ILIAS  release_5-4 Revision v5.4.26-12-gabc799a52e6
class.ilObjRole.php
Go to the documentation of this file.
1 <?php
2 
3 /* Copyright (c) 1998-2010 ILIAS open source, Extended GPL, see docs/LICENSE */
4 
5 require_once "./Services/Object/classes/class.ilObject.php";
6 require_once('./Services/Repository/classes/class.ilObjectPlugin.php');
7 
16 class ilObjRole extends ilObject
17 {
18  const MODE_PROTECTED_DELETE_LOCAL_POLICIES = 1;
19  const MODE_PROTECTED_KEEP_LOCAL_POLICIES = 2;
20  const MODE_UNPROTECTED_DELETE_LOCAL_POLICIES = 3;
21  const MODE_UNPROTECTED_KEEP_LOCAL_POLICIES = 4;
22 
23  const MODE_ADD_OPERATIONS = 1;
24  const MODE_READ_OPERATIONS = 2;
25  const MODE_REMOVE_OPERATIONS = 3;
26 
30  private $logger = null;
31 
39  public $parent;
40 
41  public $allow_register;
42  public $assign_users;
43 
45  public $disk_quota;
46  public $wsp_disk_quota;
53  public function __construct($a_id = 0, $a_call_by_reference = false)
54  {
55  global $DIC;
56 
57  $this->logger = $DIC->logger()->ac();
58  $this->type = "role";
59  $this->disk_quota = 0;
60  $this->wsp_disk_quota = 0;
61  parent::__construct($a_id, $a_call_by_reference);
62  }
63 
72  public static function createDefaultRole($a_title, $a_description, $a_tpl_name, $a_ref_id)
73  {
74  global $DIC;
75 
76  $ilDB = $DIC['ilDB'];
77 
78  // SET PERMISSION TEMPLATE OF NEW LOCAL CONTRIBUTOR ROLE
79  $res = $ilDB->query("SELECT obj_id FROM object_data " .
80  " WHERE type=" . $ilDB->quote("rolt", "text") .
81  " AND title=" . $ilDB->quote($a_tpl_name, "text"));
82  while ($row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
83  $tpl_id = $row->obj_id;
84  }
85 
86  if (!$tpl_id) {
87  return null;
88  }
89 
90  include_once './Services/AccessControl/classes/class.ilObjRole.php';
91  $role = new ilObjRole();
92  $role->setTitle($a_title);
93  $role->setDescription($a_description);
94  $role->create();
95 
96  $GLOBALS['DIC']['rbacadmin']->assignRoleToFolder($role->getId(), $a_ref_id, 'y');
97 
98  $GLOBALS['DIC']['rbacadmin']->copyRoleTemplatePermissions(
99  $tpl_id,
100  ROLE_FOLDER_ID,
101  $a_ref_id,
102  $role->getId()
103  );
104 
105  $ops = $GLOBALS['DIC']['rbacreview']->getOperationsOfRole(
106  $role->getId(),
107  ilObject::_lookupType($a_ref_id, true),
108  $a_ref_id
109  );
110  $GLOBALS['DIC']['rbacadmin']->grantPermission(
111  $role->getId(),
112  $ops,
113  $a_ref_id
114  );
115  return $role;
116  }
117 
118 
123  public function validate()
124  {
125  global $DIC;
126 
127  $ilErr = $DIC['ilErr'];
128 
129  if (substr($this->getTitle(), 0, 3) == 'il_') {
130  $ilErr->setMessage('msg_role_reserved_prefix');
131  return false;
132  }
133  return true;
134  }
135 
140  public function getPresentationTitle()
141  {
142  return ilObjRole::_getTranslation($this->getTitle());
143  }
144 
145  public function toggleAssignUsersStatus($a_assign_users)
146  {
147  $this->assign_users = (int) $a_assign_users;
148  }
149  public function getAssignUsersStatus()
150  {
151  return $this->assign_users ? $this->assign_users : 0;
152  }
153  // Same method (static)
154  public static function _getAssignUsersStatus($a_role_id)
155  {
156  global $DIC;
157 
158  $ilDB = $DIC['ilDB'];
159 
160  $query = "SELECT assign_users FROM role_data WHERE role_id = " . $ilDB->quote($a_role_id, 'integer') . " ";
161  $res = $ilDB->query($query);
162  while ($row = $ilDB->fetchObject($res)) {
163  return $row->assign_users ? true : false;
164  }
165  return false;
166  }
167 
172  public function read()
173  {
174  global $DIC;
175 
176  $ilDB = $DIC['ilDB'];
177 
178  $query = "SELECT * FROM role_data WHERE role_id= " . $ilDB->quote($this->id, 'integer') . " ";
179 
180  $res = $ilDB->query($query);
181  if ($res->numRows() > 0) {
182  $data = $ilDB->fetchAssoc($res);
183 
184  // fill member vars in one shot
185  $this->assignData($data);
186  } else {
187  $this->ilias->raiseError("<b>Error: There is no dataset with id " . $this->id . "!</b><br />class: " . get_class($this) . "<br />Script: " . __FILE__ . "<br />Line: " . __LINE__, $this->ilias->FATAL);
188  }
189 
190  parent::read();
191  }
192 
198  public function assignData($a_data)
199  {
200  $this->setTitle(ilUtil::stripSlashes($a_data["title"]));
201  $this->setDescription(ilUtil::stripslashes($a_data["desc"]));
202  $this->setAllowRegister($a_data["allow_register"]);
203  $this->toggleAssignUsersStatus($a_data['assign_users']);
204  $this->setDiskQuota($a_data['disk_quota']);
205  $this->setPersonalWorkspaceDiskQuota($a_data['wsp_disk_quota']);
206  }
207 
212  public function update()
213  {
214  global $DIC;
215 
216  $ilDB = $DIC['ilDB'];
217 
218  $query = "UPDATE role_data SET " .
219  "allow_register= " . $ilDB->quote($this->allow_register, 'integer') . ", " .
220  "assign_users = " . $ilDB->quote($this->getAssignUsersStatus(), 'integer') . ", " .
221  "disk_quota = " . $ilDB->quote($this->getDiskQuota(), 'integer') . ", " .
222  "wsp_disk_quota = " . $ilDB->quote($this->getPersonalWorkspaceDiskQuota(), 'integer') . " " .
223  "WHERE role_id= " . $ilDB->quote($this->id, 'integer') . " ";
224  $res = $ilDB->manipulate($query);
225 
226  parent::update();
227 
228  $this->read();
229 
230  return true;
231  }
232 
240  public function create()
241  {
242  global $DIC;
243 
244  $ilDB = $DIC['ilDB'];
245 
246  $this->id = parent::create();
247 
248  $query = "INSERT INTO role_data " .
249  "(role_id,allow_register,assign_users,disk_quota,wsp_disk_quota) " .
250  "VALUES " .
251  "(" . $ilDB->quote($this->id, 'integer') . "," .
252  $ilDB->quote($this->getAllowRegister(), 'integer') . "," .
253  $ilDB->quote($this->getAssignUsersStatus(), 'integer') . "," .
254  $ilDB->quote($this->getDiskQuota(), 'integer') . "," .
255  $ilDB->quote($this->getPersonalWorkspaceDiskQuota(), 'integer') . ")"
256  ;
257  $res = $ilDB->query($query);
258 
259  return $this->id;
260  }
261 
268  public function setAllowRegister($a_allow_register)
269  {
270  if (empty($a_allow_register)) {
271  $a_allow_register == 0;
272  }
273 
274  $this->allow_register = (int) $a_allow_register;
275  }
276 
283  public function getAllowRegister()
284  {
285  return $this->allow_register ? $this->allow_register : false;
286  }
287 
296  public function setDiskQuota($a_disk_quota)
297  {
298  $this->disk_quota = $a_disk_quota;
299  }
300 
310  public function getDiskQuota()
311  {
312  return $this->disk_quota;
313  }
314 
315 
324  public function setPersonalWorkspaceDiskQuota($a_disk_quota)
325  {
326  $this->wsp_disk_quota = $a_disk_quota;
327  }
328 
338  public function getPersonalWorkspaceDiskQuota()
339  {
340  return $this->wsp_disk_quota;
341  }
342 
349  public static function _lookupRegisterAllowed()
350  {
351  global $DIC;
352 
353  $ilDB = $DIC['ilDB'];
354 
355  $query = "SELECT * FROM role_data " .
356  "JOIN object_data ON object_data.obj_id = role_data.role_id " .
357  "WHERE allow_register = 1";
358  $res = $ilDB->query($query);
359 
360  $roles = array();
361  while ($role = $ilDB->fetchAssoc($res)) {
362  $roles[] = array("id" => $role["obj_id"],
363  "title" => $role["title"],
364  "auth_mode" => $role['auth_mode']);
365  }
366 
367  return $roles;
368  }
369 
376  public static function _lookupAllowRegister($a_role_id)
377  {
378  global $DIC;
379 
380  $ilDB = $DIC['ilDB'];
381 
382  $query = "SELECT * FROM role_data " .
383  " WHERE role_id =" . $ilDB->quote($a_role_id, 'integer');
384 
385  $res = $ilDB->query($query);
386  if ($role_rec = $ilDB->fetchAssoc($res)) {
387  if ($role_rec["allow_register"]) {
388  return true;
389  }
390  }
391  return false;
392  }
393 
401  public function setParent($a_parent_ref)
402  {
403  $this->parent = $a_parent_ref;
404  }
405 
412  public function getParent()
413  {
414  return $this->parent;
415  }
416 
417 
424  public function delete()
425  {
426  global $DIC;
427 
428  $rbacadmin = $DIC['rbacadmin'];
429  $rbacreview = $DIC['rbacreview'];
430  $ilDB = $DIC['ilDB'];
431 
432  // Temporary bugfix
433  if ($rbacreview->hasMultipleAssignments($this->getId())) {
434  ilLoggerFactory::getLogger('ac')->warning('Found role with multiple assignments: role_id: ' . $this->getId());
435  ilLoggerFactory::getLogger('ac')->warning('Aborted deletion of role.');
436  return false;
437  }
438 
439  if ($rbacreview->isAssignable($this->getId(), $this->getParent())) {
440  ilLoggerFactory::getLogger('ac')->debug('Handling assignable role...');
441  // do not delete a global role, if the role is the last
442  // role a user is assigned to.
443  //
444  // Performance improvement: In the code section below, we
445  // only need to consider _global_ roles. We don't need
446  // to check for _local_ roles, because a user who has
447  // a local role _always_ has a global role too.
448  $last_role_user_ids = array();
449  if ($this->getParent() == ROLE_FOLDER_ID) {
450  ilLoggerFactory::getLogger('ac')->debug('Handling global role...');
451  // The role is a global role: check if
452  // we find users who aren't assigned to any
453  // other global role than this one.
454  $user_ids = $rbacreview->assignedUsers($this->getId());
455 
456  foreach ($user_ids as $user_id) {
457  // get all roles each user has
458  $role_ids = $rbacreview->assignedRoles($user_id);
459 
460  // is last role?
461  if (count($role_ids) == 1) {
462  $last_role_user_ids[] = $user_id;
463  }
464  }
465  }
466 
467  // users with last role found?
468  if (count($last_role_user_ids) > 0) {
469  $user_names = array();
470  foreach ($last_role_user_ids as $user_id) {
471  // GET OBJECT TITLE
472  $user_names[] = ilObjUser::_lookupLogin($user_id);
473  }
474 
475  // TODO: This check must be done in rolefolder object because if multiple
476  // roles were selected the other roles are still deleted and the system does not
477  // give any feedback about this.
478  $users = implode(', ', $user_names);
479  ilLoggerFactory::getLogger('ac')->info('Cannot delete last global role of users.');
480  $this->ilias->raiseError($this->lng->txt("msg_user_last_role1") . " " .
481  $users . "<br/>" . $this->lng->txt("msg_user_last_role2"), $this->ilias->error_obj->WARNING);
482  } else {
483  ilLoggerFactory::getLogger('ac')->debug('Starting deletion of assignable role: role_id: ' . $this->getId());
484  $rbacadmin->deleteRole($this->getId(), $this->getParent());
485 
486  // Delete ldap role group mappings
487  include_once('./Services/LDAP/classes/class.ilLDAPRoleGroupMappingSettings.php');
488  ilLDAPRoleGroupMappingSettings::_deleteByRole($this->getId());
489 
490  // delete object_data entry
491  parent::delete();
492 
493  // delete role_data entry
494  $query = "DELETE FROM role_data WHERE role_id = " . $ilDB->quote($this->getId(), 'integer');
495  $res = $ilDB->manipulate($query);
496 
497  include_once 'Services/AccessControl/classes/class.ilRoleDesktopItem.php';
498  $role_desk_item_obj = new ilRoleDesktopItem($this->getId());
499  $role_desk_item_obj->deleteAll();
500  }
501  } else {
502  ilLoggerFactory::getLogger('ac')->debug('Starting deletion of linked role: role_id ' . $this->getId());
503  // linked local role: INHERITANCE WAS STOPPED, SO DELETE ONLY THIS LOCAL ROLE
504  $rbacadmin->deleteLocalRole($this->getId(), $this->getParent());
505  }
506  return true;
507  }
508 
509  public function getCountMembers()
510  {
511  global $DIC;
512 
513  $rbacreview = $DIC['rbacreview'];
514 
515  return count($rbacreview->assignedUsers($this->getId()));
516  }
517 
518  public static function _getTranslation($a_role_title)
519  {
520  global $DIC;
521 
522  $lng = $DIC['lng'];
523 
524  $role_title = self::_removeObjectId($a_role_title);
525 
526  if (preg_match("/^il_./", $role_title)) {
527  return $lng->txt($role_title);
528  }
529 
530  return $a_role_title;
531  }
532 
533  public static function _removeObjectId($a_role_title)
534  {
535  $role_title_parts = explode('_', $a_role_title);
536 
537  $test2 = (int) $role_title_parts[3];
538  if ($test2 > 0) {
539  unset($role_title_parts[3]);
540  }
541 
542  return implode('_', $role_title_parts);
543  }
544 
552  public static function getSubObjects($a_obj_type, $a_add_admin_objects)
553  {
554  global $DIC;
558  $objDefinition = $DIC['objDefinition'];
559  $lng = $DIC->language();
560  $subs = $objDefinition->getSubObjectsRecursively($a_obj_type, true, $a_add_admin_objects);
561 
562  $filter = array();
563  $sorted = array();
564 
565  if (!ilECSSetting::ecsConfigured()) {
566  $filter = array_merge($filter, ilECSUtils::getPossibleRemoteTypes(false));
567  $filter[] = 'rtst';
568  }
569 
570  foreach ($subs as $subtype => $def) {
571  if (in_array($def["name"], $filter)) {
572  continue;
573  }
574 
575  if ($objDefinition->isPlugin($subtype)) {
576  $translation = ilObjectPlugin::lookupTxtById($subtype, "obj_" . $subtype);
577  } elseif ($objDefinition->isSystemObject($subtype)) {
578  $translation = $lng->txt("obj_" . $subtype);
579  } else {
580  $translation = $lng->txt('objs_' . $subtype);
581  }
582 
583  $sorted[$subtype] = $def;
584  $sorted[$subtype]['translation'] = $translation;
585  }
586 
587  return ilUtil::sortArray($sorted, 'translation', 'asc', true, true);
588  }
589 
590  public static function _updateAuthMode($a_roles)
591  {
592  global $DIC;
593 
594  $ilDB = $DIC['ilDB'];
595 
596  foreach ($a_roles as $role_id => $auth_mode) {
597  $query = "UPDATE role_data SET " .
598  "auth_mode= " . $ilDB->quote($auth_mode, 'text') . " " .
599  "WHERE role_id= " . $ilDB->quote($role_id, 'integer') . " ";
600  $res = $ilDB->manipulate($query);
601  }
602  }
603 
604  public static function _getAuthMode($a_role_id)
605  {
606  global $DIC;
607 
608  $ilDB = $DIC['ilDB'];
609 
610  $query = "SELECT auth_mode FROM role_data " .
611  "WHERE role_id= " . $ilDB->quote($a_role_id, 'integer') . " ";
612  $res = $ilDB->query($query);
613  $row = $ilDB->fetchAssoc($res);
614 
615  return $row['auth_mode'];
616  }
617 
625  public static function _getRolesByAuthMode($a_auth_mode)
626  {
627  global $DIC;
628 
629  $ilDB = $DIC['ilDB'];
630 
631  $query = "SELECT * FROM role_data " .
632  "WHERE auth_mode = " . $ilDB->quote($a_auth_mode, 'text');
633  $res = $ilDB->query($query);
634  $roles = array();
635  while ($row = $ilDB->fetchObject($res)) {
636  $roles[] = $row->role_id;
637  }
638  return $roles;
639  }
640 
649  public static function _resetAuthMode($a_auth_mode)
650  {
651  global $DIC;
652 
653  $ilDB = $DIC['ilDB'];
654 
655  $query = "UPDATE role_data SET auth_mode = 'default' WHERE auth_mode = " . $ilDB->quote($a_auth_mode, 'text');
656  $res = $ilDB->manipulate($query);
657  }
658 
659  // returns array of operation/objecttype definitions
660  // private
661  public function __getPermissionDefinitions()
662  {
663  global $DIC;
664 
665  $ilDB = $DIC['ilDB'];
666  $lng = $DIC['lng'];
667  $objDefinition = $DIC['objDefinition'];
668  $rbacreview = $DIC['rbacreview'];
669 
670  $operation_info = $rbacreview->getOperationAssignment();
671  foreach ($operation_info as $info) {
672  if ($objDefinition->getDevMode($info['type'])) {
673  continue;
674  }
675  $rbac_objects[$info['typ_id']] = array("obj_id" => $info['typ_id'],
676  "type" => $info['type']);
677 
678  // handle plugin permission texts
679  $txt = $objDefinition->isPlugin($info['type'])
680  ? ilObjectPlugin::lookupTxtById($info['type'], $info['type'] . "_" . $info['operation'])
681  : $lng->txt($info['type'] . "_" . $info['operation']);
682  if (substr($info['operation'], 0, 7) == "create_" &&
683  $objDefinition->isPlugin(substr($info['operation'], 7))) {
684  $txt = ilObjectPlugin::lookupTxtById(substr($info['operation'], 7), $info['type'] . "_" . $info['operation']);
685  }
686  $rbac_operations[$info['typ_id']][$info['ops_id']] = array(
687  "ops_id" => $info['ops_id'],
688  "title" => $info['operation'],
689  "name" => $txt);
690  }
691  return array($rbac_objects,$rbac_operations);
692  }
693 
694 
695  public static function isAutoGenerated($a_role_id)
696  {
697  return substr(ilObject::_lookupTitle($a_role_id), 0, 3) == 'il_';
698  }
699 
707  public function changeExistingObjects($a_start_node, $a_mode, $a_filter, $a_exclusion_filter = array(),$a_operation_mode = self::MODE_READ_OPERATIONS, $a_operation_stack = [])
708  {
709  global $DIC;
710 
711  $tree = $DIC->repositoryTree();
712  $rbacreview = $DIC->rbac()->review();
713 
714  // Get node info of subtree
715  $nodes = $tree->getRbacSubtreeInfo($a_start_node);
716 
717  // get local policies
718  $all_local_policies = $rbacreview->getObjectsWithStopedInheritance($this->getId());
719 
720  // filter relevant roles
721  $local_policies = array();
722  foreach ($all_local_policies as $lp) {
723  if (isset($nodes[$lp])) {
724  $local_policies[] = $lp;
725  }
726  }
727 
728  // Delete deprecated policies
729  switch ($a_mode) {
730  case self::MODE_UNPROTECTED_DELETE_LOCAL_POLICIES:
731  case self::MODE_PROTECTED_DELETE_LOCAL_POLICIES:
732  $local_policies = $this->deleteLocalPolicies($a_start_node, $local_policies, $a_filter);
733  #$local_policies = array($a_start_node == ROOT_FOLDER_ID ? SYSTEM_FOLDER_ID : $a_start_node);
734  break;
735  }
736  $this->adjustPermissions($a_mode, $nodes, $local_policies, $a_filter, $a_exclusion_filter, $a_operation_mode, $a_operation_stack);
737 
738 
739  #var_dump(memory_get_peak_usage());
740  #var_dump(memory_get_usage());
741  }
742 
748  protected function deleteLocalPolicies($a_start, $a_policies, $a_filter)
749  {
750  global $DIC;
751 
752  $rbacreview = $DIC['rbacreview'];
753  $rbacadmin = $DIC['rbacadmin'];
754 
755  $local_policies = array();
756  foreach ($a_policies as $policy) {
757  if ($policy == $a_start or $policy == SYSTEM_FOLDER_ID) {
758  $local_policies[] = $policy;
759  continue;
760  }
761  if (!in_array('all', $a_filter) and !in_array(ilObject::_lookupType(ilObject::_lookupObjId($policy)), $a_filter)) {
762  $local_policies[] = $policy;
763  continue;
764  }
765  $rbacadmin->deleteLocalRole($this->getId(), $policy);
766  }
767  return $local_policies;
768  }
769 
778  protected function adjustPermissions($a_mode, $a_nodes, $a_policies, $a_filter, $a_exclusion_filter = array(), $a_operation_mode = self::MODE_READ_OPERATIONS, $a_operation_stack = [])
779  {
780  global $DIC;
781 
782  $rbacadmin = $DIC['rbacadmin'];
783  $rbacreview = $DIC['rbacreview'];
784  $tree = $DIC['tree'];
785 
786  $operation_stack = array();
787  $policy_stack = array();
788  $node_stack = array();
789 
790  $start_node = current($a_nodes);
791  array_push($node_stack, $start_node);
792  $this->updatePolicyStack($policy_stack, $start_node['child']);
793 
794  if ($a_operation_mode == self::MODE_READ_OPERATIONS) {
795  $this->updateOperationStack($operation_stack, $start_node['child'], true);
796  }
797  else {
798  $operation_stack = $a_operation_stack;
799  }
800 
801  $this->logger->debug('adjust permissions operation stack');
802  $this->logger->dump($operation_stack);
803 
804  include_once "Services/AccessControl/classes/class.ilRbacLog.php";
805  $rbac_log_active = ilRbacLog::isActive();
806 
807  $local_policy = false;
808  foreach ($a_nodes as $node) {
809  $cmp_node = end($node_stack);
810  while ($relation = $tree->getRelationOfNodes($node, $cmp_node)) {
811  switch ($relation) {
812  case ilTree::RELATION_NONE:
813  case ilTree::RELATION_SIBLING:
814  $GLOBALS['DIC']['ilLog']->write(__METHOD__ . ': Handling sibling/none relation.');
815  array_pop($operation_stack);
816  array_pop($policy_stack);
817  array_pop($node_stack);
818  $cmp_node = end($node_stack);
819  $local_policy = false;
820  break;
821 
822  case ilTree::RELATION_CHILD:
823  case ilTree::RELATION_EQUALS:
824  case ilTree::RELATION_PARENT:
825  default:
826  $GLOBALS['DIC']['ilLog']->write(__METHOD__ . ': Handling child/equals/parent ' . $relation);
827  break 2;
828  }
829  }
830 
831  if ($local_policy) {
832  continue;
833  }
834 
835  // Start node => set permissions and continue
836  if ($node['child'] == $start_node['child']) {
837  if ($this->isHandledObjectType($a_filter, $a_exclusion_filter, $node['type'])) {
838  if ($rbac_log_active) {
839  $rbac_log_roles = $rbacreview->getParentRoleIds($node['child'], false);
840  $rbac_log_old = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
841  }
842 
843  // Set permissions
844  $perms = end($operation_stack);
845  $this->changeExistingObjectsGrantPermissions(
846  $this->getId(),
847  (array) $perms[$node['type']],
848  $node['child'],
849  $a_operation_mode
850  );
851 
852  if ($rbac_log_active) {
853  $rbac_log_new = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
854  $rbac_log = ilRbacLog::diffFaPa($rbac_log_old, $rbac_log_new);
855  ilRbacLog::add(ilRbacLog::EDIT_TEMPLATE_EXISTING, $node['child'], $rbac_log);
856  }
857  }
858  continue;
859  }
860 
861  // Node has local policies => update permission stack and continue
862  if (in_array($node['child'], $a_policies) and ($node['child'] != SYSTEM_FOLDER_ID)) {
863  $local_policy = true;
864  $this->updatePolicyStack($policy_stack, $node['child']);
865  $this->updateOperationStack($operation_stack, $node['child']);
866  array_push($node_stack, $node);
867  continue;
868  }
869 
870  // Continue if this object type is not in filter
871  if (!$this->isHandledObjectType($a_filter, $a_exclusion_filter, $node['type'])) {
872  continue;
873  }
874 
875  if ($rbac_log_active) {
876  $rbac_log_roles = $rbacreview->getParentRoleIds($node['child'], false);
877  $rbac_log_old = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
878  }
879 
880  // Node is course => create course permission intersection
881  if (($a_mode == self::MODE_UNPROTECTED_DELETE_LOCAL_POLICIES or
882  $a_mode == self::MODE_UNPROTECTED_KEEP_LOCAL_POLICIES) and ($node['type'] == 'crs')) {
883  // Copy role permission intersection
884  $perms = end($operation_stack);
885  $this->createPermissionIntersection($policy_stack, $perms['crs'], $node['child'], $node['type']);
886  if ($this->updateOperationStack($operation_stack, $node['child'])) {
887  $this->updatePolicyStack($policy_stack, $node['child']);
888  array_push($node_stack, $node);
889  }
890  }
891 
892  // Node is group => create group permission intersection
893  if (($a_mode == self::MODE_UNPROTECTED_DELETE_LOCAL_POLICIES or
894  $a_mode == self::MODE_UNPROTECTED_KEEP_LOCAL_POLICIES) and ($node['type'] == 'grp')) {
895  // Copy role permission intersection
896  $perms = end($operation_stack);
897  $this->createPermissionIntersection($policy_stack, $perms['grp'], $node['child'], $node['type']);
898  if ($this->updateOperationStack($operation_stack, $node['child'])) {
899  $this->updatePolicyStack($policy_stack, $node['child']);
900  array_push($node_stack, $node);
901  }
902  }
903 
904  // Set permission
905  $perms = end($operation_stack);
906 
907  $this->changeExistingObjectsGrantPermissions(
908  $this->getId(),
909  (array) $perms[$node['type']],
910  $node['child'],
911  $a_operation_mode
912  );
913  if ($rbac_log_active) {
914  $rbac_log_new = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
915  $rbac_log = ilRbacLog::diffFaPa($rbac_log_old, $rbac_log_new);
916  ilRbacLog::add(ilRbacLog::EDIT_TEMPLATE_EXISTING, $node['child'], $rbac_log);
917  }
918  }
919  }
920 
927  protected function changeExistingObjectsGrantPermissions($a_role_id, $a_permissions, $a_ref_id, $a_operation_mode)
928  {
929  global $DIC;
930 
931  $admin = $DIC->rbac()->admin();
932  $review = $DIC->rbac()->review();
933  if ($a_operation_mode == self::MODE_READ_OPERATIONS) {
934  $admin->grantPermission(
935  $a_role_id,
936  $a_permissions,
937  $a_ref_id
938  );
939  }
940  elseif ($a_operation_mode == self::MODE_ADD_OPERATIONS) {
941  $current_operations = $review->getRoleOperationsOnObject(
942  $a_role_id,
943  $a_ref_id
944  );
945  $this->logger->debug('Current operations');
946  $this->logger->dump($current_operations);
947 
948  $new_ops = array_unique(array_merge($a_permissions, $current_operations));
949  $this->logger->debug('New operations');
950  $this->logger->dump($new_ops);
951 
952  $admin->grantPermission(
953  $a_role_id,
954  $new_ops,
955  $a_ref_id
956  );
957  }
958  elseif ($a_operation_mode == self::MODE_REMOVE_OPERATIONS) {
959  $current_operations = $review->getRoleOperationsOnObject(
960  $a_role_id,
961  $a_ref_id
962  );
963  $this->logger->debug('Current operations');
964  $this->logger->dump($current_operations);
965 
966  $new_ops = array_diff($current_operations, $a_permissions);
967 
968  $admin->grantPermission(
969  $a_role_id,
970  $new_ops,
971  $a_ref_id
972  );
973  }
974  }
975 
976 
983  protected function isHandledObjectType($a_filter, $a_exclusion_filter, $a_type)
984  {
985  if (in_array($a_type, $a_exclusion_filter)) {
986  return false;
987  }
988 
989  if (in_array('all', $a_filter)) {
990  return true;
991  }
992  return in_array($a_type, $a_filter);
993  }
994 
1001  protected function updateOperationStack(&$a_stack, $a_node, $a_init = false)
1002  {
1003  global $DIC;
1004 
1005  $rbacreview = $DIC['rbacreview'];
1006 
1007  $has_policies = null;
1008  $policy_origin = null;
1009 
1010  if ($a_node == ROOT_FOLDER_ID) {
1011  $has_policies = true;
1012  $policy_origin = ROLE_FOLDER_ID;
1013  } else {
1014  $has_policies = $rbacreview->getLocalPolicies($a_node);
1015  $policy_origin = $a_node;
1016 
1017  if ($a_init) {
1018  $parent_roles = $rbacreview->getParentRoleIds($a_node, false);
1019  if ($parent_roles[$this->getId()]) {
1020  $a_stack[] = $rbacreview->getAllOperationsOfRole(
1021  $this->getId(),
1022  $parent_roles[$this->getId()]['parent']
1023  );
1024  }
1025  return true;
1026  }
1027  }
1028 
1029  if (!$has_policies) {
1030  return false;
1031  }
1032 
1033  $a_stack[] = $rbacreview->getAllOperationsOfRole(
1034  $this->getId(),
1035  $policy_origin
1036  );
1037  return true;
1038  }
1039 
1045  protected function updatePolicyStack(&$a_stack, $a_node)
1046  {
1047  global $DIC;
1048 
1049  $rbacreview = $DIC['rbacreview'];
1050 
1051  $has_policies = null;
1052  $policy_origin = null;
1053 
1054  if ($a_node == ROOT_FOLDER_ID) {
1055  $has_policies = true;
1056  $policy_origin = ROLE_FOLDER_ID;
1057  } else {
1058  $has_policies = $rbacreview->getLocalPolicies($a_node);
1059  $policy_origin = $a_node;
1060  }
1061 
1062  if (!$has_policies) {
1063  return false;
1064  }
1065 
1066  $a_stack[] = $policy_origin;
1067  return true;
1068  }
1069 
1077  protected function createPermissionIntersection($policy_stack, $a_current_ops, $a_id, $a_type)
1078  {
1079  global $DIC;
1080 
1081  $ilDB = $DIC['ilDB'];
1082  $rbacreview = $DIC['rbacreview'];
1083  $rbacadmin = $DIC['rbacadmin'];
1084 
1085  static $course_non_member_id = null;
1086  static $group_non_member_id = null;
1087  static $group_open_id = null;
1088  static $group_closed_id = null;
1089 
1090  // Get template id
1091  switch ($a_type) {
1092  case 'grp':
1093 
1094  include_once './Modules/Group/classes/class.ilObjGroup.php';
1095  $type = ilObjGroup::lookupGroupTye(ilObject::_lookupObjId($a_id));
1096  #var_dump("GROUP TYPE",$type);
1097  switch ($type) {
1098  case GRP_TYPE_CLOSED:
1099  if (!$group_closed_id) {
1100  $query = "SELECT obj_id FROM object_data WHERE type='rolt' AND title='il_grp_status_closed'";
1101  $res = $ilDB->query($query);
1102  while ($row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
1103  $group_closed_id = $row->obj_id;
1104  }
1105  }
1106  $template_id = $group_closed_id;
1107  #var_dump("GROUP CLOSED id:" . $template_id);
1108  break;
1109 
1110  case GRP_TYPE_OPEN:
1111  default:
1112  if (!$group_open_id) {
1113  $query = "SELECT obj_id FROM object_data WHERE type='rolt' AND title='il_grp_status_open'";
1114  $res = $ilDB->query($query);
1115  while ($row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
1116  $group_open_id = $row->obj_id;
1117  }
1118  }
1119  $template_id = $group_open_id;
1120  #var_dump("GROUP OPEN id:" . $template_id);
1121  break;
1122  }
1123  break;
1124 
1125  case 'crs':
1126  if (!$course_non_member_id) {
1127  $query = "SELECT obj_id FROM object_data WHERE type='rolt' AND title='il_crs_non_member'";
1128  $res = $ilDB->query($query);
1129  while ($row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
1130  $course_non_member_id = $row->obj_id;
1131  }
1132  }
1133  $template_id = $course_non_member_id;
1134  break;
1135  }
1136 
1137  $current_ops = $a_current_ops[$a_type];
1138 
1139  // Create intersection template permissions
1140  if ($template_id) {
1141  //$rolf = $rbacreview->getRoleFolderIdOfObject($a_id);
1142 
1143  $rbacadmin->copyRolePermissionIntersection(
1144  $template_id,
1145  ROLE_FOLDER_ID,
1146  $this->getId(),
1147  end($policy_stack),
1148  $a_id,
1149  $this->getId()
1150  );
1151  } else {
1152  #echo "No template id for ".$a_id.' of type'.$a_type.'<br>';
1153  }
1154  #echo "ROLE ASSIGN: ".$rolf.' AID'.$a_id;
1155  if ($a_id and !$GLOBALS['DIC']['rbacreview']->isRoleAssignedToObject($this->getId(), $a_id)) {
1156  $rbacadmin->assignRoleToFolder($this->getId(), $a_id, "n");
1157  }
1158  return true;
1159  }
1160 } // END class.ilObjRole
GRP_TYPE_OPEN
const GRP_TYPE_OPEN
Definition: class.ilObjGroup.php:20
ilObjUser\_lookupLogin
static _lookupLogin($a_user_id)
lookup login
Definition: class.ilObjUser.php:811
ilObjRole
Class ilObjRole.
Definition: class.ilObjRole.php:16
ilUtil\sortArray
static sortArray( $array, $a_array_sortby, $a_array_sortorder=0, $a_numeric=false, $a_keep_keys=false)
sortArray
Definition: class.ilUtil.php:3072
ilObjRole\$disk_quota
$disk_quota
The disk quota in bytes.
Definition: class.ilObjRole.php:45
ilRoleDesktopItem
Class ilObjRoleGUI.
Definition: class.ilRoleDesktopItem.php:17
ilECSUtils\getPossibleRemoteTypes
static getPossibleRemoteTypes($a_with_captions=false)
Get all possible remote object types.
Definition: class.ilECSUtils.php:102
ilObjectPlugin\lookupTxtById
static lookupTxtById($plugin_id, $lang_var)
Definition: class.ilObjectPlugin.php:99
ilObjRole\getPresentationTitle
getPresentationTitle()
return translated title for autogenerated roles
Definition: class.ilObjRole.php:140
ilObjRole\_lookupRegisterAllowed
static _lookupRegisterAllowed()
get all roles that are activated in user registration
Definition: class.ilObjRole.php:349
ilObjRole\getPersonalWorkspaceDiskQuota
getPersonalWorkspaceDiskQuota()
Gets the minimal personal workspace disk quota imposed by this role.
Definition: class.ilObjRole.php:338
ilECSSetting\ecsConfigured
static ecsConfigured()
Checks if an ecs server is configured.
Definition: class.ilECSSetting.php:131
$DIC
global $DIC
Definition: saml.php:7
ilObjRole\MODE_PROTECTED_DELETE_LOCAL_POLICIES
const MODE_PROTECTED_DELETE_LOCAL_POLICIES
Definition: class.ilObjRole.php:18
ilObjRole\createPermissionIntersection
createPermissionIntersection($policy_stack, $a_current_ops, $a_id, $a_type)
Create course group permission intersection.
Definition: class.ilObjRole.php:1077
ilObjRole\setParent
setParent($a_parent_ref)
set reference id of parent object this is neccessary for non RBAC protected objects!!! ...
Definition: class.ilObjRole.php:401
ilObjRole\toggleAssignUsersStatus
toggleAssignUsersStatus($a_assign_users)
Definition: class.ilObjRole.php:145
ilObjRole\_updateAuthMode
static _updateAuthMode($a_roles)
Definition: class.ilObjRole.php:590
ilTree\RELATION_PARENT
const RELATION_PARENT
Definition: class.ilTree.php:31
ilObject\_lookupTitle
static _lookupTitle($a_id)
lookup object title
Definition: class.ilObject.php:988
ilObjRole\setAllowRegister
setAllowRegister($a_allow_register)
set allow_register of role
Definition: class.ilObjRole.php:268
ilObjRole\update
update()
updates a record "role" and write it into database public
Definition: class.ilObjRole.php:212
ilRbacLog\isActive
static isActive()
Definition: class.ilRbacLog.php:25
ilObjRole\updatePolicyStack
updatePolicyStack(&$a_stack, $a_node)
Update policy stack.
Definition: class.ilObjRole.php:1045
ilObjRole\MODE_REMOVE_OPERATIONS
const MODE_REMOVE_OPERATIONS
Definition: class.ilObjRole.php:25
ilObjRole\_getAuthMode
static _getAuthMode($a_role_id)
Definition: class.ilObjRole.php:604
ilObjRole\_resetAuthMode
static _resetAuthMode($a_auth_mode)
Reset auth mode to default.
Definition: class.ilObjRole.php:649
ilObjRole\deleteLocalPolicies
deleteLocalPolicies($a_start, $a_policies, $a_filter)
Delete local policies.
Definition: class.ilObjRole.php:748
ilObjRole\_getAssignUsersStatus
static _getAssignUsersStatus($a_role_id)
Definition: class.ilObjRole.php:154
ilRbacLog\gatherFaPa
static gatherFaPa($a_ref_id, array $a_role_ids, $a_add_action=false)
Definition: class.ilRbacLog.php:35
ilObjRole\getAllowRegister
getAllowRegister()
get allow_register
Definition: class.ilObjRole.php:283
ilRbacLog\diffFaPa
static diffFaPa(array $a_old, array $a_new)
Definition: class.ilRbacLog.php:69
$ilErr
$ilErr
Definition: raiseError.php:18
ilObjRole\getDiskQuota
getDiskQuota()
Gets the minimal disk quota imposed by this role.
Definition: class.ilObjRole.php:310
ilObject\setTitle
setTitle($a_title)
set object title
Definition: class.ilObject.php:418
ilObjRole\createDefaultRole
static createDefaultRole($a_title, $a_description, $a_tpl_name, $a_ref_id)
Definition: class.ilObjRole.php:72
ilObjRole\MODE_PROTECTED_KEEP_LOCAL_POLICIES
const MODE_PROTECTED_KEEP_LOCAL_POLICIES
Definition: class.ilObjRole.php:19
ilObjRole\MODE_READ_OPERATIONS
const MODE_READ_OPERATIONS
Definition: class.ilObjRole.php:24
ilObjRole\create
create()
create
Definition: class.ilObjRole.php:240
$a_type
$a_type
Definition: workflow.php:92
ilObjRole\isAutoGenerated
static isAutoGenerated($a_role_id)
Definition: class.ilObjRole.php:695
$res
foreach($_POST as $key=> $value) $res
Definition: save_question_post_data.php:15
ilObject\getId
getId()
get object id public
Definition: class.ilObject.php:320
GRP_TYPE_CLOSED
const GRP_TYPE_CLOSED
Definition: class.ilObjGroup.php:19
ilObject\_lookupObjId
static _lookupObjId($a_id)
Definition: class.ilObject.php:1107
ilObjRole\isHandledObjectType
isHandledObjectType($a_filter, $a_exclusion_filter, $a_type)
Check if type is filterer.
Definition: class.ilObjRole.php:983
ilObject\getTitle
getTitle()
get object title public
Definition: class.ilObject.php:396
ilObjRole\_getRolesByAuthMode
static _getRolesByAuthMode($a_auth_mode)
Get roles by auth mode.
Definition: class.ilObjRole.php:625
ilias
redirection script todo: (a better solution should control the processing via a xml file) ...
$query
$query
Definition: proxy_ylocal.php:13
ilUtil\stripSlashes
static stripSlashes($a_str, $a_strip_html=true, $a_allow="")
strip slashes if magic qoutes is enabled
Definition: class.ilUtil.php:2406
ilObjRole\__construct
__construct($a_id=0, $a_call_by_reference=false)
Constructor public.
Definition: class.ilObjRole.php:53
ilTree\RELATION_EQUALS
const RELATION_EQUALS
Definition: class.ilTree.php:33
ilObjRole\setPersonalWorkspaceDiskQuota
setPersonalWorkspaceDiskQuota($a_disk_quota)
Sets the minimal personal workspace disk quota imposed by this role.
Definition: class.ilObjRole.php:324
$txt
$txt
Definition: error.php:11
ilTree\RELATION_CHILD
const RELATION_CHILD
Definition: class.ilTree.php:30
ilTree\RELATION_NONE
const RELATION_NONE
Definition: class.ilTree.php:34
ilObjRole\_getTranslation
static _getTranslation($a_role_title)
Definition: class.ilObjRole.php:518
ilObjRole\validate
validate()
Validate role data.
Definition: class.ilObjRole.php:123
ilObject\_lookupType
static _lookupType($a_id, $a_reference=false)
lookup object type
Definition: class.ilObject.php:1275
$users
$users
Definition: authpage.php:44
ilObjRole\getParent
getParent()
get reference id of parent object
Definition: class.ilObjRole.php:412
ilObjRole\MODE_ADD_OPERATIONS
const MODE_ADD_OPERATIONS
Definition: class.ilObjRole.php:23
$row
$row
Definition: migrateto20.php:360
ilObjRole\__getPermissionDefinitions
__getPermissionDefinitions()
Definition: class.ilObjRole.php:661
League\Flysystem\Adapter\Polyfill\update
update($pash, $contents, Config $config)
ilObjRole\changeExistingObjects
changeExistingObjects($a_start_node, $a_mode, $a_filter, $a_exclusion_filter=array(), $a_operation_mode=self::MODE_READ_OPERATIONS, $a_operation_stack=[])
Change existing objects.
Definition: class.ilObjRole.php:707
ilObjRole\_removeObjectId
static _removeObjectId($a_role_title)
Definition: class.ilObjRole.php:533
ilObjRole\MODE_UNPROTECTED_DELETE_LOCAL_POLICIES
const MODE_UNPROTECTED_DELETE_LOCAL_POLICIES
Definition: class.ilObjRole.php:20
ilObjRole\adjustPermissions
adjustPermissions($a_mode, $a_nodes, $a_policies, $a_filter, $a_exclusion_filter=array(), $a_operation_mode=self::MODE_READ_OPERATIONS, $a_operation_stack=[])
Adjust permissions.
Definition: class.ilObjRole.php:778
ilRbacLog\add
static add($a_action, $a_ref_id, array $a_diff, $a_source_ref_id=false)
Definition: class.ilRbacLog.php:137
ilObjRole\MODE_UNPROTECTED_KEEP_LOCAL_POLICIES
const MODE_UNPROTECTED_KEEP_LOCAL_POLICIES
Definition: class.ilObjRole.php:21
ilObjRole\changeExistingObjectsGrantPermissions
changeExistingObjectsGrantPermissions($a_role_id, $a_permissions, $a_ref_id, $a_operation_mode)
Definition: class.ilObjRole.php:927
$ilDB
global $ilDB
Definition: storeScorm2004.php:16
ilObjGroup\lookupGroupTye
static lookupGroupTye($a_id)
Lookup group type.
Definition: class.ilObjGroup.php:131
ilRbacLog\EDIT_TEMPLATE_EXISTING
const EDIT_TEMPLATE_EXISTING
Definition: class.ilRbacLog.php:22
$def
$def
Definition: croninfo.php:21
ilObjRole\updateOperationStack
updateOperationStack(&$a_stack, $a_node, $a_init=false)
Update operation stack.
Definition: class.ilObjRole.php:1001
ilTree\RELATION_SIBLING
const RELATION_SIBLING
Definition: class.ilTree.php:32
ilObject\setDescription
setDescription($a_desc)
set object description
Definition: class.ilObject.php:443
ilLoggerFactory\getLogger
static getLogger($a_component_id)
Get component logger.
Definition: class.ilLoggerFactory.php:74
ilObjRole\read
read()
loads "role" from database private
Definition: class.ilObjRole.php:172
$info
$info
Definition: index.php:5
$template_id
$template_id
Definition: logout-iframe.php:118
ilObjRole\_lookupAllowRegister
static _lookupAllowRegister($a_role_id)
check whether role is allowed in user registration or not
Definition: class.ilObjRole.php:376
ilObjRole\setDiskQuota
setDiskQuota($a_disk_quota)
Sets the minimal disk quota imposed by this role.
Definition: class.ilObjRole.php:296
$GLOBALS
$GLOBALS['JPEG_Segment_Names']
Global Variable: XMP_tag_captions.
Definition: module.tag.xmp.php:702
ilObjRole\assignData
assignData($a_data)
loads a record "role" from array public
Definition: class.ilObjRole.php:198
$data
$data
Definition: bench.php:6