ilRbacAdmin Class Reference

Class ilRbacAdmin Core functions for role based access control. More...

Collaboration diagram for ilRbacAdmin:

Public Member Functions
	__construct ()
	Constructor @access public. More...
	setBlockedStatus ($a_role_id, $a_ref_id, $a_blocked_status)
	Set blocked status. More...
	removeUser ($a_usr_id)
	deletes a user from rbac_ua all user <-> role relations are deleted @access public More...
	deleteRole ($a_rol_id, $a_ref_id)
	Deletes a role and deletes entries in object_data, rbac_pa, rbac_templates, rbac_ua, rbac_fa @access public. More...
	deleteTemplate ($a_obj_id)
	Deletes a template from role folder and deletes all entries in rbac_templates, rbac_fa @access public. More...
	deleteLocalRole ($a_rol_id, $a_ref_id=0)
	Deletes a local role and entries in rbac_fa and rbac_templates @access public. More...
	assignUserLimited ($a_role_id, $a_usr_id, $a_limit, $a_limited_roles=array())
	Assign user limited. More...
	assignUser ($a_rol_id, $a_usr_id)
	Assigns an user to a role. More...
	deassignUser ($a_rol_id, $a_usr_id)
	Deassigns a user from a role. More...
	grantPermission ($a_rol_id, $a_ops, $a_ref_id)
	Grants a permission to an object and a specific role. More...
	revokePermission ($a_ref_id, $a_rol_id=0, $a_keep_protected=true)
	Revokes permissions of an object of one role. More...
	revokeSubtreePermissions ($a_ref_id, $a_role_id)
	Revoke subtree permissions. More...
	deleteSubtreeTemplates ($a_ref_id, $a_rol_id)
	Delete all template permissions of subtree nodes. More...
	revokePermissionList ($a_ref_ids, $a_rol_id)
	Revokes permissions of a LIST of objects of ONE role. More...
	copyRolePermissions ($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected=true)
	Copies template permissions and permission of one role to another. More...
	copyRoleTemplatePermissions ($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected=true)
	Copies template permissions of one role to another. More...
	copyRolePermissionIntersection ($a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_parent, $a_dest_id)
	Copies the intersection of the template permissions of two roles to a third role. More...
	copyRolePermissionUnion ( $a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_id, $a_dest_parent)
	@global <type> $ilDB More...
	copyRolePermissionSubtract ($a_source_id, $a_source_parent, $a_dest_id, $a_dest_parent)
	Subtract role permissions. More...
	deleteRolePermission ($a_rol_id, $a_ref_id, $a_type=false)
	Deletes all entries of a template. More...
	setRolePermission ($a_rol_id, $a_type, $a_ops, $a_ref_id)
	Inserts template permissions in rbac_templates for an specific object type. More...
	assignRoleToFolder ($a_rol_id, $a_parent, $a_assign="y")
	Assigns a role to an role folder A role folder is an object to store roles. More...
	assignOperationToObject ($a_type_id, $a_ops_id)
	Assign an existing operation to an object Update of rbac_ta. More...
	deassignOperationFromObject ($a_type_id, $a_ops_id)
	Deassign an existing operation from an object Update of rbac_ta @access public. More...
	setProtected ($a_ref_id, $a_role_id, $a_value)
	Set protected @global $ilDB. More...
	copyLocalRoles ($a_source_id, $a_target_id)
	Copy local roles This method creates a copy of all local role. More...
	initIntersectionPermissions ($a_ref_id, $a_role_id, $a_role_parent, $a_template_id, $a_template_parent)
	Init intersection permissions. More...
	adjustMovedObjectPermissions ($a_ref_id, $a_old_parent)
	Adjust permissions of moved objects. More...

Protected Member Functions
	addDesktopItem ($a_rol_id, $a_usr_id)
	Add desktop item. More...
	applyMovedObjectDidacticTemplates ($a_ref_id, $a_old_parent)
	Apply didactic templates after object movement. More...

Detailed Description

Class ilRbacAdmin Core functions for role based access control.

Creation and maintenance of Relations. The main relations of Rbac are user <-> role (UR) assignment relation and the permission <-> role (PR) assignment relation. This class contains methods to 'create' and 'delete' instances of the (UR) relation e.g.: assignUser(), deassignUser() Required methods for the PR relation are grantPermission(), revokePermission()

Author

Stefan Meyer meyer.nosp@m.@lei.nosp@m.fos.c.nosp@m.om

Version

$Id$

Definition at line 18 of file class.ilRbacAdmin.php.

Constructor & Destructor Documentation

__construct()

ilRbacAdmin::__construct

(

)

Constructor @access public.

Definition at line 24 of file class.ilRbacAdmin.php.

    {
        global $ilDB,$ilErr,$ilias;
 
        // set db & error handler
        (isset($ilDB)) ? $this->ilDB =&$ilDB : $this->ilDB =&$ilias->db;
        
        if (!isset($ilErr)) {
            $ilErr = new ilErrorHandling();
            $ilErr->setErrorHandling(PEAR_ERROR_CALLBACK, array($ilErr,'errorHandler'));
        } else {
            $this->ilErr =&$ilErr;
        }
    }

References $ilDB, $ilErr, and PEAR_ERROR_CALLBACK.

Member Function Documentation

addDesktopItem()

ilRbacAdmin::addDesktopItem (   $a_rol_id,   $a_usr_id  )

protected

Add desktop item.

Parameters

type	$a_rol_id
type	$a_usr_id

Definition at line 240 of file class.ilRbacAdmin.php.

    {
        include_once 'Services/AccessControl/classes/class.ilRoleDesktopItem.php';
        $role_desk_item_obj = new ilRoleDesktopItem($a_rol_id);
        foreach ($role_desk_item_obj->getAll() as $item_data) {
            include_once './Services/User/classes/class.ilObjUser.php';
            ilObjUser::_addDesktopItem($a_usr_id, $item_data['item_id'], $item_data['item_type']);
        }
    }

References ilObjUser\_addDesktopItem().

Referenced by assignUser(), and assignUserLimited().

Here is the call graph for this function:

Here is the caller graph for this function:

adjustMovedObjectPermissions()

ilRbacAdmin::adjustMovedObjectPermissions	(		$a_ref_id,
			$a_old_parent
	)

Adjust permissions of moved objects.

• Delete permissions of parent roles that do not exist in new context
• Delete role templates of parent roles that do not exist in new context
• Add permissions for parent roles that did not exist in old context

@access public

Parameters

int	ref id of moved object
int	ref_id of old parent

Definition at line 1222 of file class.ilRbacAdmin.php.

    {
        global $rbacreview,$tree,$ilLog;
        
        $new_parent = $tree->getParentId($a_ref_id);
        $old_context_roles = $rbacreview->getParentRoleIds($a_old_parent, false);
        $new_context_roles = $rbacreview->getParentRoleIds($new_parent, false);
        
        $for_addition = $for_deletion = array();
        foreach ($new_context_roles as $new_role_id => $new_role) {
            if (!isset($old_context_roles[$new_role_id])) {
                $for_addition[$new_role_id] = $new_role;
            } elseif ($new_role['parent'] != $old_context_roles[$new_role_id]['parent']) {
                // handle stopped inheritance
                $for_deletion[$new_role_id] = $new_role;
                $for_addition[$new_role_id] = $new_role;
            }
        }
        foreach ($old_context_roles as $old_role_id => $old_role) {
            if (!isset($new_context_roles[$old_role_id])) {
                $for_deletion[$old_role_id] = $old_role;
            }
        }
        
        if (!count($for_deletion) and !count($for_addition)) {
            $this->applyMovedObjectDidacticTemplates($a_ref_id, $a_old_parent);
            return true;
        }
        
        include_once "Services/AccessControl/classes/class.ilRbacLog.php";
        $rbac_log_active = ilRbacLog::isActive();
        if ($rbac_log_active) {
            $role_ids = array_unique(array_merge(array_keys($for_deletion), array_keys($for_addition)));
        }
        
        foreach ($nodes = $tree->getSubTree($tree->getNodeData($a_ref_id), true) as $node_data) {
            $node_id = $node_data['child'];
 
            if ($rbac_log_active) {
                $log_old = ilRbacLog::gatherFaPa($node_id, $role_ids);
            }
            
            // If $node_data['type'] is not set, this means there is a tree entry without
            // object_reference and/or object_data entry
            // Continue in this case
            if (!$node_data['type']) {
                $ilLog->write(__METHOD__ . ': No type give. Choosing next tree entry.');
                continue;
            }
            
            if (!$node_id) {
                $ilLog->write(__METHOD__ . ': Missing subtree node_id');
                continue;
            }
            
            foreach ($for_deletion as $role_id => $role_data) {
                $this->deleteLocalRole($role_id, $node_id);
                $this->revokePermission($node_id, $role_id, false);
                //var_dump("<pre>",'REVOKE',$role_id,$node_id,$rolf_id,"</pre>");
            }
            foreach ($for_addition as $role_id => $role_data) {
                switch ($node_data['type']) {
                    case 'grp':
                        include_once './Modules/Group/classes/class.ilObjGroup.php';
                        $tpl_id = ilObjGroup::lookupGroupStatusTemplateId($node_data['obj_id']);
                        $this->initIntersectionPermissions(
                            $node_data['child'],
                            $role_id,
                            $role_data['parent'],
                            $tpl_id,
                            ROLE_FOLDER_ID
                        );
                        break;
                    
                    case 'crs':
                        include_once './Modules/Course/classes/class.ilObjCourse.php';
                        $tpl_id = ilObjCourse::lookupCourseNonMemberTemplatesId();
                        $this->initIntersectionPermissions(
                            $node_data['child'],
                            $role_id,
                            $role_data['parent'],
                            $tpl_id,
                            ROLE_FOLDER_ID
                        );
                        break;
                            
                            
                    default:
                        $this->grantPermission(
                            $role_id,
                            $ops = $rbacreview->getOperationsOfRole($role_id, $node_data['type'], $role_data['parent']),
                            $node_id
                        );
                        break;
                        
                            
                }
                
                
                //var_dump("<pre>",'GRANT',$role_id,$ops,$role_id,$node_data['type'],$role_data['parent'],"</pre>");
            }
 
            if ($rbac_log_active) {
                $log_new = ilRbacLog::gatherFaPa($node_id, $role_ids);
                $log = ilRbacLog::diffFaPa($log_old, $log_new);
                ilRbacLog::add(ilRbacLog::MOVE_OBJECT, $node_id, $log);
            }
        }
 
        $this->applyMovedObjectDidacticTemplates($a_ref_id, $a_old_parent);
    }

References $ilLog, $log, ilRbacLog\add(), applyMovedObjectDidacticTemplates(), deleteLocalRole(), ilRbacLog\diffFaPa(), ilRbacLog\gatherFaPa(), grantPermission(), initIntersectionPermissions(), ilRbacLog\isActive(), ilObjCourse\lookupCourseNonMemberTemplatesId(), ilObjGroup\lookupGroupStatusTemplateId(), ilRbacLog\MOVE_OBJECT, and revokePermission().

Here is the call graph for this function:

applyMovedObjectDidacticTemplates()

ilRbacAdmin::applyMovedObjectDidacticTemplates (   $a_ref_id,   $a_old_parent  )

protected

Apply didactic templates after object movement.

Parameters

int	$a_ref_id
int	$a_old_parent

Deprecated:

since version 5.1.0 will be removed with 5.4 and implemented using event handler

Definition at line 1192 of file class.ilRbacAdmin.php.

    {
        include_once './Services/DidacticTemplate/classes/class.ilDidacticTemplateObjSettings.php';
        $tpl_id = ilDidacticTemplateObjSettings::lookupTemplateId($a_ref_id);
        if (!$tpl_id) {
            return;
        }
        include_once './Services/DidacticTemplate/classes/class.ilDidacticTemplateActionFactory.php';
        foreach (ilDidacticTemplateActionFactory::getActionsByTemplateId($tpl_id) as $action) {
            if ($action instanceof ilDidacticTemplateLocalRoleAction) {
                continue;
            }
            $action->setRefId($a_ref_id);
            $action->apply();
        }
        return;
    }

References $action, ilDidacticTemplateActionFactory\getActionsByTemplateId(), and ilDidacticTemplateObjSettings\lookupTemplateId().

Referenced by adjustMovedObjectPermissions().

Here is the call graph for this function:

Here is the caller graph for this function:

assignOperationToObject()

ilRbacAdmin::assignOperationToObject	(		$a_type_id,
			$a_ops_id
	)

Assign an existing operation to an object Update of rbac_ta.

@access public

Parameters

integer	object type
integer	operation_id

Returns

boolean

Definition at line 1005 of file class.ilRbacAdmin.php.

    {
        global $ilDB;
        
        if (!isset($a_type_id) or !isset($a_ops_id)) {
            $message = get_class($this) . "::assignOperationToObject(): Missing parameter!" .
                       "type_id: " . $a_type_id .
                       "ops_id: " . $a_ops_id;
            $this->ilErr->raiseError($message, $this->ilErr->WARNING);
        }
 
        $query = "INSERT INTO rbac_ta (typ_id, ops_id) " .
             "VALUES(" . $ilDB->quote($a_type_id, 'integer') . "," . $ilDB->quote($a_ops_id, 'integer') . ")";
        $res = $ilDB->manipulate($query);
        return true;
    }

References $ilDB, $message, $query, and $res.

assignRoleToFolder()

ilRbacAdmin::assignRoleToFolder	(		$a_rol_id,
			$a_parent,
			$a_assign = "y"
	)

Assigns a role to an role folder A role folder is an object to store roles.

Every role is assigned to minimum one role folder If the inheritance of a role is stopped, a new role template will created, and the role is assigned to minimum two role folders. All roles with stopped inheritance need the flag '$a_assign = false'

@access public

Parameters

integer	object id of role
integer	ref_id of role folder
string	assignable('y','n'); default: 'y'

Returns

boolean

Definition at line 952 of file class.ilRbacAdmin.php.

    {
        global $ilDB,$rbacreview;
        
        if (!isset($a_rol_id) or !isset($a_parent)) {
            $message = get_class($this) . "::assignRoleToFolder(): Missing Parameter!" .
                       " role_id: " . $a_rol_id .
                       " parent_id: " . $a_parent .
                       " assign: " . $a_assign;
            $this->ilErr->raiseError($message, $this->ilErr->WARNING);
        }
 
        // exclude system role from rbac
        if ($a_rol_id == SYSTEM_ROLE_ID) {
            return true;
        }
        
        // if a wrong value is passed, always set assign to "n"
        if ($a_assign != "y") {
            $a_assign = "n";
        }
 
        // check if already assigned
        $query = 'SELECT rol_id FROM rbac_fa ' .
            'WHERE rol_id = ' . $ilDB->quote($a_rol_id, 'integer') . ' ' .
            'AND parent = ' . $ilDB->quote($a_parent, 'integer');
        $res = $ilDB->query($query);
        if ($res->numRows()) {
            ilLoggerFactory::getLogger('ac')->info('Role already assigned to object');
            return false;
        }
        
        $query = sprintf(
            'INSERT INTO rbac_fa (rol_id, parent, assign, protected) ' .
            'VALUES (%s,%s,%s,%s)',
            $ilDB->quote($a_rol_id, 'integer'),
            $ilDB->quote($a_parent, 'integer'),
            $ilDB->quote($a_assign, 'text'),
            $ilDB->quote('n', 'text')
        );
        $res = $ilDB->manipulate($query);
 
        return true;
    }

References $ilDB, $message, $query, $res, ilLoggerFactory\getLogger(), and sprintf.

Referenced by copyLocalRoles(), and initIntersectionPermissions().

Here is the call graph for this function:

Here is the caller graph for this function:

assignUser()

ilRbacAdmin::assignUser	(		$a_rol_id,
			$a_usr_id
	)

Assigns an user to a role.

Update of table rbac_ua

Parameters

int	$a_rol_id	Object-ID of role
int	$a_usr_id	Object-ID of user

Returns

boolean

Definition at line 259 of file class.ilRbacAdmin.php.

    {
        global $ilDB,$rbacreview;
        
        if (!isset($a_rol_id) or !isset($a_usr_id)) {
            $message = get_class($this) . "::assignUser(): Missing parameter! role_id: " . $a_rol_id . " usr_id: " . $a_usr_id;
            #$this->ilErr->raiseError($message,$this->ilErr->WARNING);
        }
        
        // check if already assigned user id and role_id
        $alreadyAssigned = $rbacreview->isAssigned($a_usr_id, $a_rol_id);
        
        // enhanced: only if we haven't had this role for this user
        if (!$alreadyAssigned) {
            $query = "INSERT INTO rbac_ua (usr_id, rol_id) " .
             "VALUES (" . $ilDB->quote($a_usr_id, 'integer') . "," . $ilDB->quote($a_rol_id, 'integer') . ")";
            $res = $ilDB->manipulate($query);
        
            $this->addDesktopItem($a_rol_id, $a_usr_id);
 
            $rbacreview->setAssignedCacheEntry($a_rol_id, $a_usr_id, true);
        }
        
        include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
        $mapping = ilLDAPRoleGroupMapping::_getInstance();
        $mapping->assign($a_rol_id, $a_usr_id);
        
        
        $ref_id = $GLOBALS['rbacreview']->getObjectReferenceOfRole($a_rol_id);
        $obj_id = ilObject::_lookupObjId($ref_id);
        $type = ilObject::_lookupType($obj_id);
        
        if (!$alreadyAssigned) {
            ilLoggerFactory::getInstance()->getLogger('ac')->debug('Raise event assign user');
            $GLOBALS['ilAppEventHandler']->raise(
                'Services/AccessControl',
                'assignUser',
                array(
                        'obj_id' => $obj_id,
                        'usr_id' => $a_usr_id,
                        'role_id' => $a_rol_id,
                        'type' => $type
                    )
            );
        }
        return true;
    }

References $GLOBALS, $ilDB, $message, $query, $res, $type, ilLDAPRoleGroupMapping\_getInstance(), ilObject\_lookupObjId(), ilObject\_lookupType(), addDesktopItem(), and ilLoggerFactory\getInstance().

Here is the call graph for this function:

assignUserLimited()

ilRbacAdmin::assignUserLimited	(		$a_role_id,
			$a_usr_id,
			$a_limit,
			$a_limited_roles = array()
	)

Assign user limited.

Parameters

type	$a_role_id
type	$a_usr_id
type	$a_limit

Definition at line 192 of file class.ilRbacAdmin.php.

    {
        global $ilDB;
 
        $ilAtomQuery = $ilDB->buildAtomQuery();
        $ilAtomQuery->addTableLock('rbac_ua');
 
        $ilAtomQuery->addQueryCallable(
            function (ilDBInterface $ilDB) use (&$ret, $a_role_id, $a_usr_id,$a_limit, $a_limited_roles) {
                $ret = true;
                $limit_query = 'SELECT COUNT(*) num FROM rbac_ua ' .
                'WHERE ' . $ilDB->in('rol_id', (array) $a_limited_roles, false, 'integer');
                $res = $ilDB->query($limit_query);
                $row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT);
                if ($row->num >= $a_limit) {
                    $ret = false;
                    return;
                }
 
                $query = "INSERT INTO rbac_ua (usr_id, rol_id) " .
                "VALUES (" .
                $ilDB->quote($a_usr_id, 'integer') . "," . $ilDB->quote($a_role_id, 'integer') .
                ")";
                $res = $ilDB->manipulate($query);
            }
        );
 
        $ilAtomQuery->run();
 
        if (!$ret) {
            return false;
        }
 
        $GLOBALS['rbacreview']->setAssignedCacheEntry($a_role_id, $a_usr_id, true);
        
        $this->addDesktopItem($a_role_id, $a_usr_id);
    
        include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
        $mapping = ilLDAPRoleGroupMapping::_getInstance();
        $mapping->assign($a_role_id, $a_usr_id);
        return true;
    }

References $GLOBALS, $ilDB, $query, $res, $ret, $row, ilLDAPRoleGroupMapping\_getInstance(), addDesktopItem(), and ilDBConstants\FETCHMODE_OBJECT.

Here is the call graph for this function:

copyLocalRoles()

ilRbacAdmin::copyLocalRoles	(		$a_source_id,
			$a_target_id
	)

Copy local roles This method creates a copy of all local role.

Note: auto generated roles are excluded

@access public

Parameters

int	source id of object (not role folder)
int	target id of object

Definition at line 1080 of file class.ilRbacAdmin.php.

    {
        global $rbacreview,$ilLog,$ilObjDataCache;
        
        $real_local = array();
        foreach ($rbacreview->getRolesOfRoleFolder($a_source_id, false) as $role_data) {
            $title = $ilObjDataCache->lookupTitle($role_data);
            if (substr($title, 0, 3) == 'il_') {
                continue;
            }
            $real_local[] = $role_data;
        }
        if (!count($real_local)) {
            return true;
        }
        // Create role folder
        foreach ($real_local as $role) {
            include_once("./Services/AccessControl/classes/class.ilObjRole.php");
            $orig = new ilObjRole($role);
            $orig->read();
            
            $ilLog->write(__METHOD__ . ': Start copying of role ' . $orig->getTitle());
            $roleObj = new ilObjRole();
            $roleObj->setTitle($orig->getTitle());
            $roleObj->setDescription($orig->getDescription());
            $roleObj->setImportId($orig->getImportId());
            $roleObj->create();
            
            $this->assignRoleToFolder($roleObj->getId(), $a_target_id, "y");
            $this->copyRolePermissions($role, $a_source_id, $a_target_id, $roleObj->getId(), true);
            $ilLog->write(__METHOD__ . ': Added new local role, id ' . $roleObj->getId());
        }
    }

References $ilLog, $orig, $title, assignRoleToFolder(), and copyRolePermissions().

Here is the call graph for this function:

copyRolePermissionIntersection()

ilRbacAdmin::copyRolePermissionIntersection	(		$a_source1_id,
			$a_source1_parent,
			$a_source2_id,
			$a_source2_parent,
			$a_dest_parent,
			$a_dest_id
	)

Copies the intersection of the template permissions of two roles to a third role.

@access public

Parameters

integer	$a_source1_id	role_id source
integer	$a_source1_parent	parent_id source
integer	$a_source2_id	role_id source
integer	$a_source2_parent	parent_id source
integer	$a_dest_id	role_id destination
integer	$a_dest_parent	parent_id destination

Returns

boolean

Definition at line 688 of file class.ilRbacAdmin.php.

    {
        global $rbacreview,$ilDB;
        
        if (!isset($a_source1_id) or !isset($a_source1_parent)
        or !isset($a_source2_id) or !isset($a_source2_parent)
                or !isset($a_dest_id) or !isset($a_dest_parent)) {
            $message = get_class($this) . "::copyRolePermissionIntersection(): Missing parameter! source1_id: " . $a_source1_id .
                       " source1_parent: " . $a_source1_parent .
                       " source2_id: " . $a_source2_id .
                       " source2_parent: " . $a_source2_parent .
                       " dest_id: " . $a_dest_id .
                       " dest_parent_id: " . $a_dest_parent;
            $this->ilErr->raiseError($message, $this->ilErr->WARNING);
        }
        
        // exclude system role from rbac
        if ($a_dest_id == SYSTEM_ROLE_ID) {
            ilLoggerFactory::getLogger('ac')->debug('Ignoring system role.');
            return true;
        }
        
        if ($rbacreview->isProtected($a_source2_parent, $a_source2_id)) {
            $GLOBALS['ilLog']->write(__METHOD__ . ': Role is protected');
            return true;
        }
 
        $query = "SELECT s1.type, s1.ops_id " .
                        "FROM rbac_templates s1, rbac_templates s2 " .
                        "WHERE s1.rol_id = " . $ilDB->quote($a_source1_id, 'integer') . " " .
                        "AND s1.parent = " . $ilDB->quote($a_source1_parent, 'integer') . " " .
                        "AND s2.rol_id = " . $ilDB->quote($a_source2_id, 'integer') . " " .
                        "AND s2.parent = " . $ilDB->quote($a_source2_parent, 'integer') . " " .
                        "AND s1.type = s2.type " .
                        "AND s1.ops_id = s2.ops_id";
        
        ilLoggerFactory::getLogger('ac')->dump($query);
        
        $res = $ilDB->query($query);
        $operations = array();
        $rowNum = 0;
        while ($row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
            $operations[$rowNum]['type'] = $row->type;
            $operations[$rowNum]['ops_id'] = $row->ops_id;
 
            $rowNum++;
        }
        
        // Delete template permissions of target
        $query = 'DELETE FROM rbac_templates WHERE rol_id = ' . $ilDB->quote($a_dest_id, 'integer') . ' ' .
            'AND parent = ' . $ilDB->quote($a_dest_parent, 'integer');
        $res = $ilDB->manipulate($query);
 
        $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) ' .
            'VALUES (?,?,?,?)';
        $sta = $ilDB->prepareManip($query, array('integer','text','integer','integer'));
        foreach ($operations as $key => $set) {
            $ilDB->execute($sta, array(
                $a_dest_id,
                $set['type'],
                $set['ops_id'],
                $a_dest_parent));
        }
        return true;
    }

References $GLOBALS, $ilDB, $key, $message, $query, $res, $row, ilDBConstants\FETCHMODE_OBJECT, and ilLoggerFactory\getLogger().

Referenced by initIntersectionPermissions().

Here is the call graph for this function:

Here is the caller graph for this function:

copyRolePermissions()

ilRbacAdmin::copyRolePermissions	(		$a_source_id,
			$a_source_parent,
			$a_dest_parent,
			$a_dest_id,
			$a_consider_protected = true
	)

Copies template permissions and permission of one role to another.

@access public

Parameters

integer	$a_source_id	role_id source
integer	$a_source_parent	parent_id source
integer	$a_dest_parent	parent_id destination
integer	$a_dest_id	role_id destination

Returns

boolean

Definition at line 597 of file class.ilRbacAdmin.php.

    {
        global $tree,$rbacreview;
        
        // Copy template permissions
        $this->copyRoleTemplatePermissions($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected);
        
        $ops = $rbacreview->getRoleOperationsOnObject($a_source_id, $a_source_parent);
        
        $this->revokePermission($a_dest_parent, $a_dest_id);
        $this->grantPermission($a_dest_id, $ops, $a_dest_parent);
        return true;
    }

References copyRoleTemplatePermissions(), grantPermission(), and revokePermission().

Referenced by copyLocalRoles().

Here is the call graph for this function:

Here is the caller graph for this function:

copyRolePermissionSubtract()

ilRbacAdmin::copyRolePermissionSubtract	(		$a_source_id,
			$a_source_parent,
			$a_dest_id,
			$a_dest_parent
	)

Subtract role permissions.

Parameters

type	$a_source_id
type	$a_source_parent
type	$a_dest_id
type	$a_dest_parent

Definition at line 825 of file class.ilRbacAdmin.php.

    {
        global $rbacreview, $ilDB;
        
        $s1_ops = $rbacreview->getAllOperationsOfRole($a_source_id, $a_source_parent);
        $d_ops = $rbacreview->getAllOperationsOfRole($a_dest_id, $a_dest_parent);
        
        foreach ($s1_ops as $type => $ops) {
            foreach ($ops as $op) {
                if (isset($d_ops[$type]) and in_array($op, $d_ops[$type])) {
                    $query = 'DELETE FROM rbac_templates ' .
                            'WHERE rol_id = ' . $ilDB->quote($a_dest_id, 'integer') . ' ' .
                            'AND type = ' . $ilDB->quote($type, 'text') . ' ' .
                            'AND ops_id = ' . $ilDB->quote($op, 'integer') . ' ' .
                            'AND parent = ' . $ilDB->quote($a_dest_parent, 'integer');
                    $ilDB->manipulate($query);
                }
            }
        }
        return true;
    }

References $ilDB, $query, and $type.

copyRolePermissionUnion()

ilRbacAdmin::copyRolePermissionUnion	(		$a_source1_id,
			$a_source1_parent,
			$a_source2_id,
			$a_source2_parent,
			$a_dest_id,
			$a_dest_parent
	)

@global <type> $ilDB

Parameters

<type>	$a_source1_id
<type>	$a_source1_parent
<type>	$a_source2_id
<type>	$a_source2_parent
<type>	$a_dest_id
<type>	$a_dest_parent

Returns

<type>

Definition at line 765 of file class.ilRbacAdmin.php.

      {
        global $ilDB, $rbacreview;
 
        
        $s1_ops = $rbacreview->getAllOperationsOfRole($a_source1_id, $a_source1_parent);
        $s2_ops = $rbacreview->getAlloperationsOfRole($a_source2_id, $a_source2_parent);
        
        $this->deleteRolePermission($a_dest_id, $a_dest_parent);
 
        $GLOBALS['ilLog']->write(__METHOD__ . ': ' . print_r($s1_ops, true));
        $GLOBALS['ilLog']->write(__METHOD__ . ': ' . print_r($s2_ops, true));
 
        foreach ($s1_ops as $type => $ops) {
            foreach ($ops as $op) {
                // insert all permission of source 1
                // #15469
                $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) ' .
                    'VALUES( ' .
                    $ilDB->quote($a_dest_id, 'integer') . ', ' .
                    $ilDB->quote($type, 'text') . ', ' .
                    $ilDB->quote($op, 'integer') . ', ' .
                    $ilDB->quote($a_dest_parent, 'integer') . ' ' .
                    ')';
                $ilDB->manipulate($query);
            }
        }
        
        // and the other direction...
        foreach ($s2_ops as $type => $ops) {
            foreach ($ops as $op) {
                if (!isset($s1_ops[$type]) or !in_array($op, $s1_ops[$type])) {
                    $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) ' .
                        'VALUES( ' .
                        $ilDB->quote($a_dest_id, 'integer') . ', ' .
                        $ilDB->quote($type, 'text') . ', ' .
                        $ilDB->quote($op, 'integer') . ', ' .
                        $ilDB->quote($a_dest_parent, 'integer') . ' ' .
                        ')';
                    $ilDB->manipulate($query);
                }
            }
        }
        
        return true;
    }

References $GLOBALS, $ilDB, $query, $type, and deleteRolePermission().

Here is the call graph for this function:

copyRoleTemplatePermissions()

ilRbacAdmin::copyRoleTemplatePermissions	(		$a_source_id,
			$a_source_parent,
			$a_dest_parent,
			$a_dest_id,
			$a_consider_protected = true
	)

Copies template permissions of one role to another.

It's also possible to copy template permissions from/to RoleTemplateObject @access public

Parameters

integer	$a_source_id	role_id source
integer	$a_source_parent	parent_id source
integer	$a_dest_parent	parent_id destination
integer	$a_dest_id	role_id destination

Returns

boolean

Definition at line 621 of file class.ilRbacAdmin.php.

    {
        global $rbacreview,$ilDB;
 
        if (!isset($a_source_id) or !isset($a_source_parent) or !isset($a_dest_id) or !isset($a_dest_parent)) {
            $message = __METHOD__ . ": Missing parameter! source_id: " . $a_source_id .
                       " source_parent_id: " . $a_source_parent .
                       " dest_id : " . $a_dest_id .
                       " dest_parent_id: " . $a_dest_parent;
            $this->ilErr->raiseError($message, $this->ilErr->WARNING);
        }
        
        // exclude system role from rbac
        if ($a_dest_id == SYSTEM_ROLE_ID) {
            return true;
        }
 
        // Read operations
        $query = 'SELECT * FROM rbac_templates ' .
             'WHERE rol_id = ' . $ilDB->quote($a_source_id, 'integer') . ' ' .
             'AND parent = ' . $ilDB->quote($a_source_parent, 'integer');
        $res = $ilDB->query($query);
        $operations = array();
        $rownum = 0;
        while ($row = $ilDB->fetchObject($res)) {
            $operations[$rownum]['type'] = $row->type;
            $operations[$rownum]['ops_id'] = $row->ops_id;
            $rownum++;
        }
 
        // Delete target permissions
        $query = 'DELETE FROM rbac_templates WHERE rol_id = ' . $ilDB->quote($a_dest_id, 'integer') . ' ' .
            'AND parent = ' . $ilDB->quote($a_dest_parent, 'integer');
        $res = $ilDB->manipulate($query);
        
        foreach ($operations as $row => $op) {
            $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) ' .
                 'VALUES (' .
                 $ilDB->quote($a_dest_id, 'integer') . "," .
                 $ilDB->quote($op['type'], 'text') . "," .
                 $ilDB->quote($op['ops_id'], 'integer') . "," .
                 $ilDB->quote($a_dest_parent, 'integer') . ")";
            $ilDB->manipulate($query);
        }
        
        // copy also protection status if applicable
        if ($a_consider_protected == true) {
            if ($rbacreview->isProtected($a_source_parent, $a_source_id)) {
                $this->setProtected($a_dest_parent, $a_dest_id, 'y');
            }
        }
 
        return true;
    }

References $ilDB, $message, $query, $res, $row, and setProtected().

Referenced by copyRolePermissions().

Here is the call graph for this function:

Here is the caller graph for this function:

deassignOperationFromObject()

ilRbacAdmin::deassignOperationFromObject	(		$a_type_id,
			$a_ops_id
	)

Deassign an existing operation from an object Update of rbac_ta @access public.

Parameters

integer	object type
integer	operation_id

Returns

boolean

Definition at line 1030 of file class.ilRbacAdmin.php.

    {
        global $ilDB;
        
        if (!isset($a_type_id) or !isset($a_ops_id)) {
            $message = get_class($this) . "::deassignPermissionFromObject(): Missing parameter!" .
                       "type_id: " . $a_type_id .
                       "ops_id: " . $a_ops_id;
            $this->ilErr->raiseError($message, $this->ilErr->WARNING);
        }
 
        $query = "DELETE FROM rbac_ta " .
             "WHERE typ_id = " . $ilDB->quote($a_type_id, 'integer') . " " .
             "AND ops_id = " . $ilDB->quote($a_ops_id, 'integer');
        $res = $ilDB->manipulate($query);
    
        return true;
    }

References $ilDB, $message, $query, and $res.

deassignUser()

ilRbacAdmin::deassignUser	(		$a_rol_id,
			$a_usr_id
	)

Deassigns a user from a role.

Update of table rbac_ua

Parameters

int	$a_rol_id	Object-ID of role
int	$a_usr_id	Object-ID of user

Returns

boolean true on success

Definition at line 316 of file class.ilRbacAdmin.php.

    {
        global $ilDB, $rbacreview;
        
        if (!isset($a_rol_id) or !isset($a_usr_id)) {
            $message = get_class($this) . "::deassignUser(): Missing parameter! role_id: " . $a_rol_id . " usr_id: " . $a_usr_id;
            $this->ilErr->raiseError($message, $this->ilErr->WARNING);
        }
 
        $query = "DELETE FROM rbac_ua " .
             "WHERE usr_id = " . $ilDB->quote($a_usr_id, 'integer') . " " .
             "AND rol_id = " . $ilDB->quote($a_rol_id, 'integer') . " ";
        $res = $ilDB->manipulate($query);
 
        $rbacreview->setAssignedCacheEntry($a_rol_id, $a_usr_id, false);
 
        include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
        $mapping = ilLDAPRoleGroupMapping::_getInstance();
        $mapping->deassign($a_rol_id, $a_usr_id);
 
        if ($res) {
            $ref_id = $GLOBALS['rbacreview']->getObjectReferenceOfRole($a_rol_id);
            $obj_id = ilObject::_lookupObjId($ref_id);
            $type = ilObject::_lookupType($obj_id);
 
            ilLoggerFactory::getInstance()->getLogger('ac')->debug('Raise event deassign user');
            $GLOBALS['ilAppEventHandler']->raise('Services/AccessControl', 'deassignUser', array(
                    'obj_id'  => $obj_id,
                    'usr_id'  => $a_usr_id,
                    'role_id' => $a_rol_id,
                    'type'    => $type,
            ));
        }
 
        return true;
    }

References $GLOBALS, $ilDB, $message, $query, $res, $type, ilLDAPRoleGroupMapping\_getInstance(), ilObject\_lookupObjId(), ilObject\_lookupType(), and ilLoggerFactory\getInstance().

Here is the call graph for this function:

deleteLocalRole()

ilRbacAdmin::deleteLocalRole	(		$a_rol_id,
			$a_ref_id = 0
	)

Deletes a local role and entries in rbac_fa and rbac_templates @access public.

Parameters

integer	object_id of role
integer	ref_id of role folder (optional)

Returns

boolean true on success

Definition at line 156 of file class.ilRbacAdmin.php.

    {
        global $ilDB;
        
        if (!isset($a_rol_id)) {
            $message = get_class($this) . "::deleteLocalRole(): Missing parameter! role_id: '" . $a_rol_id . "'";
            $this->ilErr->raiseError($message, $this->ilErr->WARNING);
        }
        
        // exclude system role from rbac
        if ($a_rol_id == SYSTEM_ROLE_ID) {
            return true;
        }
 
        if ($a_ref_id != 0) {
            $clause = 'AND parent = ' . $ilDB->quote($a_ref_id, 'integer') . ' ';
        }
        
        $query = 'DELETE FROM rbac_fa ' .
             'WHERE rol_id = ' . $ilDB->quote($a_rol_id, 'integer') . ' ' .
             $clause;
        $res = $ilDB->manipulate($query);
 
        $query = 'DELETE FROM rbac_templates ' .
             'WHERE rol_id = ' . $ilDB->quote($a_rol_id, 'integer') . ' ' .
             $clause;
        $res = $ilDB->manipulate($query);
        return true;
    }

References $ilDB, $message, $query, and $res.

Referenced by adjustMovedObjectPermissions(), and deleteRole().

Here is the caller graph for this function:

deleteRole()

ilRbacAdmin::deleteRole	(		$a_rol_id,
			$a_ref_id
	)

Deletes a role and deletes entries in object_data, rbac_pa, rbac_templates, rbac_ua, rbac_fa @access public.

Parameters

integer	obj_id of role (role_id)
integer	ref_id of role folder (ref_id)

Returns

boolean true on success

Definition at line 85 of file class.ilRbacAdmin.php.

    {
        global $lng,$ilDB;
 
        if (!isset($a_rol_id) or !isset($a_ref_id)) {
            $message = get_class($this) . "::deleteRole(): Missing parameter! role_id: " . $a_rol_id . " ref_id of role folder: " . $a_ref_id;
            $this->ilErr->raiseError($message, $this->ilErr->WARNING);
        }
 
        // exclude system role from rbac
        if ($a_rol_id == SYSTEM_ROLE_ID) {
            $this->ilErr->raiseError($lng->txt("msg_sysrole_not_deletable"), $this->ilErr->MESSAGE);
        }
 
        include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
        $mapping = ilLDAPRoleGroupMapping::_getInstance();
        $mapping->deleteRole($a_rol_id);
 
 
        // TODO: check assigned users before deletion
        // This is done in ilObjRole. Should be better moved to this place?
        
        // delete user assignements
        $query = "DELETE FROM rbac_ua " .
             "WHERE rol_id = " . $ilDB->quote($a_rol_id, 'integer');
        $res = $ilDB->manipulate($query);
        
        // delete permission assignments
        $query = "DELETE FROM rbac_pa " .
             "WHERE rol_id = " . $ilDB->quote($a_rol_id, 'integer') . " ";
        $res = $ilDB->manipulate($query);
        
        //delete rbac_templates and rbac_fa
        $this->deleteLocalRole($a_rol_id);
        
        return true;
    }

References $ilDB, $lng, $message, $query, $res, ilLDAPRoleGroupMapping\_getInstance(), and deleteLocalRole().

Here is the call graph for this function:

deleteRolePermission()

ilRbacAdmin::deleteRolePermission	(		$a_rol_id,
			$a_ref_id,
			$a_type = false
	)

Deletes all entries of a template.

If an object type is given for third parameter only the entries for that object type are deleted Update of table rbac_templates. @access public

Parameters

integer	object id of role
integer	ref_id of role folder
string	object type (optional)

Returns

boolean

Definition at line 858 of file class.ilRbacAdmin.php.

    {
        global $ilDB;
        
        if (!isset($a_rol_id) or !isset($a_ref_id)) {
            $message = get_class($this) . "::deleteRolePermission(): Missing parameter! role_id: " . $a_rol_id . " ref_id: " . $a_ref_id;
            $this->ilErr->raiseError($message, $this->ilErr->WARNING);
        }
 
        // exclude system role from rbac
        if ($a_rol_id == SYSTEM_ROLE_ID) {
            return true;
        }
        
        if ($a_type !== false) {
            $and_type = " AND type=" . $ilDB->quote($a_type, 'text') . " ";
        }
 
        $query = 'DELETE FROM rbac_templates ' .
             'WHERE rol_id = ' . $ilDB->quote($a_rol_id, 'integer') . ' ' .
             'AND parent = ' . $ilDB->quote($a_ref_id, 'integer') . ' ' .
             $and_type;
             
        $res = $ilDB->manipulate($query);
 
        return true;
    }

References $a_type, $ilDB, $message, $query, and $res.

Referenced by copyRolePermissionUnion().

Here is the caller graph for this function:

deleteSubtreeTemplates()

ilRbacAdmin::deleteSubtreeTemplates	(		$a_ref_id,
			$a_rol_id
	)

Delete all template permissions of subtree nodes.

Parameters

object	$a_ref_id
object	$a_rol_id

Returns

Definition at line 532 of file class.ilRbacAdmin.php.

    {
        global $ilDB;
        
        $query = 'DELETE FROM rbac_templates ' .
                'WHERE parent IN ( ' .
                $GLOBALS['tree']->getSubTreeQuery($a_ref_id, array('child')) . ' ) ' .
                'AND rol_id = ' . $ilDB->quote($a_rol_id, 'integer');
        
        $ilDB->manipulate($query);
 
        $query = 'DELETE FROM rbac_fa ' .
                'WHERE parent IN ( ' .
                $GLOBALS['tree']->getSubTreeQuery($a_ref_id, array('child')) . ' ) ' .
                'AND rol_id = ' . $ilDB->quote($a_rol_id, 'integer');
        
        $ilDB->manipulate($query);
 
        return true;
    }

References $GLOBALS, $ilDB, and $query.

deleteTemplate()

ilRbacAdmin::deleteTemplate

(

$a_obj_id

)

Deletes a template from role folder and deletes all entries in rbac_templates, rbac_fa @access public.

Parameters

integer

object_id of role template

Returns

boolean

Definition at line 129 of file class.ilRbacAdmin.php.

    {
        global $ilDB;
        
        if (!isset($a_obj_id)) {
            $message = get_class($this) . "::deleteTemplate(): No obj_id given!";
            $this->ilErr->raiseError($message, $this->ilErr->WARNING);
        }
 
        $query = 'DELETE FROM rbac_templates ' .
             'WHERE rol_id = ' . $ilDB->quote($a_obj_id, 'integer');
        $res = $ilDB->manipulate($query);
 
        $query = 'DELETE FROM rbac_fa ' .
            'WHERE rol_id = ' . $ilDB->quote($a_obj_id, 'integer');
        $res = $ilDB->manipulate($query);
 
        return true;
    }

References $ilDB, $message, $query, and $res.

grantPermission()

ilRbacAdmin::grantPermission	(		$a_rol_id,
			$a_ops,
			$a_ref_id
	)

Grants a permission to an object and a specific role.

Update of table rbac_pa @access public

Parameters

integer	object id of role
array	array of operation ids
integer	reference id of that object which is granted the permissions

Returns

boolean

Definition at line 361 of file class.ilRbacAdmin.php.

    {
        global $ilDB;
        
        if (!isset($a_rol_id) or !isset($a_ops) or !isset($a_ref_id)) {
            $this->ilErr->raiseError(get_class($this) . "::grantPermission(): Missing parameter! " .
                            "role_id: " . $a_rol_id . " ref_id: " . $a_ref_id . " operations: ", $this->ilErr->WARNING);
        }
 
        if (!is_array($a_ops)) {
            $this->ilErr->raiseError(
                get_class($this) . "::grantPermission(): Wrong datatype for operations!",
                $this->ilErr->WARNING
            );
        }
        
        /*
        if (count($a_ops) == 0)
        {
            return false;
        }
        */
        // exclude system role from rbac
        if ($a_rol_id == SYSTEM_ROLE_ID) {
            return true;
        }
        
        // convert all values to integer
        foreach ($a_ops as $key => $operation) {
            $a_ops[$key] = (int) $operation;
        }
 
        // Serialization des ops_id Arrays
        $ops_ids = serialize($a_ops);
        
        $query = 'DELETE FROM rbac_pa ' .
            'WHERE rol_id = %s ' .
            'AND ref_id = %s';
        $res = $ilDB->queryF(
            $query,
            array('integer','integer'),
            array($a_rol_id,$a_ref_id)
        );
            
        if (!count($a_ops)) {
            return false;
        }
 
        $query = "INSERT INTO rbac_pa (rol_id,ops_id,ref_id) " .
             "VALUES " .
             "(" . $ilDB->quote($a_rol_id, 'integer') . "," . $ilDB->quote($ops_ids, 'text') . "," . $ilDB->quote($a_ref_id, 'integer') . ")";
        $res = $ilDB->manipulate($query);
 
        return true;
    }

References $ilDB, $key, $query, and $res.

Referenced by adjustMovedObjectPermissions(), copyRolePermissions(), and initIntersectionPermissions().

Here is the caller graph for this function:

initIntersectionPermissions()

ilRbacAdmin::initIntersectionPermissions	(		$a_ref_id,
			$a_role_id,
			$a_role_parent,
			$a_template_id,
			$a_template_parent
	)

Init intersection permissions.

@global type $rbacreview

Parameters

type	$a_ref_id
type	$a_role_id
type	$a_role_parent
type	$a_template_id
type	$a_template_parent

Returns

type

Definition at line 1124 of file class.ilRbacAdmin.php.

    {
        global $rbacreview;
        
        if ($rbacreview->isProtected($a_role_parent, $a_role_id)) {
            // Assign object permissions
            $new_ops = $rbacreview->getOperationsOfRole(
                $a_role_id,
                ilObject::_lookupType($a_ref_id, true),
                $a_role_parent
            );
 
            // set new permissions for object
            $this->grantPermission(
                $a_role_id,
                (array) $new_ops,
                $a_ref_id
            );
            return;
        }
        if (!$a_template_id) {
            ilLoggerFactory::getLogger('ac')->info('No template id given. Aborting.');
            return;
        }
        // create template permission intersection
        $this->copyRolePermissionIntersection(
            $a_template_id,
            $a_template_parent,
            $a_role_id,
            $a_role_parent,
            $a_ref_id,
            $a_role_id
        );
 
        // assign role to folder
        $this->assignRoleToFolder(
            $a_role_id,
            $a_ref_id,
            'n'
        );
 
        // Assign object permissions
        $new_ops = $rbacreview->getOperationsOfRole(
            $a_role_id,
            ilObject::_lookupType($a_ref_id, true),
            $a_ref_id
        );
        
        // revoke existing permissions
        $this->revokePermission($a_ref_id, $a_role_id);
        
        // set new permissions for object
        $this->grantPermission(
            $a_role_id,
            (array) $new_ops,
            $a_ref_id
        );
            
        return;
    }

References ilObject\_lookupType(), assignRoleToFolder(), copyRolePermissionIntersection(), ilLoggerFactory\getLogger(), grantPermission(), and revokePermission().

Referenced by adjustMovedObjectPermissions().

Here is the call graph for this function:

Here is the caller graph for this function:

removeUser()

ilRbacAdmin::removeUser

(

$a_usr_id

)

deletes a user from rbac_ua all user <-> role relations are deleted @access public

Parameters

integer

user_id

Returns

boolean true on success

Definition at line 63 of file class.ilRbacAdmin.php.

    {
        global $ilDB;
        
        if (!isset($a_usr_id)) {
            $message = get_class($this) . "::removeUser(): No usr_id given!";
            $this->ilErr->raiseError($message, $this->ilErr->WARNING);
        }
 
        $query = "DELETE FROM rbac_ua WHERE usr_id = " . $ilDB->quote($a_usr_id, 'integer');
        $res = $ilDB->manipulate($query);
        
        return true;
    }

References $ilDB, $message, $query, and $res.

revokePermission()

ilRbacAdmin::revokePermission	(		$a_ref_id,
			$a_rol_id = 0,
			$a_keep_protected = true
	)

Revokes permissions of an object of one role.

Update of table rbac_pa. Revokes all permission for all roles for that object (with this reference). When a role_id is given this applies only to that role @access public

Parameters

integer	reference id of object where permissions should be revoked
integer	role_id (optional: if you want to revoke permissions of object only for a specific role)

Returns

boolean

Definition at line 426 of file class.ilRbacAdmin.php.

    {
        global $rbacreview,$log,$ilDB,$ilLog;
 
        if (!isset($a_ref_id)) {
            $ilLog->logStack();
            $message = get_class($this) . "::revokePermission(): Missing parameter! ref_id: " . $a_ref_id;
            $this->ilErr->raiseError($message, $this->ilErr->WARNING);
        }
        #$log->write("ilRBACadmin::revokePermission(), 0");
 
        // bypass protected status of roles
        if ($a_keep_protected != true) {
            // exclude system role from rbac
            if ($a_rol_id == SYSTEM_ROLE_ID) {
                return true;
            }
    
            if ($a_rol_id) {
                $and1 = " AND rol_id = " . $ilDB->quote($a_rol_id, 'integer') . " ";
            } else {
                $and1 = "";
            }
    
            $query = "DELETE FROM rbac_pa " .
                 "WHERE ref_id = " . $ilDB->quote($a_ref_id, 'integer') .
                 $and1;
            
            $res = $ilDB->manipulate($query);
    
            return true;
        }
        
        // consider protected status of roles
    
        // in any case, get all roles in scope first
        $roles_in_scope = $rbacreview->getParentRoleIds($a_ref_id);
 
        if (!$a_rol_id) {
            #$log->write("ilRBACadmin::revokePermission(), 1");
 
            $role_ids = array();
            
            foreach ($roles_in_scope as $role) {
                if ($role['protected'] == true) {
                    continue;
                }
                
                $role_ids[] = $role['obj_id'];
            }
            
            // return if no role in array
            if (!$role_ids) {
                return true;
            }
            
            $query = 'DELETE FROM rbac_pa ' .
                'WHERE ' . $ilDB->in('rol_id', $role_ids, false, 'integer') . ' ' .
                'AND ref_id = ' . $ilDB->quote($a_ref_id, 'integer');
            $res = $ilDB->manipulate($query);
        } else {
            #$log->write("ilRBACadmin::revokePermission(), 2");
            // exclude system role from rbac
            if ($a_rol_id == SYSTEM_ROLE_ID) {
                return true;
            }
            
            // exclude protected permission settings from revoking
            if ($roles_in_scope[$a_rol_id]['protected'] == true) {
                return true;
            }
 
            $query = "DELETE FROM rbac_pa " .
                 "WHERE ref_id = " . $ilDB->quote($a_ref_id, 'integer') . " " .
                 "AND rol_id = " . $ilDB->quote($a_rol_id, 'integer') . " ";
            $res = $ilDB->manipulate($query);
        }
 
        return true;
    }

References $ilDB, $ilLog, $log, $message, $query, and $res.

Referenced by adjustMovedObjectPermissions(), copyRolePermissions(), and initIntersectionPermissions().

Here is the caller graph for this function:

revokePermissionList()

ilRbacAdmin::revokePermissionList	(		$a_ref_ids,
			$a_rol_id
	)

Revokes permissions of a LIST of objects of ONE role.

Update of table rbac_pa. @access public

Parameters

array	list of reference_ids to revoke permissions
integer	role_id

Returns

boolean

Definition at line 560 of file class.ilRbacAdmin.php.

    {
        global $ilDB;
        
        if (!isset($a_ref_ids) or !is_array($a_ref_ids)) {
            $message = get_class($this) . "::revokePermissionList(): Missing parameter or parameter is not an array! reference_list: " . var_dump($a_ref_ids);
            $this->ilErr->raiseError($message, $this->ilErr->WARNING);
        }
 
        if (!isset($a_rol_id)) {
            $message = get_class($this) . "::revokePermissionList(): Missing parameter! rol_id: " . $a_rol_id;
            $this->ilErr->raiseError($message, $this->ilErr->WARNING);
        }
 
        // exclude system role from rbac
        if ($a_rol_id == SYSTEM_ROLE_ID) {
            return true;
        }
 
        $query = "DELETE FROM rbac_pa " .
             "WHERE " . $ilDB->in('ref_id', $a_ref_ids, false, 'integer') . ' ' .
             "AND rol_id = " . $ilDB->quote($a_rol_id, 'integer');
        $res = $ilDB->manipulate($query);
 
        return true;
    }

References $ilDB, $message, $query, and $res.

revokeSubtreePermissions()

ilRbacAdmin::revokeSubtreePermissions	(		$a_ref_id,
			$a_role_id
	)

Revoke subtree permissions.

Parameters

object	$a_ref_id
object	$a_role_id

Returns

Definition at line 513 of file class.ilRbacAdmin.php.

    {
        global $ilDB;
        
        $query = 'DELETE FROM rbac_pa ' .
                'WHERE ref_id IN ' .
                '( ' . $GLOBALS['tree']->getSubTreeQuery($a_ref_id, array('child')) . ' ) ' .
                'AND rol_id = ' . $ilDB->quote($a_role_id, 'integer');
        
        $ilDB->manipulate($query);
        return true;
    }

References $GLOBALS, $ilDB, and $query.

setBlockedStatus()

ilRbacAdmin::setBlockedStatus	(		$a_role_id,
			$a_ref_id,
			$a_blocked_status
	)

Set blocked status.

Parameters

type	$a_role_id
type	$a_ref_id
type	$a_blocked_status

Definition at line 45 of file class.ilRbacAdmin.php.

    {
        global $ilDB;
        
        ilLoggerFactory::getLogger('crs')->logStack();
        $query = 'UPDATE rbac_fa set blocked = ' . $ilDB->quote($a_blocked_status, 'integer') . ' ' .
                'WHERE rol_id = ' . $ilDB->quote($a_role_id, 'integer') . ' ' .
                'AND parent = ' . $ilDB->quote($a_ref_id, 'integer');
        $ilDB->manipulate($query);
    }

References $ilDB, $query, and ilLoggerFactory\getLogger().

Here is the call graph for this function:

setProtected()

ilRbacAdmin::setProtected	(		$a_ref_id,
			$a_role_id,
			$a_value
	)

Set protected @global $ilDB.

Parameters

type	$a_ref_id
type	$a_role_id
type	$a_value	y or n

Returns

boolean

Definition at line 1057 of file class.ilRbacAdmin.php.

    {
        global $ilDB;
        
        // ref_id not used yet. protected permission acts 'global' for each role,
        // regardless of any broken inheritance before
        $query = 'UPDATE rbac_fa ' .
            'SET protected = ' . $ilDB->quote($a_value, 'text') . ' ' .
            'WHERE rol_id = ' . $ilDB->quote($a_role_id, 'integer');
        $res = $ilDB->manipulate($query);
        return true;
    }

References $ilDB, $query, and $res.

Referenced by copyRoleTemplatePermissions().

Here is the caller graph for this function:

setRolePermission()

ilRbacAdmin::setRolePermission	(		$a_rol_id,
			$a_type,
			$a_ops,
			$a_ref_id
	)

Inserts template permissions in rbac_templates for an specific object type.

Update of table rbac_templates @access public

Parameters

integer	role_id
string	object type
array	operation_ids
integer	ref_id of role folder object

Returns

boolean

Definition at line 896 of file class.ilRbacAdmin.php.

    {
        global $ilDB;
        
        if (!isset($a_rol_id) or !isset($a_type) or !isset($a_ops) or !isset($a_ref_id)) {
            $message = get_class($this) . "::setRolePermission(): Missing parameter!" .
                       " role_id: " . $a_rol_id .
                       " type: " . $a_type .
                       " operations: " . $a_ops .
                       " ref_id: " . $a_ref_id;
            $this->ilErr->raiseError($message, $this->ilErr->WARNING);
        }
 
        if (!is_string($a_type) or empty($a_type)) {
            $message = get_class($this) . "::setRolePermission(): a_type is no string or empty!";
            $this->ilErr->raiseError($message, $this->ilErr->WARNING);
        }
 
        if (!is_array($a_ops) or empty($a_ops)) {
            $message = get_class($this) . "::setRolePermission(): a_ops is no array or empty!";
            $this->ilErr->raiseError($message, $this->ilErr->WARNING);
        }
        
        // exclude system role from rbac
        if ($a_rol_id == SYSTEM_ROLE_ID) {
            return true;
        }
        
        foreach ($a_ops as $op) {
            $ilDB->replace(
                'rbac_templates',
                [
                    'rol_id'    => ['integer', $a_rol_id],
                    'type'              => ['text', $a_type],
                    'ops_id'    => ['integer', $op],
                    'parent'    => ['integer', $a_ref_id]
                ],
                []
            );
        }
        return true;
    }

References $a_type, $ilDB, and $message.

---

The documentation for this class was generated from the following file:

• Services/AccessControl/classes/class.ilRbacAdmin.php