids to revoke permissions
integer  role_id
Returns
boolean

Definition at line 591 of file class.ilRbacAdmin.php.

592 {
593 global $ilDB;
594
595 if (!isset($a_ref_ids) or !is_array($a_ref_ids))
596 {
597 $message = get_class($this)."::revokePermissionList(): Missing parameter or parameter is not an array! reference_list: ".var_export($a_ref_ids, true);
598 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
599 }
600
601 if (!isset($a_rol_id))
602 {
603 $message = get_class($this)."::revokePermissionList(): Missing parameter! rol_id: ".$a_rol_id;
604 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
605 }
606
607 // exclude system role from rbac
608 if ($a_rol_id == SYSTEM_ROLE_ID)
609 {
610 return true;
611 }
612
613 $query = "DELETE FROM rbac_pa ".
614 "WHERE ".$ilDB->in('ref_id',$a_ref_ids,false,'integer').' '.
615 "AND rol_id = ".$ilDB->quote($a_rol_id,'integer');
616 $res = $ilDB->manipulate($query);
617
618 return true;
619 }

References $ilDB, $query, and $res.

◆ revokeSubtreePermissions()

ilRbacAdmin::revokeSubtreePermissions (   $a_ref_id,
  $a_role_id 
)

Revoke subtree permissions.

Parameters
object  $a_ref_id
object  $a_role_id
Returns

Definition at line 544 of file class.ilRbacAdmin.php.

545 {
546 global $ilDB;
547
548 $query = 'DELETE FROM rbac_pa '.
549 'WHERE ref_id IN '.
550 '( '.$GLOBALS['tree']->getSubTreeQuery($a_ref_id,array('child')).' ) '.
551 'AND rol_id = '.$ilDB->quote($a_role_id,'integer');
552
553 $ilDB->manipulate($query);
554 return true;
555 }

References $ilDB, and $query.

◆ setBlockedStatus()

ilRbacAdmin::setBlockedStatus (   $a_role_id,
  $a_ref_id,
  $a_blocked_status 
)

Set blocked status.

Parameters
type  $a_role_id
type  $a_ref_id
type  $a_blocked_status

Definition at line 48 of file class.ilRbacAdmin.php.

49 {
50 global $ilDB;
51
52 ilLoggerFactory::getLogger('crs')->logStack();
53 $query = 'UPDATE rbac_fa set blocked = '. $ilDB->quote($a_blocked_status,'integer').' '.
54 'WHERE rol_id = '.$ilDB->quote($a_role_id,'integer').' '.
55 'AND parent = '.$ilDB->quote($a_ref_id,'integer');
56 $ilDB->manipulate($query);
57 }

References $ilDB, $query, and ilLoggerFactory\getLogger().


◆ setProtected()

ilRbacAdmin::setProtected (   $a_ref_id,
  $a_role_id,
  $a_value 
)

Set protected @global $ilDB.

Parameters
type  $a_ref_id
type  $a_role_id
type  $a_value  y or n
Returns
boolean

Definition at line 1122 of file class.ilRbacAdmin.php.

1123 {
1124 global $ilDB;
1125
1126 // ref_id not used yet. protected permission acts 'global' for each role,
1127 // regardless of any broken inheritance before
1128 $query = 'UPDATE rbac_fa '.
1129 'SET protected = '.$ilDB->quote($a_value,'text').' '.
1130 'WHERE rol_id = '.$ilDB->quote($a_role_id,'integer');
1131 $res = $ilDB->manipulate($query);
1132 return true;
1133 }

References $ilDB, $query, and $res.

Referenced by copyRoleTemplatePermissions().


◆ setRolePermission()

ilRbacAdmin::setRolePermission (   $a_rol_id,
  $a_type,
  $a_ops,
  $a_ref_id 
)

Inserts template permissions in rbac_templates for a specific object type.

Update of table rbac_templates @access public

Parameters
integer  role_id
string  object type
array  operation_ids
integer  ref_id of role folder object
Returns
boolean

Definition at line 952 of file class.ilRbacAdmin.php.

953 {
954 global $ilDB;
955
956 if (!isset($a_rol_id) or !isset($a_type) or !isset($a_ops) or !isset($a_ref_id))
957 {
958 $message = get_class($this)."::setRolePermission(): Missing parameter!".
959 " role_id: ".$a_rol_id.
960 " type: ".$a_type.
961 " operations: ".$a_ops.
962 " ref_id: ".$a_ref_id;
963 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
964 }
965
966 if (!is_string($a_type) or empty($a_type))
967 {
968 $message = get_class($this)."::setRolePermission(): a_type is no string or empty!";
969 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
970 }
971
972 if (!is_array($a_ops) or empty($a_ops))
973 {
974 $message = get_class($this)."::setRolePermission(): a_ops is no array or empty!";
975 $this->ilErr->raiseError($message,$this->ilErr->WARNING);
976 }
977
978 // exclude system role from rbac
979 if ($a_rol_id == SYSTEM_ROLE_ID)
980 {
981 return true;
982 }
983
984 foreach($a_ops as $op)
985 {
986 $ilDB->replace(
987 'rbac_templates',
988 [
989 'rol_id' => ['integer', $a_rol_id],
990 'type' => ['text', $a_type],
991 'ops_id' => ['integer', $op],
992 'parent' => ['integer', $a_ref_id]
993 ],
994 []
995 );
996 }
997 return true;
998 }

References $a_type, and $ilDB.


The documentation for this class was generated from the following file: