ILIAS  release_5-4 Revision v5.4.26-12-gabc799a52e6
ilRbacSystem Class Reference

class ilRbacSystem: system functions such as checkAccess, addActiveRole ...


Public Member Functions

 checkAccess ($a_operations, $a_ref_id, $a_type="")
 Main entry point of the RBAC system: checks whether the current user has, through their roles, ALL of the given operations on a specific object.
 
 checkAccessOfUser ($a_user_id, $a_operations, $a_ref_id, $a_type="")
 The same check for an arbitrary user id; checkAccess() delegates here.
 
 preloadRbacPaCache ($a_ref_ids, $a_user_id)
 Preload the rbac_pa cache for several reference ids with one query.
 
 checkPermission ($a_ref_id, $a_rol_id, $a_operation)
 Check whether a specific role has the permission '$a_operation' on an object.
 
 __filterOwnerPermissions ($a_user_id, $a_operations, $a_ref_id)
 Return the operations that are not already granted by owning the object.
 
 initMemberView ()
 Init member view.
 
 addTemporaryRole ($a_usr_id, $a_role_id)
 Add a role to the per-request role cache of a user.
 
 resetPACache ($a_usr_id, $a_ref_id)
 Drop the cached rbac_pa operations for one user/object pair.
 

Static Public Member Functions

static getInstance ()
 
static resetCaches ()
 Reset internal caches.
 

Data Fields

 $ilias
 

Protected Member Functions

 __construct ()
 Constructor (protected; obtain the instance via getInstance()).
 

Protected Attributes

 $mem_view
 

Static Protected Attributes

static $instance = null
 
static $user_role_cache = array()
 

Private Member Functions

 fetchAssignedRoles ($a_usr_id, $a_ref_id)
 Fetch the roles assigned to a user; the result is cached per user for the request.
 

Static Private Attributes

static $_paCache = null
 
static $_checkAccessOfUserCache = null
 

Detailed Description

class ilRbacSystem: system functions such as checkAccess, addActiveRole ...

Supporting system functions are required for session management and for making access control decisions. This class depends on the session, since it offers the possibility to add or delete active roles during one session.

Author
Stefan Meyer <meyer@leifos.com>
Version
$Id$

Definition at line 16 of file class.ilRbacSystem.php.

Constructor & Destructor Documentation

◆ __construct()

ilRbacSystem::__construct ( )
protected

Constructor. It is protected: the single instance is obtained via getInstance().

Definition at line 35 of file class.ilRbacSystem.php.

References $DIC, $ilDB, $ilErr, $ilias, and PEAR_ERROR_CALLBACK.

36  {
37  global $DIC;
38 
39  $ilDB = $DIC['ilDB'];
40  $ilErr = $DIC['ilErr'];
41  $ilias = $DIC['ilias'];
42 
43  $this->ilias = &$ilias;
44 
45  // set db & error handler
46  (isset($ilDB)) ? $this->ilDB = &$ilDB : $this->ilDB = &$ilias->db;
47 
48  if (!isset($ilErr)) {
49  $ilErr = new ilErrorHandling();
50  $ilErr->setErrorHandling(PEAR_ERROR_CALLBACK, array($ilErr,'errorHandler'));
51  } else {
52  $this->ilErr = &$ilErr;
53  }
54  }

Member Function Documentation

◆ __filterOwnerPermissions()

ilRbacSystem::__filterOwnerPermissions (   $a_user_id,
  $a_operations,
  $a_ref_id 
)

Owner shortcut used by checkAccessOfUser(). Returns the subset of $a_operations that is not already granted by $a_user_id owning the object, as a comma-separated string, or false when ownership covers all of them. A non-owner gets the full list back unchanged. Ownership never covers cat_administrate_users, edit_permission, edit_learning_progress, read_learning_progress or any create* operation, so those are always evaluated against rbac_pa. When the member view is active for the current user and the object lies inside the member-view container, ownership is ignored as well.

Definition at line 319 of file class.ilRbacSystem.php.

References $DIC, and $ilUser.

Referenced by checkAccessOfUser().

320  {
321  global $DIC;
322 
323  $ilObjDataCache = $DIC['ilObjDataCache'];
324  $ilUser = $DIC['ilUser'];
325 
326  // member view constraints
327  if ($this->mem_view['active'] and $a_user_id == $ilUser->getId()) {
328  if (in_array($a_ref_id, $this->mem_view['items'])) {
329  return $a_operations;
330  }
331  }
332 
333  if ($a_user_id != $ilObjDataCache->lookupOwner($ilObjDataCache->lookupObjId($a_ref_id))) {
334  return $a_operations;
335  }
336  // Is owner
337  $new_ops = false;
338  foreach (explode(",", $a_operations) as $operation) {
339  if ($operation != 'cat_administrate_users' and $operation != 'edit_permission' and $operation != 'edit_learning_progress' and $operation != 'read_learning_progress' and !preg_match('/^create/', $operation)) {
340  continue;
341  }
342  if (!strlen($new_ops)) {
343  $new_ops = $operation;
344  } else {
345  $new_ops .= (',' . $operation);
346  }
347  }
348  return $new_ops;
349  }

◆ addTemporaryRole()

ilRbacSystem::addTemporaryRole (   $a_usr_id,
  $a_role_id 
)

Adds $a_role_id to the per-request role cache of $a_usr_id, so that fetchAssignedRoles() reports it for the rest of the request without any change in the database. Only self::$user_role_cache is touched: the rbac_pa cache and the checkAccessOfUser() result cache are not, so a check already evaluated for this user and object keeps its old answer until resetPACache() or resetCaches() is called. The method expects self::$user_role_cache[$a_usr_id] to be populated already (for example by an earlier fetchAssignedRoles() call); otherwise in_array() is handed null.

Definition at line 431 of file class.ilRbacSystem.php.

432  {
433  if (!in_array($a_role_id, self::$user_role_cache[$a_usr_id])) {
434  self::$user_role_cache[$a_usr_id][] = $a_role_id;
435  }
436  }

◆ checkAccess()

ilRbacSystem::checkAccess (   $a_operations,
  $a_ref_id,
  $a_type = "" 
)

checkAccess is the main method of the ILIAS RBAC system and the one developers are expected to use. It checks whether the current user has, through their roles, the given permissions on a specific object.

The first parameter lists the operation(s) the user must have. The second parameter identifies the object (by its reference id in the tree) the operation(s) apply to. The third parameter is required only when you ask for the 'create' operation: it names the object type to be created, and the check is then made against the operation 'create_<type>'.

Example: $rbacSystem->checkAccess("visible,read", 23); asks whether the user may see ('visible') and read ('read') the object with reference id 23 in the tree.

The check is made for the current user ($ilUser) by delegating to checkAccessOfUser(); the caches, the owner shortcut and the system-role shortcut implemented there apply.

Parameters
    string  $a_operations  one or more operations, separated by commas (e.g. visible,read,join)
    integer $a_ref_id      the child id in the tree (usually a reference id, not an object id!)
    string  $a_type        the object type abbreviation (e.g. frm,grp,crs), only needed for 'create'
Returns
    boolean true if ALL passed operations are granted, otherwise false

Definition at line 93 of file class.ilRbacSystem.php.

References $a_type, $DIC, $ilBench, $ilUser, $result, and checkAccessOfUser().

Referenced by initMemberView().

94  {
95  global $DIC;
96 
97  $ilUser = $DIC['ilUser'];
98  $ilBench = $DIC['ilBench'];
99 
100  $ilBench->start("RBAC", "system_checkAccess");
101 
102  $result = $this->checkAccessOfUser($ilUser->getId(), $a_operations, $a_ref_id, $a_type);
103 
104  $ilBench->stop("RBAC", "system_checkAccess");
105 
106  return $result;
107  }

◆ checkAccessOfUser()

ilRbacSystem::checkAccessOfUser (   $a_user_id,
  $a_operations,
  $a_ref_id,
  $a_type = "" 
)

Check whether $a_user_id has all of $a_operations on $a_ref_id. The evaluation order is: (1) the per-request result cache keyed by user:operations:ref_id:type; (2) the owner shortcut via __filterOwnerPermissions(), which grants the owner everything except permission administration, learning progress and create operations (the '// DISABLED' comment preceding that call does not reflect the code: the call is made); (3) membership in SYSTEM_ROLE_ID, which grants everything; (4) the rbac_pa rows of $a_ref_id restricted to the user's roles, cached per user:ref_id, in which every requested operation must be found, 'create' being looked up as 'create_<$a_type>'. Each cache stores at most 1000 entries. The ops_id column is a PHP-serialized array that is passed to unserialize() without an allowed_classes restriction.

Definition at line 109 of file class.ilRbacSystem.php.

References $a_type, $DIC, $GLOBALS, $ilDB, $ilLog, $ilUser, $r, $row, __filterOwnerPermissions(), ilRbacReview\_getOperationIdByName(), fetchAssignedRoles(), and ilDBConstants\FETCHMODE_OBJECT.

Referenced by checkAccess().

110  {
111  global $DIC;
112 
113  $ilUser = $DIC['ilUser'];
114  $rbacreview = $DIC['rbacreview'];
115  $ilObjDataCache = $DIC['ilObjDataCache'];
116  $ilDB = $DIC['ilDB'];
117  $ilLog = $DIC['ilLog'];
118 
119  // Create the user cache key
120  $cacheKey = $a_user_id . ':' . $a_operations . ':' . $a_ref_id . ':' . $a_type;
121 
122  // Create the cache if it does not yet exist
123  if (!is_array(self::$_checkAccessOfUserCache)) {
124  self::$_checkAccessOfUserCache = array();
125  }
126 
127  // Try to return result from cache
128  if (array_key_exists($cacheKey, self::$_checkAccessOfUserCache)) {
129  return self::$_checkAccessOfUserCache[$cacheKey];
130  }
131 
132 
133  // DISABLED
134  // Check For owner
135  // Owners do always have full access to their objects
136  // Excluded are the permissions create and perm
137  // This method call return all operations that are NOT granted by the owner status
138  if (!$a_operations = $this->__filterOwnerPermissions($a_user_id, $a_operations, $a_ref_id)) {
139  // Store positive outcome in cache.
140  // Note: we only cache up to 1000 results to avoid memory overflows
141  if (count(self::$_checkAccessOfUserCache) < 1000) {
142  self::$_checkAccessOfUserCache[$cacheKey] = true;
143  }
144  return true;
145  }
146 
147 
148  // get roles using role cache
149  $roles = $this->fetchAssignedRoles($a_user_id, $a_ref_id);
150 
151  // exclude system role from rbac
152  if (in_array(SYSTEM_ROLE_ID, $roles)) {
153  // Store positive outcome in cache.
154  // Note: we only cache up to 1000 results to avoid memory overflows
155  if (count(self::$_checkAccessOfUserCache) < 1000) {
156  self::$_checkAccessOfUserCache[$cacheKey] = true;
157  }
158  return true;
159  }
160 
161  if (!isset($a_operations) or !isset($a_ref_id)) {
162  $GLOBALS['DIC']['ilLog']->logStack();
163  $this->ilErr->raiseError(get_class($this) . "::checkAccess(): Missing parameter! " .
164  "ref_id: " . $a_ref_id . " operations: " . $a_operations, $this->ilErr->WARNING);
165  }
166 
167  if (!is_string($a_operations)) {
168  $GLOBALS['DIC']['ilLog']->logStack();
169  $this->ilErr->raiseError(get_class($this) . "::checkAccess(): Wrong datatype for operations!", $this->ilErr->WARNING);
170  }
171 
172  // Create the PA cache if it does not exist yet
173  $paCacheKey = $a_user_id . ':' . $a_ref_id;
174  if (!is_array(self::$_paCache)) {
175  self::$_paCache = array();
176  }
177 
178  if (array_key_exists($paCacheKey, self::$_paCache)) {
179  // Return result from PA cache
180  $ops = self::$_paCache[$paCacheKey];
181  } else {
182  // Data is not in PA cache, perform database query
183  $q = "SELECT * FROM rbac_pa " .
184  "WHERE ref_id = " . $ilDB->quote($a_ref_id, 'integer');
185 
186  $r = $this->ilDB->query($q);
187 
188  $ops = array();
189 
190  while ($row = $r->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
191  if (in_array($row->rol_id, $roles)) {
192  $ops = array_merge($ops, unserialize(stripslashes($row->ops_id)));
193  }
194  }
195  // Cache up to 1000 entries in the PA cache
196  if (count(self::$_paCache) < 1000) {
197  self::$_paCache[$paCacheKey] = $ops;
198  }
199  }
200 
201  $operations = explode(",", $a_operations);
202  foreach ($operations as $operation) {
203  if ($operation == "create") {
204  if (empty($a_type)) {
205  $this->ilErr->raiseError(
206  get_class($this) . "::CheckAccess(): Expect a type definition for checking a 'create' permission",
207  $this->ilErr->WARNING
208  );
209  }
210 
211  $ops_id = ilRbacReview::_getOperationIdByName($operation . "_" . $a_type);
212  } else {
213  $ops_id = ilRbacReview::_getOperationIdByName($operation);
214  }
215  if (!in_array($ops_id, (array) $ops)) {
216  //$ilLog->write('PERMISSION: '.$a_ref_id.' -> '.$a_ops_id.' failed');
217  // Store negative outcome in cache.
218  // Note: we only cache up to 1000 results to avoid memory overflows
219  if (count(self::$_checkAccessOfUserCache) < 1000) {
220  self::$_checkAccessOfUserCache[$cacheKey] = false;
221  }
222  return false;
223  }
224  }
225 
226  // Store positive outcome in cache.
227  // Note: we only cache up to 1000 results to avoid memory overflows
228  if (count(self::$_checkAccessOfUserCache) < 1000) {
229  //$ilLog->write('PERMISSION: '.$a_ref_id.' -> '.$ops_id.' granted');
230  self::$_checkAccessOfUserCache[$cacheKey] = true;
231  }
232  return true;
233  }
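As an added example that is not part of ILIAS or of this class, the following stand-alone PHP script models the decision made by checkAccessOfUser() together with the owner shortcut of __filterOwnerPermissions(). The database tables, the caches and the $DIC services are replaced by constructed arrays, every id is arbitrary, SYSTEM_ROLE_ID is given an assumed value, and decodeOps() adds a restriction the class does not have: unserialize() is called with allowed_classes set to false and only integer ops ids are kept, so a tampered rbac_pa.ops_id value yields no operations instead of instantiating an object.

```php
<?php
// Added example, not ILIAS code: an offline model of the decision made by
// ilRbacSystem::checkAccessOfUser() together with the owner shortcut of
// __filterOwnerPermissions(). Tables, caches and $DIC services are replaced by
// constructed arrays; all ids below are arbitrary.
declare(strict_types=1);

const SYSTEM_ROLE_ID = 2; // assumed value for the example

// stands in for rbac_operations: operation name => ops_id (constructed)
$operations = ['visible' => 1, 'read' => 2, 'write' => 3, 'edit_permission' => 4, 'create_crs' => 5];

// stands in for rbac_pa rows; ops_id holds a PHP-serialized array of ops ids (constructed)
$rbacPa = [
    ['ref_id' => 23, 'rol_id' => 10, 'ops_id' => serialize([1, 2])],       // visible, read
    ['ref_id' => 23, 'rol_id' => 11, 'ops_id' => serialize([1, 2, 3, 5])], // + write, create_crs
    ['ref_id' => 23, 'rol_id' => 12, 'ops_id' => 'O:8:"stdClass":0:{}'],   // tampered: an object
];

/**
 * Decode ops_id defensively: refuse to instantiate objects and keep only
 * integer ops ids. (The class calls unserialize() without restrictions.)
 */
function decodeOps(string $serialized): array
{
    $decoded = @unserialize($serialized, ['allowed_classes' => false]);
    if (!is_array($decoded)) {
        return [];
    }
    return array_values(array_filter($decoded, 'is_int'));
}

/**
 * Owner shortcut as in __filterOwnerPermissions(): return the operations that
 * ownership does NOT grant. An empty result means "owner, fully covered".
 */
function opsNotCoveredByOwnership(array $ops, bool $isOwner): array
{
    if (!$isOwner) {
        return $ops;
    }
    $reserved = ['cat_administrate_users', 'edit_permission', 'edit_learning_progress', 'read_learning_progress'];
    return array_values(array_filter($ops, function (string $op) use ($reserved): bool {
        return in_array($op, $reserved, true) || strncmp($op, 'create', 6) === 0;
    }));
}

/**
 * ALL requested operations must be granted, as in checkAccessOfUser().
 */
function checkAccessOfUserModel(array $operations, array $rbacPa, array $userRoles, bool $isOwner,
                                string $opsCsv, int $refId, string $type = ''): bool
{
    $wanted = opsNotCoveredByOwnership(explode(',', $opsCsv), $isOwner);
    if ($wanted === []) {
        return true;                            // ownership covers everything requested
    }
    if (in_array(SYSTEM_ROLE_ID, $userRoles, true)) {
        return true;                            // system role bypasses rbac_pa entirely
    }
    $granted = [];                              // ops ids of the user's roles on this object
    foreach ($rbacPa as $row) {
        if ($row['ref_id'] === $refId && in_array($row['rol_id'], $userRoles, true)) {
            $granted = array_merge($granted, decodeOps($row['ops_id']));
        }
    }
    foreach ($wanted as $op) {
        if ($op === 'create') {
            if ($type === '') {
                throw new InvalidArgumentException("'create' needs an object type");
            }
            $op = 'create_' . $type;            // create permissions are per object type
        }
        $opsId = $operations[$op] ?? null;      // unknown operation: never granted
        if ($opsId === null || !in_array($opsId, $granted, true)) {
            return false;                       // one missing operation fails the whole check
        }
    }
    return true;
}

function expect(bool $actual, bool $expected, string $what): void
{
    if ($actual !== $expected) {
        throw new RuntimeException("$what: expected " . var_export($expected, true));
    }
}

expect(checkAccessOfUserModel($operations, $rbacPa, [10], false, 'visible,read', 23), true, 'role 10 may read');
expect(checkAccessOfUserModel($operations, $rbacPa, [10], false, 'visible,read,write', 23), false, 'no write');
expect(checkAccessOfUserModel($operations, $rbacPa, [11], false, 'create', 23, 'crs'), true, 'role 11 creates crs');
expect(checkAccessOfUserModel($operations, $rbacPa, [10], false, 'create', 23, 'crs'), false, 'role 10 does not');
expect(checkAccessOfUserModel($operations, $rbacPa, [], true, 'write', 23), true, 'owner writes without rbac_pa');
expect(checkAccessOfUserModel($operations, $rbacPa, [], true, 'edit_permission', 23), false, 'owner cannot edit perms');
expect(checkAccessOfUserModel($operations, $rbacPa, [12], false, 'visible', 23), false, 'tampered row grants nothing');
expect(checkAccessOfUserModel($operations, $rbacPa, [SYSTEM_ROLE_ID], false, 'edit_permission', 23), true, 'system role');
echo "all checks passed\n";
```

Run it with php on the command line; each expect() call names the behaviour it checks and throws when it does not hold. The model keeps the order of the real method (owner shortcut, then system role, then rbac_pa), which is what makes the owner case return true without any rbac_pa row and the system role return true for edit_permission that ownership alone would not grant.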

◆ checkPermission()

ilRbacSystem::checkPermission (   $a_ref_id,
  $a_rol_id,
  $a_operation 
)

Check whether a specific role has the permission '$a_operation' on an object.

Unlike checkAccess() and checkAccessOfUser(), this answers a question about a single role, not a user: it queries rbac_operations and rbac_pa directly, uses none of the caches and applies neither the owner nor the system-role shortcut. An operation name that does not exist in rbac_operations leaves $ops_id undefined, so the result is effectively false. Note that the ops_id column is passed to unserialize() here without the stripslashes() call used by the other methods.

Parameters
    integer $a_ref_id    reference id of the object
    integer $a_rol_id    role id
    string  $a_operation the permission to check
Returns
    boolean

Definition at line 293 of file class.ilRbacSystem.php.

References $DIC, $ilDB, $query, $res, and $row.

294  {
295  global $DIC;
296 
297  $ilDB = $DIC['ilDB'];
298 
299  $ops = array();
300 
301  $query = 'SELECT ops_id FROM rbac_operations ' .
302  'WHERE operation = ' . $ilDB->quote($a_operation, 'text');
303  $res = $ilDB->query($query);
304  while ($row = $ilDB->fetchObject($res)) {
305  $ops_id = $row->ops_id;
306  }
307 
308  $query = "SELECT * FROM rbac_pa " .
309  "WHERE rol_id = " . $ilDB->quote($a_rol_id, 'integer') . " " .
310  "AND ref_id = " . $ilDB->quote($a_ref_id, 'integer') . " ";
311  $res = $ilDB->query($query);
312 
313  while ($row = $ilDB->fetchObject($res)) {
314  $ops = array_merge($ops, unserialize($row->ops_id));
315  }
316  return in_array($ops_id, $ops);
317  }

◆ fetchAssignedRoles()

ilRbacSystem::fetchAssignedRoles (   $a_usr_id,
  $a_ref_id 
)
private

Fetch the roles assigned to a user. The result is cached per user in self::$user_role_cache for the rest of the request. When the member view is active for the current user and $a_ref_id lies inside the member-view container, only the container's default member role is returned instead, so that the user is evaluated as an ordinary member.

private

Parameters
    integer $a_usr_id user id
    integer $a_ref_id reference id, used only for the member-view check

Definition at line 359 of file class.ilRbacSystem.php.

References $DIC, and $ilUser.

Referenced by checkAccessOfUser(), and preloadRbacPaCache().

360  {
361  global $DIC;
362 
363  $ilUser = $DIC['ilUser'];
364  $rbacreview = $DIC['rbacreview'];
365 
366  // Member view constraints
367  if ($this->mem_view['active'] and $a_usr_id == $ilUser->getId()) {
368  // check if current ref_id is subitem of active container
369  if (in_array($a_ref_id, $this->mem_view['items']) and $this->mem_view['role']) {
370  // Return default member role
371  return array($this->mem_view['role']);
372  }
373  }
374 
375  if (isset(self::$user_role_cache[$a_usr_id]) and is_array(self::$user_role_cache)) {
376  return self::$user_role_cache[$a_usr_id];
377  }
378 
379 
380 
381  return self::$user_role_cache[$a_usr_id] = $rbacreview->assignedRoles($a_usr_id);
382  }

◆ getInstance()

static ilRbacSystem::getInstance ( )
static

Definition at line 56 of file class.ilRbacSystem.php.

Referenced by ilInitialisation\initAccessHandling().

57  {
58  if (self::$instance) {
59  return self::$instance;
60  }
61  return self::$instance = new ilRbacSystem();
62  }

◆ initMemberView()

ilRbacSystem::initMemberView ( )

Init member view.

Evaluates the 'mv' request parameter: mv=0 forces deactivation of the member view for the given ref_id without a permission check; mv=1 activates it only if the current user has 'write' permission on that ref_id and then calls resetCaches() so that subsequent checks use the member role. When the member view is active, $this->mem_view holds the container, the reference ids of its whole subtree and the container's default member role; otherwise it is cleared.

Returns
    boolean always true

Definition at line 388 of file class.ilRbacSystem.php.

References $_GET, $DIC, $tree, checkAccess(), ilParticipants\getDefaultMemberRole(), and ilMemberViewSettings\getInstance().

389  {
390  include_once './Services/Container/classes/class.ilMemberViewSettings.php';
391  $settings = ilMemberViewSettings::getInstance();
392 
393  // disable member view
394  if (
395  isset($_GET['mv']) &&
396  $_GET['mv'] == 0
397  ) {
398  // force deactivation
399  $settings->toggleActivation((int) $_GET['ref_id'], false);
400  }
401  if (
402  isset($_GET['mv']) &&
403  $_GET['mv'] == 1
404  ) {
405  if ($this->checkAccess('write', (int) $_GET['ref_id'])) {
406  $settings->toggleActivation((int) $_GET['ref_id'], true);
407  // reset caches
408  self::resetCaches();
409  }
410  }
411 
412  if (!$settings->isActive()) {
413  $this->mem_view['active'] = false;
414  $this->mem_view['items'] = array();
415  $this->mem_view['role'] = 0;
416  } else {
417  global $DIC;
418 
419  $tree = $DIC['tree'];
420 
421  $this->mem_view['active'] = true;
422  $this->mem_view['items'] = $tree->getSubTreeIds($settings->getContainer());
423  $this->mem_view['items'] = array_merge($this->mem_view['items'], array($settings->getContainer()));
424 
425  include_once './Services/Membership/classes/class.ilParticipants.php';
426  $this->mem_view['role'] = ilParticipants::getDefaultMemberRole($settings->getContainer());
427  }
428  return true;
429  }

◆ preloadRbacPaCache()

ilRbacSystem::preloadRbacPaCache (   $a_ref_ids,
  $a_user_id 
)

Preload rbac_pa cache.

Fetches the rbac_pa rows for all given reference ids with a single query and fills self::$_paCache for $a_user_id, so that subsequent checkAccessOfUser() calls for these objects do not query the database. Reference ids already in the cache are skipped. Only the PA cache is filled; the checkAccessOfUser() result cache is unaffected.

Parameters
    array   $a_ref_ids reference ids to preload
    integer $a_user_id user id

Definition at line 241 of file class.ilRbacSystem.php.

References $DIC, $ilDB, $r, $row, fetchAssignedRoles(), and ilDBConstants\FETCHMODE_OBJECT.

242  {
243  global $DIC;
244 
245  $ilDB = $DIC['ilDB'];
246 
247  if (!is_array($a_ref_ids)) {
248  return;
249  }
250 
251  $ref_ids = array();
252  foreach ($a_ref_ids as $ref_id) {
253  if (!isset(self::$_paCache[$a_user_id . ":" . $ref_id])) {
254  $roles[$ref_id] = $this->fetchAssignedRoles($a_user_id, $ref_id);
255  $ops[$ref_id] = array();
256  $ref_ids[] = $ref_id;
257  }
258  }
259 
260  if (count($ref_ids) > 0) {
261 
262  // Data is not in PA cache, perform database query
263  $q = "SELECT * FROM rbac_pa " .
264  "WHERE " . $ilDB->in("ref_id", $ref_ids, false, "integer");
265 
266  $r = $this->ilDB->query($q);
267 
268  while ($row = $r->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
269  if (in_array($row->rol_id, $roles[$row->ref_id])) {
270  $ops[$row->ref_id] = array_merge(
271  $ops[$row->ref_id],
272  unserialize(stripslashes($row->ops_id))
273  );
274  }
275  }
276  foreach ($a_ref_ids as $ref_id) {
277  // #11313
278  if (!isset(self::$_paCache[$a_user_id . ":" . $ref_id])) {
279  self::$_paCache[$a_user_id . ":" . $ref_id] = $ops[$ref_id];
280  }
281  }
282  }
283  }

◆ resetCaches()

static ilRbacSystem::resetCaches ( )
static

Reset internal caches: the role cache, the rbac_pa cache and the checkAccessOfUser() result cache. Because the role cache is cleared too, roles added with addTemporaryRole() are dropped as well. Call it after roles or permissions change within a request; otherwise later checks keep returning the cached results.

Definition at line 67 of file class.ilRbacSystem.php.

Referenced by ilObjSessionGUI\unregisterObject().

68  {
69  self::$user_role_cache = array();
70  self::$_paCache = null;
71  self::$_checkAccessOfUserCache = null;
72  }

◆ resetPACache()

ilRbacSystem::resetPACache (   $a_usr_id,
  $a_ref_id 
)

Drops the cached rbac_pa operations for one user/reference id pair. The checkAccessOfUser() result cache is left untouched, so a check for the same user, operations and reference id that already ran in this request still returns its cached answer; use resetCaches() to clear everything.

Definition at line 438 of file class.ilRbacSystem.php.

439  {
440  $paCacheKey = $a_usr_id . ':' . $a_ref_id;
441  unset(self::$_paCache[$paCacheKey]);
442  }
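As an added example that is not ILIAS code, the following stand-alone PHP script models the three per-request caches of this class and how addTemporaryRole(), resetPACache() and resetCaches() interact with them. Permissions are keyed by operation name instead of ops_id, the rbac_pa and rbac_ua tables are replaced by constructed arrays, the owner and system-role shortcuts are left out, and all user, role and reference ids are arbitrary.

```php
<?php
// Added example, not ILIAS code: a model of the three per-request caches of
// ilRbacSystem and of what addTemporaryRole(), resetPACache() and resetCaches()
// do to them. Operations are plain names, all ids are arbitrary.
declare(strict_types=1);

final class RbacCacheModel
{
    private array $userRoleCache = [];   // self::$user_role_cache          [usr_id => [rol_id, ...]]
    private array $paCache = [];         // self::$_paCache                 ["usr:ref" => [operation, ...]]
    private array $resultCache = [];     // self::$_checkAccessOfUserCache  ["usr:op:ref" => bool]
    private array $rolePermissions;      // stands in for rbac_pa: [ref_id => [rol_id => [operation, ...]]]
    private array $assignedRoles;        // stands in for rbac_ua: [usr_id => [rol_id, ...]]

    public function __construct(array $rolePermissions, array $assignedRoles)
    {
        $this->rolePermissions = $rolePermissions;
        $this->assignedRoles = $assignedRoles;
    }

    private function fetchAssignedRoles(int $usrId): array
    {
        return $this->userRoleCache[$usrId] ??= ($this->assignedRoles[$usrId] ?? []);
    }

    // Only the role cache is touched, as in the class. The roles are fetched
    // first so that the cache entry exists (the original assumes it does).
    public function addTemporaryRole(int $usrId, int $roleId): void
    {
        $this->fetchAssignedRoles($usrId);
        if (!in_array($roleId, $this->userRoleCache[$usrId], true)) {
            $this->userRoleCache[$usrId][] = $roleId;
        }
    }

    public function resetPACache(int $usrId, int $refId): void
    {
        unset($this->paCache["$usrId:$refId"]);   // the result cache is NOT cleared
    }

    public function resetCaches(): void
    {
        $this->userRoleCache = $this->paCache = $this->resultCache = [];
    }

    public function checkAccessOfUser(int $usrId, string $operation, int $refId): bool
    {
        $key = "$usrId:$operation:$refId";
        if (array_key_exists($key, $this->resultCache)) {
            return $this->resultCache[$key];       // first cache: the whole answer
        }
        $roles = $this->fetchAssignedRoles($usrId);
        $paKey = "$usrId:$refId";
        if (!isset($this->paCache[$paKey])) {      // second cache: ops per user and object
            $ops = [];
            foreach ($roles as $roleId) {
                $ops = array_merge($ops, $this->rolePermissions[$refId][$roleId] ?? []);
            }
            $this->paCache[$paKey] = $ops;
        }
        return $this->resultCache[$key] = in_array($operation, $this->paCache[$paKey], true);
    }
}

function expect(bool $actual, bool $expected, string $what): void
{
    if ($actual !== $expected) {
        throw new RuntimeException("$what: expected " . var_export($expected, true));
    }
}

// constructed data: on ref 23 role 10 grants visible/read, role 11 also write/edit_permission
$rbac = new RbacCacheModel(
    [23 => [10 => ['visible', 'read'], 11 => ['visible', 'read', 'write', 'edit_permission']]],
    [7 => [10]]
);

expect($rbac->checkAccessOfUser(7, 'write', 23), false, 'role 10 has no write');
$rbac->addTemporaryRole(7, 11);
expect($rbac->checkAccessOfUser(7, 'write', 23), false, 'result cache still answers');
$rbac->resetPACache(7, 23);
expect($rbac->checkAccessOfUser(7, 'write', 23), false, 'resetPACache leaves the result cache alone');
expect($rbac->checkAccessOfUser(7, 'edit_permission', 23), true, 'unchecked operation sees the new role');
$rbac->resetCaches();
expect($rbac->checkAccessOfUser(7, 'write', 23), false, 'resetCaches also drops the temporary role');
$rbac->addTemporaryRole(7, 11);
expect($rbac->checkAccessOfUser(7, 'write', 23), true, 'fresh caches and re-added role');
echo "cache model behaves as described\n";
```

The sequence at the end shows why the order of these calls matters: a result cached before addTemporaryRole() survives resetPACache(), an operation that was never checked picks up the new role only once the PA entry is recomputed, and resetCaches() discards the temporary role together with the caches, so the role has to be added again afterwards.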

Field Documentation

◆ $_checkAccessOfUserCache

ilRbacSystem::$_checkAccessOfUserCache = null
staticprivate

Definition at line 29 of file class.ilRbacSystem.php.

◆ $_paCache

ilRbacSystem::$_paCache = null
staticprivate

Definition at line 26 of file class.ilRbacSystem.php.

◆ $ilias

ilRbacSystem::$ilias

Definition at line 23 of file class.ilRbacSystem.php.

Referenced by __construct().

◆ $instance

ilRbacSystem::$instance = null
staticprotected

Definition at line 18 of file class.ilRbacSystem.php.

◆ $mem_view

ilRbacSystem::$mem_view
protected

Definition at line 20 of file class.ilRbacSystem.php.

◆ $user_role_cache

ilRbacSystem::$user_role_cache = array()
staticprotected

Definition at line 22 of file class.ilRbacSystem.php.


The documentation for this class was generated from the following file: