ILIAS  release_5-3 Revision v5.3.23-19-g915713cf615
ilRbacSystem Class Reference

Class ilRbacSystem: system functions like checkAccess, addActiveRole ... Supporting system functions are required for session management and in making access control decisions.


Public Member Functions

 checkAccess ($a_operations, $a_ref_id, $a_type="")
 checkAccess represents the main method of the RBAC system in ILIAS3 that developers want to use. With this method you check the permissions a user may have due to their roles on a specific object.
 
 checkAccessOfUser ($a_user_id, $a_operations, $a_ref_id, $a_type="")
 
 preloadRbacPaCache ($a_ref_ids, $a_user_id)
 Preload rbac_pa cache.
 
 checkPermission ($a_ref_id, $a_rol_id, $a_operation)
 Check if a specific role has the permission '$a_operation' of an object. @access public
 
 __filterOwnerPermissions ($a_user_id, $a_operations, $a_ref_id)
 
 initMemberView ()
 Init member view.
 
 addTemporaryRole ($a_usr_id, $a_role_id)
 
 resetPACache ($a_usr_id, $a_ref_id)
 

Static Public Member Functions

static getInstance ()
 
static resetCaches ()
 Reset internal caches.
 

Data Fields

 $ilias
 

Protected Member Functions

 __construct ()
 Constructor @access public.
 

Protected Attributes

 $mem_view
 

Static Protected Attributes

static $instance = null
 
static $user_role_cache = array()
 

Private Member Functions

 fetchAssignedRoles ($a_usr_id, $a_ref_id)
 Fetch assigned roles. This method caches the assigned roles per user.
 

Static Private Attributes

static $_paCache = null
 
static $_checkAccessOfUserCache = null
 

Detailed Description

Class ilRbacSystem: system functions like checkAccess, addActiveRole ... Supporting system functions are required for session management and in making access control decisions.

This class depends on the session since we offer the possibility to add or delete active roles during one session.

Author
Stefan Meyer <meyer@leifos.com>
Version
$Id$

Definition at line 16 of file class.ilRbacSystem.php.

Constructor & Destructor Documentation

◆ __construct()

ilRbacSystem::__construct ( )
protected

Constructor @access public.

Definition at line 35 of file class.ilRbacSystem.php.

{
    global $ilDB,$ilErr,$ilias;

    $this->ilias =&$ilias;

    // set db & error handler
    (isset($ilDB)) ? $this->ilDB =&$ilDB : $this->ilDB =&$ilias->db;

    if (!isset($ilErr)) {
        $ilErr = new ilErrorHandling();
        $ilErr->setErrorHandling(PEAR_ERROR_CALLBACK, array($ilErr,'errorHandler'));
    } else {
        $this->ilErr =&$ilErr;
    }
}

References $ilDB, $ilErr, $ilias, and PEAR_ERROR_CALLBACK.

Member Function Documentation

◆ __filterOwnerPermissions()

ilRbacSystem::__filterOwnerPermissions (   $a_user_id,
  $a_operations,
  $a_ref_id 
)

Definition at line 302 of file class.ilRbacSystem.php.

{
    global $ilObjDataCache,$ilUser;

    // member view constraints
    if ($this->mem_view['active'] and $a_user_id == $ilUser->getId()) {
        if (in_array($a_ref_id, $this->mem_view['items'])) {
            return $a_operations;
        }
    }

    if ($a_user_id != $ilObjDataCache->lookupOwner($ilObjDataCache->lookupObjId($a_ref_id))) {
        return $a_operations;
    }
    // Is owner
    $new_ops = false;
    foreach (explode(",", $a_operations) as $operation) {
        if ($operation != 'cat_administrate_users' and $operation != 'edit_permission' and $operation != 'edit_learning_progress' and $operation != 'read_learning_progress' and !preg_match('/^create/', $operation)) {
            continue;
        }
        if (!strlen($new_ops)) {
            $new_ops = $operation;
        } else {
            $new_ops .= (',' . $operation);
        }
    }
    return $new_ops;
}

References $ilUser.

Referenced by checkAccessOfUser().


◆ addTemporaryRole()

ilRbacSystem::addTemporaryRole (   $a_usr_id,
  $a_role_id 
)

Definition at line 406 of file class.ilRbacSystem.php.

{
    if (!in_array($a_role_id, self::$user_role_cache[$a_usr_id])) {
        self::$user_role_cache[$a_usr_id][] = $a_role_id;
    }
}

◆ checkAccess()

ilRbacSystem::checkAccess (   $a_operations,
  $a_ref_id,
  $a_type = "" 
)

checkAccess represents the main method of the RBAC system in ILIAS3 that developers want to use. With this method you check the permissions a user may have due to their roles on a specific object.

The first parameter is the operation(s) the user must have. The second & third parameters specify the object the operation(s) may apply to. The last parameter is only required if you ask for the 'create' operation; here you specify the object type which you want to create.

example: $rbacSystem->checkAccess("visible,read",23); Here you ask if the user is allowed to see ('visible') and access the object by reading it ('read'). The reference_id is 23 in the tree structure.

@access public

Parameters
string: one or more operations, separated by commas (i.e.: visible,read,join)
integer: the child_id in tree (usually a reference_id, no object_id !!)
string: the type definition abbreviation (i.e.: frm,grp,crs)
Returns
boolean returns true if ALL passed operations are given, otherwise false

Definition at line 89 of file class.ilRbacSystem.php.

{
    global $ilUser,$ilBench;

    $ilBench->start("RBAC", "system_checkAccess");

    $result = $this->checkAccessOfUser($ilUser->getId(), $a_operations, $a_ref_id, $a_type);

    $ilBench->stop("RBAC", "system_checkAccess");

    return $result;
}

References $a_type, $ilBench, $ilUser, $result, and checkAccessOfUser().

Referenced by initMemberView().


◆ checkAccessOfUser()

ilRbacSystem::checkAccessOfUser (   $a_user_id,
  $a_operations,
  $a_ref_id,
  $a_type = "" 
)

Definition at line 102 of file class.ilRbacSystem.php.

{
    global $ilUser, $rbacreview,$ilObjDataCache,$ilDB,$ilLog;

    // Create the user cache key
    $cacheKey = $a_user_id . ':' . $a_operations . ':' . $a_ref_id . ':' . $a_type;

    // Create the cache if it does not yet exist
    if (!is_array(self::$_checkAccessOfUserCache)) {
        self::$_checkAccessOfUserCache = array();
    }

    // Try to return result from cache
    if (array_key_exists($cacheKey, self::$_checkAccessOfUserCache)) {
        return self::$_checkAccessOfUserCache[$cacheKey];
    }


    // DISABLED
    // Check For owner
    // Owners do always have full access to their objects
    // Excluded are the permissions create and perm
    // This method call return all operations that are NOT granted by the owner status
    if (!$a_operations = $this->__filterOwnerPermissions($a_user_id, $a_operations, $a_ref_id)) {
        // Store positive outcome in cache.
        // Note: we only cache up to 1000 results to avoid memory overflows
        if (count(self::$_checkAccessOfUserCache) < 1000) {
            self::$_checkAccessOfUserCache[$cacheKey] = true;
        }
        return true;
    }


    // get roles using role cache
    $roles = $this->fetchAssignedRoles($a_user_id, $a_ref_id);

    // exclude system role from rbac
    if (in_array(SYSTEM_ROLE_ID, $roles)) {
        // Store positive outcome in cache.
        // Note: we only cache up to 1000 results to avoid memory overflows
        if (count(self::$_checkAccessOfUserCache) < 1000) {
            self::$_checkAccessOfUserCache[$cacheKey] = true;
        }
        return true;
    }

    if (!isset($a_operations) or !isset($a_ref_id)) {
        $GLOBALS['ilLog']->logStack();
        $this->ilErr->raiseError(get_class($this) . "::checkAccess(): Missing parameter! " .
            "ref_id: " . $a_ref_id . " operations: " . $a_operations, $this->ilErr->WARNING);
    }

    if (!is_string($a_operations)) {
        $GLOBALS['ilLog']->logStack();
        $this->ilErr->raiseError(get_class($this) . "::checkAccess(): Wrong datatype for operations!", $this->ilErr->WARNING);
    }

    // Create the PA cache if it does not exist yet
    $paCacheKey = $a_user_id . ':' . $a_ref_id;
    if (!is_array(self::$_paCache)) {
        self::$_paCache = array();
    }

    if (array_key_exists($paCacheKey, self::$_paCache)) {
        // Return result from PA cache
        $ops = self::$_paCache[$paCacheKey];
    } else {
        // Data is not in PA cache, perform database query
        $q = "SELECT * FROM rbac_pa " .
            "WHERE ref_id = " . $ilDB->quote($a_ref_id, 'integer');

        $r = $this->ilDB->query($q);

        $ops = array();

        while ($row = $r->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
            if (in_array($row->rol_id, $roles)) {
                $ops = array_merge($ops, unserialize(stripslashes($row->ops_id)));
            }
        }
        // Cache up to 1000 entries in the PA cache
        if (count(self::$_paCache) < 1000) {
            self::$_paCache[$paCacheKey] = $ops;
        }
    }

    $operations = explode(",", $a_operations);
    foreach ($operations as $operation) {
        if ($operation == "create") {
            if (empty($a_type)) {
                $this->ilErr->raiseError(
                    get_class($this) . "::CheckAccess(): Expect a type definition for checking a 'create' permission",
                    $this->ilErr->WARNING
                );
            }

            $ops_id = ilRbacReview::_getOperationIdByName($operation . "_" . $a_type);
        } else {
            $ops_id = ilRbacReview::_getOperationIdByName($operation);
        }
        if (!in_array($ops_id, (array) $ops)) {
            //$ilLog->write('PERMISSION: '.$a_ref_id.' -> '.$a_ops_id.' failed');
            // Store negative outcome in cache.
            // Note: we only cache up to 1000 results to avoid memory overflows
            if (count(self::$_checkAccessOfUserCache) < 1000) {
                self::$_checkAccessOfUserCache[$cacheKey] = false;
            }
            return false;
        }
    }

    // Store positive outcome in cache.
    // Note: we only cache up to 1000 results to avoid memory overflows
    if (count(self::$_checkAccessOfUserCache) < 1000) {
        //$ilLog->write('PERMISSION: '.$a_ref_id.' -> '.$ops_id.' granted');
        self::$_checkAccessOfUserCache[$cacheKey] = true;
    }
    return true;
}

References $a_type, $GLOBALS, $ilDB, $ilLog, $ilUser, $r, $row, __filterOwnerPermissions(), ilRbacReview\_getOperationIdByName(), fetchAssignedRoles(), ilDBConstants\FETCHMODE_OBJECT, and ilDB\query().

Referenced by checkAccess().
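
The decision order of checkAccessOfUser() (owner filter, system role, then the operations granted to the user's roles) as a stand-alone model. This is an added example, not ILIAS code: modelCheckAccess(), opsNotGrantedByOwnership(), MODEL_SYSTEM_ROLE_ID and the sample data are assumptions, operation names stand in for the operation ids the real method compares, and the caches and the member view are left out.

```php
<?php
// Simplified model of the decision order in checkAccessOfUser() (added example).
// All data is constructed; the real method reads rbac_pa through $ilDB.

const MODEL_SYSTEM_ROLE_ID = 2;  // assumed stand-in for SYSTEM_ROLE_ID

// Operations that ownership does NOT grant (same list as __filterOwnerPermissions()).
function opsNotGrantedByOwnership(string $operations): array
{
    $keep = ['cat_administrate_users', 'edit_permission',
             'edit_learning_progress', 'read_learning_progress'];
    return array_values(array_filter(
        explode(',', $operations),
        function ($op) use ($keep) {
            return in_array($op, $keep, true) || preg_match('/^create/', $op);
        }
    ));
}

// $roles: role ids of the user; $pa: role id => operation names granted on the object.
function modelCheckAccess(bool $isOwner, array $roles, array $pa, string $operations): bool
{
    $remaining = $isOwner ? opsNotGrantedByOwnership($operations)
                          : explode(',', $operations);
    if ($isOwner && !$remaining) {
        return true;             // everything requested is covered by ownership
    }
    if (in_array(MODEL_SYSTEM_ROLE_ID, $roles, true)) {
        return true;             // the system role is excluded from RBAC
    }
    $granted = [];
    foreach ($roles as $role) {
        $granted = array_merge($granted, $pa[$role] ?? []);
    }
    foreach ($remaining as $op) {
        if (!in_array($op, $granted, true)) {
            return false;        // one missing operation denies the whole request
        }
    }
    return true;
}

// Constructed sample: role 4 may see and read the object, role 80 may also write.
$pa = [4 => ['visible', 'read'], 80 => ['visible', 'read', 'write']];

var_dump(modelCheckAccess(false, [4], $pa, 'visible,read'));          // all operations held
var_dump(modelCheckAccess(false, [4], $pa, 'visible,read,write'));    // 'write' is missing
var_dump(modelCheckAccess(true, [4], $pa, 'read,write'));             // owner, no role lookup
var_dump(modelCheckAccess(true, [4], $pa, 'write,edit_permission'));  // owner still needs the role
var_dump(modelCheckAccess(false, [MODEL_SYSTEM_ROLE_ID], $pa, 'delete'));  // system role
```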


◆ checkPermission()

ilRbacSystem::checkPermission (   $a_ref_id,
  $a_rol_id,
  $a_operation 
)

Check if a specific role has the permission '$a_operation' of an object. @access public

Parameters
integer: reference id of object
integer: role id
string: the permission to check
Returns
boolean

Definition at line 278 of file class.ilRbacSystem.php.

{
    global $ilDB;

    $ops = array();

    $query = 'SELECT ops_id FROM rbac_operations ' .
        'WHERE operation = ' . $ilDB->quote($a_operation, 'text');
    $res = $ilDB->query($query);
    while ($row = $ilDB->fetchObject($res)) {
        $ops_id = $row->ops_id;
    }

    $query = "SELECT * FROM rbac_pa " .
        "WHERE rol_id = " . $ilDB->quote($a_rol_id, 'integer') . " " .
        "AND ref_id = " . $ilDB->quote($a_ref_id, 'integer') . " ";
    $res = $ilDB->query($query);

    while ($row = $ilDB->fetchObject($res)) {
        $ops = array_merge($ops, unserialize($row->ops_id));
    }
    return in_array($ops_id, $ops);
}

References $ilDB, $query, $res, and $row.

◆ fetchAssignedRoles()

ilRbacSystem::fetchAssignedRoles (   $a_usr_id,
  $a_ref_id 
)
private

Fetch assigned roles. This method caches the assigned roles per user.

@access private

Parameters
int: user id

Definition at line 339 of file class.ilRbacSystem.php.

{
    global $ilUser,$rbacreview;

    // Member view constraints
    if ($this->mem_view['active'] and $a_usr_id == $ilUser->getId()) {
        // check if current ref_id is subitem of active container
        if (in_array($a_ref_id, $this->mem_view['items']) and $this->mem_view['role']) {
            // Return default member role
            return array($this->mem_view['role']);
        }
    }

    if (isset(self::$user_role_cache[$a_usr_id]) and is_array(self::$user_role_cache)) {
        return self::$user_role_cache[$a_usr_id];
    }



    return self::$user_role_cache[$a_usr_id] = $rbacreview->assignedRoles($a_usr_id);
}

References $ilUser.

Referenced by checkAccessOfUser(), and preloadRbacPaCache().


◆ getInstance()

static ilRbacSystem::getInstance ( )
static

Definition at line 52 of file class.ilRbacSystem.php.

{
    if (self::$instance) {
        return self::$instance;
    }
    return self::$instance = new ilRbacSystem();
}

References $instance.

Referenced by ilInitialisation\initAccessHandling().


◆ initMemberView()

ilRbacSystem::initMemberView ( )

Init member view.

Returns

Definition at line 365 of file class.ilRbacSystem.php.

{
    include_once './Services/Container/classes/class.ilMemberViewSettings.php';
    $settings = ilMemberViewSettings::getInstance();

    // disable member view
    if (
        isset($_GET['mv']) &&
        $_GET['mv'] == 0
    ) {
        // force deactivation
        $settings->toggleActivation((int) $_GET['ref_id'], false);
    }
    if (
        isset($_GET['mv']) &&
        $_GET['mv'] == 1
    ) {
        if ($this->checkAccess('write', (int) $_GET['ref_id'])) {
            $settings->toggleActivation((int) $_GET['ref_id'], true);
            // reset caches
            self::resetCaches();
        }
    }

    if (!$settings->isActive()) {
        $this->mem_view['active'] = false;
        $this->mem_view['items'] = array();
        $this->mem_view['role'] = 0;
    } else {
        global $tree;

        $this->mem_view['active'] = true;
        $this->mem_view['items'] = $tree->getSubTreeIds($settings->getContainer());
        $this->mem_view['items'] = array_merge($this->mem_view['items'], array($settings->getContainer()));

        include_once './Services/Membership/classes/class.ilParticipants.php';
        $this->mem_view['role'] = ilParticipants::getDefaultMemberRole($settings->getContainer());
    }
    return true;
}

References $_GET, checkAccess(), ilParticipants\getDefaultMemberRole(), ilMemberViewSettings\getInstance(), and resetCaches().


◆ preloadRbacPaCache()

ilRbacSystem::preloadRbacPaCache (   $a_ref_ids,
  $a_user_id 
)

Preload rbac_pa cache.

Parameters

return

Definition at line 228 of file class.ilRbacSystem.php.

{
    global $ilDB;

    if (!is_array($a_ref_ids)) {
        return;
    }

    $ref_ids = array();
    foreach ($a_ref_ids as $ref_id) {
        if (!isset(self::$_paCache[$a_user_id . ":" . $ref_id])) {
            $roles[$ref_id] = $this->fetchAssignedRoles($a_user_id, $ref_id);
            $ops[$ref_id] = array();
            $ref_ids[] = $ref_id;
        }
    }

    if (count($ref_ids) > 0) {

        // Data is not in PA cache, perform database query
        $q = "SELECT * FROM rbac_pa " .
            "WHERE " . $ilDB->in("ref_id", $ref_ids, false, "integer");

        $r = $this->ilDB->query($q);

        while ($row = $r->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
            if (in_array($row->rol_id, $roles[$row->ref_id])) {
                $ops[$row->ref_id] = array_merge(
                    $ops[$row->ref_id],
                    unserialize(stripslashes($row->ops_id))
                );
            }
        }
        foreach ($a_ref_ids as $ref_id) {
            // #11313
            if (!isset(self::$_paCache[$a_user_id . ":" . $ref_id])) {
                self::$_paCache[$a_user_id . ":" . $ref_id] = $ops[$ref_id];
            }
        }
    }
}

References $ilDB, $r, $row, fetchAssignedRoles(), ilDBConstants\FETCHMODE_OBJECT, and ilDB\query().


◆ resetCaches()

static ilRbacSystem::resetCaches ( )
static

Reset internal caches.

Definition at line 63 of file class.ilRbacSystem.php.

{
    self::$user_role_cache = array();
    self::$_paCache = null;
    self::$_checkAccessOfUserCache = null;
}

Referenced by initMemberView(), and ilObjSessionGUI\unregisterObject().


◆ resetPACache()

ilRbacSystem::resetPACache (   $a_usr_id,
  $a_ref_id 
)

Definition at line 413 of file class.ilRbacSystem.php.

{
    $paCacheKey = $a_usr_id . ':' . $a_ref_id;
    unset(self::$_paCache[$paCacheKey]);
}
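
How the three static caches interact when addTemporaryRole() and resetPACache() are called within one request, shown as an added model that is not ILIAS code. The class RbacCacheModel, its check() method, and all ids and table contents are constructed for illustration; the owner filter, the system role and the 1000-entry limit are left out.

```php
<?php
// Model of the static caches used by ilRbacSystem (added example, constructed data).
final class RbacCacheModel
{
    private static $userRoleCache = [7 => [4]];   // user id => role ids
    private static $paCache = [];                 // "user:ref" => granted operations
    private static $decisionCache = [];           // "user:ops:ref" => bool
    // Constructed stand-in for the rbac_pa table: ref id => role id => operations.
    private static $rbacPa = [23 => [4 => ['visible'], 80 => ['visible', 'read']]];

    public static function addTemporaryRole(int $usr, int $role): void
    {
        if (!in_array($role, self::$userRoleCache[$usr] ?? [], true)) {
            self::$userRoleCache[$usr][] = $role;   // only the role cache changes
        }
    }

    public static function resetPACache(int $usr, int $ref): void
    {
        unset(self::$paCache["$usr:$ref"]);         // the decision cache stays as it is
    }

    public static function check(int $usr, string $ops, int $ref): bool
    {
        $key = "$usr:$ops:$ref";
        if (array_key_exists($key, self::$decisionCache)) {
            return self::$decisionCache[$key];      // answered before roles are read
        }
        if (!isset(self::$paCache["$usr:$ref"])) {
            $granted = [];
            foreach (self::$userRoleCache[$usr] ?? [] as $role) {
                $granted = array_merge($granted, self::$rbacPa[$ref][$role] ?? []);
            }
            self::$paCache["$usr:$ref"] = $granted;
        }
        $missing = array_diff(explode(',', $ops), self::$paCache["$usr:$ref"]);
        return self::$decisionCache[$key] = !$missing;
    }
}

$first = RbacCacheModel::check(7, 'visible,read', 23);    // only role 4 is assigned
RbacCacheModel::addTemporaryRole(7, 80);
$stalePa = RbacCacheModel::check(7, 'read', 23);          // new key, old PA cache entry
RbacCacheModel::resetPACache(7, 23);
$sameKey = RbacCacheModel::check(7, 'visible,read', 23);  // cached decision is reused
$newKey = RbacCacheModel::check(7, 'read,visible', 23);   // recomputed with role 80
var_dump($first, $stalePa, $sameKey, $newKey);
```

In the model, a decision already cached for the same user, operations string and ref_id is returned unchanged after the role is added and the PA entry is cleared. In ilRbacSystem the call that clears all three caches is resetCaches().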

Field Documentation

◆ $_checkAccessOfUserCache

ilRbacSystem::$_checkAccessOfUserCache = null
static private

Definition at line 29 of file class.ilRbacSystem.php.

◆ $_paCache

ilRbacSystem::$_paCache = null
static private

Definition at line 26 of file class.ilRbacSystem.php.

◆ $ilias

ilRbacSystem::$ilias

Definition at line 23 of file class.ilRbacSystem.php.

Referenced by __construct().

◆ $instance

ilRbacSystem::$instance = null
static protected

Definition at line 18 of file class.ilRbacSystem.php.

Referenced by getInstance().

◆ $mem_view

ilRbacSystem::$mem_view
protected

Definition at line 20 of file class.ilRbacSystem.php.

◆ $user_role_cache

ilRbacSystem::$user_role_cache = array()
static protected

Definition at line 22 of file class.ilRbacSystem.php.


The documentation for this class was generated from the following file: