1<?php
2/* Copyright (c) 1998-2010 ILIAS open source, Extended GPL, see docs/LICENSE */
3
4
19{
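public function __construct()
{
    global $DIC;

    $ilDB = $DIC['ilDB'];
    $ilErr = $DIC['ilErr'];
    $ilias = $DIC['ilias'];

    // set db: prefer the DIC handle, fall back to the legacy $ilias->db one
    $this->ilDB = isset($ilDB) ? $ilDB : $ilias->db;

    // set error handler: create one with a PEAR callback if none is registered
    if (!isset($ilErr)) {
        $ilErr = new ilErrorHandling();
        $ilErr->setErrorHandling(PEAR_ERROR_CALLBACK, array($ilErr, 'errorHandler'));
    }
    // Previously only the "already registered" branch stored the handler, so a
    // freshly created one was never reachable and every later
    // $this->ilErr->raiseError() in this class would have been a call on null.
    $this->ilErr = $ilErr;
}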
42
public function setBlockedStatus($a_role_id, $a_ref_id, $a_blocked_status)
{
    global $DIC;

    $ilDB = $DIC['ilDB'];

    // NOTE(review): this writes a full stack trace to the 'crs' log on every
    // call; it looks like a diagnostic left in place — confirm before removing.
    ilLoggerFactory::getLogger('crs')->logStack();

    // blocked is written as an integer flag for the (role, parent) pair in rbac_fa
    $query = sprintf(
        'UPDATE rbac_fa set blocked = %s WHERE rol_id = %s AND parent = %s',
        $ilDB->quote($a_blocked_status, 'integer'),
        $ilDB->quote($a_role_id, 'integer'),
        $ilDB->quote($a_ref_id, 'integer')
    );
    $ilDB->manipulate($query);
}
61
public function removeUser($a_usr_id)
{
    global $DIC;

    $ilDB = $DIC->database();
    $review = $DIC->rbac()->review();

    if (!isset($a_usr_id)) {
        $this->ilErr->raiseError(
            get_class($this) . "::removeUser(): No usr_id given!",
            $this->ilErr->WARNING
        );
    }

    // Deassign role by role first so the per-role side effects of
    // deassignUser() (assignment cache, LDAP mapping, event) fire for
    // every membership the user currently has.
    $assigned = $review->assignedRoles($a_usr_id);
    foreach ($assigned as $role_id) {
        $this->deassignUser($role_id, $a_usr_id);
    }

    // Then remove anything still left in rbac_ua for this user.
    $ilDB->manipulate(
        "DELETE FROM rbac_ua WHERE usr_id = " . $ilDB->quote($a_usr_id, 'integer')
    );

    return true;
}
90
98 public function deleteRole($a_rol_id, $a_ref_id)
99 {
100 global $DIC;
101
102 $lng = $DIC['lng'];
103 $ilDB = $DIC['ilDB'];
104
105 if (!isset($a_rol_id) or !isset($a_ref_id)) {
106 $message = get_class($this) . "::deleteRole(): Missing parameter! role_id: " . $a_rol_id . " ref_id of role folder: " . $a_ref_id;
107 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
108 }
109
110 // exclude system role from rbac
111 if ($a_rol_id == SYSTEM_ROLE_ID) {
112 $this->ilErr->raiseError($lng->txt("msg_sysrole_not_deletable"), $this->ilErr->MESSAGE);
113 }
114
115 include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
117 $mapping->deleteRole($a_rol_id);
118
119
120 // TODO: check assigned users before deletion
121 // This is done in ilObjRole. Should be better moved to this place?
122
123 // delete user assignements
124 $query = "DELETE FROM rbac_ua " .
125 "WHERE rol_id = " . $ilDB->quote($a_rol_id, 'integer');
126 $res = $ilDB->manipulate($query);
127
128 // delete permission assignments
129 $query = "DELETE FROM rbac_pa " .
130 "WHERE rol_id = " . $ilDB->quote($a_rol_id, 'integer') . " ";
131 $res = $ilDB->manipulate($query);
132
133 //delete rbac_templates and rbac_fa
134 $this->deleteLocalRole($a_rol_id);
135
136 return true;
137 }
138
public function deleteTemplate($a_obj_id)
{
    global $DIC;

    $ilDB = $DIC['ilDB'];

    if (!isset($a_obj_id)) {
        $message = get_class($this) . "::deleteTemplate(): No obj_id given!";
        $this->ilErr->raiseError($message, $this->ilErr->WARNING);
    }

    // Drop the role's template rows and its folder assignments, in that order.
    $rol_id = $ilDB->quote($a_obj_id, 'integer');
    foreach (['rbac_templates', 'rbac_fa'] as $table) {
        $ilDB->manipulate('DELETE FROM ' . $table . ' WHERE rol_id = ' . $rol_id);
    }

    return true;
}
166
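public function deleteLocalRole($a_rol_id, $a_ref_id = 0)
{
    global $DIC;

    $ilDB = $DIC['ilDB'];

    if (!isset($a_rol_id)) {
        $message = get_class($this) . "::deleteLocalRole(): Missing parameter! role_id: '" . $a_rol_id . "'";
        $this->ilErr->raiseError($message, $this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID) {
        return true;
    }

    // Without a ref_id the role's rbac_fa and rbac_templates rows are removed
    // for every parent. The clause is initialised so that path no longer
    // concatenates an undefined variable into the query.
    $clause = '';
    if ($a_ref_id != 0) {
        $clause = 'AND parent = ' . $ilDB->quote($a_ref_id, 'integer') . ' ';
    }

    $rol_id = $ilDB->quote($a_rol_id, 'integer');
    $ilDB->manipulate('DELETE FROM rbac_fa WHERE rol_id = ' . $rol_id . ' ' . $clause);
    $ilDB->manipulate('DELETE FROM rbac_templates WHERE rol_id = ' . $rol_id . ' ' . $clause);

    return true;
}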
205
212 public function assignUserLimited($a_role_id, $a_usr_id, $a_limit, $a_limited_roles = array())
213 {
214 global $DIC;
215
216 $ilDB = $DIC['ilDB'];
217
218 $ilAtomQuery = $ilDB->buildAtomQuery();
219 $ilAtomQuery->addTableLock('rbac_ua');
220
221 $ilAtomQuery->addQueryCallable(
222 function (ilDBInterface $ilDB) use (&$ret, $a_role_id, $a_usr_id,$a_limit, $a_limited_roles) {
223 $ret = true;
224 $limit_query = 'SELECT COUNT(*) num FROM rbac_ua ' .
225 'WHERE ' . $ilDB->in('rol_id', (array) $a_limited_roles, false, 'integer');
226 $res = $ilDB->query($limit_query);
228 if ($row->num >= $a_limit) {
229 $ret = false;
230 return;
231 }
232
233 $query = "INSERT INTO rbac_ua (usr_id, rol_id) " .
234 "VALUES (" .
235 $ilDB->quote($a_usr_id, 'integer') . "," . $ilDB->quote($a_role_id, 'integer') .
236 ")";
237 $res = $ilDB->manipulate($query);
238 }
239 );
240
241 $ilAtomQuery->run();
242
243 if (!$ret) {
244 return false;
245 }
246
247 $GLOBALS['DIC']['rbacreview']->setAssignedCacheEntry($a_role_id, $a_usr_id, true);
248
249 $this->addDesktopItem($a_role_id, $a_usr_id);
250
251 include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
253 $mapping->assign($a_role_id, $a_usr_id);
254 return true;
255 }
256
protected function addDesktopItem($a_rol_id, $a_usr_id)
{
    include_once 'Services/AccessControl/classes/class.ilRoleDesktopItem.php';
    include_once './Services/User/classes/class.ilObjUser.php';

    // Every desktop item configured for the role is pushed to the user's desktop.
    $role_items = new ilRoleDesktopItem($a_rol_id);
    foreach ($role_items->getAll() as $item) {
        ilObjUser::_addDesktopItem($a_usr_id, $item['item_id'], $item['item_type']);
    }
}
271
272
281 public function assignUser($a_rol_id, $a_usr_id)
282 {
283 global $DIC;
284
285 $ilDB = $DIC['ilDB'];
286 $rbacreview = $DIC['rbacreview'];
287
288 if (!isset($a_rol_id) or !isset($a_usr_id)) {
289 $message = get_class($this) . "::assignUser(): Missing parameter! role_id: " . $a_rol_id . " usr_id: " . $a_usr_id;
290 #$this->ilErr->raiseError($message,$this->ilErr->WARNING);
291 }
292
293 // check if already assigned user id and role_id
294 $alreadyAssigned = $rbacreview->isAssigned($a_usr_id, $a_rol_id);
295
296 // enhanced: only if we haven't had this role for this user
297 if (!$alreadyAssigned) {
298 $query = "INSERT INTO rbac_ua (usr_id, rol_id) " .
299 "VALUES (" . $ilDB->quote($a_usr_id, 'integer') . "," . $ilDB->quote($a_rol_id, 'integer') . ")";
300 $res = $ilDB->manipulate($query);
301
302 $this->addDesktopItem($a_rol_id, $a_usr_id);
303
304 $rbacreview->setAssignedCacheEntry($a_rol_id, $a_usr_id, true);
305 }
306
307 include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
309 $mapping->assign($a_rol_id, $a_usr_id);
310
311
312 $ref_id = $GLOBALS['DIC']['rbacreview']->getObjectReferenceOfRole($a_rol_id);
313 $obj_id = ilObject::_lookupObjId($ref_id);
314 $type = ilObject::_lookupType($obj_id);
315
316 if (!$alreadyAssigned) {
317 ilLoggerFactory::getInstance()->getLogger('ac')->debug('Raise event assign user');
318 $GLOBALS['DIC']['ilAppEventHandler']->raise(
319 'Services/AccessControl',
320 'assignUser',
321 array(
322 'obj_id' => $obj_id,
323 'usr_id' => $a_usr_id,
324 'role_id' => $a_rol_id,
325 'type' => $type
326 )
327 );
328 }
329 return true;
330 }
331
332
341 public function deassignUser($a_rol_id, $a_usr_id)
342 {
343 global $DIC;
344
345 $ilDB = $DIC['ilDB'];
346 $rbacreview = $DIC->rbac()->review();
347
348 if (!isset($a_rol_id) or !isset($a_usr_id)) {
349 $message = get_class($this) . "::deassignUser(): Missing parameter! role_id: " . $a_rol_id . " usr_id: " . $a_usr_id;
350 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
351 }
352
353 $query = "DELETE FROM rbac_ua " .
354 "WHERE usr_id = " . $ilDB->quote($a_usr_id, 'integer') . " " .
355 "AND rol_id = " . $ilDB->quote($a_rol_id, 'integer') . " ";
356 $res = $ilDB->manipulate($query);
357
358 $rbacreview->setAssignedCacheEntry($a_rol_id, $a_usr_id, false);
359
360 include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
362 $mapping->deassign($a_rol_id, $a_usr_id);
363
364 if ($res) {
365 $ref_id = $GLOBALS['DIC']['rbacreview']->getObjectReferenceOfRole($a_rol_id);
366 $obj_id = ilObject::_lookupObjId($ref_id);
367 $type = ilObject::_lookupType($obj_id);
368
369 ilLoggerFactory::getInstance()->getLogger('ac')->debug('Raise event deassign user');
370 $GLOBALS['DIC']['ilAppEventHandler']->raise('Services/AccessControl', 'deassignUser', array(
371 'obj_id' => $obj_id,
372 'usr_id' => $a_usr_id,
373 'role_id' => $a_rol_id,
374 'type' => $type,
375 ));
376 }
377
378 return true;
379 }
380
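public function grantPermission($a_rol_id, $a_ops, $a_ref_id)
{
    global $DIC;

    $ilDB = $DIC['ilDB'];

    if (!isset($a_rol_id) or !isset($a_ops) or !isset($a_ref_id)) {
        // The message used to end in "operations: " with nothing after it.
        $this->ilErr->raiseError(
            get_class($this) . "::grantPermission(): Missing parameter! " .
            "role_id: " . $a_rol_id . " ref_id: " . $a_ref_id .
            " operations: " . print_r($a_ops, true),
            $this->ilErr->WARNING
        );
    }

    if (!is_array($a_ops)) {
        $this->ilErr->raiseError(
            get_class($this) . "::grantPermission(): Wrong datatype for operations!",
            $this->ilErr->WARNING
        );
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID) {
        return true;
    }

    // Normalise every operation id to int before serialising; keys are preserved.
    $a_ops = array_map('intval', $a_ops);

    // rbac_pa.ops_id holds the PHP-serialised list of operation ids. That is the
    // storage format the rest of the rbac_pa readers appear to expect, so the
    // encoding is deliberately left as is.
    $ops_ids = serialize($a_ops);

    // Replace whatever is currently granted for this role on this ref_id.
    // This is a write, hence manipulateF rather than queryF.
    $ilDB->manipulateF(
        'DELETE FROM rbac_pa WHERE rol_id = %s AND ref_id = %s',
        array('integer', 'integer'),
        array($a_rol_id, $a_ref_id)
    );

    // An empty operation list only clears the grant; nothing is inserted.
    if (!count($a_ops)) {
        return false;
    }

    $query = "INSERT INTO rbac_pa (rol_id,ops_id,ref_id) VALUES (" .
        $ilDB->quote($a_rol_id, 'integer') . "," .
        $ilDB->quote($ops_ids, 'text') . "," .
        $ilDB->quote($a_ref_id, 'integer') . ")";
    $ilDB->manipulate($query);

    return true;
}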
446
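public function revokePermission($a_ref_id, $a_rol_id = 0, $a_keep_protected = true)
{
    global $DIC;

    $rbacreview = $DIC['rbacreview'];
    $ilDB = $DIC['ilDB'];
    $ilLog = $DIC['ilLog'];

    if (!isset($a_ref_id)) {
        $ilLog->logStack();
        $message = get_class($this) . "::revokePermission(): Missing parameter! ref_id: " . $a_ref_id;
        $this->ilErr->raiseError($message, $this->ilErr->WARNING);
    }

    $ref_id_sql = $ilDB->quote($a_ref_id, 'integer');

    // $a_keep_protected == false: bypass the protected flag entirely and delete
    // the rbac_pa rows outright (all roles on this ref_id, or only $a_rol_id).
    if ($a_keep_protected != true) {
        // exclude system role from rbac
        if ($a_rol_id == SYSTEM_ROLE_ID) {
            return true;
        }

        $query = "DELETE FROM rbac_pa WHERE ref_id = " . $ref_id_sql;
        if ($a_rol_id) {
            $query .= " AND rol_id = " . $ilDB->quote($a_rol_id, 'integer') . " ";
        }
        $ilDB->manipulate($query);

        return true;
    }

    // Otherwise honour the protected flag: fetch every role in scope first.
    $roles_in_scope = $rbacreview->getParentRoleIds($a_ref_id);

    if (!$a_rol_id) {
        // No role given: revoke for every non-protected role in scope.
        $role_ids = array();
        foreach ($roles_in_scope as $role) {
            if ($role['protected'] == true) {
                continue;
            }
            $role_ids[] = $role['obj_id'];
        }

        // nothing to revoke
        if (!$role_ids) {
            return true;
        }

        $query = 'DELETE FROM rbac_pa ' .
            'WHERE ' . $ilDB->in('rol_id', $role_ids, false, 'integer') . ' ' .
            'AND ref_id = ' . $ref_id_sql;
        $ilDB->manipulate($query);

        return true;
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID) {
        return true;
    }

    // Protected permission settings are never revoked. The isset() guard keeps
    // the previous outcome for a role that is not in scope at all (the delete
    // still runs) but without an undefined-index notice.
    if (isset($roles_in_scope[$a_rol_id]) && $roles_in_scope[$a_rol_id]['protected'] == true) {
        return true;
    }

    $query = "DELETE FROM rbac_pa " .
        "WHERE ref_id = " . $ref_id_sql . " " .
        "AND rol_id = " . $ilDB->quote($a_rol_id, 'integer') . " ";
    $ilDB->manipulate($query);

    return true;
}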
541
public function revokeSubtreePermissions($a_ref_id, $a_role_id)
{
    global $DIC;

    $ilDB = $DIC['ilDB'];

    // Subquery yielding the 'child' column of every node below $a_ref_id
    // (presumably the ref_ids of the subtree — the tree service defines it).
    $subtree = $GLOBALS['DIC']['tree']->getSubTreeQuery($a_ref_id, array('child'));

    $ilDB->manipulate(
        'DELETE FROM rbac_pa WHERE ref_id IN ( ' . $subtree . ' ) ' .
        'AND rol_id = ' . $ilDB->quote($a_role_id, 'integer')
    );
    return true;
}
562
public function deleteSubtreeTemplates($a_ref_id, $a_rol_id)
{
    global $DIC;

    $ilDB = $DIC['ilDB'];

    // Same subtree subquery for both tables, built once.
    $subtree = $GLOBALS['DIC']['tree']->getSubTreeQuery($a_ref_id, array('child'));
    $rol_id = $ilDB->quote($a_rol_id, 'integer');

    // Template rows first, then the folder assignments.
    foreach (['rbac_templates', 'rbac_fa'] as $table) {
        $ilDB->manipulate(
            'DELETE FROM ' . $table . ' WHERE parent IN ( ' . $subtree . ' ) ' .
            'AND rol_id = ' . $rol_id
        );
    }

    return true;
}
591
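public function revokePermissionList($a_ref_ids, $a_rol_id)
{
    global $DIC;

    $ilDB = $DIC['ilDB'];

    if (!isset($a_ref_ids) or !is_array($a_ref_ids)) {
        // var_dump() used to sit inside this concatenation: it prints straight
        // to the response and returns null, so the dump ended up in the page
        // output while the message itself was left empty. print_r(..., true)
        // returns the rendering instead of emitting it.
        $message = get_class($this) . "::revokePermissionList(): Missing parameter or parameter is not an array! reference_list: " . print_r($a_ref_ids, true);
        $this->ilErr->raiseError($message, $this->ilErr->WARNING);
    }

    if (!isset($a_rol_id)) {
        $message = get_class($this) . "::revokePermissionList(): Missing parameter! rol_id: " . $a_rol_id;
        $this->ilErr->raiseError($message, $this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID) {
        return true;
    }

    // One statement for the whole ref_id list.
    $query = "DELETE FROM rbac_pa " .
        "WHERE " . $ilDB->in('ref_id', $a_ref_ids, false, 'integer') . ' ' .
        "AND rol_id = " . $ilDB->quote($a_rol_id, 'integer');
    $ilDB->manipulate($query);

    return true;
}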
627
public function copyRolePermissions($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected = true)
{
    global $DIC;

    $tree = $DIC['tree'];
    $rbacreview = $DIC['rbacreview'];

    // Template permissions first (protected flag included when requested).
    $this->copyRoleTemplatePermissions(
        $a_source_id,
        $a_source_parent,
        $a_dest_parent,
        $a_dest_id,
        $a_consider_protected
    );

    // Then the object permissions: what the source role holds on its parent is
    // granted to the destination role on the destination parent. revokePermission
    // runs with its default (protected roles kept); grantPermission itself
    // deletes the existing rbac_pa row before inserting the new one.
    $ops = $rbacreview->getRoleOperationsOnObject($a_source_id, $a_source_parent);
    $this->revokePermission($a_dest_parent, $a_dest_id);
    $this->grantPermission($a_dest_id, $ops, $a_dest_parent);

    return true;
}
654
public function copyRoleTemplatePermissions($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected = true)
{
    global $DIC;

    $rbacreview = $DIC['rbacreview'];
    $ilDB = $DIC['ilDB'];

    if (!isset($a_source_id) || !isset($a_source_parent) || !isset($a_dest_id) || !isset($a_dest_parent)) {
        $message = __METHOD__ . ": Missing parameter! source_id: " . $a_source_id .
            " source_parent_id: " . $a_source_parent .
            " dest_id : " . $a_dest_id .
            " dest_parent_id: " . $a_dest_parent;
        $this->ilErr->raiseError($message, $this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_dest_id == SYSTEM_ROLE_ID) {
        return true;
    }

    // Read the (type, ops_id) pairs of the source template.
    $res = $ilDB->query(
        'SELECT * FROM rbac_templates ' .
        'WHERE rol_id = ' . $ilDB->quote($a_source_id, 'integer') . ' ' .
        'AND parent = ' . $ilDB->quote($a_source_parent, 'integer')
    );
    $operations = array();
    while ($row = $ilDB->fetchObject($res)) {
        $operations[] = array('type' => $row->type, 'ops_id' => $row->ops_id);
    }

    // Replace the destination template wholesale.
    $dest_id = $ilDB->quote($a_dest_id, 'integer');
    $dest_parent = $ilDB->quote($a_dest_parent, 'integer');
    $ilDB->manipulate(
        'DELETE FROM rbac_templates WHERE rol_id = ' . $dest_id . ' AND parent = ' . $dest_parent
    );

    foreach ($operations as $op) {
        $ilDB->manipulate(
            'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) VALUES (' .
            $dest_id . "," .
            $ilDB->quote($op['type'], 'text') . "," .
            $ilDB->quote($op['ops_id'], 'integer') . "," .
            $dest_parent . ")"
        );
    }

    // copy also protection status if applicable
    if ($a_consider_protected == true && $rbacreview->isProtected($a_source_parent, $a_source_id)) {
        $this->setProtected($a_dest_parent, $a_dest_id, 'y');
    }

    return true;
}
735 public function copyRolePermissionIntersection($a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_parent, $a_dest_id)
736 {
737 global $DIC;
738
739 $rbacreview = $DIC['rbacreview'];
740 $ilDB = $DIC['ilDB'];
741
742 if (!isset($a_source1_id) or !isset($a_source1_parent)
743 or !isset($a_source2_id) or !isset($a_source2_parent)
744 or !isset($a_dest_id) or !isset($a_dest_parent)) {
745 $message = get_class($this) . "::copyRolePermissionIntersection(): Missing parameter! source1_id: " . $a_source1_id .
746 " source1_parent: " . $a_source1_parent .
747 " source2_id: " . $a_source2_id .
748 " source2_parent: " . $a_source2_parent .
749 " dest_id: " . $a_dest_id .
750 " dest_parent_id: " . $a_dest_parent;
751 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
752 }
753
754 // exclude system role from rbac
755 if ($a_dest_id == SYSTEM_ROLE_ID) {
756 ilLoggerFactory::getLogger('ac')->debug('Ignoring system role.');
757 return true;
758 }
759
760 if ($rbacreview->isProtected($a_source2_parent, $a_source2_id)) {
761 $GLOBALS['DIC']['ilLog']->write(__METHOD__ . ': Role is protected');
762 return true;
763 }
764
765 $query = "SELECT s1.type, s1.ops_id " .
766 "FROM rbac_templates s1, rbac_templates s2 " .
767 "WHERE s1.rol_id = " . $ilDB->quote($a_source1_id, 'integer') . " " .
768 "AND s1.parent = " . $ilDB->quote($a_source1_parent, 'integer') . " " .
769 "AND s2.rol_id = " . $ilDB->quote($a_source2_id, 'integer') . " " .
770 "AND s2.parent = " . $ilDB->quote($a_source2_parent, 'integer') . " " .
771 "AND s1.type = s2.type " .
772 "AND s1.ops_id = s2.ops_id";
773
775
776 $res = $ilDB->query($query);
777 $operations = array();
778 $rowNum = 0;
779 while ($row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
780 $operations[$rowNum]['type'] = $row->type;
781 $operations[$rowNum]['ops_id'] = $row->ops_id;
782
783 $rowNum++;
784 }
785
786 // Delete template permissions of target
787 $query = 'DELETE FROM rbac_templates WHERE rol_id = ' . $ilDB->quote($a_dest_id, 'integer') . ' ' .
788 'AND parent = ' . $ilDB->quote($a_dest_parent, 'integer');
789 $res = $ilDB->manipulate($query);
790
791 $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) ' .
792 'VALUES (?,?,?,?)';
793 $sta = $ilDB->prepareManip($query, array('integer','text','integer','integer'));
794 foreach ($operations as $key => $set) {
795 $ilDB->execute($sta, array(
796 $a_dest_id,
797 $set['type'],
798 $set['ops_id'],
799 $a_dest_parent));
800 }
801 return true;
802 }
803
public function copyRolePermissionUnion(
    $a_source1_id,
    $a_source1_parent,
    $a_source2_id,
    $a_source2_parent,
    $a_dest_id,
    $a_dest_parent
) {
    global $DIC;

    $ilDB = $DIC['ilDB'];
    $rbacreview = $DIC['rbacreview'];

    $s1_ops = $rbacreview->getAllOperationsOfRole($a_source1_id, $a_source1_parent);
    $s2_ops = $rbacreview->getAllOperationsOfRole($a_source2_id, $a_source2_parent);

    // Start from an empty destination template.
    $this->deleteRolePermission($a_dest_id, $a_dest_parent);

    $GLOBALS['DIC']['ilLog']->write(__METHOD__ . ': ' . print_r($s1_ops, true));
    $GLOBALS['DIC']['ilLog']->write(__METHOD__ . ': ' . print_r($s2_ops, true));

    // #15469
    $dest_id = $ilDB->quote($a_dest_id, 'integer');
    $dest_parent = $ilDB->quote($a_dest_parent, 'integer');
    $insert = function ($type, $op) use ($ilDB, $dest_id, $dest_parent) {
        $ilDB->manipulate(
            'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) VALUES( ' .
            $dest_id . ', ' .
            $ilDB->quote($type, 'text') . ', ' .
            $ilDB->quote($op, 'integer') . ', ' .
            $dest_parent . ' )'
        );
    };

    // every permission of source 1 ...
    foreach ($s1_ops as $type => $ops) {
        foreach ($ops as $op) {
            $insert($type, $op);
        }
    }

    // ... plus whatever source 2 adds on top (loose in_array, as before)
    foreach ($s2_ops as $type => $ops) {
        foreach ($ops as $op) {
            if (!isset($s1_ops[$type]) || !in_array($op, $s1_ops[$type])) {
                $insert($type, $op);
            }
        }
    }

    return true;
}
870
public function copyRolePermissionSubtract($a_source_id, $a_source_parent, $a_dest_id, $a_dest_parent)
{
    global $DIC;

    $rbacreview = $DIC['rbacreview'];
    $ilDB = $DIC['ilDB'];

    $source_ops = $rbacreview->getAllOperationsOfRole($a_source_id, $a_source_parent);
    $dest_ops = $rbacreview->getAllOperationsOfRole($a_dest_id, $a_dest_parent);

    $dest_id = $ilDB->quote($a_dest_id, 'integer');
    $dest_parent = $ilDB->quote($a_dest_parent, 'integer');

    // Remove from the destination every (type, op) the source also has.
    foreach ($source_ops as $type => $ops) {
        if (!isset($dest_ops[$type])) {
            continue;
        }
        foreach ($ops as $op) {
            // loose in_array, as before
            if (!in_array($op, $dest_ops[$type])) {
                continue;
            }
            $ilDB->manipulate(
                'DELETE FROM rbac_templates ' .
                'WHERE rol_id = ' . $dest_id . ' ' .
                'AND type = ' . $ilDB->quote($type, 'text') . ' ' .
                'AND ops_id = ' . $ilDB->quote($op, 'integer') . ' ' .
                'AND parent = ' . $dest_parent
            );
        }
    }
    return true;
}
902
903
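public function deleteRolePermission($a_rol_id, $a_ref_id, $a_type = false)
{
    global $DIC;

    $ilDB = $DIC['ilDB'];

    if (!isset($a_rol_id) or !isset($a_ref_id)) {
        $message = get_class($this) . "::deleteRolePermission(): Missing parameter! role_id: " . $a_rol_id . " ref_id: " . $a_ref_id;
        $this->ilErr->raiseError($message, $this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID) {
        return true;
    }

    // Optional object-type restriction. Initialised so the query below never
    // concatenates an undefined variable when no type is given.
    $and_type = '';
    if ($a_type !== false) {
        $and_type = " AND type=" . $ilDB->quote($a_type, 'text') . " ";
    }

    $query = 'DELETE FROM rbac_templates ' .
        'WHERE rol_id = ' . $ilDB->quote($a_rol_id, 'integer') . ' ' .
        'AND parent = ' . $ilDB->quote($a_ref_id, 'integer') . ' ' .
        $and_type;
    $ilDB->manipulate($query);

    return true;
}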
943
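public function setRolePermission($a_rol_id, $a_type, $a_ops, $a_ref_id)
{
    global $DIC;

    $ilDB = $DIC['ilDB'];

    if (!isset($a_rol_id) or !isset($a_type) or !isset($a_ops) or !isset($a_ref_id)) {
        // $a_ops is an array; concatenating it directly produced "Array" plus an
        // array-to-string notice, so it is rendered with print_r instead.
        $message = get_class($this) . "::setRolePermission(): Missing parameter!" .
            " role_id: " . $a_rol_id .
            " type: " . $a_type .
            " operations: " . print_r($a_ops, true) .
            " ref_id: " . $a_ref_id;
        $this->ilErr->raiseError($message, $this->ilErr->WARNING);
    }

    if (!is_string($a_type) or empty($a_type)) {
        $message = get_class($this) . "::setRolePermission(): a_type is no string or empty!";
        $this->ilErr->raiseError($message, $this->ilErr->WARNING);
    }

    if (!is_array($a_ops) or empty($a_ops)) {
        $message = get_class($this) . "::setRolePermission(): a_ops is no array or empty!";
        $this->ilErr->raiseError($message, $this->ilErr->WARNING);
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID) {
        return true;
    }

    // One rbac_templates row per operation. replace() rather than a plain
    // INSERT, so re-running this for an already present tuple should not add
    // a duplicate — confirm against the driver's replace() semantics.
    foreach ($a_ops as $op) {
        $ilDB->replace(
            'rbac_templates',
            [
                'rol_id' => ['integer', $a_rol_id],
                'type' => ['text', $a_type],
                'ops_id' => ['integer', $op],
                'parent' => ['integer', $a_ref_id]
            ],
            []
        );
    }
    return true;
}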
998
public function assignRoleToFolder($a_rol_id, $a_parent, $a_assign = "y")
{
    global $DIC;

    $ilDB = $DIC['ilDB'];
    $rbacreview = $DIC['rbacreview'];

    if (!isset($a_rol_id) || !isset($a_parent)) {
        $this->ilErr->raiseError(
            get_class($this) . "::assignRoleToFolder(): Missing Parameter!" .
            " role_id: " . $a_rol_id .
            " parent_id: " . $a_parent .
            " assign: " . $a_assign,
            $this->ilErr->WARNING
        );
    }

    // exclude system role from rbac
    if ($a_rol_id == SYSTEM_ROLE_ID) {
        return true;
    }

    // anything that is not (loosely) "y" becomes "n"
    if ($a_assign != "y") {
        $a_assign = "n";
    }

    $rol_id = $ilDB->quote($a_rol_id, 'integer');
    $parent = $ilDB->quote($a_parent, 'integer');

    // never create a second rbac_fa row for the same role/parent pair
    $existing = $ilDB->query(
        'SELECT rol_id FROM rbac_fa WHERE rol_id = ' . $rol_id . ' AND parent = ' . $parent
    );
    if ($existing->numRows()) {
        ilLoggerFactory::getLogger('ac')->info('Role already assigned to object');
        return false;
    }

    // new assignments always start unprotected; see setProtected()
    $ilDB->manipulate(
        'INSERT INTO rbac_fa (rol_id, parent, assign, protected) VALUES (' .
        $rol_id . ',' .
        $parent . ',' .
        $ilDB->quote($a_assign, 'text') . ',' .
        $ilDB->quote('n', 'text') . ')'
    );

    return true;
}
1059
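public function assignOperationToObject($a_type_id, $a_ops_id)
{
    global $DIC;

    $ilDB = $DIC['ilDB'];

    if (!isset($a_type_id) or !isset($a_ops_id)) {
        // separators added: the parts used to run together ("...parameter!type_id: 1ops_id: 2")
        $message = get_class($this) . "::assignOperationToObject(): Missing parameter!" .
            " type_id: " . $a_type_id .
            " ops_id: " . $a_ops_id;
        $this->ilErr->raiseError($message, $this->ilErr->WARNING);
    }

    // rbac_ta maps an object type to an operation that is valid for it
    $query = "INSERT INTO rbac_ta (typ_id, ops_id) " .
        "VALUES(" . $ilDB->quote($a_type_id, 'integer') . "," . $ilDB->quote($a_ops_id, 'integer') . ")";
    $ilDB->manipulate($query);
    return true;
}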
1086
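public function deassignOperationFromObject($a_type_id, $a_ops_id)
{
    global $DIC;

    $ilDB = $DIC['ilDB'];

    if (!isset($a_type_id) or !isset($a_ops_id)) {
        // the message used to name a non-existent method (deassignPermissionFromObject)
        $message = get_class($this) . "::deassignOperationFromObject(): Missing parameter!" .
            " type_id: " . $a_type_id .
            " ops_id: " . $a_ops_id;
        $this->ilErr->raiseError($message, $this->ilErr->WARNING);
    }

    $query = "DELETE FROM rbac_ta " .
        "WHERE typ_id = " . $ilDB->quote($a_type_id, 'integer') . " " .
        "AND ops_id = " . $ilDB->quote($a_ops_id, 'integer');
    $ilDB->manipulate($query);

    return true;
}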
1115
public function setProtected($a_ref_id, $a_role_id, $a_value)
{
    global $DIC;

    $ilDB = $DIC['ilDB'];

    // $a_ref_id is intentionally unused: the protected flag is set on every
    // rbac_fa row of the role, regardless of where inheritance was broken.
    $ilDB->manipulate(
        'UPDATE rbac_fa ' .
        'SET protected = ' . $ilDB->quote($a_value, 'text') . ' ' .
        'WHERE rol_id = ' . $ilDB->quote($a_role_id, 'integer')
    );
    return true;
}
1138
public function copyLocalRoles($a_source_id, $a_target_id)
{
    global $DIC;

    $rbacreview = $DIC['rbacreview'];
    $ilLog = $DIC['ilLog'];
    $ilObjDataCache = $DIC['ilObjDataCache'];

    // Collect the roles of the source folder whose title does not start with
    // "il_" (presumably the auto-generated object roles — not verified here).
    $real_local = array();
    foreach ($rbacreview->getRolesOfRoleFolder($a_source_id, false) as $role_id) {
        if (substr($ilObjDataCache->lookupTitle($role_id), 0, 3) == 'il_') {
            continue;
        }
        $real_local[] = $role_id;
    }
    if (!count($real_local)) {
        return true;
    }

    include_once("./Services/AccessControl/classes/class.ilObjRole.php");
    foreach ($real_local as $role_id) {
        $orig = new ilObjRole($role_id);
        $orig->read();

        $ilLog->write(__METHOD__ . ': Start copying of role ' . $orig->getTitle());

        // new role object carrying over title, description and import id
        $copy = new ilObjRole();
        $copy->setTitle($orig->getTitle());
        $copy->setDescription($orig->getDescription());
        $copy->setImportId($orig->getImportId());
        $copy->create();

        $this->assignRoleToFolder($copy->getId(), $a_target_id, "y");
        $this->copyRolePermissions($role_id, $a_source_id, $a_target_id, $copy->getId(), true);
        $ilLog->write(__METHOD__ . ': Added new local role, id ' . $copy->getId());
    }
}
1186
1197 public function initIntersectionPermissions($a_ref_id, $a_role_id, $a_role_parent, $a_template_id, $a_template_parent)
1198 {
1199 global $DIC;
1200
1201 $rbacreview = $DIC['rbacreview'];
1202
1203 if ($rbacreview->isProtected($a_role_parent, $a_role_id)) {
1204 // Assign object permissions
1205 $new_ops = $rbacreview->getOperationsOfRole(
1206 $a_role_id,
1207 ilObject::_lookupType($a_ref_id, true),
1208 $a_role_parent
1209 );
1210
1211 // set new permissions for object
1212 $this->grantPermission(
1213 $a_role_id,
1214 (array) $new_ops,
1215 $a_ref_id
1216 );
1217 return;
1218 }
1219 if (!$a_template_id) {
1220 ilLoggerFactory::getLogger('ac')->info('No template id given. Aborting.');
1221 return;
1222 }
1223 // create template permission intersection
1225 $a_template_id,
1226 $a_template_parent,
1227 $a_role_id,
1228 $a_role_parent,
1229 $a_ref_id,
1230 $a_role_id
1231 );
1232
1233 // assign role to folder
1234 $this->assignRoleToFolder(
1235 $a_role_id,
1236 $a_ref_id,
1237 'n'
1238 );
1239
1240 // Assign object permissions
1241 $new_ops = $rbacreview->getOperationsOfRole(
1242 $a_role_id,
1243 ilObject::_lookupType($a_ref_id, true),
1244 $a_ref_id
1245 );
1246
1247 // revoke existing permissions
1248 $this->revokePermission($a_ref_id, $a_role_id);
1249
1250 // set new permissions for object
1251 $this->grantPermission(
1252 $a_role_id,
1253 (array) $new_ops,
1254 $a_ref_id
1255 );
1256
1257 return;
1258 }
1259
1267 protected function applyMovedObjectDidacticTemplates($a_ref_id, $a_old_parent)
1268 {
1269 include_once './Services/DidacticTemplate/classes/class.ilDidacticTemplateObjSettings.php';
1271 if (!$tpl_id) {
1272 return;
1273 }
1274 include_once './Services/DidacticTemplate/classes/class.ilDidacticTemplateActionFactory.php';
1277 continue;
1278 }
1279 $action->setRefId($a_ref_id);
1280 $action->apply();
1281 }
1282 return;
1283 }
1284
1285
1297 public function adjustMovedObjectPermissions($a_ref_id, $a_old_parent)
1298 {
1299 global $DIC;
1300
1301 $rbacreview = $DIC['rbacreview'];
1302 $tree = $DIC['tree'];
1303 $ilLog = $DIC['ilLog'];
1304
1305 $new_parent = $tree->getParentId($a_ref_id);
1306 $old_context_roles = $rbacreview->getParentRoleIds($a_old_parent, false);
1307 $new_context_roles = $rbacreview->getParentRoleIds($new_parent, false);
1308
1309 $for_addition = $for_deletion = array();
1310 foreach ($new_context_roles as $new_role_id => $new_role) {
1311 if (!isset($old_context_roles[$new_role_id])) {
1312 $for_addition[$new_role_id] = $new_role;
1313 } elseif ($new_role['parent'] != $old_context_roles[$new_role_id]['parent']) {
1314 // handle stopped inheritance
1315 $for_deletion[$new_role_id] = $new_role;
1316 $for_addition[$new_role_id] = $new_role;
1317 }
1318 }
1319 foreach ($old_context_roles as $old_role_id => $old_role) {
1320 if (!isset($new_context_roles[$old_role_id])) {
1321 $for_deletion[$old_role_id] = $old_role;
1322 }
1323 }
1324
1325 if (!count($for_deletion) and !count($for_addition)) {
1326 $this->applyMovedObjectDidacticTemplates($a_ref_id, $a_old_parent);
1327 return true;
1328 }
1329
1330 include_once "Services/AccessControl/classes/class.ilRbacLog.php";
1331 $rbac_log_active = ilRbacLog::isActive();
1332 if ($rbac_log_active) {
1333 $role_ids = array_unique(array_merge(array_keys($for_deletion), array_keys($for_addition)));
1334 }
1335
1336 foreach ($nodes = $tree->getSubTree($tree->getNodeData($a_ref_id), true) as $node_data) {
1337 $node_id = $node_data['child'];
1338
1339 if ($rbac_log_active) {
1340 $log_old = ilRbacLog::gatherFaPa($node_id, $role_ids);
1341 }
1342
1343 // If $node_data['type'] is not set, this means there is a tree entry without
1344 // object_reference and/or object_data entry
1345 // Continue in this case
1346 if (!$node_data['type']) {
1347 $ilLog->write(__METHOD__ . ': No type give. Choosing next tree entry.');
1348 continue;
1349 }
1350
1351 if (!$node_id) {
1352 $ilLog->write(__METHOD__ . ': Missing subtree node_id');
1353 continue;
1354 }
1355
1356 foreach ($for_deletion as $role_id => $role_data) {
1357 $this->deleteLocalRole($role_id, $node_id);
1358 $this->revokePermission($node_id, $role_id, false);
1359 //var_dump("<pre>",'REVOKE',$role_id,$node_id,$rolf_id,"</pre>");
1360 }
1361 foreach ($for_addition as $role_id => $role_data) {
1362 switch ($node_data['type']) {
1363 case 'grp':
1364 include_once './Modules/Group/classes/class.ilObjGroup.php';
1365 $tpl_id = ilObjGroup::lookupGroupStatusTemplateId($node_data['obj_id']);
1367 $node_data['child'],
1368 $role_id,
1369 $role_data['parent'],
1370 $tpl_id,
1371 ROLE_FOLDER_ID
1372 );
1373 break;
1374
1375 case 'crs':
1376 include_once './Modules/Course/classes/class.ilObjCourse.php';
1379 $node_data['child'],
1380 $role_id,
1381 $role_data['parent'],
1382 $tpl_id,
1383 ROLE_FOLDER_ID
1384 );
1385 break;
1386
1387
1388 default:
1389 $this->grantPermission(
1390 $role_id,
1391 $ops = $rbacreview->getOperationsOfRole($role_id, $node_data['type'], $role_data['parent']),
1392 $node_id
1393 );
1394 break;
1395
1396
1397 }
1398
1399
1400 //var_dump("<pre>",'GRANT',$role_id,$ops,$role_id,$node_data['type'],$role_data['parent'],"</pre>");
1401 }
1402
1403 if ($rbac_log_active) {
1404 $log_new = ilRbacLog::gatherFaPa($node_id, $role_ids);
1405 $log = ilRbacLog::diffFaPa($log_old, $log_new);
1407 }
1408 }
1409
1410 $this->applyMovedObjectDidacticTemplates($a_ref_id, $a_old_parent);
1411 }
1412} // END class.ilRbacAdmin