ILIAS  release_5-4 Revision v5.4.26-12-gabc799a52e6
class.ilObjRole.php
Go to the documentation of this file.
1<?php
2
3/* Copyright (c) 1998-2010 ILIAS open source, Extended GPL, see docs/LICENSE */
4
5require_once "./Services/Object/classes/class.ilObject.php";
6require_once('./Services/Repository/classes/class.ilObjectPlugin.php');
7
16class ilObjRole extends ilObject
17{
18 const MODE_PROTECTED_DELETE_LOCAL_POLICIES = 1;
19 const MODE_PROTECTED_KEEP_LOCAL_POLICIES = 2;
20 const MODE_UNPROTECTED_DELETE_LOCAL_POLICIES = 3;
21 const MODE_UNPROTECTED_KEEP_LOCAL_POLICIES = 4;
22
23 const MODE_ADD_OPERATIONS = 1;
24 const MODE_READ_OPERATIONS = 2;
25 const MODE_REMOVE_OPERATIONS = 3;
26
30 private $logger = null;
31
39 public $parent;
40
41 public $allow_register;
42 public $assign_users;
43
45 public $disk_quota;
46 public $wsp_disk_quota;
53 public function __construct($a_id = 0, $a_call_by_reference = false)
54 {
55 global $DIC;
56
57 $this->logger = $DIC->logger()->ac();
58 $this->type = "role";
59 $this->disk_quota = 0;
60 $this->wsp_disk_quota = 0;
61 parent::__construct($a_id, $a_call_by_reference);
62 }
63
72 public static function createDefaultRole($a_title, $a_description, $a_tpl_name, $a_ref_id)
73 {
74 global $DIC;
75
76 $ilDB = $DIC['ilDB'];
77
78 // SET PERMISSION TEMPLATE OF NEW LOCAL CONTRIBUTOR ROLE
79 $res = $ilDB->query("SELECT obj_id FROM object_data " .
80 " WHERE type=" . $ilDB->quote("rolt", "text") .
81 " AND title=" . $ilDB->quote($a_tpl_name, "text"));
82 while ($row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
83 $tpl_id = $row->obj_id;
84 }
85
86 if (!$tpl_id) {
87 return null;
88 }
89
90 include_once './Services/AccessControl/classes/class.ilObjRole.php';
91 $role = new ilObjRole();
92 $role->setTitle($a_title);
93 $role->setDescription($a_description);
94 $role->create();
95
96 $GLOBALS['DIC']['rbacadmin']->assignRoleToFolder($role->getId(), $a_ref_id, 'y');
97
98 $GLOBALS['DIC']['rbacadmin']->copyRoleTemplatePermissions(
99 $tpl_id,
100 ROLE_FOLDER_ID,
101 $a_ref_id,
102 $role->getId()
103 );
104
105 $ops = $GLOBALS['DIC']['rbacreview']->getOperationsOfRole(
106 $role->getId(),
107 ilObject::_lookupType($a_ref_id, true),
108 $a_ref_id
109 );
110 $GLOBALS['DIC']['rbacadmin']->grantPermission(
111 $role->getId(),
112 $ops,
113 $a_ref_id
114 );
115 return $role;
116 }
117
118
123 public function validate()
124 {
125 global $DIC;
126
127 $ilErr = $DIC['ilErr'];
128
129 if (substr($this->getTitle(), 0, 3) == 'il_') {
130 $ilErr->setMessage('msg_role_reserved_prefix');
131 return false;
132 }
133 return true;
134 }
135
140 public function getPresentationTitle()
141 {
142 return ilObjRole::_getTranslation($this->getTitle());
143 }
144
145 public function toggleAssignUsersStatus($a_assign_users)
146 {
147 $this->assign_users = (int) $a_assign_users;
148 }
149 public function getAssignUsersStatus()
150 {
151 return $this->assign_users ? $this->assign_users : 0;
152 }
153 // Same method (static)
154 public static function _getAssignUsersStatus($a_role_id)
155 {
156 global $DIC;
157
158 $ilDB = $DIC['ilDB'];
159
160 $query = "SELECT assign_users FROM role_data WHERE role_id = " . $ilDB->quote($a_role_id, 'integer') . " ";
161 $res = $ilDB->query($query);
162 while ($row = $ilDB->fetchObject($res)) {
163 return $row->assign_users ? true : false;
164 }
165 return false;
166 }
167
172 public function read()
173 {
174 global $DIC;
175
176 $ilDB = $DIC['ilDB'];
177
178 $query = "SELECT * FROM role_data WHERE role_id= " . $ilDB->quote($this->id, 'integer') . " ";
179
180 $res = $ilDB->query($query);
181 if ($res->numRows() > 0) {
182 $data = $ilDB->fetchAssoc($res);
183
184 // fill member vars in one shot
185 $this->assignData($data);
186 } else {
187 $this->ilias->raiseError("<b>Error: There is no dataset with id " . $this->id . "!</b><br />class: " . get_class($this) . "<br />Script: " . __FILE__ . "<br />Line: " . __LINE__, $this->ilias->FATAL);
188 }
189
190 parent::read();
191 }
192
198 public function assignData($a_data)
199 {
200 $this->setTitle(ilUtil::stripSlashes($a_data["title"]));
201 $this->setDescription(ilUtil::stripslashes($a_data["desc"]));
202 $this->setAllowRegister($a_data["allow_register"]);
203 $this->toggleAssignUsersStatus($a_data['assign_users']);
204 $this->setDiskQuota($a_data['disk_quota']);
205 $this->setPersonalWorkspaceDiskQuota($a_data['wsp_disk_quota']);
206 }
207
212 public function update()
213 {
214 global $DIC;
215
216 $ilDB = $DIC['ilDB'];
217
218 $query = "UPDATE role_data SET " .
219 "allow_register= " . $ilDB->quote($this->allow_register, 'integer') . ", " .
220 "assign_users = " . $ilDB->quote($this->getAssignUsersStatus(), 'integer') . ", " .
221 "disk_quota = " . $ilDB->quote($this->getDiskQuota(), 'integer') . ", " .
222 "wsp_disk_quota = " . $ilDB->quote($this->getPersonalWorkspaceDiskQuota(), 'integer') . " " .
223 "WHERE role_id= " . $ilDB->quote($this->id, 'integer') . " ";
224 $res = $ilDB->manipulate($query);
225
226 parent::update();
227
228 $this->read();
229
230 return true;
231 }
232
240 public function create()
241 {
242 global $DIC;
243
244 $ilDB = $DIC['ilDB'];
245
246 $this->id = parent::create();
247
248 $query = "INSERT INTO role_data " .
249 "(role_id,allow_register,assign_users,disk_quota,wsp_disk_quota) " .
250 "VALUES " .
251 "(" . $ilDB->quote($this->id, 'integer') . "," .
252 $ilDB->quote($this->getAllowRegister(), 'integer') . "," .
253 $ilDB->quote($this->getAssignUsersStatus(), 'integer') . "," .
254 $ilDB->quote($this->getDiskQuota(), 'integer') . "," .
255 $ilDB->quote($this->getPersonalWorkspaceDiskQuota(), 'integer') . ")"
256 ;
257 $res = $ilDB->query($query);
258
259 return $this->id;
260 }
261
268 public function setAllowRegister($a_allow_register)
269 {
270 if (empty($a_allow_register)) {
271 $a_allow_register == 0;
272 }
273
274 $this->allow_register = (int) $a_allow_register;
275 }
276
283 public function getAllowRegister()
284 {
285 return $this->allow_register ? $this->allow_register : false;
286 }
287
296 public function setDiskQuota($a_disk_quota)
297 {
298 $this->disk_quota = $a_disk_quota;
299 }
300
310 public function getDiskQuota()
311 {
312 return $this->disk_quota;
313 }
314
315
324 public function setPersonalWorkspaceDiskQuota($a_disk_quota)
325 {
326 $this->wsp_disk_quota = $a_disk_quota;
327 }
328
338 public function getPersonalWorkspaceDiskQuota()
339 {
340 return $this->wsp_disk_quota;
341 }
342
349 public static function _lookupRegisterAllowed()
350 {
351 global $DIC;
352
353 $ilDB = $DIC['ilDB'];
354
355 $query = "SELECT * FROM role_data " .
356 "JOIN object_data ON object_data.obj_id = role_data.role_id " .
357 "WHERE allow_register = 1";
358 $res = $ilDB->query($query);
359
360 $roles = array();
361 while ($role = $ilDB->fetchAssoc($res)) {
362 $roles[] = array("id" => $role["obj_id"],
363 "title" => $role["title"],
364 "auth_mode" => $role['auth_mode']);
365 }
366
367 return $roles;
368 }
369
376 public static function _lookupAllowRegister($a_role_id)
377 {
378 global $DIC;
379
380 $ilDB = $DIC['ilDB'];
381
382 $query = "SELECT * FROM role_data " .
383 " WHERE role_id =" . $ilDB->quote($a_role_id, 'integer');
384
385 $res = $ilDB->query($query);
386 if ($role_rec = $ilDB->fetchAssoc($res)) {
387 if ($role_rec["allow_register"]) {
388 return true;
389 }
390 }
391 return false;
392 }
393
401 public function setParent($a_parent_ref)
402 {
403 $this->parent = $a_parent_ref;
404 }
405
412 public function getParent()
413 {
414 return $this->parent;
415 }
416
417
424 public function delete()
425 {
426 global $DIC;
427
428 $rbacadmin = $DIC['rbacadmin'];
429 $rbacreview = $DIC['rbacreview'];
430 $ilDB = $DIC['ilDB'];
431
432 // Temporary bugfix
433 if ($rbacreview->hasMultipleAssignments($this->getId())) {
434 ilLoggerFactory::getLogger('ac')->warning('Found role with multiple assignments: role_id: ' . $this->getId());
435 ilLoggerFactory::getLogger('ac')->warning('Aborted deletion of role.');
436 return false;
437 }
438
439 if ($rbacreview->isAssignable($this->getId(), $this->getParent())) {
440 ilLoggerFactory::getLogger('ac')->debug('Handling assignable role...');
441 // do not delete a global role, if the role is the last
442 // role a user is assigned to.
443 //
444 // Performance improvement: In the code section below, we
445 // only need to consider _global_ roles. We don't need
446 // to check for _local_ roles, because a user who has
447 // a local role _always_ has a global role too.
448 $last_role_user_ids = array();
449 if ($this->getParent() == ROLE_FOLDER_ID) {
450 ilLoggerFactory::getLogger('ac')->debug('Handling global role...');
451 // The role is a global role: check if
452 // we find users who aren't assigned to any
453 // other global role than this one.
454 $user_ids = $rbacreview->assignedUsers($this->getId());
455
456 foreach ($user_ids as $user_id) {
457 // get all roles each user has
458 $role_ids = $rbacreview->assignedRoles($user_id);
459
460 // is last role?
461 if (count($role_ids) == 1) {
462 $last_role_user_ids[] = $user_id;
463 }
464 }
465 }
466
467 // users with last role found?
468 if (count($last_role_user_ids) > 0) {
469 $user_names = array();
470 foreach ($last_role_user_ids as $user_id) {
471 // GET OBJECT TITLE
472 $user_names[] = ilObjUser::_lookupLogin($user_id);
473 }
474
475 // TODO: This check must be done in rolefolder object because if multiple
476 // roles were selected the other roles are still deleted and the system does not
477 // give any feedback about this.
478 $users = implode(', ', $user_names);
479 ilLoggerFactory::getLogger('ac')->info('Cannot delete last global role of users.');
480 $this->ilias->raiseError($this->lng->txt("msg_user_last_role1") . " " .
481 $users . "<br/>" . $this->lng->txt("msg_user_last_role2"), $this->ilias->error_obj->WARNING);
482 } else {
483 ilLoggerFactory::getLogger('ac')->debug('Starting deletion of assignable role: role_id: ' . $this->getId());
484 $rbacadmin->deleteRole($this->getId(), $this->getParent());
485
486 // Delete ldap role group mappings
487 include_once('./Services/LDAP/classes/class.ilLDAPRoleGroupMappingSettings.php');
488 ilLDAPRoleGroupMappingSettings::_deleteByRole($this->getId());
489
490 // delete object_data entry
491 parent::delete();
492
493 // delete role_data entry
494 $query = "DELETE FROM role_data WHERE role_id = " . $ilDB->quote($this->getId(), 'integer');
495 $res = $ilDB->manipulate($query);
496
497 include_once 'Services/AccessControl/classes/class.ilRoleDesktopItem.php';
498 $role_desk_item_obj = new ilRoleDesktopItem($this->getId());
499 $role_desk_item_obj->deleteAll();
500 }
501 } else {
502 ilLoggerFactory::getLogger('ac')->debug('Starting deletion of linked role: role_id ' . $this->getId());
503 // linked local role: INHERITANCE WAS STOPPED, SO DELETE ONLY THIS LOCAL ROLE
504 $rbacadmin->deleteLocalRole($this->getId(), $this->getParent());
505 }
506 return true;
507 }
508
509 public function getCountMembers()
510 {
511 global $DIC;
512
513 $rbacreview = $DIC['rbacreview'];
514
515 return count($rbacreview->assignedUsers($this->getId()));
516 }
517
518 public static function _getTranslation($a_role_title)
519 {
520 global $DIC;
521
522 $lng = $DIC['lng'];
523
524 $role_title = self::_removeObjectId($a_role_title);
525
526 if (preg_match("/^il_./", $role_title)) {
527 return $lng->txt($role_title);
528 }
529
530 return $a_role_title;
531 }
532
533 public static function _removeObjectId($a_role_title)
534 {
535 $role_title_parts = explode('_', $a_role_title);
536
537 $test2 = (int) $role_title_parts[3];
538 if ($test2 > 0) {
539 unset($role_title_parts[3]);
540 }
541
542 return implode('_', $role_title_parts);
543 }
544
552 public static function getSubObjects($a_obj_type, $a_add_admin_objects)
553 {
554 global $DIC;
558 $objDefinition = $DIC['objDefinition'];
559 $lng = $DIC->language();
560 $subs = $objDefinition->getSubObjectsRecursively($a_obj_type, true, $a_add_admin_objects);
561
562 $filter = array();
563 $sorted = array();
564
565 if (!ilECSSetting::ecsConfigured()) {
566 $filter = array_merge($filter, ilECSUtils::getPossibleRemoteTypes(false));
567 $filter[] = 'rtst';
568 }
569
570 foreach ($subs as $subtype => $def) {
571 if (in_array($def["name"], $filter)) {
572 continue;
573 }
574
575 if ($objDefinition->isPlugin($subtype)) {
576 $translation = ilObjectPlugin::lookupTxtById($subtype, "obj_" . $subtype);
577 } elseif ($objDefinition->isSystemObject($subtype)) {
578 $translation = $lng->txt("obj_" . $subtype);
579 } else {
580 $translation = $lng->txt('objs_' . $subtype);
581 }
582
583 $sorted[$subtype] = $def;
584 $sorted[$subtype]['translation'] = $translation;
585 }
586
587 return ilUtil::sortArray($sorted, 'translation', 'asc', true, true);
588 }
589
590 public static function _updateAuthMode($a_roles)
591 {
592 global $DIC;
593
594 $ilDB = $DIC['ilDB'];
595
596 foreach ($a_roles as $role_id => $auth_mode) {
597 $query = "UPDATE role_data SET " .
598 "auth_mode= " . $ilDB->quote($auth_mode, 'text') . " " .
599 "WHERE role_id= " . $ilDB->quote($role_id, 'integer') . " ";
600 $res = $ilDB->manipulate($query);
601 }
602 }
603
604 public static function _getAuthMode($a_role_id)
605 {
606 global $DIC;
607
608 $ilDB = $DIC['ilDB'];
609
610 $query = "SELECT auth_mode FROM role_data " .
611 "WHERE role_id= " . $ilDB->quote($a_role_id, 'integer') . " ";
612 $res = $ilDB->query($query);
613 $row = $ilDB->fetchAssoc($res);
614
615 return $row['auth_mode'];
616 }
617
625 public static function _getRolesByAuthMode($a_auth_mode)
626 {
627 global $DIC;
628
629 $ilDB = $DIC['ilDB'];
630
631 $query = "SELECT * FROM role_data " .
632 "WHERE auth_mode = " . $ilDB->quote($a_auth_mode, 'text');
633 $res = $ilDB->query($query);
634 $roles = array();
635 while ($row = $ilDB->fetchObject($res)) {
636 $roles[] = $row->role_id;
637 }
638 return $roles;
639 }
640
649 public static function _resetAuthMode($a_auth_mode)
650 {
651 global $DIC;
652
653 $ilDB = $DIC['ilDB'];
654
655 $query = "UPDATE role_data SET auth_mode = 'default' WHERE auth_mode = " . $ilDB->quote($a_auth_mode, 'text');
656 $res = $ilDB->manipulate($query);
657 }
658
659 // returns array of operation/objecttype definitions
660 // private
661 public function __getPermissionDefinitions()
662 {
663 global $DIC;
664
665 $ilDB = $DIC['ilDB'];
666 $lng = $DIC['lng'];
667 $objDefinition = $DIC['objDefinition'];
668 $rbacreview = $DIC['rbacreview'];
669
670 $operation_info = $rbacreview->getOperationAssignment();
671 foreach ($operation_info as $info) {
672 if ($objDefinition->getDevMode($info['type'])) {
673 continue;
674 }
675 $rbac_objects[$info['typ_id']] = array("obj_id" => $info['typ_id'],
676 "type" => $info['type']);
677
678 // handle plugin permission texts
679 $txt = $objDefinition->isPlugin($info['type'])
680 ? ilObjectPlugin::lookupTxtById($info['type'], $info['type'] . "_" . $info['operation'])
681 : $lng->txt($info['type'] . "_" . $info['operation']);
682 if (substr($info['operation'], 0, 7) == "create_" &&
683 $objDefinition->isPlugin(substr($info['operation'], 7))) {
684 $txt = ilObjectPlugin::lookupTxtById(substr($info['operation'], 7), $info['type'] . "_" . $info['operation']);
685 }
686 $rbac_operations[$info['typ_id']][$info['ops_id']] = array(
687 "ops_id" => $info['ops_id'],
688 "title" => $info['operation'],
689 "name" => $txt);
690 }
691 return array($rbac_objects,$rbac_operations);
692 }
693
694
695 public static function isAutoGenerated($a_role_id)
696 {
697 return substr(ilObject::_lookupTitle($a_role_id), 0, 3) == 'il_';
698 }
699
707 public function changeExistingObjects($a_start_node, $a_mode, $a_filter, $a_exclusion_filter = array(),$a_operation_mode = self::MODE_READ_OPERATIONS, $a_operation_stack = [])
708 {
709 global $DIC;
710
711 $tree = $DIC->repositoryTree();
712 $rbacreview = $DIC->rbac()->review();
713
714 // Get node info of subtree
715 $nodes = $tree->getRbacSubtreeInfo($a_start_node);
716
717 // get local policies
718 $all_local_policies = $rbacreview->getObjectsWithStopedInheritance($this->getId());
719
720 // filter relevant roles
721 $local_policies = array();
722 foreach ($all_local_policies as $lp) {
723 if (isset($nodes[$lp])) {
724 $local_policies[] = $lp;
725 }
726 }
727
728 // Delete deprecated policies
729 switch ($a_mode) {
730 case self::MODE_UNPROTECTED_DELETE_LOCAL_POLICIES:
731 case self::MODE_PROTECTED_DELETE_LOCAL_POLICIES:
732 $local_policies = $this->deleteLocalPolicies($a_start_node, $local_policies, $a_filter);
733 #$local_policies = array($a_start_node == ROOT_FOLDER_ID ? SYSTEM_FOLDER_ID : $a_start_node);
734 break;
735 }
736 $this->adjustPermissions($a_mode, $nodes, $local_policies, $a_filter, $a_exclusion_filter, $a_operation_mode, $a_operation_stack);
737
738
739 #var_dump(memory_get_peak_usage());
740 #var_dump(memory_get_usage());
741 }
742
748 protected function deleteLocalPolicies($a_start, $a_policies, $a_filter)
749 {
750 global $DIC;
751
752 $rbacreview = $DIC['rbacreview'];
753 $rbacadmin = $DIC['rbacadmin'];
754
755 $local_policies = array();
756 foreach ($a_policies as $policy) {
757 if ($policy == $a_start or $policy == SYSTEM_FOLDER_ID) {
758 $local_policies[] = $policy;
759 continue;
760 }
761 if (!in_array('all', $a_filter) and !in_array(ilObject::_lookupType(ilObject::_lookupObjId($policy)), $a_filter)) {
762 $local_policies[] = $policy;
763 continue;
764 }
765 $rbacadmin->deleteLocalRole($this->getId(), $policy);
766 }
767 return $local_policies;
768 }
769
778 protected function adjustPermissions($a_mode, $a_nodes, $a_policies, $a_filter, $a_exclusion_filter = array(), $a_operation_mode = self::MODE_READ_OPERATIONS, $a_operation_stack = [])
779 {
780 global $DIC;
781
782 $rbacadmin = $DIC['rbacadmin'];
783 $rbacreview = $DIC['rbacreview'];
784 $tree = $DIC['tree'];
785
786 $operation_stack = array();
787 $policy_stack = array();
788 $node_stack = array();
789
790 $start_node = current($a_nodes);
791 array_push($node_stack, $start_node);
792 $this->updatePolicyStack($policy_stack, $start_node['child']);
793
794 if ($a_operation_mode == self::MODE_READ_OPERATIONS) {
795 $this->updateOperationStack($operation_stack, $start_node['child'], true);
796 }
797 else {
798 $operation_stack = $a_operation_stack;
799 }
800
801 $this->logger->debug('adjust permissions operation stack');
802 $this->logger->dump($operation_stack);
803
804 include_once "Services/AccessControl/classes/class.ilRbacLog.php";
805 $rbac_log_active = ilRbacLog::isActive();
806
807 $local_policy = false;
808 foreach ($a_nodes as $node) {
809 $cmp_node = end($node_stack);
810 while ($relation = $tree->getRelationOfNodes($node, $cmp_node)) {
811 switch ($relation) {
812 case ilTree::RELATION_NONE:
813 case ilTree::RELATION_SIBLING:
814 $GLOBALS['DIC']['ilLog']->write(__METHOD__ . ': Handling sibling/none relation.');
815 array_pop($operation_stack);
816 array_pop($policy_stack);
817 array_pop($node_stack);
818 $cmp_node = end($node_stack);
819 $local_policy = false;
820 break;
821
822 case ilTree::RELATION_CHILD:
823 case ilTree::RELATION_EQUALS:
824 case ilTree::RELATION_PARENT:
825 default:
826 $GLOBALS['DIC']['ilLog']->write(__METHOD__ . ': Handling child/equals/parent ' . $relation);
827 break 2;
828 }
829 }
830
831 if ($local_policy) {
832 continue;
833 }
834
835 // Start node => set permissions and continue
836 if ($node['child'] == $start_node['child']) {
837 if ($this->isHandledObjectType($a_filter, $a_exclusion_filter, $node['type'])) {
838 if ($rbac_log_active) {
839 $rbac_log_roles = $rbacreview->getParentRoleIds($node['child'], false);
840 $rbac_log_old = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
841 }
842
843 // Set permissions
844 $perms = end($operation_stack);
845 $this->changeExistingObjectsGrantPermissions(
846 $this->getId(),
847 (array) $perms[$node['type']],
848 $node['child'],
849 $a_operation_mode
850 );
851
852 if ($rbac_log_active) {
853 $rbac_log_new = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
854 $rbac_log = ilRbacLog::diffFaPa($rbac_log_old, $rbac_log_new);
855 ilRbacLog::add(ilRbacLog::EDIT_TEMPLATE_EXISTING, $node['child'], $rbac_log);
856 }
857 }
858 continue;
859 }
860
861 // Node has local policies => update permission stack and continue
862 if (in_array($node['child'], $a_policies) and ($node['child'] != SYSTEM_FOLDER_ID)) {
863 $local_policy = true;
864 $this->updatePolicyStack($policy_stack, $node['child']);
865 $this->updateOperationStack($operation_stack, $node['child']);
866 array_push($node_stack, $node);
867 continue;
868 }
869
870 // Continue if this object type is not in filter
871 if (!$this->isHandledObjectType($a_filter, $a_exclusion_filter, $node['type'])) {
872 continue;
873 }
874
875 if ($rbac_log_active) {
876 $rbac_log_roles = $rbacreview->getParentRoleIds($node['child'], false);
877 $rbac_log_old = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
878 }
879
880 // Node is course => create course permission intersection
881 if (($a_mode == self::MODE_UNPROTECTED_DELETE_LOCAL_POLICIES or
882 $a_mode == self::MODE_UNPROTECTED_KEEP_LOCAL_POLICIES) and ($node['type'] == 'crs')) {
883 // Copy role permission intersection
884 $perms = end($operation_stack);
885 $this->createPermissionIntersection($policy_stack, $perms['crs'], $node['child'], $node['type']);
886 if ($this->updateOperationStack($operation_stack, $node['child'])) {
887 $this->updatePolicyStack($policy_stack, $node['child']);
888 array_push($node_stack, $node);
889 }
890 }
891
892 // Node is group => create group permission intersection
893 if (($a_mode == self::MODE_UNPROTECTED_DELETE_LOCAL_POLICIES or
894 $a_mode == self::MODE_UNPROTECTED_KEEP_LOCAL_POLICIES) and ($node['type'] == 'grp')) {
895 // Copy role permission intersection
896 $perms = end($operation_stack);
897 $this->createPermissionIntersection($policy_stack, $perms['grp'], $node['child'], $node['type']);
898 if ($this->updateOperationStack($operation_stack, $node['child'])) {
899 $this->updatePolicyStack($policy_stack, $node['child']);
900 array_push($node_stack, $node);
901 }
902 }
903
904 // Set permission
905 $perms = end($operation_stack);
906
907 $this->changeExistingObjectsGrantPermissions(
908 $this->getId(),
909 (array) $perms[$node['type']],
910 $node['child'],
911 $a_operation_mode
912 );
913 if ($rbac_log_active) {
914 $rbac_log_new = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
915 $rbac_log = ilRbacLog::diffFaPa($rbac_log_old, $rbac_log_new);
916 ilRbacLog::add(ilRbacLog::EDIT_TEMPLATE_EXISTING, $node['child'], $rbac_log);
917 }
918 }
919 }
920
927 protected function changeExistingObjectsGrantPermissions($a_role_id, $a_permissions, $a_ref_id, $a_operation_mode)
928 {
929 global $DIC;
930
931 $admin = $DIC->rbac()->admin();
932 $review = $DIC->rbac()->review();
933 if ($a_operation_mode == self::MODE_READ_OPERATIONS) {
934 $admin->grantPermission(
935 $a_role_id,
936 $a_permissions,
937 $a_ref_id
938 );
939 }
940 elseif ($a_operation_mode == self::MODE_ADD_OPERATIONS) {
941 $current_operations = $review->getRoleOperationsOnObject(
942 $a_role_id,
943 $a_ref_id
944 );
945 $this->logger->debug('Current operations');
946 $this->logger->dump($current_operations);
947
948 $new_ops = array_unique(array_merge($a_permissions, $current_operations));
949 $this->logger->debug('New operations');
950 $this->logger->dump($new_ops);
951
952 $admin->grantPermission(
953 $a_role_id,
954 $new_ops,
955 $a_ref_id
956 );
957 }
958 elseif ($a_operation_mode == self::MODE_REMOVE_OPERATIONS) {
959 $current_operations = $review->getRoleOperationsOnObject(
960 $a_role_id,
961 $a_ref_id
962 );
963 $this->logger->debug('Current operations');
964 $this->logger->dump($current_operations);
965
966 $new_ops = array_diff($current_operations, $a_permissions);
967
968 $admin->grantPermission(
969 $a_role_id,
970 $new_ops,
971 $a_ref_id
972 );
973 }
974 }
975
976
983 protected function isHandledObjectType($a_filter, $a_exclusion_filter, $a_type)
984 {
985 if (in_array($a_type, $a_exclusion_filter)) {
986 return false;
987 }
988
989 if (in_array('all', $a_filter)) {
990 return true;
991 }
992 return in_array($a_type, $a_filter);
993 }
994
1001 protected function updateOperationStack(&$a_stack, $a_node, $a_init = false)
1002 {
1003 global $DIC;
1004
1005 $rbacreview = $DIC['rbacreview'];
1006
1007 $has_policies = null;
1008 $policy_origin = null;
1009
1010 if ($a_node == ROOT_FOLDER_ID) {
1011 $has_policies = true;
1012 $policy_origin = ROLE_FOLDER_ID;
1013 } else {
1014 $has_policies = $rbacreview->getLocalPolicies($a_node);
1015 $policy_origin = $a_node;
1016
1017 if ($a_init) {
1018 $parent_roles = $rbacreview->getParentRoleIds($a_node, false);
1019 if ($parent_roles[$this->getId()]) {
1020 $a_stack[] = $rbacreview->getAllOperationsOfRole(
1021 $this->getId(),
1022 $parent_roles[$this->getId()]['parent']
1023 );
1024 }
1025 return true;
1026 }
1027 }
1028
1029 if (!$has_policies) {
1030 return false;
1031 }
1032
1033 $a_stack[] = $rbacreview->getAllOperationsOfRole(
1034 $this->getId(),
1035 $policy_origin
1036 );
1037 return true;
1038 }
1039
1045 protected function updatePolicyStack(&$a_stack, $a_node)
1046 {
1047 global $DIC;
1048
1049 $rbacreview = $DIC['rbacreview'];
1050
1051 $has_policies = null;
1052 $policy_origin = null;
1053
1054 if ($a_node == ROOT_FOLDER_ID) {
1055 $has_policies = true;
1056 $policy_origin = ROLE_FOLDER_ID;
1057 } else {
1058 $has_policies = $rbacreview->getLocalPolicies($a_node);
1059 $policy_origin = $a_node;
1060 }
1061
1062 if (!$has_policies) {
1063 return false;
1064 }
1065
1066 $a_stack[] = $policy_origin;
1067 return true;
1068 }
1069
1077 protected function createPermissionIntersection($policy_stack, $a_current_ops, $a_id, $a_type)
1078 {
1079 global $DIC;
1080
1081 $ilDB = $DIC['ilDB'];
1082 $rbacreview = $DIC['rbacreview'];
1083 $rbacadmin = $DIC['rbacadmin'];
1084
1085 static $course_non_member_id = null;
1086 static $group_non_member_id = null;
1087 static $group_open_id = null;
1088 static $group_closed_id = null;
1089
1090 // Get template id
1091 switch ($a_type) {
1092 case 'grp':
1093
1094 include_once './Modules/Group/classes/class.ilObjGroup.php';
1095 $type = ilObjGroup::lookupGroupTye(ilObject::_lookupObjId($a_id));
1096 #var_dump("GROUP TYPE",$type);
1097 switch ($type) {
1098 case GRP_TYPE_CLOSED:
1099 if (!$group_closed_id) {
1100 $query = "SELECT obj_id FROM object_data WHERE type='rolt' AND title='il_grp_status_closed'";
1101 $res = $ilDB->query($query);
1102 while ($row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
1103 $group_closed_id = $row->obj_id;
1104 }
1105 }
1106 $template_id = $group_closed_id;
1107 #var_dump("GROUP CLOSED id:" . $template_id);
1108 break;
1109
1110 case GRP_TYPE_OPEN:
1111 default:
1112 if (!$group_open_id) {
1113 $query = "SELECT obj_id FROM object_data WHERE type='rolt' AND title='il_grp_status_open'";
1114 $res = $ilDB->query($query);
1115 while ($row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
1116 $group_open_id = $row->obj_id;
1117 }
1118 }
1119 $template_id = $group_open_id;
1120 #var_dump("GROUP OPEN id:" . $template_id);
1121 break;
1122 }
1123 break;
1124
1125 case 'crs':
1126 if (!$course_non_member_id) {
1127 $query = "SELECT obj_id FROM object_data WHERE type='rolt' AND title='il_crs_non_member'";
1128 $res = $ilDB->query($query);
1129 while ($row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
1130 $course_non_member_id = $row->obj_id;
1131 }
1132 }
1133 $template_id = $course_non_member_id;
1134 break;
1135 }
1136
1137 $current_ops = $a_current_ops[$a_type];
1138
1139 // Create intersection template permissions
1140 if ($template_id) {
1141 //$rolf = $rbacreview->getRoleFolderIdOfObject($a_id);
1142
1143 $rbacadmin->copyRolePermissionIntersection(
1144 $template_id,
1145 ROLE_FOLDER_ID,
1146 $this->getId(),
1147 end($policy_stack),
1148 $a_id,
1149 $this->getId()
1150 );
1151 } else {
1152 #echo "No template id for ".$a_id.' of type'.$a_type.'<br>';
1153 }
1154 #echo "ROLE ASSIGN: ".$rolf.' AID'.$a_id;
1155 if ($a_id and !$GLOBALS['DIC']['rbacreview']->isRoleAssignedToObject($this->getId(), $a_id)) {
1156 $rbacadmin->assignRoleToFolder($this->getId(), $a_id, "n");
1157 }
1158 return true;
1159 }
1160} // END class.ilObjRole
$users
$users
Definition: authpage.php:44
php
An exception for terminatinating execution or to throw for unit testing.
GRP_TYPE_OPEN
const GRP_TYPE_OPEN
Definition: class.ilObjGroup.php:20
GRP_TYPE_CLOSED
const GRP_TYPE_CLOSED
Definition: class.ilObjGroup.php:19
ilECSSetting\ecsConfigured
static ecsConfigured()
Checks if an ecs server is configured.
Definition: class.ilECSSetting.php:131
ilECSUtils\getPossibleRemoteTypes
static getPossibleRemoteTypes($a_with_captions=false)
Get all possible remote object types.
Definition: class.ilECSUtils.php:102
ilLoggerFactory\getLogger
static getLogger($a_component_id)
Get component logger.
Definition: class.ilLoggerFactory.php:74
ilObjGroup\lookupGroupTye
static lookupGroupTye($a_id)
Lookup group type.
Definition: class.ilObjGroup.php:131
ilObjRole
Class ilObjRole.
Definition: class.ilObjRole.php:17
ilObjRole\setAllowRegister
setAllowRegister($a_allow_register)
set allow_register of role
Definition: class.ilObjRole.php:268
ilObjRole\MODE_UNPROTECTED_KEEP_LOCAL_POLICIES
const MODE_UNPROTECTED_KEEP_LOCAL_POLICIES
Definition: class.ilObjRole.php:21
ilObjRole\MODE_PROTECTED_DELETE_LOCAL_POLICIES
const MODE_PROTECTED_DELETE_LOCAL_POLICIES
Definition: class.ilObjRole.php:18
ilObjRole\createPermissionIntersection
createPermissionIntersection($policy_stack, $a_current_ops, $a_id, $a_type)
Create course group permission intersection.
Definition: class.ilObjRole.php:1077
ilObjRole\MODE_UNPROTECTED_DELETE_LOCAL_POLICIES
const MODE_UNPROTECTED_DELETE_LOCAL_POLICIES
Definition: class.ilObjRole.php:20
ilObjRole\changeExistingObjectsGrantPermissions
changeExistingObjectsGrantPermissions($a_role_id, $a_permissions, $a_ref_id, $a_operation_mode)
Definition: class.ilObjRole.php:927
ilObjRole\__getPermissionDefinitions
__getPermissionDefinitions()
Definition: class.ilObjRole.php:661
ilObjRole\create
create()
create
Definition: class.ilObjRole.php:240
ilObjRole\updatePolicyStack
updatePolicyStack(&$a_stack, $a_node)
Update policy stack.
Definition: class.ilObjRole.php:1045
ilObjRole\_getRolesByAuthMode
static _getRolesByAuthMode($a_auth_mode)
Get roles by auth mode.
Definition: class.ilObjRole.php:625
ilObjRole\getPersonalWorkspaceDiskQuota
getPersonalWorkspaceDiskQuota()
Gets the minimal personal workspace disk quota imposed by this role.
Definition: class.ilObjRole.php:338
ilObjRole\_lookupAllowRegister
static _lookupAllowRegister($a_role_id)
check whether role is allowed in user registration or not
Definition: class.ilObjRole.php:376
ilObjRole\isHandledObjectType
isHandledObjectType($a_filter, $a_exclusion_filter, $a_type)
Check if type is filterer.
Definition: class.ilObjRole.php:983
ilObjRole\setParent
setParent($a_parent_ref)
set reference id of parent object this is neccessary for non RBAC protected objects!...
Definition: class.ilObjRole.php:401
ilObjRole\_getAuthMode
static _getAuthMode($a_role_id)
Definition: class.ilObjRole.php:604
ilObjRole\getAllowRegister
getAllowRegister()
get allow_register
Definition: class.ilObjRole.php:283
ilObjRole\MODE_REMOVE_OPERATIONS
const MODE_REMOVE_OPERATIONS
Definition: class.ilObjRole.php:25
ilObjRole\deleteLocalPolicies
deleteLocalPolicies($a_start, $a_policies, $a_filter)
Delete local policies.
Definition: class.ilObjRole.php:748
ilObjRole\_getTranslation
static _getTranslation($a_role_title)
Definition: class.ilObjRole.php:518
ilObjRole\updateOperationStack
updateOperationStack(&$a_stack, $a_node, $a_init=false)
Update operation stack.
Definition: class.ilObjRole.php:1001
ilObjRole\update
update()
updates a record "role" and write it into database @access public
Definition: class.ilObjRole.php:212
ilObjRole\MODE_PROTECTED_KEEP_LOCAL_POLICIES
const MODE_PROTECTED_KEEP_LOCAL_POLICIES
Definition: class.ilObjRole.php:19
ilObjRole\adjustPermissions
adjustPermissions($a_mode, $a_nodes, $a_policies, $a_filter, $a_exclusion_filter=array(), $a_operation_mode=self::MODE_READ_OPERATIONS, $a_operation_stack=[])
Adjust permissions.
Definition: class.ilObjRole.php:778
ilObjRole\_removeObjectId
static _removeObjectId($a_role_title)
Definition: class.ilObjRole.php:533
ilObjRole\read
read()
loads "role" from database @access private
Definition: class.ilObjRole.php:172
ilObjRole\$disk_quota
$disk_quota
The disk quota in bytes.
Definition: class.ilObjRole.php:45
ilObjRole\isAutoGenerated
static isAutoGenerated($a_role_id)
Definition: class.ilObjRole.php:695
ilObjRole\getDiskQuota
getDiskQuota()
Gets the minimal disk quota imposed by this role.
Definition: class.ilObjRole.php:310
ilObjRole\toggleAssignUsersStatus
toggleAssignUsersStatus($a_assign_users)
Definition: class.ilObjRole.php:145
ilObjRole\_resetAuthMode
static _resetAuthMode($a_auth_mode)
Reset auth mode to default.
Definition: class.ilObjRole.php:649
ilObjRole\_getAssignUsersStatus
static _getAssignUsersStatus($a_role_id)
Definition: class.ilObjRole.php:154
ilObjRole\_lookupRegisterAllowed
static _lookupRegisterAllowed()
get all roles that are activated in user registration
Definition: class.ilObjRole.php:349
ilObjRole\MODE_ADD_OPERATIONS
const MODE_ADD_OPERATIONS
Definition: class.ilObjRole.php:23
ilObjRole\getPresentationTitle
getPresentationTitle()
return translated title for autogenerated roles
Definition: class.ilObjRole.php:140
ilObjRole\_updateAuthMode
static _updateAuthMode($a_roles)
Definition: class.ilObjRole.php:590
ilObjRole\validate
validate()
Validate role data.
Definition: class.ilObjRole.php:123
ilObjRole\MODE_READ_OPERATIONS
const MODE_READ_OPERATIONS
Definition: class.ilObjRole.php:24
ilObjRole\__construct
__construct($a_id=0, $a_call_by_reference=false)
Constructor @access public.
Definition: class.ilObjRole.php:53
ilObjRole\assignData
assignData($a_data)
loads a record "role" from array @access public
Definition: class.ilObjRole.php:198
ilObjRole\setDiskQuota
setDiskQuota($a_disk_quota)
Sets the minimal disk quota imposed by this role.
Definition: class.ilObjRole.php:296
ilObjRole\getParent
getParent()
get reference id of parent object
Definition: class.ilObjRole.php:412
ilObjRole\createDefaultRole
static createDefaultRole($a_title, $a_description, $a_tpl_name, $a_ref_id)
Definition: class.ilObjRole.php:72
ilObjRole\setPersonalWorkspaceDiskQuota
setPersonalWorkspaceDiskQuota($a_disk_quota)
Sets the minimal personal workspace disk quota imposed by this role.
Definition: class.ilObjRole.php:324
ilObjRole\changeExistingObjects
changeExistingObjects($a_start_node, $a_mode, $a_filter, $a_exclusion_filter=array(), $a_operation_mode=self::MODE_READ_OPERATIONS, $a_operation_stack=[])
Change existing objects.
Definition: class.ilObjRole.php:707
ilObjUser\_lookupLogin
static _lookupLogin($a_user_id)
lookup login
Definition: class.ilObjUser.php:811
ilObjectPlugin\lookupTxtById
static lookupTxtById($plugin_id, $lang_var)
Definition: class.ilObjectPlugin.php:99
ilObject
Class ilObject Basic functions for all objects.
Definition: class.ilObject.php:14
ilObject\_lookupObjId
static _lookupObjId($a_id)
Definition: class.ilObject.php:1107
ilObject\_lookupTitle
static _lookupTitle($a_id)
lookup object title
Definition: class.ilObject.php:988
ilObject\setTitle
setTitle($a_title)
set object title
Definition: class.ilObject.php:418
ilObject\setDescription
setDescription($a_desc)
set object description
Definition: class.ilObject.php:443
ilObject\getId
getId()
get object id @access public
Definition: class.ilObject.php:320
ilObject\_lookupType
static _lookupType($a_id, $a_reference=false)
lookup object type
Definition: class.ilObject.php:1275
ilObject\getTitle
getTitle()
get object title @access public
Definition: class.ilObject.php:396
ilRbacLog\diffFaPa
static diffFaPa(array $a_old, array $a_new)
Definition: class.ilRbacLog.php:69
ilRbacLog\add
static add($a_action, $a_ref_id, array $a_diff, $a_source_ref_id=false)
Definition: class.ilRbacLog.php:137
ilRbacLog\EDIT_TEMPLATE_EXISTING
const EDIT_TEMPLATE_EXISTING
Definition: class.ilRbacLog.php:22
ilRbacLog\gatherFaPa
static gatherFaPa($a_ref_id, array $a_role_ids, $a_add_action=false)
Definition: class.ilRbacLog.php:35
ilRbacLog\isActive
static isActive()
Definition: class.ilRbacLog.php:25
ilTree\RELATION_EQUALS
const RELATION_EQUALS
Definition: class.ilTree.php:33
ilTree\RELATION_PARENT
const RELATION_PARENT
Definition: class.ilTree.php:31
ilTree\RELATION_NONE
const RELATION_NONE
Definition: class.ilTree.php:34
ilTree\RELATION_SIBLING
const RELATION_SIBLING
Definition: class.ilTree.php:32
ilTree\RELATION_CHILD
const RELATION_CHILD
Definition: class.ilTree.php:30
ilUtil\sortArray
static sortArray( $array, $a_array_sortby, $a_array_sortorder=0, $a_numeric=false, $a_keep_keys=false)
sortArray
Definition: class.ilUtil.php:3072
ilUtil\stripSlashes
static stripSlashes($a_str, $a_strip_html=true, $a_allow="")
strip slashes if magic qoutes is enabled
Definition: class.ilUtil.php:2406
$def
$def
Definition: croninfo.php:21
$txt
$txt
Definition: error.php:11
$info
$info
Definition: index.php:5
$row
$row
Definition: migrateto20.php:360
$GLOBALS
$GLOBALS['JPEG_Segment_Names']
Global Variable: XMP_tag_captions.
Definition: module.tag.xmp.php:702
League\Flysystem\Adapter\Polyfill\update
update($pash, $contents, Config $config)
ilias
redirection script todo: (a better solution should control the processing via a xml file)
$query
$query
Definition: proxy_ylocal.php:13
$ilErr
$ilErr
Definition: raiseError.php:18
$DIC
global $DIC
Definition: saml.php:7
$res
foreach($_POST as $key=> $value) $res
Definition: save_question_post_data.php:15
$ilDB
global $ilDB
Definition: storeScorm2004.php:19
$data
$data
Definition: bench.php:6
$a_type
$a_type
Definition: workflow.php:92
$template_id
$template_id
Definition: logout-iframe.php:118