ILIAS  release_5-4 Revision v5.4.26-12-gabc799a52e6
Public Member Functions | Static Public Member Functions | Data Fields | Protected Member Functions | Protected Attributes | Static Protected Attributes | Private Member Functions | Static Private Attributes
ilRbacSystem Class Reference
Services/AccessControl

class ilRbacSystem system function like checkAccess, addActiveRole ... Supporting system functions are required for session management and in making access control decisions. More...

+ Collaboration diagram for ilRbacSystem:

Public Member Functions

 checkAccess ($a_operations, $a_ref_id, $a_type="")
 checkAccess represents the main method of the RBAC-system in ILIAS3 developers want to use With this method you check the permissions a use may have due to its roles on an specific object. More...
 
 checkAccessOfUser ($a_user_id, $a_operations, $a_ref_id, $a_type="")
 
 preloadRbacPaCache ($a_ref_ids, $a_user_id)
 Preload rbac_pa cache. More...
 
 checkPermission ($a_ref_id, $a_rol_id, $a_operation)
 check if a specific role has the permission '$a_operation' of an object @access public More...
 
 __filterOwnerPermissions ($a_user_id, $a_operations, $a_ref_id)
 
 initMemberView ()
 Init member view. More...
 
 addTemporaryRole ($a_usr_id, $a_role_id)
 
 resetPACache ($a_usr_id, $a_ref_id)
 

Static Public Member Functions

static getInstance ()
 
static resetCaches ()
 Reset internal caches. More...
 

Data Fields

 $ilias
 

Protected Member Functions

 __construct ()
 Constructor @access public. More...
 

Protected Attributes

 $mem_view
 

Static Protected Attributes

static $instance = null
 
static $user_role_cache = array()
 

Private Member Functions

 fetchAssignedRoles ($a_usr_id, $a_ref_id)
 Fetch assigned roles This method caches the assigned roles per user. More...
 

Static Private Attributes

static $_paCache = null
 
static $_checkAccessOfUserCache = null
 

Detailed Description

class ilRbacSystem system function like checkAccess, addActiveRole ... Supporting system functions are required for session management and in making access control decisions.

This class depends on the session since we offer the possiblility to add or delete active roles during one session.

Author
Stefan Meyer meyer.nosp@m.@lei.nosp@m.fos.c.nosp@m.om
Version
$Id$

Definition at line 16 of file class.ilRbacSystem.php.

Constructor & Destructor Documentation

◆ __construct()

ilRbacSystem::__construct ( )
protected

Constructor @access public.

Definition at line 35 of file class.ilRbacSystem.php.

36 {
37 global $DIC;
38
39 $ilDB = $DIC['ilDB'];
40 $ilErr = $DIC['ilErr'];
41 $ilias = $DIC['ilias'];
42
43 $this->ilias = &$ilias;
44
45 // set db & error handler
46 (isset($ilDB)) ? $this->ilDB = &$ilDB : $this->ilDB = &$ilias->db;
47
48 if (!isset($ilErr)) {
49 $ilErr = new ilErrorHandling();
50 $ilErr->setErrorHandling(PEAR_ERROR_CALLBACK, array($ilErr,'errorHandler'));
51 } else {
52 $this->ilErr = &$ilErr;
53 }
54 }
PEAR_ERROR_CALLBACK
const PEAR_ERROR_CALLBACK
Definition: PEAR.php:35
if
if(!file_exists(getcwd() . '/ilias.ini.php'))
registration confirmation script for ilias
Definition: confirmReg.php:12
ilias
redirection script todo: (a better solution should control the processing via a xml file)
$ilErr
$ilErr
Definition: raiseError.php:18
$DIC
global $DIC
Definition: saml.php:7
$ilDB
global $ilDB
Definition: storeScorm2004.php:19

References $DIC, $ilDB, $ilErr, $ilias, if, and PEAR_ERROR_CALLBACK.

Member Function Documentation

◆ __filterOwnerPermissions()

ilRbacSystem::__filterOwnerPermissions (   $a_user_id,
  $a_operations,
  $a_ref_id 
)

Definition at line 319 of file class.ilRbacSystem.php.

320 {
321 global $DIC;
322
323 $ilObjDataCache = $DIC['ilObjDataCache'];
324 $ilUser = $DIC['ilUser'];
325
326 // member view constraints
327 if ($this->mem_view['active'] and $a_user_id == $ilUser->getId()) {
328 if (in_array($a_ref_id, $this->mem_view['items'])) {
329 return $a_operations;
330 }
331 }
332
333 if ($a_user_id != $ilObjDataCache->lookupOwner($ilObjDataCache->lookupObjId($a_ref_id))) {
334 return $a_operations;
335 }
336 // Is owner
337 $new_ops = false;
338 foreach (explode(",", $a_operations) as $operation) {
339 if ($operation != 'cat_administrate_users' and $operation != 'edit_permission' and $operation != 'edit_learning_progress' and $operation != 'read_learning_progress' and !preg_match('/^create/', $operation)) {
340 continue;
341 }
342 if (!strlen($new_ops)) {
343 $new_ops = $operation;
344 } else {
345 $new_ops .= (',' . $operation);
346 }
347 }
348 return $new_ops;
349 }
$ilUser
$ilUser
Definition: imgupload.php:18

References $DIC, and $ilUser.

Referenced by checkAccessOfUser().

+ Here is the caller graph for this function:

◆ addTemporaryRole()

ilRbacSystem::addTemporaryRole (   $a_usr_id,
  $a_role_id 
)

Definition at line 431 of file class.ilRbacSystem.php.

432 {
433 if (!in_array($a_role_id, self::$user_role_cache[$a_usr_id])) {
434 self::$user_role_cache[$a_usr_id][] = $a_role_id;
435 }
436 }

◆ checkAccess()

ilRbacSystem::checkAccess (   $a_operations,
  $a_ref_id,
  $a_type = "" 
)

checkAccess represents the main method of the RBAC-system in ILIAS3 developers want to use With this method you check the permissions a use may have due to its roles on an specific object.

The first parameter are the operation(s) the user must have The second & third parameter specifies the object where the operation(s) may apply to The last parameter is only required, if you ask for the 'create' operation. Here you specify the object type which you want to create.

example: $rbacSystem->checkAccess("visible,read",23); Here you ask if the user is allowed to see ('visible') and access the object by reading it ('read'). The reference_id is 23 in the tree structure.

@access public

Parameters
stringone or more operations, separated by commas (i.e.: visible,read,join)
integerthe child_id in tree (usually a reference_id, no object_id !!)
stringthe type definition abbreviation (i.e.: frm,grp,crs)
Returns
boolean returns true if ALL passed operations are given, otherwise false

Definition at line 93 of file class.ilRbacSystem.php.

94 {
95 global $DIC;
96
97 $ilUser = $DIC['ilUser'];
98 $ilBench = $DIC['ilBench'];
99
100 $ilBench->start("RBAC", "system_checkAccess");
101
102 $result = $this->checkAccessOfUser($ilUser->getId(), $a_operations, $a_ref_id, $a_type);
103
104 $ilBench->stop("RBAC", "system_checkAccess");
105
106 return $result;
107 }
$result
$result
Definition: CleanUpTest.php:463
ilRbacSystem\checkAccessOfUser
checkAccessOfUser($a_user_id, $a_operations, $a_ref_id, $a_type="")
Definition: class.ilRbacSystem.php:109
$ilBench
global $ilBench
Definition: ilias.php:18
$a_type
$a_type
Definition: workflow.php:92

References $a_type, $DIC, $ilBench, $ilUser, $result, and checkAccessOfUser().

Referenced by initMemberView().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ checkAccessOfUser()

ilRbacSystem::checkAccessOfUser (   $a_user_id,
  $a_operations,
  $a_ref_id,
  $a_type = "" 
)

Definition at line 109 of file class.ilRbacSystem.php.

110 {
111 global $DIC;
112
113 $ilUser = $DIC['ilUser'];
114 $rbacreview = $DIC['rbacreview'];
115 $ilObjDataCache = $DIC['ilObjDataCache'];
116 $ilDB = $DIC['ilDB'];
117 $ilLog = $DIC['ilLog'];
118
119 // Create the user cache key
120 $cacheKey = $a_user_id . ':' . $a_operations . ':' . $a_ref_id . ':' . $a_type;
121
122 // Create the cache if it does not yet exist
123 if (!is_array(self::$_checkAccessOfUserCache)) {
124 self::$_checkAccessOfUserCache = array();
125 }
126
127 // Try to return result from cache
128 if (array_key_exists($cacheKey, self::$_checkAccessOfUserCache)) {
129 return self::$_checkAccessOfUserCache[$cacheKey];
130 }
131
132
133 // DISABLED
134 // Check For owner
135 // Owners do always have full access to their objects
136 // Excluded are the permissions create and perm
137 // This method call return all operations that are NOT granted by the owner status
138 if (!$a_operations = $this->__filterOwnerPermissions($a_user_id, $a_operations, $a_ref_id)) {
139 // Store positive outcome in cache.
140 // Note: we only cache up to 1000 results to avoid memory overflows
141 if (count(self::$_checkAccessOfUserCache) < 1000) {
142 self::$_checkAccessOfUserCache[$cacheKey] = true;
143 }
144 return true;
145 }
146
147
148 // get roles using role cache
149 $roles = $this->fetchAssignedRoles($a_user_id, $a_ref_id);
150
151 // exclude system role from rbac
152 if (in_array(SYSTEM_ROLE_ID, $roles)) {
153 // Store positive outcome in cache.
154 // Note: we only cache up to 1000 results to avoid memory overflows
155 if (count(self::$_checkAccessOfUserCache) < 1000) {
156 self::$_checkAccessOfUserCache[$cacheKey] = true;
157 }
158 return true;
159 }
160
161 if (!isset($a_operations) or !isset($a_ref_id)) {
162 $GLOBALS['DIC']['ilLog']->logStack();
163 $this->ilErr->raiseError(get_class($this) . "::checkAccess(): Missing parameter! " .
164 "ref_id: " . $a_ref_id . " operations: " . $a_operations, $this->ilErr->WARNING);
165 }
166
167 if (!is_string($a_operations)) {
168 $GLOBALS['DIC']['ilLog']->logStack();
169 $this->ilErr->raiseError(get_class($this) . "::checkAccess(): Wrong datatype for operations!", $this->ilErr->WARNING);
170 }
171
172 // Create the PA cache if it does not exist yet
173 $paCacheKey = $a_user_id . ':' . $a_ref_id;
174 if (!is_array(self::$_paCache)) {
175 self::$_paCache = array();
176 }
177
178 if (array_key_exists($paCacheKey, self::$_paCache)) {
179 // Return result from PA cache
180 $ops = self::$_paCache[$paCacheKey];
181 } else {
182 // Data is not in PA cache, perform database query
183 $q = "SELECT * FROM rbac_pa " .
184 "WHERE ref_id = " . $ilDB->quote($a_ref_id, 'integer');
185
186 $r = $this->ilDB->query($q);
187
188 $ops = array();
189
190 while ($row = $r->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
191 if (in_array($row->rol_id, $roles)) {
192 $ops = array_merge($ops, unserialize(stripslashes($row->ops_id)));
193 }
194 }
195 // Cache up to 1000 entries in the PA cache
196 if (count(self::$_paCache) < 1000) {
197 self::$_paCache[$paCacheKey] = $ops;
198 }
199 }
200
201 $operations = explode(",", $a_operations);
202 foreach ($operations as $operation) {
203 if ($operation == "create") {
204 if (empty($a_type)) {
205 $this->ilErr->raiseError(
206 get_class($this) . "::CheckAccess(): Expect a type definition for checking a 'create' permission",
207 $this->ilErr->WARNING
208 );
209 }
210
211 $ops_id = ilRbacReview::_getOperationIdByName($operation . "_" . $a_type);
212 } else {
213 $ops_id = ilRbacReview::_getOperationIdByName($operation);
214 }
215 if (!in_array($ops_id, (array) $ops)) {
216 //$ilLog->write('PERMISSION: '.$a_ref_id.' -> '.$a_ops_id.' failed');
217 // Store negative outcome in cache.
218 // Note: we only cache up to 1000 results to avoid memory overflows
219 if (count(self::$_checkAccessOfUserCache) < 1000) {
220 self::$_checkAccessOfUserCache[$cacheKey] = false;
221 }
222 return false;
223 }
224 }
225
226 // Store positive outcome in cache.
227 // Note: we only cache up to 1000 results to avoid memory overflows
228 if (count(self::$_checkAccessOfUserCache) < 1000) {
229 //$ilLog->write('PERMISSION: '.$a_ref_id.' -> '.$ops_id.' granted');
230 self::$_checkAccessOfUserCache[$cacheKey] = true;
231 }
232 return true;
233 }
ilRbacReview\_getOperationIdByName
static _getOperationIdByName($a_operation)
get operation id by name of operation @access public @access static
Definition: class.ilRbacReview.php:1315
ilRbacSystem\fetchAssignedRoles
fetchAssignedRoles($a_usr_id, $a_ref_id)
Fetch assigned roles This method caches the assigned roles per user.
Definition: class.ilRbacSystem.php:359
ilRbacSystem\__filterOwnerPermissions
__filterOwnerPermissions($a_user_id, $a_operations, $a_ref_id)
Definition: class.ilRbacSystem.php:319
$r
$r
Definition: example_031.php:79
$ilLog
$ilLog
Definition: inc.setup_header.php:123
$row
$row
Definition: migrateto20.php:360
$GLOBALS
$GLOBALS['JPEG_Segment_Names']
Global Variable: XMP_tag_captions.
Definition: module.tag.xmp.php:702

References $a_type, $DIC, $GLOBALS, $ilDB, $ilLog, $ilUser, $r, $row, __filterOwnerPermissions(), ilRbacReview\_getOperationIdByName(), fetchAssignedRoles(), and ilDBConstants\FETCHMODE_OBJECT.

Referenced by checkAccess().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ checkPermission()

ilRbacSystem::checkPermission (   $a_ref_id,
  $a_rol_id,
  $a_operation 
)

check if a specific role has the permission '$a_operation' of an object @access public

Parameters
integerreference id of object
integerrole id
stringthe permission to check
Returns
boolean

Definition at line 293 of file class.ilRbacSystem.php.

294 {
295 global $DIC;
296
297 $ilDB = $DIC['ilDB'];
298
299 $ops = array();
300
301 $query = 'SELECT ops_id FROM rbac_operations ' .
302 'WHERE operation = ' . $ilDB->quote($a_operation, 'text');
303 $res = $ilDB->query($query);
304 while ($row = $ilDB->fetchObject($res)) {
305 $ops_id = $row->ops_id;
306 }
307
308 $query = "SELECT * FROM rbac_pa " .
309 "WHERE rol_id = " . $ilDB->quote($a_rol_id, 'integer') . " " .
310 "AND ref_id = " . $ilDB->quote($a_ref_id, 'integer') . " ";
311 $res = $ilDB->query($query);
312
313 while ($row = $ilDB->fetchObject($res)) {
314 $ops = array_merge($ops, unserialize($row->ops_id));
315 }
316 return in_array($ops_id, $ops);
317 }
$query
$query
Definition: proxy_ylocal.php:13
$res
foreach($_POST as $key=> $value) $res
Definition: save_question_post_data.php:15

References $DIC, $ilDB, $query, $res, and $row.

◆ fetchAssignedRoles()

ilRbacSystem::fetchAssignedRoles (   $a_usr_id,
  $a_ref_id 
)
private

Fetch assigned roles This method caches the assigned roles per user.

@access private

Parameters
intuser id

Definition at line 359 of file class.ilRbacSystem.php.

360 {
361 global $DIC;
362
363 $ilUser = $DIC['ilUser'];
364 $rbacreview = $DIC['rbacreview'];
365
366 // Member view constraints
367 if ($this->mem_view['active'] and $a_usr_id == $ilUser->getId()) {
368 // check if current ref_id is subitem of active container
369 if (in_array($a_ref_id, $this->mem_view['items']) and $this->mem_view['role']) {
370 // Return default member role
371 return array($this->mem_view['role']);
372 }
373 }
374
375 if (isset(self::$user_role_cache[$a_usr_id]) and is_array(self::$user_role_cache)) {
376 return self::$user_role_cache[$a_usr_id];
377 }
378
379
380
381 return self::$user_role_cache[$a_usr_id] = $rbacreview->assignedRoles($a_usr_id);
382 }

References $DIC, and $ilUser.

Referenced by checkAccessOfUser(), and preloadRbacPaCache().

+ Here is the caller graph for this function:

◆ getInstance()

static ilRbacSystem::getInstance ( )
static

Definition at line 56 of file class.ilRbacSystem.php.

57 {
58 if (self::$instance) {
59 return self::$instance;
60 }
61 return self::$instance = new ilRbacSystem();
62 }
ilRbacSystem
class ilRbacSystem system function like checkAccess, addActiveRole ... Supporting system functions ar...
Definition: class.ilRbacSystem.php:17

References $instance.

Referenced by ilInitialisation\initAccessHandling().

+ Here is the caller graph for this function:

◆ initMemberView()

ilRbacSystem::initMemberView ( )

Init member view.

Returns

Definition at line 388 of file class.ilRbacSystem.php.

389 {
390 include_once './Services/Container/classes/class.ilMemberViewSettings.php';
391 $settings = ilMemberViewSettings::getInstance();
392
393 // disable member view
394 if (
395 isset($_GET['mv']) &&
396 $_GET['mv'] == 0
397 ) {
398 // force deactivation
399 $settings->toggleActivation((int) $_GET['ref_id'], false);
400 }
401 if (
402 isset($_GET['mv']) &&
403 $_GET['mv'] == 1
404 ) {
405 if ($this->checkAccess('write', (int) $_GET['ref_id'])) {
406 $settings->toggleActivation((int) $_GET['ref_id'], true);
407 // reset caches
408 self::resetCaches();
409 }
410 }
411
412 if (!$settings->isActive()) {
413 $this->mem_view['active'] = false;
414 $this->mem_view['items'] = array();
415 $this->mem_view['role'] = 0;
416 } else {
417 global $DIC;
418
419 $tree = $DIC['tree'];
420
421 $this->mem_view['active'] = true;
422 $this->mem_view['items'] = $tree->getSubTreeIds($settings->getContainer());
423 $this->mem_view['items'] = array_merge($this->mem_view['items'], array($settings->getContainer()));
424
425 include_once './Services/Membership/classes/class.ilParticipants.php';
426 $this->mem_view['role'] = ilParticipants::getDefaultMemberRole($settings->getContainer());
427 }
428 return true;
429 }
$_GET
$_GET["client_id"]
Definition: cfg.phpunit.template.php:12
ilMemberViewSettings\getInstance
static getInstance()
Get instance.
Definition: class.ilMemberViewSettings.php:67
ilParticipants\getDefaultMemberRole
static getDefaultMemberRole($a_ref_id)
Definition: class.ilParticipants.php:481
ilRbacSystem\resetCaches
static resetCaches()
Reset internal caches.
Definition: class.ilRbacSystem.php:67
ilRbacSystem\checkAccess
checkAccess($a_operations, $a_ref_id, $a_type="")
checkAccess represents the main method of the RBAC-system in ILIAS3 developers want to use With this ...
Definition: class.ilRbacSystem.php:93

References $_GET, $DIC, $tree, checkAccess(), ilParticipants\getDefaultMemberRole(), ilMemberViewSettings\getInstance(), and resetCaches().

+ Here is the call graph for this function:

◆ preloadRbacPaCache()

ilRbacSystem::preloadRbacPaCache (   $a_ref_ids,
  $a_user_id 
)

Preload rbac_pa cache.

Parameters

return

Definition at line 241 of file class.ilRbacSystem.php.

242 {
243 global $DIC;
244
245 $ilDB = $DIC['ilDB'];
246
247 if (!is_array($a_ref_ids)) {
248 return;
249 }
250
251 $ref_ids = array();
252 foreach ($a_ref_ids as $ref_id) {
253 if (!isset(self::$_paCache[$a_user_id . ":" . $ref_id])) {
254 $roles[$ref_id] = $this->fetchAssignedRoles($a_user_id, $ref_id);
255 $ops[$ref_id] = array();
256 $ref_ids[] = $ref_id;
257 }
258 }
259
260 if (count($ref_ids) > 0) {
261
262 // Data is not in PA cache, perform database query
263 $q = "SELECT * FROM rbac_pa " .
264 "WHERE " . $ilDB->in("ref_id", $ref_ids, false, "integer");
265
266 $r = $this->ilDB->query($q);
267
268 while ($row = $r->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
269 if (in_array($row->rol_id, $roles[$row->ref_id])) {
270 $ops[$row->ref_id] = array_merge(
271 $ops[$row->ref_id],
272 unserialize(stripslashes($row->ops_id))
273 );
274 }
275 }
276 foreach ($a_ref_ids as $ref_id) {
277 // #11313
278 if (!isset(self::$_paCache[$a_user_id . ":" . $ref_id])) {
279 self::$_paCache[$a_user_id . ":" . $ref_id] = $ops[$ref_id];
280 }
281 }
282 }
283 }

References $DIC, $ilDB, $r, $row, fetchAssignedRoles(), and ilDBConstants\FETCHMODE_OBJECT.

+ Here is the call graph for this function:

◆ resetCaches()

static ilRbacSystem::resetCaches ( )
static

Reset internal caches.

Definition at line 67 of file class.ilRbacSystem.php.

68 {
69 self::$user_role_cache = array();
70 self::$_paCache = null;
71 self::$_checkAccessOfUserCache = null;
72 }

Referenced by initMemberView(), and ilObjSessionGUI\unregisterObject().

+ Here is the caller graph for this function:

◆ resetPACache()

ilRbacSystem::resetPACache (   $a_usr_id,
  $a_ref_id 
)

Definition at line 438 of file class.ilRbacSystem.php.

439 {
440 $paCacheKey = $a_usr_id . ':' . $a_ref_id;
441 unset(self::$_paCache[$paCacheKey]);
442 }

Field Documentation

◆ $_checkAccessOfUserCache

ilRbacSystem::$_checkAccessOfUserCache = null
staticprivate

Definition at line 29 of file class.ilRbacSystem.php.

◆ $_paCache

ilRbacSystem::$_paCache = null
staticprivate

Definition at line 26 of file class.ilRbacSystem.php.

◆ $ilias

ilRbacSystem::$ilias

Definition at line 23 of file class.ilRbacSystem.php.

Referenced by __construct().

◆ $instance

ilRbacSystem::$instance = null
staticprotected

Definition at line 18 of file class.ilRbacSystem.php.

Referenced by getInstance().

◆ $mem_view

ilRbacSystem::$mem_view
protected

Definition at line 20 of file class.ilRbacSystem.php.

◆ $user_role_cache

ilRbacSystem::$user_role_cache = array()
staticprotected

Definition at line 22 of file class.ilRbacSystem.php.

The documentation for this class was generated from the following file: