1<?php
2/* Copyright (c) 1998-2010 ILIAS open source, Extended GPL, see docs/LICENSE */
3
4
19{
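/**
 * Constructor.
 *
 * Resolves the database handle and the error handler from the globals the
 * ILIAS bootstrap exposes. If no global error handler exists yet, one is
 * created and registered with PEAR's callback mode.
 *
 * Fix: the freshly created handler is now also stored in $this->ilErr.
 * Previously only the global was populated in that branch, so every later
 * $this->ilErr->raiseError() call in this class would have been a method
 * call on an unset property.
 */
public function __construct()
{
    global $ilDB, $ilErr, $ilias;

    // Prefer the global DB handle; fall back to the one hanging off $ilias.
    if (isset($ilDB)) {
        $this->ilDB = &$ilDB;
    } else {
        $this->ilDB = &$ilias->db;
    }

    if (!isset($ilErr)) {
        // Lazily create the global error handler, routed through its own callback.
        $ilErr = new ilErrorHandling();
        $ilErr->setErrorHandling(PEAR_ERROR_CALLBACK, array($ilErr, 'errorHandler'));
    }
    // Whichever handler is now the global one is the one this instance uses.
    $this->ilErr = &$ilErr;
}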
38
/**
 * Set the "blocked" flag of a role assignment on one object.
 *
 * Updates rbac_fa.blocked for the pair (rol_id = $a_role_id,
 * parent = $a_ref_id). Every call also writes a stack trace to the 'crs'
 * logger, which is how the original traced who toggles the flag.
 *
 * @param int $a_role_id        role object id
 * @param int $a_ref_id         reference id of the object (rbac_fa.parent)
 * @param int $a_blocked_status value to store in rbac_fa.blocked
 */
public function setBlockedStatus($a_role_id, $a_ref_id, $a_blocked_status)
{
    global $ilDB;

    ilLoggerFactory::getLogger('crs')->logStack();

    $sql = sprintf(
        'UPDATE rbac_fa set blocked = %s WHERE rol_id = %s AND parent = %s',
        $ilDB->quote($a_blocked_status, 'integer'),
        $ilDB->quote($a_role_id, 'integer'),
        $ilDB->quote($a_ref_id, 'integer')
    );
    $ilDB->manipulate($sql);
}
55
/**
 * Remove every role assignment of a user.
 *
 * Deletes all rbac_ua rows of the given user id, i.e. the user is left
 * without any role. A missing user id raises a WARNING through the error
 * handler; whether execution continues after that depends on the handler.
 *
 * @param int $a_usr_id user id
 * @return bool always true
 */
public function removeUser($a_usr_id)
{
    global $ilDB;

    if (!isset($a_usr_id)) {
        $this->ilErr->raiseError(
            get_class($this) . "::removeUser(): No usr_id given!",
            $this->ilErr->WARNING
        );
    }

    $sql = 'DELETE FROM rbac_ua WHERE usr_id = ' . $ilDB->quote($a_usr_id, 'integer');
    $ilDB->manipulate($sql);

    return true;
}
77
/**
 * Delete a role from the RBAC tables.
 *
 * Calls ilLDAPRoleGroupMapping::deleteRole() for the role, deletes its user
 * assignments (rbac_ua) and object permissions (rbac_pa) and finally, via
 * deleteLocalRole() without a ref_id, its template permissions and folder
 * assignments at every parent. $a_ref_id is only validated and echoed in
 * the error message; it does not restrict the deletion.
 *
 * NOTE(review): the SYSTEM_ROLE_ID guard only stops the deletion if
 * raiseError(..., MESSAGE) does not return; if the configured handler
 * returns, execution falls through into the DELETEs. The same holds for
 * the WARNING raised on missing parameters. Confirm the handler's mode.
 *
 * NOTE(review): line 100 is missing from this rendering; it is expected to
 * initialise $mapping (an ilLDAPRoleGroupMapping instance) before line 101.
 * Verify against the repository.
 *
 * @param int $a_rol_id role object id
 * @param int $a_ref_id reference id of the role folder (informational only)
 * @return bool always true
 */
85 public function deleteRole($a_rol_id, $a_ref_id)
86 {
87 global $lng,$ilDB;
88
89 if (!isset($a_rol_id) or !isset($a_ref_id)) {
90 $message = get_class($this) . "::deleteRole(): Missing parameter! role_id: " . $a_rol_id . " ref_id of role folder: " . $a_ref_id;
91 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
92 }
93
94 // exclude system role from rbac
95 if ($a_rol_id == SYSTEM_ROLE_ID) {
96 $this->ilErr->raiseError($lng->txt("msg_sysrole_not_deletable"), $this->ilErr->MESSAGE);
97 }
98
99 include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
// NOTE(review): the line initialising $mapping is not part of this listing.
101 $mapping->deleteRole($a_rol_id);
102
103
104 // TODO: check assigned users before deletion
105 // This is done in ilObjRole. Should be better moved to this place?
106
107 // delete user assignements
108 $query = "DELETE FROM rbac_ua " .
109 "WHERE rol_id = " . $ilDB->quote($a_rol_id, 'integer');
110 $res = $ilDB->manipulate($query);
111
112 // delete permission assignments
113 $query = "DELETE FROM rbac_pa " .
114 "WHERE rol_id = " . $ilDB->quote($a_rol_id, 'integer') . " ";
115 $res = $ilDB->manipulate($query);
116
117 //delete rbac_templates and rbac_fa
// No ref_id is passed, so deleteLocalRole() removes the role's rows at all parents.
118 $this->deleteLocalRole($a_rol_id);
119
120 return true;
121 }
122
/**
 * Delete a role template.
 *
 * Removes every rbac_templates row and every rbac_fa row of the given
 * object id, i.e. the template's operation set and all of its folder
 * assignments. A missing id raises a WARNING through the error handler.
 *
 * @param int $a_obj_id object id of the role template
 * @return bool always true
 */
public function deleteTemplate($a_obj_id)
{
    global $ilDB;

    if (!isset($a_obj_id)) {
        $this->ilErr->raiseError(
            get_class($this) . "::deleteTemplate(): No obj_id given!",
            $this->ilErr->WARNING
        );
    }

    $rol_id = $ilDB->quote($a_obj_id, 'integer');

    // Template operations first, then the folder assignments of the template.
    foreach (['rbac_templates', 'rbac_fa'] as $table) {
        $ilDB->manipulate('DELETE FROM ' . $table . ' WHERE rol_id = ' . $rol_id);
    }

    return true;
}
148
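/**
 * Delete a local role's folder assignments and template permissions.
 *
 * Removes the rbac_fa and rbac_templates rows of the role. With $a_ref_id
 * given, only the rows whose parent is that reference are removed; with
 * the default 0 the role is removed from every parent. The system role is
 * never touched.
 *
 * Fix: $clause is now always initialised. It used to be set only in the
 * $a_ref_id != 0 branch, so the unscoped path (the one deleteRole() uses)
 * concatenated an undefined variable into both SQL statements.
 *
 * @param int $a_rol_id role object id
 * @param int $a_ref_id optional reference id restricting the deletion
 * @return bool always true
 */
public function deleteLocalRole($a_rol_id, $a_ref_id = 0)
{
    global $ilDB;

    if (!isset($a_rol_id)) {
        $message = get_class($this) . "::deleteLocalRole(): Missing parameter! role_id: '" . $a_rol_id . "'";
        $this->ilErr->raiseError($message, $this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID) {
        return true;
    }

    // Optional scoping to one parent; an empty clause means "all parents".
    $clause = '';
    if ($a_ref_id != 0) {
        $clause = 'AND parent = ' . $ilDB->quote($a_ref_id, 'integer') . ' ';
    }

    $ilDB->manipulate(
        'DELETE FROM rbac_fa ' .
        'WHERE rol_id = ' . $ilDB->quote($a_rol_id, 'integer') . ' ' .
        $clause
    );

    $ilDB->manipulate(
        'DELETE FROM rbac_templates ' .
        'WHERE rol_id = ' . $ilDB->quote($a_rol_id, 'integer') . ' ' .
        $clause
    );

    return true;
}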
185
/**
 * Assign a user to a role unless a member limit is already reached.
 *
 * Counts the rbac_ua rows whose rol_id is in $a_limited_roles and inserts
 * the new (usr_id, rol_id) row only while that count is below $a_limit.
 * Count and INSERT run inside one atom query with a lock on rbac_ua, so
 * the check-then-insert is not racy between concurrent callers (as far as
 * ilAtomQuery's table lock guarantees that — confirm for the DB in use).
 * On success the rbacreview cache, the role's desktop items and the LDAP
 * role/group mapping are updated.
 *
 * Differences from assignUser() that are visible here: no isAssigned()
 * check precedes the INSERT, and no 'assignUser' event is raised.
 *
 * NOTE(review): line 205 (which has to fetch $row from $res) and line 230
 * (which has to initialise $mapping) are missing from this rendering.
 *
 * NOTE(review): with an empty $a_limited_roles the WHERE clause is whatever
 * $ilDB->in() emits for an empty list — check that before relying on the
 * limit for that case.
 *
 * @param int   $a_role_id       role to assign
 * @param int   $a_usr_id        user to assign
 * @param int   $a_limit         maximum number of assignments across $a_limited_roles
 * @param int[] $a_limited_roles roles whose assignments count against the limit
 * @return bool false when the limit is reached (nothing written), true otherwise
 */
192 public function assignUserLimited($a_role_id, $a_usr_id, $a_limit, $a_limited_roles = array())
193 {
194 global $ilDB;
195
196 $ilAtomQuery = $ilDB->buildAtomQuery();
197 $ilAtomQuery->addTableLock('rbac_ua');
198
199 $ilAtomQuery->addQueryCallable(
// $ret is captured by reference so the outer scope sees the outcome.
200 function (ilDBInterface $ilDB) use (&$ret, $a_role_id, $a_usr_id,$a_limit, $a_limited_roles) {
201 $ret = true;
202 $limit_query = 'SELECT COUNT(*) num FROM rbac_ua ' .
203 'WHERE ' . $ilDB->in('rol_id', (array) $a_limited_roles, false, 'integer');
204 $res = $ilDB->query($limit_query);
// NOTE(review): the line fetching $row is not part of this listing.
206 if ($row->num >= $a_limit) {
207 $ret = false;
208 return;
209 }
210
211 $query = "INSERT INTO rbac_ua (usr_id, rol_id) " .
212 "VALUES (" .
213 $ilDB->quote($a_usr_id, 'integer') . "," . $ilDB->quote($a_role_id, 'integer') .
214 ")";
215 $res = $ilDB->manipulate($query);
216 }
217 );
218
219 $ilAtomQuery->run();
220
221 if (!$ret) {
222 return false;
223 }
224
225 $GLOBALS['rbacreview']->setAssignedCacheEntry($a_role_id, $a_usr_id, true);
226
227 $this->addDesktopItem($a_role_id, $a_usr_id);
228
229 include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
// NOTE(review): the line initialising $mapping is not part of this listing.
231 $mapping->assign($a_role_id, $a_usr_id);
232 return true;
233 }
234
/**
 * Put a role's desktop items onto a user's personal desktop.
 *
 * Reads every item configured for the role through ilRoleDesktopItem and
 * adds each one to the user with ilObjUser::_addDesktopItem(). Called
 * after a user has been assigned to a role.
 *
 * @param int $a_rol_id role object id
 * @param int $a_usr_id user id
 */
protected function addDesktopItem($a_rol_id, $a_usr_id)
{
    include_once 'Services/AccessControl/classes/class.ilRoleDesktopItem.php';

    $role_items = new ilRoleDesktopItem($a_rol_id);

    foreach ($role_items->getAll() as $item) {
        include_once './Services/User/classes/class.ilObjUser.php';
        ilObjUser::_addDesktopItem($a_usr_id, $item['item_id'], $item['item_type']);
    }
}
249
250
/**
 * Assign a user to a role.
 *
 * Inserts the (usr_id, rol_id) row into rbac_ua unless rbacreview already
 * reports the pair as assigned, adds the role's desktop items to the user,
 * updates the rbacreview cache and the LDAP role/group mapping (the
 * mapping is updated on every call, also for an existing assignment) and
 * raises the 'assignUser' event for new assignments only.
 *
 * NOTE(review): the missing-parameter check is a no-op — the raiseError()
 * call on line 265 is commented out — so a null role or user id silently
 * continues to isAssigned() and the INSERT with quote(null, 'integer').
 * What gets stored in that case is up to ilDB::quote; callers must not
 * rely on this method rejecting bad input.
 *
 * NOTE(review): line 283, which has to initialise $mapping, is missing
 * from this rendering.
 *
 * @param int $a_rol_id role object id
 * @param int $a_usr_id user id
 * @return bool always true
 */
259 public function assignUser($a_rol_id, $a_usr_id)
260 {
261 global $ilDB,$rbacreview;
262
263 if (!isset($a_rol_id) or !isset($a_usr_id)) {
264 $message = get_class($this) . "::assignUser(): Missing parameter! role_id: " . $a_rol_id . " usr_id: " . $a_usr_id;
265 #$this->ilErr->raiseError($message,$this->ilErr->WARNING);
266 }
267
268 // check if already assigned user id and role_id
269 $alreadyAssigned = $rbacreview->isAssigned($a_usr_id, $a_rol_id);
270
271 // enhanced: only if we haven't had this role for this user
272 if (!$alreadyAssigned) {
273 $query = "INSERT INTO rbac_ua (usr_id, rol_id) " .
274 "VALUES (" . $ilDB->quote($a_usr_id, 'integer') . "," . $ilDB->quote($a_rol_id, 'integer') . ")";
275 $res = $ilDB->manipulate($query);
276
277 $this->addDesktopItem($a_rol_id, $a_usr_id);
278
279 $rbacreview->setAssignedCacheEntry($a_rol_id, $a_usr_id, true);
280 }
281
282 include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
// NOTE(review): the line initialising $mapping is not part of this listing.
284 $mapping->assign($a_rol_id, $a_usr_id);
285
286
// Resolve the object the role belongs to; it is only used as event payload.
287 $ref_id = $GLOBALS['rbacreview']->getObjectReferenceOfRole($a_rol_id);
288 $obj_id = ilObject::_lookupObjId($ref_id);
289 $type = ilObject::_lookupType($obj_id);
290
291 if (!$alreadyAssigned) {
292 ilLoggerFactory::getInstance()->getLogger('ac')->debug('Raise event assign user');
293 $GLOBALS['ilAppEventHandler']->raise(
294 'Services/AccessControl',
295 'assignUser',
296 array(
297 'obj_id' => $obj_id,
298 'usr_id' => $a_usr_id,
299 'role_id' => $a_rol_id,
300 'type' => $type
301 )
302 );
303 }
304 return true;
305 }
306
307
/**
 * Remove a user from a role.
 *
 * Deletes the (usr_id, rol_id) row from rbac_ua, clears the rbacreview
 * cache entry, updates the LDAP role/group mapping and raises the
 * 'deassignUser' event — the event only when manipulate() returned a
 * truthy value (presumably the number of affected rows, i.e. only when an
 * assignment actually existed).
 *
 * NOTE(review): line 333, which has to initialise $mapping, is missing
 * from this rendering.
 *
 * @param int $a_rol_id role object id
 * @param int $a_usr_id user id
 * @return bool always true
 */
316 public function deassignUser($a_rol_id, $a_usr_id)
317 {
318 global $ilDB, $rbacreview;
319
320 if (!isset($a_rol_id) or !isset($a_usr_id)) {
321 $message = get_class($this) . "::deassignUser(): Missing parameter! role_id: " . $a_rol_id . " usr_id: " . $a_usr_id;
322 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
323 }
324
325 $query = "DELETE FROM rbac_ua " .
326 "WHERE usr_id = " . $ilDB->quote($a_usr_id, 'integer') . " " .
327 "AND rol_id = " . $ilDB->quote($a_rol_id, 'integer') . " ";
328 $res = $ilDB->manipulate($query);
329
330 $rbacreview->setAssignedCacheEntry($a_rol_id, $a_usr_id, false);
331
332 include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
// NOTE(review): the line initialising $mapping is not part of this listing.
334 $mapping->deassign($a_rol_id, $a_usr_id);
335
// Only notify listeners if the DELETE reported something was removed.
336 if ($res) {
337 $ref_id = $GLOBALS['rbacreview']->getObjectReferenceOfRole($a_rol_id);
338 $obj_id = ilObject::_lookupObjId($ref_id);
339 $type = ilObject::_lookupType($obj_id);
340
341 ilLoggerFactory::getInstance()->getLogger('ac')->debug('Raise event deassign user');
342 $GLOBALS['ilAppEventHandler']->raise('Services/AccessControl', 'deassignUser', array(
343 'obj_id' => $obj_id,
344 'usr_id' => $a_usr_id,
345 'role_id' => $a_rol_id,
346 'type' => $type,
347 ));
348 }
349
350 return true;
351 }
352
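/**
 * Grant a set of operations to a role on one object.
 *
 * Replaces the role's permission row for the object: the rbac_pa row for
 * (rol_id, ref_id) is deleted first, then a new row is inserted whose
 * ops_id column holds the serialized array of operation ids. Whatever
 * reads rbac_pa.ops_id therefore has to unserialize() it; the payload
 * written here only ever contains ints, since every entry is cast before
 * serialization. Passing an empty operation list removes the row and
 * returns false. The system role is never touched.
 *
 * Fixes: the DELETE now goes through manipulate() like every other DML
 * statement in this class (it was sent through queryF(), the SELECT
 * path), and the "Missing parameter" message now actually prints the
 * operations it announces.
 *
 * @param int   $a_rol_id role object id
 * @param int[] $a_ops    operation ids; every entry is cast to int
 * @param int   $a_ref_id reference id of the object
 * @return bool false when $a_ops is empty (row removed), true otherwise
 */
public function grantPermission($a_rol_id, $a_ops, $a_ref_id)
{
    global $ilDB;

    if (!isset($a_rol_id) or !isset($a_ops) or !isset($a_ref_id)) {
        $this->ilErr->raiseError(
            get_class($this) . "::grantPermission(): Missing parameter! " .
            "role_id: " . $a_rol_id . " ref_id: " . $a_ref_id .
            " operations: " . print_r($a_ops, true),
            $this->ilErr->WARNING
        );
    }

    if (!is_array($a_ops)) {
        $this->ilErr->raiseError(
            get_class($this) . "::grantPermission(): Wrong datatype for operations!",
            $this->ilErr->WARNING
        );
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID) {
        return true;
    }

    // Operation ids are stored as a serialized array of ints; cast first so
    // no stray strings end up inside the serialized payload.
    foreach ($a_ops as $key => $operation) {
        $a_ops[$key] = (int) $operation;
    }
    $ops_ids = serialize($a_ops);

    // Clear whatever the role had on this object before writing the new set.
    $ilDB->manipulate(
        'DELETE FROM rbac_pa ' .
        'WHERE rol_id = ' . $ilDB->quote($a_rol_id, 'integer') . ' ' .
        'AND ref_id = ' . $ilDB->quote($a_ref_id, 'integer')
    );

    // An empty list means "no permissions": the row stays deleted.
    if (!count($a_ops)) {
        return false;
    }

    $ilDB->manipulate(
        "INSERT INTO rbac_pa (rol_id,ops_id,ref_id) " .
        "VALUES " .
        "(" . $ilDB->quote($a_rol_id, 'integer') . "," . $ilDB->quote($ops_ids, 'text') . "," . $ilDB->quote($a_ref_id, 'integer') . ")"
    );

    return true;
}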
416
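/**
 * Revoke a role's permissions on one object.
 *
 * Deletes rbac_pa rows for $a_ref_id. With $a_rol_id = 0 every role in
 * scope is affected, otherwise only that role. By default
 * ($a_keep_protected = true) roles whose assignment is flagged protected
 * are skipped and the system role is always skipped; with
 * $a_keep_protected = false the rows are deleted regardless of the
 * protected flag (only the system role is still excluded).
 *
 * Fix: the single-role branch no longer reads
 * $roles_in_scope[$a_rol_id]['protected'] unguarded; a role outside the
 * scope used to produce an "undefined index" notice with the same
 * (not protected → delete) outcome.
 *
 * NOTE(review): the protected checks are truthiness checks; they rely on
 * getParentRoleIds() normalising 'protected' to a boolean — a raw 'n'
 * string would also be truthy. Confirm against ilRbacReview.
 *
 * @param int  $a_ref_id         reference id of the object
 * @param int  $a_rol_id         role object id, 0 for all roles in scope
 * @param bool $a_keep_protected leave protected roles untouched
 * @return bool always true
 */
public function revokePermission($a_ref_id, $a_rol_id = 0, $a_keep_protected = true)
{
    global $rbacreview, $ilDB, $ilLog;

    if (!isset($a_ref_id)) {
        $ilLog->logStack();
        $message = get_class($this) . "::revokePermission(): Missing parameter! ref_id: " . $a_ref_id;
        $this->ilErr->raiseError($message, $this->ilErr->WARNING);
    }

    // Bypass the protected status: delete for the given role (or all roles).
    if ($a_keep_protected != true) {
        // exclude system role from rbac
        if ($a_rol_id == SYSTEM_ROLE_ID) {
            return true;
        }

        $and_role = $a_rol_id
            ? " AND rol_id = " . $ilDB->quote($a_rol_id, 'integer') . " "
            : "";

        $ilDB->manipulate(
            "DELETE FROM rbac_pa " .
            "WHERE ref_id = " . $ilDB->quote($a_ref_id, 'integer') .
            $and_role
        );

        return true;
    }

    // Consider the protected status: the roles in scope are needed first.
    $roles_in_scope = $rbacreview->getParentRoleIds($a_ref_id);

    if (!$a_rol_id) {
        // All non-protected roles in scope.
        $role_ids = array();
        foreach ($roles_in_scope as $role) {
            if (!empty($role['protected'])) {
                continue;
            }
            $role_ids[] = $role['obj_id'];
        }

        // Nothing left to revoke.
        if (!$role_ids) {
            return true;
        }

        $ilDB->manipulate(
            'DELETE FROM rbac_pa ' .
            'WHERE ' . $ilDB->in('rol_id', $role_ids, false, 'integer') . ' ' .
            'AND ref_id = ' . $ilDB->quote($a_ref_id, 'integer')
        );

        return true;
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID) {
        return true;
    }

    // Protected permission settings are never revoked on this path.
    if (!empty($roles_in_scope[$a_rol_id]['protected'])) {
        return true;
    }

    $ilDB->manipulate(
        "DELETE FROM rbac_pa " .
        "WHERE ref_id = " . $ilDB->quote($a_ref_id, 'integer') . " " .
        "AND rol_id = " . $ilDB->quote($a_rol_id, 'integer') . " "
    );

    return true;
}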
506
/**
 * Revoke a role's object permissions on a whole subtree.
 *
 * Deletes every rbac_pa row of the role whose ref_id is in the node set
 * returned by the tree's subtree query for $a_ref_id (child column).
 * Whether the root node itself is part of that set is decided by
 * ilTree::getSubTreeQuery, not here.
 *
 * @param int $a_ref_id  reference id of the subtree root
 * @param int $a_role_id role object id
 * @return bool always true
 */
public function revokeSubtreePermissions($a_ref_id, $a_role_id)
{
    global $ilDB;

    $subtree = $GLOBALS['tree']->getSubTreeQuery($a_ref_id, array('child'));

    $ilDB->manipulate(
        'DELETE FROM rbac_pa WHERE ref_id IN ( ' . $subtree . ' ) ' .
        'AND rol_id = ' . $ilDB->quote($a_role_id, 'integer')
    );

    return true;
}
525
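/**
 * Delete a role's template permissions and folder assignments below a node.
 *
 * Removes the rbac_templates and rbac_fa rows of the role whose parent is
 * in the node set returned by the tree's subtree query for $a_ref_id
 * (child column).
 *
 * Improvement: the subtree query is built once and reused for both
 * DELETEs instead of being generated twice with identical arguments.
 *
 * @param int $a_ref_id reference id of the subtree root
 * @param int $a_rol_id role object id
 * @return bool always true
 */
public function deleteSubtreeTemplates($a_ref_id, $a_rol_id)
{
    global $ilDB;

    $subtree = $GLOBALS['tree']->getSubTreeQuery($a_ref_id, array('child'));
    $rol_id = $ilDB->quote($a_rol_id, 'integer');

    foreach (array('rbac_templates', 'rbac_fa') as $table) {
        $ilDB->manipulate(
            'DELETE FROM ' . $table . ' WHERE parent IN ( ' . $subtree . ' ) AND rol_id = ' . $rol_id
        );
    }

    return true;
}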
552
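/**
 * Revoke a role's object permissions on a list of objects.
 *
 * Deletes the rbac_pa rows of the role for every reference id in
 * $a_ref_ids. The system role is never touched. Missing or non-array
 * input raises a WARNING through the error handler.
 *
 * Fix: the "not an array" message used var_dump(), which prints straight
 * into the response and returns null — the message never carried the
 * value and the raw dump leaked into the output. print_r(..., true)
 * returns the representation as a string instead.
 *
 * @param int[] $a_ref_ids reference ids
 * @param int   $a_rol_id  role object id
 * @return bool always true
 */
public function revokePermissionList($a_ref_ids, $a_rol_id)
{
    global $ilDB;

    if (!isset($a_ref_ids) or !is_array($a_ref_ids)) {
        $message = get_class($this) . "::revokePermissionList(): Missing parameter or parameter is not an array! reference_list: " . print_r($a_ref_ids, true);
        $this->ilErr->raiseError($message, $this->ilErr->WARNING);
    }

    if (!isset($a_rol_id)) {
        $message = get_class($this) . "::revokePermissionList(): Missing parameter! rol_id: " . $a_rol_id;
        $this->ilErr->raiseError($message, $this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID) {
        return true;
    }

    $ilDB->manipulate(
        "DELETE FROM rbac_pa " .
        "WHERE " . $ilDB->in('ref_id', $a_ref_ids, false, 'integer') . ' ' .
        "AND rol_id = " . $ilDB->quote($a_rol_id, 'integer')
    );

    return true;
}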
586
/**
 * Copy one role's template and object permissions to another role.
 *
 * First copies the rbac_templates rows (and, when requested, the
 * protected flag) from source role/parent to destination role/parent,
 * then replaces the destination role's rbac_pa row on $a_dest_parent
 * with the operations the source role has on $a_source_parent.
 *
 * @param int  $a_source_id          source role object id
 * @param int  $a_source_parent      reference id the source role is read at
 * @param int  $a_dest_parent        reference id the destination role is written at
 * @param int  $a_dest_id            destination role object id
 * @param bool $a_consider_protected also copy the protected status
 * @return bool always true
 */
public function copyRolePermissions($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected = true)
{
    global $rbacreview;

    // Template permissions first (including the protected flag if wanted).
    $this->copyRoleTemplatePermissions(
        $a_source_id,
        $a_source_parent,
        $a_dest_parent,
        $a_dest_id,
        $a_consider_protected
    );

    // Then the concrete object permissions: wipe and re-grant on the target.
    $source_ops = $rbacreview->getRoleOperationsOnObject($a_source_id, $a_source_parent);
    $this->revokePermission($a_dest_parent, $a_dest_id);
    $this->grantPermission($a_dest_id, $source_ops, $a_dest_parent);

    return true;
}
610
/**
 * Copy a role's template permissions to another role.
 *
 * Reads the rbac_templates rows of the source role at $a_source_parent,
 * deletes the destination role's rows at $a_dest_parent and re-creates
 * them from the source rows. With $a_consider_protected the protected
 * flag of the source role is carried over via setProtected(). The system
 * role is never written to. Read, delete and insert are separate
 * statements; nothing here wraps them in a transaction.
 *
 * @param int  $a_source_id          source role object id
 * @param int  $a_source_parent      reference id the source role is read at
 * @param int  $a_dest_parent        reference id the destination role is written at
 * @param int  $a_dest_id            destination role object id
 * @param bool $a_consider_protected also copy the protected status
 * @return bool always true
 */
public function copyRoleTemplatePermissions($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected = true)
{
    global $rbacreview, $ilDB;

    if (!isset($a_source_id) or !isset($a_source_parent) or !isset($a_dest_id) or !isset($a_dest_parent)) {
        $message = __METHOD__ . ": Missing parameter! source_id: " . $a_source_id .
            " source_parent_id: " . $a_source_parent .
            " dest_id : " . $a_dest_id .
            " dest_parent_id: " . $a_dest_parent;
        $this->ilErr->raiseError($message, $this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_dest_id == SYSTEM_ROLE_ID) {
        return true;
    }

    // Snapshot the source role's template rows at its parent.
    $res = $ilDB->query(
        'SELECT * FROM rbac_templates ' .
        'WHERE rol_id = ' . $ilDB->quote($a_source_id, 'integer') . ' ' .
        'AND parent = ' . $ilDB->quote($a_source_parent, 'integer')
    );
    $source_rows = array();
    while ($row = $ilDB->fetchObject($res)) {
        $source_rows[] = array('type' => $row->type, 'ops_id' => $row->ops_id);
    }

    // Wipe the destination before re-creating it from the snapshot.
    $ilDB->manipulate(
        'DELETE FROM rbac_templates WHERE rol_id = ' . $ilDB->quote($a_dest_id, 'integer') . ' ' .
        'AND parent = ' . $ilDB->quote($a_dest_parent, 'integer')
    );

    foreach ($source_rows as $entry) {
        $ilDB->manipulate(
            'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) ' .
            'VALUES (' .
            $ilDB->quote($a_dest_id, 'integer') . ',' .
            $ilDB->quote($entry['type'], 'text') . ',' .
            $ilDB->quote($entry['ops_id'], 'integer') . ',' .
            $ilDB->quote($a_dest_parent, 'integer') . ')'
        );
    }

    // Carry the protected flag over as well when requested.
    if ($a_consider_protected == true && $rbacreview->isProtected($a_source_parent, $a_source_id)) {
        $this->setProtected($a_dest_parent, $a_dest_id, 'y');
    }

    return true;
}
/**
 * Write the intersection of two roles' template permissions to a third role.
 *
 * Selects the (type, ops_id) pairs that source 1 (at $a_source1_parent)
 * and source 2 (at $a_source2_parent) have in common in rbac_templates,
 * deletes the destination role's rows at $a_dest_parent and inserts the
 * common pairs through a prepared statement. Two early exits leave the
 * destination untouched: the system role as destination, and a protected
 * source 2 role.
 *
 * Caution for callers: the last two parameters are ($a_dest_parent,
 * $a_dest_id), the reverse of copyRolePermissionUnion()'s
 * ($a_dest_id, $a_dest_parent). Both are plain ints, so a swap is not
 * caught at the call site.
 *
 * NOTE(review): line 724 is missing from this rendering (between the
 * query assembly and $ilDB->query()); it is not known from here what it
 * does.
 *
 * @param int $a_source1_id     first source role object id
 * @param int $a_source1_parent reference id the first source role is read at
 * @param int $a_source2_id     second source role object id
 * @param int $a_source2_parent reference id the second source role is read at
 * @param int $a_dest_parent    reference id the destination role is written at
 * @param int $a_dest_id        destination role object id
 * @return bool always true
 */
688 public function copyRolePermissionIntersection($a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_parent, $a_dest_id)
689 {
690 global $rbacreview,$ilDB;
691
692 if (!isset($a_source1_id) or !isset($a_source1_parent)
693 or !isset($a_source2_id) or !isset($a_source2_parent)
694 or !isset($a_dest_id) or !isset($a_dest_parent)) {
695 $message = get_class($this) . "::copyRolePermissionIntersection(): Missing parameter! source1_id: " . $a_source1_id .
696 " source1_parent: " . $a_source1_parent .
697 " source2_id: " . $a_source2_id .
698 " source2_parent: " . $a_source2_parent .
699 " dest_id: " . $a_dest_id .
700 " dest_parent_id: " . $a_dest_parent;
701 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
702 }
703
704 // exclude system role from rbac
705 if ($a_dest_id == SYSTEM_ROLE_ID) {
706 ilLoggerFactory::getLogger('ac')->debug('Ignoring system role.');
707 return true;
708 }
709
// A protected second source is not intersected; the destination keeps its current rows.
710 if ($rbacreview->isProtected($a_source2_parent, $a_source2_id)) {
711 $GLOBALS['ilLog']->write(__METHOD__ . ': Role is protected');
712 return true;
713 }
714
// Self-join of rbac_templates on (type, ops_id) restricted to the two sources.
715 $query = "SELECT s1.type, s1.ops_id " .
716 "FROM rbac_templates s1, rbac_templates s2 " .
717 "WHERE s1.rol_id = " . $ilDB->quote($a_source1_id, 'integer') . " " .
718 "AND s1.parent = " . $ilDB->quote($a_source1_parent, 'integer') . " " .
719 "AND s2.rol_id = " . $ilDB->quote($a_source2_id, 'integer') . " " .
720 "AND s2.parent = " . $ilDB->quote($a_source2_parent, 'integer') . " " .
721 "AND s1.type = s2.type " .
722 "AND s1.ops_id = s2.ops_id";
723
// NOTE(review): line 724 is not part of this listing.
725
726 $res = $ilDB->query($query);
727 $operations = array();
728 $rowNum = 0;
729 while ($row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
730 $operations[$rowNum]['type'] = $row->type;
731 $operations[$rowNum]['ops_id'] = $row->ops_id;
732
733 $rowNum++;
734 }
735
736 // Delete template permissions of target
737 $query = 'DELETE FROM rbac_templates WHERE rol_id = ' . $ilDB->quote($a_dest_id, 'integer') . ' ' .
738 'AND parent = ' . $ilDB->quote($a_dest_parent, 'integer');
739 $res = $ilDB->manipulate($query);
740
// Inserts use a prepared statement, unlike the string-built INSERTs elsewhere in this class.
741 $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) ' .
742 'VALUES (?,?,?,?)';
743 $sta = $ilDB->prepareManip($query, array('integer','text','integer','integer'));
744 foreach ($operations as $key => $set) {
745 $ilDB->execute($sta, array(
746 $a_dest_id,
747 $set['type'],
748 $set['ops_id'],
749 $a_dest_parent));
750 }
751 return true;
752 }
753
/**
 * Write the union of two roles' template permissions to a third role.
 *
 * Reads both sources' operations per object type from rbacreview, deletes
 * the destination role's rbac_templates rows at $a_dest_parent via
 * deleteRolePermission() and inserts every (type, operation) of source 1
 * followed by those of source 2 that source 1 does not have. Both
 * operation sets are dumped to the global log on the way.
 *
 * @param int $a_source1_id     first source role object id
 * @param int $a_source1_parent reference id the first source role is read at
 * @param int $a_source2_id     second source role object id
 * @param int $a_source2_parent reference id the second source role is read at
 * @param int $a_dest_id        destination role object id
 * @param int $a_dest_parent    reference id the destination role is written at
 * @return bool always true
 */
public function copyRolePermissionUnion(
    $a_source1_id,
    $a_source1_parent,
    $a_source2_id,
    $a_source2_parent,
    $a_dest_id,
    $a_dest_parent
) {
    global $ilDB, $rbacreview;

    $ops_one = $rbacreview->getAllOperationsOfRole($a_source1_id, $a_source1_parent);
    $ops_two = $rbacreview->getAllOperationsOfRole($a_source2_id, $a_source2_parent);

    // Start from a clean destination.
    $this->deleteRolePermission($a_dest_id, $a_dest_parent);

    $GLOBALS['ilLog']->write(__METHOD__ . ': ' . print_r($ops_one, true));
    $GLOBALS['ilLog']->write(__METHOD__ . ': ' . print_r($ops_two, true));

    // One rbac_templates row per (type, operation) on the destination. #15469
    $insert = function ($type, $op) use ($ilDB, $a_dest_id, $a_dest_parent) {
        $ilDB->manipulate(
            'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) ' .
            'VALUES( ' .
            $ilDB->quote($a_dest_id, 'integer') . ', ' .
            $ilDB->quote($type, 'text') . ', ' .
            $ilDB->quote($op, 'integer') . ', ' .
            $ilDB->quote($a_dest_parent, 'integer') . ' ' .
            ')'
        );
    };

    // Everything the first source has ...
    foreach ($ops_one as $type => $ops) {
        foreach ($ops as $op) {
            $insert($type, $op);
        }
    }

    // ... plus whatever the second source adds on top of it.
    foreach ($ops_two as $type => $ops) {
        foreach ($ops as $op) {
            if (!isset($ops_one[$type]) or !in_array($op, $ops_one[$type])) {
                $insert($type, $op);
            }
        }
    }

    return true;
}
817
/**
 * Remove from a role every template permission another role has.
 *
 * For each (type, operation) of the source role at $a_source_parent that
 * the destination role also has at $a_dest_parent, the destination's
 * rbac_templates row is deleted. Operations only the destination has are
 * left alone.
 *
 * @param int $a_source_id     role whose operations are subtracted
 * @param int $a_source_parent reference id the source role is read at
 * @param int $a_dest_id       role that loses the operations
 * @param int $a_dest_parent   reference id the destination role is read/written at
 * @return bool always true
 */
public function copyRolePermissionSubtract($a_source_id, $a_source_parent, $a_dest_id, $a_dest_parent)
{
    global $rbacreview, $ilDB;

    $subtrahend = $rbacreview->getAllOperationsOfRole($a_source_id, $a_source_parent);
    $current = $rbacreview->getAllOperationsOfRole($a_dest_id, $a_dest_parent);

    foreach ($subtrahend as $type => $ops) {
        // Nothing of this type on the destination: nothing to remove.
        if (!isset($current[$type])) {
            continue;
        }
        foreach ($ops as $op) {
            if (!in_array($op, $current[$type])) {
                continue;
            }
            $ilDB->manipulate(
                'DELETE FROM rbac_templates ' .
                'WHERE rol_id = ' . $ilDB->quote($a_dest_id, 'integer') . ' ' .
                'AND type = ' . $ilDB->quote($type, 'text') . ' ' .
                'AND ops_id = ' . $ilDB->quote($op, 'integer') . ' ' .
                'AND parent = ' . $ilDB->quote($a_dest_parent, 'integer')
            );
        }
    }

    return true;
}
846
847
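/**
 * Delete a role's template permissions at one parent.
 *
 * Removes the rbac_templates rows of the role whose parent is $a_ref_id,
 * optionally restricted to one object type. The system role is never
 * touched.
 *
 * Fix: $and_type is now always initialised. It used to be set only when a
 * type was given, so the default call concatenated an undefined variable
 * into the SQL.
 *
 * @param int          $a_rol_id role object id
 * @param int          $a_ref_id reference id (rbac_templates.parent)
 * @param string|false $a_type   object type to restrict to, false for all types
 * @return bool always true
 */
public function deleteRolePermission($a_rol_id, $a_ref_id, $a_type = false)
{
    global $ilDB;

    if (!isset($a_rol_id) or !isset($a_ref_id)) {
        $message = get_class($this) . "::deleteRolePermission(): Missing parameter! role_id: " . $a_rol_id . " ref_id: " . $a_ref_id;
        $this->ilErr->raiseError($message, $this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID) {
        return true;
    }

    // Optional restriction to one object type; empty means all types.
    $and_type = '';
    if ($a_type !== false) {
        $and_type = " AND type=" . $ilDB->quote($a_type, 'text') . " ";
    }

    $ilDB->manipulate(
        'DELETE FROM rbac_templates ' .
        'WHERE rol_id = ' . $ilDB->quote($a_rol_id, 'integer') . ' ' .
        'AND parent = ' . $ilDB->quote($a_ref_id, 'integer') . ' ' .
        $and_type
    );

    return true;
}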
885
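/**
 * Add template permissions of one object type to a role.
 *
 * Writes one rbac_templates row per operation for (role, type, parent)
 * through $ilDB->replace(); all four columns are passed as the key, so
 * re-running with the same operations does not produce duplicate rows
 * (presumably — verify against ilDBInterface::replace). Existing rows of
 * other operations are left as they are. The system role is never
 * written to. Input validation raises WARNINGs through the error handler.
 *
 * Fix: the "Missing parameter" message concatenated the $a_ops array
 * directly, which yields the literal string "Array" plus an
 * array-to-string notice; the array is now rendered with print_r().
 *
 * @param int    $a_rol_id role object id
 * @param string $a_type   object type the operations apply to
 * @param int[]  $a_ops    operation ids
 * @param int    $a_ref_id reference id (rbac_templates.parent)
 * @return bool always true
 */
public function setRolePermission($a_rol_id, $a_type, $a_ops, $a_ref_id)
{
    global $ilDB;

    if (!isset($a_rol_id) or !isset($a_type) or !isset($a_ops) or !isset($a_ref_id)) {
        $message = get_class($this) . "::setRolePermission(): Missing parameter!" .
            " role_id: " . $a_rol_id .
            " type: " . $a_type .
            " operations: " . print_r($a_ops, true) .
            " ref_id: " . $a_ref_id;
        $this->ilErr->raiseError($message, $this->ilErr->WARNING);
    }

    if (!is_string($a_type) or empty($a_type)) {
        $message = get_class($this) . "::setRolePermission(): a_type is no string or empty!";
        $this->ilErr->raiseError($message, $this->ilErr->WARNING);
    }

    if (!is_array($a_ops) or empty($a_ops)) {
        $message = get_class($this) . "::setRolePermission(): a_ops is no array or empty!";
        $this->ilErr->raiseError($message, $this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID) {
        return true;
    }

    foreach ($a_ops as $op) {
        $ilDB->replace(
            'rbac_templates',
            [
                'rol_id' => ['integer', $a_rol_id],
                'type' => ['text', $a_type],
                'ops_id' => ['integer', $op],
                'parent' => ['integer', $a_ref_id]
            ],
            []
        );
    }
    return true;
}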
938
/**
 * Assign a role to an object (the "role folder").
 *
 * Inserts a rbac_fa row for (role, parent). The assign flag is stored as
 * given only when it is exactly "y"; any other value is normalised to
 * "n". New rows always start with protected = 'n' (see setProtected()).
 * If a row for the pair already exists nothing is written and false is
 * returned. The system role is never assigned.
 *
 * @param int    $a_rol_id role object id
 * @param int    $a_parent reference id of the object
 * @param string $a_assign "y" or "n"
 * @return bool false when the assignment already exists, true otherwise
 */
public function assignRoleToFolder($a_rol_id, $a_parent, $a_assign = "y")
{
    global $ilDB;

    if (!isset($a_rol_id) or !isset($a_parent)) {
        $this->ilErr->raiseError(
            get_class($this) . "::assignRoleToFolder(): Missing Parameter!" .
            " role_id: " . $a_rol_id .
            " parent_id: " . $a_parent .
            " assign: " . $a_assign,
            $this->ilErr->WARNING
        );
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID) {
        return true;
    }

    // Anything that is not "y" is stored as "n".
    if ($a_assign != "y") {
        $a_assign = "n";
    }

    // Refuse duplicates: one rbac_fa row per (role, parent).
    $existing = $ilDB->query(
        'SELECT rol_id FROM rbac_fa ' .
        'WHERE rol_id = ' . $ilDB->quote($a_rol_id, 'integer') . ' ' .
        'AND parent = ' . $ilDB->quote($a_parent, 'integer')
    );
    if ($existing->numRows()) {
        ilLoggerFactory::getLogger('ac')->info('Role already assigned to object');
        return false;
    }

    // New assignments always start unprotected.
    $ilDB->manipulate(
        'INSERT INTO rbac_fa (rol_id, parent, assign, protected) VALUES (' .
        $ilDB->quote($a_rol_id, 'integer') . ',' .
        $ilDB->quote($a_parent, 'integer') . ',' .
        $ilDB->quote($a_assign, 'text') . ',' .
        $ilDB->quote('n', 'text') . ')'
    );

    return true;
}
996
/**
 * Make an operation available for an object type.
 *
 * Inserts the (typ_id, ops_id) pair into rbac_ta. No duplicate check is
 * done here; missing parameters raise a WARNING through the error
 * handler.
 *
 * @param int $a_type_id object type id
 * @param int $a_ops_id  operation id
 * @return bool always true
 */
public function assignOperationToObject($a_type_id, $a_ops_id)
{
    global $ilDB;

    if (!isset($a_type_id) or !isset($a_ops_id)) {
        $this->ilErr->raiseError(
            get_class($this) . "::assignOperationToObject(): Missing parameter!" .
            "type_id: " . $a_type_id .
            "ops_id: " . $a_ops_id,
            $this->ilErr->WARNING
        );
    }

    $sql = sprintf(
        "INSERT INTO rbac_ta (typ_id, ops_id) VALUES(%s,%s)",
        $ilDB->quote($a_type_id, 'integer'),
        $ilDB->quote($a_ops_id, 'integer')
    );
    $ilDB->manipulate($sql);

    return true;
}
1021
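/**
 * Remove an operation from an object type.
 *
 * Deletes the (typ_id, ops_id) pair from rbac_ta. Missing parameters
 * raise a WARNING through the error handler.
 *
 * Fix: the error message named a non-existent method
 * ("deassignPermissionFromObject"); it now names this one.
 *
 * @param int $a_type_id object type id
 * @param int $a_ops_id  operation id
 * @return bool always true
 */
public function deassignOperationFromObject($a_type_id, $a_ops_id)
{
    global $ilDB;

    if (!isset($a_type_id) or !isset($a_ops_id)) {
        $message = get_class($this) . "::deassignOperationFromObject(): Missing parameter!" .
            "type_id: " . $a_type_id .
            "ops_id: " . $a_ops_id;
        $this->ilErr->raiseError($message, $this->ilErr->WARNING);
    }

    $ilDB->manipulate(
        "DELETE FROM rbac_ta " .
        "WHERE typ_id = " . $ilDB->quote($a_type_id, 'integer') . " " .
        "AND ops_id = " . $ilDB->quote($a_ops_id, 'integer')
    );

    return true;
}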
1048
/**
 * Set the protected flag of a role.
 *
 * Writes $a_value into rbac_fa.protected for every row of the role —
 * $a_ref_id is accepted but ignored, so the flag is global per role and
 * independent of where inheritance is broken. The value is stored as
 * given (quoted as text, not validated); the callers in this class use
 * 'y', and assignRoleToFolder() initialises new rows with 'n'.
 *
 * NOTE(review): because $a_value is not normalised, anything other than
 * 'y'/'n' ends up in the column as-is. Callers should pass only those two.
 *
 * @param int    $a_ref_id  unused
 * @param int    $a_role_id role object id
 * @param string $a_value   protected flag value
 * @return bool always true
 */
public function setProtected($a_ref_id, $a_role_id, $a_value)
{
    global $ilDB;

    $sql = sprintf(
        'UPDATE rbac_fa SET protected = %s WHERE rol_id = %s',
        $ilDB->quote($a_value, 'text'),
        $ilDB->quote($a_role_id, 'integer')
    );
    $ilDB->manipulate($sql);

    return true;
}
1069
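/**
 * Copy the local roles of one object to another object.
 *
 * Reads the roles assigned at $a_source_id, skips those whose title
 * starts with 'il_' and, for each remaining role, creates a new
 * ilObjRole with the same title, description and import id, assigns it
 * to $a_target_id and copies the source role's template and object
 * permissions to it (protected flag included).
 *
 * Fix: the method now returns true on every path. Previously only the
 * "nothing to copy" path returned true while the copying path fell off
 * the end and returned null.
 *
 * @param int $a_source_id reference id of the source object
 * @param int $a_target_id reference id of the target object
 * @return bool always true
 */
public function copyLocalRoles($a_source_id, $a_target_id)
{
    global $rbacreview, $ilLog, $ilObjDataCache;

    // Collect the roles to copy; 'il_*' titled roles are left out.
    $real_local = array();
    foreach ($rbacreview->getRolesOfRoleFolder($a_source_id, false) as $role_id) {
        if (substr($ilObjDataCache->lookupTitle($role_id), 0, 3) == 'il_') {
            continue;
        }
        $real_local[] = $role_id;
    }
    if (!count($real_local)) {
        return true;
    }

    include_once("./Services/AccessControl/classes/class.ilObjRole.php");
    foreach ($real_local as $role_id) {
        $orig = new ilObjRole($role_id);
        $orig->read();

        $ilLog->write(__METHOD__ . ': Start copying of role ' . $orig->getTitle());

        $copy = new ilObjRole();
        $copy->setTitle($orig->getTitle());
        $copy->setDescription($orig->getDescription());
        $copy->setImportId($orig->getImportId());
        $copy->create();

        $this->assignRoleToFolder($copy->getId(), $a_target_id, "y");
        $this->copyRolePermissions($role_id, $a_source_id, $a_target_id, $copy->getId(), true);
        $ilLog->write(__METHOD__ . ': Added new local role, id ' . $copy->getId());
    }

    return true;
}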
1113
/**
 * Initialise a role's permissions on an object from a template intersection.
 *
 * Protected roles keep their own operations: the role's operations for
 * the object type (read at $a_role_parent) are granted on $a_ref_id and
 * the method returns. Otherwise, without a template id nothing is done;
 * with one, the intersection of the template's and the role's template
 * permissions is written for the role at $a_ref_id, the role is assigned
 * to $a_ref_id with assign = 'n', and the resulting operations (now read
 * at $a_ref_id) replace the role's object permissions there.
 *
 * NOTE(review): line 1149 is missing from this rendering. Its argument
 * list (lines 1150-1156: template id/parent, role id/parent, $a_ref_id,
 * $a_role_id) and the comment on line 1148 match
 * copyRolePermissionIntersection()'s signature — confirm that is the
 * call.
 *
 * @param int $a_ref_id          reference id of the object
 * @param int $a_role_id         role object id
 * @param int $a_role_parent     reference id the role's templates are read at
 * @param int $a_template_id     role template object id, falsy to skip
 * @param int $a_template_parent reference id the template is read at
 */
1124 public function initIntersectionPermissions($a_ref_id, $a_role_id, $a_role_parent, $a_template_id, $a_template_parent)
1125 {
1126 global $rbacreview;
1127
// Protected roles are not intersected with the template at all.
1128 if ($rbacreview->isProtected($a_role_parent, $a_role_id)) {
1129 // Assign object permissions
1130 $new_ops = $rbacreview->getOperationsOfRole(
1131 $a_role_id,
1132 ilObject::_lookupType($a_ref_id, true),
1133 $a_role_parent
1134 );
1135
1136 // set new permissions for object
1137 $this->grantPermission(
1138 $a_role_id,
1139 (array) $new_ops,
1140 $a_ref_id
1141 );
1142 return;
1143 }
1144 if (!$a_template_id) {
1145 ilLoggerFactory::getLogger('ac')->info('No template id given. Aborting.');
1146 return;
1147 }
1148 // create template permission intersection
// NOTE(review): the line opening this call is not part of this listing.
1150 $a_template_id,
1151 $a_template_parent,
1152 $a_role_id,
1153 $a_role_parent,
1154 $a_ref_id,
1155 $a_role_id
1156 );
1157
1158 // assign role to folder
1159 $this->assignRoleToFolder(
1160 $a_role_id,
1161 $a_ref_id,
1162 'n'
1163 );
1164
1165 // Assign object permissions
// Note the parent is $a_ref_id here: the operations just written above are read back.
1166 $new_ops = $rbacreview->getOperationsOfRole(
1167 $a_role_id,
1168 ilObject::_lookupType($a_ref_id, true),
1169 $a_ref_id
1170 );
1171
1172 // revoke existing permissions
1173 $this->revokePermission($a_ref_id, $a_role_id);
1174
1175 // set new permissions for object
1176 $this->grantPermission(
1177 $a_role_id,
1178 (array) $new_ops,
1179 $a_ref_id
1180 );
1181
1182 return;
1183 }
1184
/**
 * Re-apply didactic template actions to a moved object.
 *
 * Looks up the didactic template of the moved object and, if one is set,
 * runs a subset of its actions against $a_ref_id via setRefId()/apply().
 * $a_old_parent is accepted but not used in the visible lines.
 *
 * NOTE(review): lines 1195, 1200 and 1201 are missing from this
 * rendering — the $tpl_id lookup, the loop over the template's actions,
 * and the condition that skips some of them. The symbols referenced by
 * this file (ilDidacticTemplateObjSettings::lookupTemplateId,
 * ilDidacticTemplateActionFactory::getActionsByTemplateId) are the
 * likely candidates; confirm against the repository.
 *
 * @param int $a_ref_id     reference id of the moved object
 * @param int $a_old_parent reference id of the previous parent (unused here)
 */
1192 protected function applyMovedObjectDidacticTemplates($a_ref_id, $a_old_parent)
1193 {
1194 include_once './Services/DidacticTemplate/classes/class.ilDidacticTemplateObjSettings.php';
// NOTE(review): the line assigning $tpl_id is not part of this listing.
1196 if (!$tpl_id) {
1197 return;
1198 }
1199 include_once './Services/DidacticTemplate/classes/class.ilDidacticTemplateActionFactory.php';
// NOTE(review): the loop header and the skip condition are not part of this listing.
1202 continue;
1203 }
1204 $action->setRefId($a_ref_id);
1205 $action->apply();
1206 }
1207 return;
1208 }
1209
1210
/**
 * Recompute role permissions after an object has been moved in the tree.
 *
 * Compares the roles in scope at the old parent with those at the new
 * parent (rbacreview::getParentRoleIds). Roles only present at the new
 * parent are added; roles only present at the old parent are removed;
 * roles present at both but coming from a different parent are removed
 * and re-added (stopped inheritance). For every node of the moved
 * subtree, removed roles lose their local assignment and their object
 * permissions — with $a_keep_protected = false, i.e. regardless of the
 * protected flag — and added roles are initialised either through the
 * group/course template machinery or, for other types, by granting the
 * operations the role has at its own parent. Changes are written to the
 * RBAC log when it is active, and the didactic templates of the moved
 * object are re-applied at the end.
 *
 * NOTE(review): lines 1287, 1298, 1299 and 1327 are missing from this
 * rendering. 1287 and 1299 open calls whose argument lists match
 * initIntersectionPermissions(); 1298 presumably assigns $tpl_id for the
 * 'crs' case (the footer references
 * ilObjCourse::lookupCourseNonMemberTemplatesId); 1327 presumably writes
 * the diff computed on line 1326 to ilRbacLog. Confirm against the
 * repository.
 *
 * @param int $a_ref_id     reference id of the moved object
 * @param int $a_old_parent reference id of the parent before the move
 * @return bool|null true when no role changed; no return value otherwise
 */
1222 public function adjustMovedObjectPermissions($a_ref_id, $a_old_parent)
1223 {
1224 global $rbacreview,$tree,$ilLog;
1225
1226 $new_parent = $tree->getParentId($a_ref_id);
1227 $old_context_roles = $rbacreview->getParentRoleIds($a_old_parent, false);
1228 $new_context_roles = $rbacreview->getParentRoleIds($new_parent, false);
1229
// Diff the two role sets, keyed by role id.
1230 $for_addition = $for_deletion = array();
1231 foreach ($new_context_roles as $new_role_id => $new_role) {
1232 if (!isset($old_context_roles[$new_role_id])) {
1233 $for_addition[$new_role_id] = $new_role;
1234 } elseif ($new_role['parent'] != $old_context_roles[$new_role_id]['parent']) {
1235 // handle stopped inheritance
1236 $for_deletion[$new_role_id] = $new_role;
1237 $for_addition[$new_role_id] = $new_role;
1238 }
1239 }
1240 foreach ($old_context_roles as $old_role_id => $old_role) {
1241 if (!isset($new_context_roles[$old_role_id])) {
1242 $for_deletion[$old_role_id] = $old_role;
1243 }
1244 }
1245
// Same role context on both sides: only the didactic templates need re-applying.
1246 if (!count($for_deletion) and !count($for_addition)) {
1247 $this->applyMovedObjectDidacticTemplates($a_ref_id, $a_old_parent);
1248 return true;
1249 }
1250
1251 include_once "Services/AccessControl/classes/class.ilRbacLog.php";
1252 $rbac_log_active = ilRbacLog::isActive();
1253 if ($rbac_log_active) {
1254 $role_ids = array_unique(array_merge(array_keys($for_deletion), array_keys($for_addition)));
1255 }
1256
// Walk the whole moved subtree, root included, node by node.
1257 foreach ($nodes = $tree->getSubTree($tree->getNodeData($a_ref_id), true) as $node_data) {
1258 $node_id = $node_data['child'];
1259
1260 if ($rbac_log_active) {
1261 $log_old = ilRbacLog::gatherFaPa($node_id, $role_ids);
1262 }
1263
1264 // If $node_data['type'] is not set, this means there is a tree entry without
1265 // object_reference and/or object_data entry
1266 // Continue in this case
1267 if (!$node_data['type']) {
1268 $ilLog->write(__METHOD__ . ': No type give. Choosing next tree entry.');
1269 continue;
1270 }
1271
1272 if (!$node_id) {
1273 $ilLog->write(__METHOD__ . ': Missing subtree node_id');
1274 continue;
1275 }
1276
// Roles leaving the scope: drop local assignment/templates and object permissions,
// including protected ones ($a_keep_protected = false).
1277 foreach ($for_deletion as $role_id => $role_data) {
1278 $this->deleteLocalRole($role_id, $node_id);
1279 $this->revokePermission($node_id, $role_id, false);
1280 //var_dump("<pre>",'REVOKE',$role_id,$node_id,$rolf_id,"</pre>");
1281 }
// Roles entering the scope: groups and courses go through their status templates,
// everything else gets the operations the role has at its own parent.
1282 foreach ($for_addition as $role_id => $role_data) {
1283 switch ($node_data['type']) {
1284 case 'grp':
1285 include_once './Modules/Group/classes/class.ilObjGroup.php';
1286 $tpl_id = ilObjGroup::lookupGroupStatusTemplateId($node_data['obj_id']);
// NOTE(review): the line opening this call is not part of this listing.
1288 $node_data['child'],
1289 $role_id,
1290 $role_data['parent'],
1291 $tpl_id,
1292 ROLE_FOLDER_ID
1293 );
1294 break;
1295
1296 case 'crs':
1297 include_once './Modules/Course/classes/class.ilObjCourse.php';
// NOTE(review): the $tpl_id lookup and the line opening this call are not part of this listing.
1300 $node_data['child'],
1301 $role_id,
1302 $role_data['parent'],
1303 $tpl_id,
1304 ROLE_FOLDER_ID
1305 );
1306 break;
1307
1308
1309 default:
1310 $this->grantPermission(
1311 $role_id,
1312 $ops = $rbacreview->getOperationsOfRole($role_id, $node_data['type'], $role_data['parent']),
1313 $node_id
1314 );
1315 break;
1316
1317
1318 }
1319
1320
1321 //var_dump("<pre>",'GRANT',$role_id,$ops,$role_id,$node_data['type'],$role_data['parent'],"</pre>");
1322 }
1323
1324 if ($rbac_log_active) {
1325 $log_new = ilRbacLog::gatherFaPa($node_id, $role_ids);
1326 $log = ilRbacLog::diffFaPa($log_old, $log_new);
// NOTE(review): the line consuming $log is not part of this listing.
1328 }
1329 }
1330
1331 $this->applyMovedObjectDidacticTemplates($a_ref_id, $a_old_parent);
1332 }
1333} // END class.ilRbacAdmin
assignUserLimited($a_role_id, $a_usr_id, $a_limit, $a_limited_roles=array())
Assign user limited.
deleteLocalRole($a_rol_id, $a_ref_id=0)
Deletes a local role and entries in rbac_fa and rbac_templates @access public.
copyLocalRoles($a_source_id, $a_target_id)
Copy local roles This method creates a copy of all local role.
revokePermissionList($a_ref_ids, $a_rol_id)
Revokes permissions of a LIST of objects of ONE role.
setRolePermission($a_rol_id, $a_type, $a_ops, $a_ref_id)
Inserts template permissions in rbac_templates for an specific object type.
initIntersectionPermissions($a_ref_id, $a_role_id, $a_role_parent, $a_template_id, $a_template_parent)
Init intersection permissions.
copyRoleTemplatePermissions($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected=true)
Copies template permissions of one role to another.
applyMovedObjectDidacticTemplates($a_ref_id, $a_old_parent)
Apply didactic templates after object movement.
copyRolePermissionUnion( $a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_id, $a_dest_parent)
@global <type> $ilDB
deassignUser($a_rol_id, $a_usr_id)
Deassigns a user from a role.
setBlockedStatus($a_role_id, $a_ref_id, $a_blocked_status)
Set blocked status.
revokeSubtreePermissions($a_ref_id, $a_role_id)
Revoke subtree permissions.
copyRolePermissionIntersection($a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_parent, $a_dest_id)
Copies the intersection of the template permissions of two roles to a third role.
assignOperationToObject($a_type_id, $a_ops_id)
Assign an existing operation to an object Update of rbac_ta.
deleteTemplate($a_obj_id)
Deletes a template from role folder and deletes all entries in rbac_templates, rbac_fa @access public...
grantPermission($a_rol_id, $a_ops, $a_ref_id)
Grants a permission to an object and a specific role.
deleteRolePermission($a_rol_id, $a_ref_id, $a_type=false)
Deletes all entries of a template.
addDesktopItem($a_rol_id, $a_usr_id)
Add desktop item.
copyRolePermissionSubtract($a_source_id, $a_source_parent, $a_dest_id, $a_dest_parent)
Subtract role permissions.
const MOVE_OBJECT
static diffFaPa(array $a_old, array $a_new)
static add($a_action, $a_ref_id, array $a_diff, $a_source_ref_id=false)
static gatherFaPa($a_ref_id, array $a_role_ids, $a_add_action=false)
static isActive()
$action
$key
Definition: croninfo.php:18
$GLOBALS['loaded']
Global hash that tracks already loaded includes.
Interface ilDBInterface.
catch(Exception $e) $message
$ret
Definition: parser.php:6
global $lng
Definition: privfeed.php:17
$query
$type
global $ilErr
Definition: raiseError.php:16
foreach($_POST as $key=> $value) $res
global $ilDB
$a_type
Definition: workflow.php:92