ILIAS  release_5-3 Revision v5.3.23-19-g915713cf615
Public Member Functions | Static Public Member Functions | Data Fields | Protected Member Functions | Protected Attributes | Static Protected Attributes | Private Member Functions | Static Private Attributes
ilRbacSystem Class Reference
Services/AccessControl

class ilRbacSystem system function like checkAccess, addActiveRole ... More...

+ Collaboration diagram for ilRbacSystem:

Public Member Functions

 checkAccess ($a_operations, $a_ref_id, $a_type="")
 checkAccess represents the main method of the RBAC-system in ILIAS3 developers want to use With this method you check the permissions a use may have due to its roles on an specific object. More...
 
 checkAccessOfUser ($a_user_id, $a_operations, $a_ref_id, $a_type="")
 
 preloadRbacPaCache ($a_ref_ids, $a_user_id)
 Preload rbac_pa cache. More...
 
 checkPermission ($a_ref_id, $a_rol_id, $a_operation)
 check if a specific role has the permission '$a_operation' of an object public More...
 
 __filterOwnerPermissions ($a_user_id, $a_operations, $a_ref_id)
 
 initMemberView ()
 Init member view. More...
 
 addTemporaryRole ($a_usr_id, $a_role_id)
 
 resetPACache ($a_usr_id, $a_ref_id)
 

Static Public Member Functions

static getInstance ()
 
static resetCaches ()
 Reset internal caches. More...
 

Data Fields

 $ilias
 

Protected Member Functions

 __construct ()
 Constructor public. More...
 

Protected Attributes

 $mem_view
 

Static Protected Attributes

static $instance = null
 
static $user_role_cache = array()
 

Private Member Functions

 fetchAssignedRoles ($a_usr_id, $a_ref_id)
 Fetch assigned roles This method caches the assigned roles per user. More...
 

Static Private Attributes

static $_paCache = null
 
static $_checkAccessOfUserCache = null
 

Detailed Description

class ilRbacSystem system function like checkAccess, addActiveRole ...

Supporting system functions are required for session management and in making access control decisions. This class depends on the session since we offer the possiblility to add or delete active roles during one session.

Author
Stefan Meyer meyer.nosp@m.@lei.nosp@m.fos.c.nosp@m.om
Version
$Id$

Definition at line 16 of file class.ilRbacSystem.php.

Constructor & Destructor Documentation

◆ __construct()

ilRbacSystem::__construct ( )
protected

Constructor public.

Definition at line 35 of file class.ilRbacSystem.php.

References $ilDB, $ilErr, $ilias, array, and PEAR_ERROR_CALLBACK.

36  {
37  global $ilDB,$ilErr,$ilias;
38 
39  $this->ilias =&$ilias;
40 
41  // set db & error handler
42  (isset($ilDB)) ? $this->ilDB =&$ilDB : $this->ilDB =&$ilias->db;
43 
44  if (!isset($ilErr)) {
45  $ilErr = new ilErrorHandling();
46  $ilErr->setErrorHandling(PEAR_ERROR_CALLBACK, array($ilErr,'errorHandler'));
47  } else {
48  $this->ilErr =&$ilErr;
49  }
50  }
$ilErr
global $ilErr
Definition: raiseError.php:16
PEAR_ERROR_CALLBACK
const PEAR_ERROR_CALLBACK
Definition: PEAR.php:35
ilias
redirection script todo: (a better solution should control the processing via a xml file) ...
array
Create styles array
The data for the language used.
Definition: 40duplicateStyle.php:19
ilDB
Database Wrapper.
Definition: class.ilDB.php:29
$ilDB
global $ilDB
Definition: storeScorm2004.php:16
if
PHPExcel root directory.
Definition: Database.php:30

Member Function Documentation

◆ __filterOwnerPermissions()

ilRbacSystem::__filterOwnerPermissions (   $a_user_id,
  $a_operations,
  $a_ref_id 
)

Definition at line 302 of file class.ilRbacSystem.php.

References $ilUser.

Referenced by checkAccessOfUser().

303  {
304  global $ilObjDataCache,$ilUser;
305 
306  // member view constraints
307  if ($this->mem_view['active'] and $a_user_id == $ilUser->getId()) {
308  if (in_array($a_ref_id, $this->mem_view['items'])) {
309  return $a_operations;
310  }
311  }
312 
313  if ($a_user_id != $ilObjDataCache->lookupOwner($ilObjDataCache->lookupObjId($a_ref_id))) {
314  return $a_operations;
315  }
316  // Is owner
317  $new_ops = false;
318  foreach (explode(",", $a_operations) as $operation) {
319  if ($operation != 'cat_administrate_users' and $operation != 'edit_permission' and $operation != 'edit_learning_progress' and $operation != 'read_learning_progress' and !preg_match('/^create/', $operation)) {
320  continue;
321  }
322  if (!strlen($new_ops)) {
323  $new_ops = $operation;
324  } else {
325  $new_ops .= (',' . $operation);
326  }
327  }
328  return $new_ops;
329  }
$ilUser
$ilUser
Definition: imgupload.php:18
+ Here is the caller graph for this function:

◆ addTemporaryRole()

ilRbacSystem::addTemporaryRole (   $a_usr_id,
  $a_role_id 
)

Definition at line 406 of file class.ilRbacSystem.php.

407  {
408  if (!in_array($a_role_id, self::$user_role_cache[$a_usr_id])) {
409  self::$user_role_cache[$a_usr_id][] = $a_role_id;
410  }
411  }

◆ checkAccess()

ilRbacSystem::checkAccess (   $a_operations,
  $a_ref_id,
  $a_type = "" 
)

checkAccess represents the main method of the RBAC-system in ILIAS3 developers want to use With this method you check the permissions a use may have due to its roles on an specific object.

The first parameter are the operation(s) the user must have The second & third parameter specifies the object where the operation(s) may apply to The last parameter is only required, if you ask for the 'create' operation. Here you specify the object type which you want to create.

example: $rbacSystem->checkAccess("visible,read",23); Here you ask if the user is allowed to see ('visible') and access the object by reading it ('read'). The reference_id is 23 in the tree structure.

public

Parameters
stringone or more operations, separated by commas (i.e.: visible,read,join)
integerthe child_id in tree (usually a reference_id, no object_id !!)
stringthe type definition abbreviation (i.e.: frm,grp,crs)
Returns
boolean returns true if ALL passed operations are given, otherwise false

Definition at line 89 of file class.ilRbacSystem.php.

References $a_type, $ilBench, $ilUser, $result, and checkAccessOfUser().

Referenced by initMemberView().

90  {
91  global $ilUser,$ilBench;
92 
93  $ilBench->start("RBAC", "system_checkAccess");
94 
95  $result = $this->checkAccessOfUser($ilUser->getId(), $a_operations, $a_ref_id, $a_type);
96 
97  $ilBench->stop("RBAC", "system_checkAccess");
98 
99  return $result;
100  }
$result
$result
Definition: CleanUpTest.php:463
$a_type
$a_type
Definition: workflow.php:92
$ilUser
$ilUser
Definition: imgupload.php:18
ilRbacSystem\checkAccessOfUser
checkAccessOfUser($a_user_id, $a_operations, $a_ref_id, $a_type="")
Definition: class.ilRbacSystem.php:102
$ilBench
global $ilBench
Definition: ilias.php:18
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ checkAccessOfUser()

ilRbacSystem::checkAccessOfUser (   $a_user_id,
  $a_operations,
  $a_ref_id,
  $a_type = "" 
)

Definition at line 102 of file class.ilRbacSystem.php.

References $a_type, $GLOBALS, $ilDB, $ilLog, $ilUser, $r, $row, __filterOwnerPermissions(), ilRbacReview\_getOperationIdByName(), array, fetchAssignedRoles(), ilDBConstants\FETCHMODE_OBJECT, and ilDB\query().

Referenced by checkAccess().

103  {
104  global $ilUser, $rbacreview,$ilObjDataCache,$ilDB,$ilLog;
105 
106  // Create the user cache key
107  $cacheKey = $a_user_id . ':' . $a_operations . ':' . $a_ref_id . ':' . $a_type;
108 
109  // Create the cache if it does not yet exist
110  if (!is_array(self::$_checkAccessOfUserCache)) {
111  self::$_checkAccessOfUserCache = array();
112  }
113 
114  // Try to return result from cache
115  if (array_key_exists($cacheKey, self::$_checkAccessOfUserCache)) {
116  return self::$_checkAccessOfUserCache[$cacheKey];
117  }
118 
119 
120  // DISABLED
121  // Check For owner
122  // Owners do always have full access to their objects
123  // Excluded are the permissions create and perm
124  // This method call return all operations that are NOT granted by the owner status
125  if (!$a_operations = $this->__filterOwnerPermissions($a_user_id, $a_operations, $a_ref_id)) {
126  // Store positive outcome in cache.
127  // Note: we only cache up to 1000 results to avoid memory overflows
128  if (count(self::$_checkAccessOfUserCache) < 1000) {
129  self::$_checkAccessOfUserCache[$cacheKey] = true;
130  }
131  return true;
132  }
133 
134 
135  // get roles using role cache
136  $roles = $this->fetchAssignedRoles($a_user_id, $a_ref_id);
137 
138  // exclude system role from rbac
139  if (in_array(SYSTEM_ROLE_ID, $roles)) {
140  // Store positive outcome in cache.
141  // Note: we only cache up to 1000 results to avoid memory overflows
142  if (count(self::$_checkAccessOfUserCache) < 1000) {
143  self::$_checkAccessOfUserCache[$cacheKey] = true;
144  }
145  return true;
146  }
147 
148  if (!isset($a_operations) or !isset($a_ref_id)) {
149  $GLOBALS['ilLog']->logStack();
150  $this->ilErr->raiseError(get_class($this) . "::checkAccess(): Missing parameter! " .
151  "ref_id: " . $a_ref_id . " operations: " . $a_operations, $this->ilErr->WARNING);
152  }
153 
154  if (!is_string($a_operations)) {
155  $GLOBALS['ilLog']->logStack();
156  $this->ilErr->raiseError(get_class($this) . "::checkAccess(): Wrong datatype for operations!", $this->ilErr->WARNING);
157  }
158 
159  // Create the PA cache if it does not exist yet
160  $paCacheKey = $a_user_id . ':' . $a_ref_id;
161  if (!is_array(self::$_paCache)) {
162  self::$_paCache = array();
163  }
164 
165  if (array_key_exists($paCacheKey, self::$_paCache)) {
166  // Return result from PA cache
167  $ops = self::$_paCache[$paCacheKey];
168  } else {
169  // Data is not in PA cache, perform database query
170  $q = "SELECT * FROM rbac_pa " .
171  "WHERE ref_id = " . $ilDB->quote($a_ref_id, 'integer');
172 
173  $r = $this->ilDB->query($q);
174 
175  $ops = array();
176 
177  while ($row = $r->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
178  if (in_array($row->rol_id, $roles)) {
179  $ops = array_merge($ops, unserialize(stripslashes($row->ops_id)));
180  }
181  }
182  // Cache up to 1000 entries in the PA cache
183  if (count(self::$_paCache) < 1000) {
184  self::$_paCache[$paCacheKey] = $ops;
185  }
186  }
187 
188  $operations = explode(",", $a_operations);
189  foreach ($operations as $operation) {
190  if ($operation == "create") {
191  if (empty($a_type)) {
192  $this->ilErr->raiseError(
193  get_class($this) . "::CheckAccess(): Expect a type definition for checking a 'create' permission",
194  $this->ilErr->WARNING
195  );
196  }
197 
198  $ops_id = ilRbacReview::_getOperationIdByName($operation . "_" . $a_type);
199  } else {
200  $ops_id = ilRbacReview::_getOperationIdByName($operation);
201  }
202  if (!in_array($ops_id, (array) $ops)) {
203  //$ilLog->write('PERMISSION: '.$a_ref_id.' -> '.$a_ops_id.' failed');
204  // Store negative outcome in cache.
205  // Note: we only cache up to 1000 results to avoid memory overflows
206  if (count(self::$_checkAccessOfUserCache) < 1000) {
207  self::$_checkAccessOfUserCache[$cacheKey] = false;
208  }
209  return false;
210  }
211  }
212 
213  // Store positive outcome in cache.
214  // Note: we only cache up to 1000 results to avoid memory overflows
215  if (count(self::$_checkAccessOfUserCache) < 1000) {
216  //$ilLog->write('PERMISSION: '.$a_ref_id.' -> '.$ops_id.' granted');
217  self::$_checkAccessOfUserCache[$cacheKey] = true;
218  }
219  return true;
220  }
ilDB\query
query($sql, $a_handle_error=true)
Query.
Definition: class.ilDB.php:1339
$GLOBALS
$GLOBALS['loaded']
Global hash that tracks already loaded includes.
Definition: generate-standalone.php:18
ilRbacSystem\fetchAssignedRoles
fetchAssignedRoles($a_usr_id, $a_ref_id)
Fetch assigned roles This method caches the assigned roles per user.
Definition: class.ilRbacSystem.php:339
$a_type
$a_type
Definition: workflow.php:92
$r
$r
Definition: example_031.php:79
$ilUser
$ilUser
Definition: imgupload.php:18
$ilLog
$ilLog
Definition: inc.setup_header.php:129
array
Create styles array
The data for the language used.
Definition: 40duplicateStyle.php:19
ilRbacReview\_getOperationIdByName
static _getOperationIdByName($a_operation)
get operation id by name of operation public static
Definition: class.ilRbacReview.php:1233
ilDB
Database Wrapper.
Definition: class.ilDB.php:29
$ilDB
global $ilDB
Definition: storeScorm2004.php:16
ilRbacSystem\__filterOwnerPermissions
__filterOwnerPermissions($a_user_id, $a_operations, $a_ref_id)
Definition: class.ilRbacSystem.php:302
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ checkPermission()

ilRbacSystem::checkPermission (   $a_ref_id,
  $a_rol_id,
  $a_operation 
)

check if a specific role has the permission '$a_operation' of an object public

Parameters
integerreference id of object
integerrole id
stringthe permission to check
Returns
boolean

Definition at line 278 of file class.ilRbacSystem.php.

References $ilDB, $query, $res, $row, and array.

279  {
280  global $ilDB;
281 
282  $ops = array();
283 
284  $query = 'SELECT ops_id FROM rbac_operations ' .
285  'WHERE operation = ' . $ilDB->quote($a_operation, 'text');
286  $res = $ilDB->query($query);
287  while ($row = $ilDB->fetchObject($res)) {
288  $ops_id = $row->ops_id;
289  }
290 
291  $query = "SELECT * FROM rbac_pa " .
292  "WHERE rol_id = " . $ilDB->quote($a_rol_id, 'integer') . " " .
293  "AND ref_id = " . $ilDB->quote($a_ref_id, 'integer') . " ";
294  $res = $ilDB->query($query);
295 
296  while ($row = $ilDB->fetchObject($res)) {
297  $ops = array_merge($ops, unserialize($row->ops_id));
298  }
299  return in_array($ops_id, $ops);
300  }
$res
foreach($_POST as $key=> $value) $res
Definition: save_question_post_data.php:15
$query
$query
Definition: proxy_ylocal.php:13
array
Create styles array
The data for the language used.
Definition: 40duplicateStyle.php:19
$ilDB
global $ilDB
Definition: storeScorm2004.php:16

◆ fetchAssignedRoles()

ilRbacSystem::fetchAssignedRoles (   $a_usr_id,
  $a_ref_id 
)
private

Fetch assigned roles This method caches the assigned roles per user.

private

Parameters
intuser id

Definition at line 339 of file class.ilRbacSystem.php.

References $ilUser, and array.

Referenced by checkAccessOfUser(), and preloadRbacPaCache().

340  {
341  global $ilUser,$rbacreview;
342 
343  // Member view constraints
344  if ($this->mem_view['active'] and $a_usr_id == $ilUser->getId()) {
345  // check if current ref_id is subitem of active container
346  if (in_array($a_ref_id, $this->mem_view['items']) and $this->mem_view['role']) {
347  // Return default member role
348  return array($this->mem_view['role']);
349  }
350  }
351 
352  if (isset(self::$user_role_cache[$a_usr_id]) and is_array(self::$user_role_cache)) {
353  return self::$user_role_cache[$a_usr_id];
354  }
355 
356 
357 
358  return self::$user_role_cache[$a_usr_id] = $rbacreview->assignedRoles($a_usr_id);
359  }
$ilUser
$ilUser
Definition: imgupload.php:18
array
Create styles array
The data for the language used.
Definition: 40duplicateStyle.php:19
+ Here is the caller graph for this function:

◆ getInstance()

static ilRbacSystem::getInstance ( )
static

Definition at line 52 of file class.ilRbacSystem.php.

Referenced by ilInitialisation\initAccessHandling().

53  {
54  if (self::$instance) {
55  return self::$instance;
56  }
57  return self::$instance = new ilRbacSystem();
58  }
ilRbacSystem
class ilRbacSystem system function like checkAccess, addActiveRole ...
Definition: class.ilRbacSystem.php:16
+ Here is the caller graph for this function:

◆ initMemberView()

ilRbacSystem::initMemberView ( )

Init member view.

Returns

Definition at line 365 of file class.ilRbacSystem.php.

References $_GET, array, checkAccess(), ilParticipants\getDefaultMemberRole(), and ilMemberViewSettings\getInstance().

366  {
367  include_once './Services/Container/classes/class.ilMemberViewSettings.php';
368  $settings = ilMemberViewSettings::getInstance();
369 
370  // disable member view
371  if (
372  isset($_GET['mv']) &&
373  $_GET['mv'] == 0
374  ) {
375  // force deactivation
376  $settings->toggleActivation((int) $_GET['ref_id'], false);
377  }
378  if (
379  isset($_GET['mv']) &&
380  $_GET['mv'] == 1
381  ) {
382  if ($this->checkAccess('write', (int) $_GET['ref_id'])) {
383  $settings->toggleActivation((int) $_GET['ref_id'], true);
384  // reset caches
385  self::resetCaches();
386  }
387  }
388 
389  if (!$settings->isActive()) {
390  $this->mem_view['active'] = false;
391  $this->mem_view['items'] = array();
392  $this->mem_view['role'] = 0;
393  } else {
394  global $tree;
395 
396  $this->mem_view['active'] = true;
397  $this->mem_view['items'] = $tree->getSubTreeIds($settings->getContainer());
398  $this->mem_view['items'] = array_merge($this->mem_view['items'], array($settings->getContainer()));
399 
400  include_once './Services/Membership/classes/class.ilParticipants.php';
401  $this->mem_view['role'] = ilParticipants::getDefaultMemberRole($settings->getContainer());
402  }
403  return true;
404  }
$_GET
$_GET["client_id"]
Definition: cfg.phpunit.template.php:12
ilParticipants\getDefaultMemberRole
static getDefaultMemberRole($a_ref_id)
Definition: class.ilParticipants.php:409
ilRbacSystem\checkAccess
checkAccess($a_operations, $a_ref_id, $a_type="")
checkAccess represents the main method of the RBAC-system in ILIAS3 developers want to use With this ...
Definition: class.ilRbacSystem.php:89
array
Create styles array
The data for the language used.
Definition: 40duplicateStyle.php:19
ilMemberViewSettings\getInstance
static getInstance()
Get instance.
Definition: class.ilMemberViewSettings.php:67
+ Here is the call graph for this function:

◆ preloadRbacPaCache()

ilRbacSystem::preloadRbacPaCache (   $a_ref_ids,
  $a_user_id 
)

Preload rbac_pa cache.

Parameters

Definition at line 228 of file class.ilRbacSystem.php.

References $ilDB, $r, $row, array, fetchAssignedRoles(), ilDBConstants\FETCHMODE_OBJECT, and ilDB\query().

229  {
230  global $ilDB;
231 
232  if (!is_array($a_ref_ids)) {
233  return;
234  }
235 
236  $ref_ids = array();
237  foreach ($a_ref_ids as $ref_id) {
238  if (!isset(self::$_paCache[$a_user_id . ":" . $ref_id])) {
239  $roles[$ref_id] = $this->fetchAssignedRoles($a_user_id, $ref_id);
240  $ops[$ref_id] = array();
241  $ref_ids[] = $ref_id;
242  }
243  }
244 
245  if (count($ref_ids) > 0) {
246 
247  // Data is not in PA cache, perform database query
248  $q = "SELECT * FROM rbac_pa " .
249  "WHERE " . $ilDB->in("ref_id", $ref_ids, false, "integer");
250 
251  $r = $this->ilDB->query($q);
252 
253  while ($row = $r->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
254  if (in_array($row->rol_id, $roles[$row->ref_id])) {
255  $ops[$row->ref_id] = array_merge(
256  $ops[$row->ref_id],
257  unserialize(stripslashes($row->ops_id))
258  );
259  }
260  }
261  foreach ($a_ref_ids as $ref_id) {
262  // #11313
263  if (!isset(self::$_paCache[$a_user_id . ":" . $ref_id])) {
264  self::$_paCache[$a_user_id . ":" . $ref_id] = $ops[$ref_id];
265  }
266  }
267  }
268  }
ilDB\query
query($sql, $a_handle_error=true)
Query.
Definition: class.ilDB.php:1339
ilRbacSystem\fetchAssignedRoles
fetchAssignedRoles($a_usr_id, $a_ref_id)
Fetch assigned roles This method caches the assigned roles per user.
Definition: class.ilRbacSystem.php:339
$r
$r
Definition: example_031.php:79
array
Create styles array
The data for the language used.
Definition: 40duplicateStyle.php:19
ilDB
Database Wrapper.
Definition: class.ilDB.php:29
$ilDB
global $ilDB
Definition: storeScorm2004.php:16
+ Here is the call graph for this function:

◆ resetCaches()

static ilRbacSystem::resetCaches ( )
static

Reset internal caches.

Definition at line 63 of file class.ilRbacSystem.php.

References array.

Referenced by ilObjSessionGUI\unregisterObject().

64  {
65  self::$user_role_cache = array();
66  self::$_paCache = null;
67  self::$_checkAccessOfUserCache = null;
68  }
array
Create styles array
The data for the language used.
Definition: 40duplicateStyle.php:19
+ Here is the caller graph for this function:

◆ resetPACache()

ilRbacSystem::resetPACache (   $a_usr_id,
  $a_ref_id 
)

Definition at line 413 of file class.ilRbacSystem.php.

414  {
415  $paCacheKey = $a_usr_id . ':' . $a_ref_id;
416  unset(self::$_paCache[$paCacheKey]);
417  }

Field Documentation

◆ $_checkAccessOfUserCache

ilRbacSystem::$_checkAccessOfUserCache = null
staticprivate

Definition at line 29 of file class.ilRbacSystem.php.

◆ $_paCache

ilRbacSystem::$_paCache = null
staticprivate

Definition at line 26 of file class.ilRbacSystem.php.

◆ $ilias

ilRbacSystem::$ilias

Definition at line 23 of file class.ilRbacSystem.php.

Referenced by __construct().

◆ $instance

ilRbacSystem::$instance = null
staticprotected

Definition at line 18 of file class.ilRbacSystem.php.

◆ $mem_view

ilRbacSystem::$mem_view
protected

Definition at line 20 of file class.ilRbacSystem.php.

◆ $user_role_cache

ilRbacSystem::$user_role_cache = array()
staticprotected

Definition at line 22 of file class.ilRbacSystem.php.

The documentation for this class was generated from the following file: