ILIAS  release_5-4 Revision v5.4.26-12-gabc799a52e6
ilRbacAdmin Class Reference

Class ilRbacAdmin: core functions for role based access control.


Public Member Functions

    __construct ()
        Constructor. @access public

    setBlockedStatus ($a_role_id, $a_ref_id, $a_blocked_status)
        Set blocked status.

    removeUser ($a_usr_id)
        Deletes a user from rbac_ua; all user <-> role relations of that user are deleted. @access public

    deleteRole ($a_rol_id, $a_ref_id)
        Deletes a role and its entries in object_data, rbac_pa, rbac_templates, rbac_ua and rbac_fa. @access public

    deleteTemplate ($a_obj_id)
        Deletes a template from the role folder and all its entries in rbac_templates and rbac_fa. @access public

    deleteLocalRole ($a_rol_id, $a_ref_id=0)
        Deletes a local role and its entries in rbac_fa and rbac_templates. @access public

    assignUserLimited ($a_role_id, $a_usr_id, $a_limit, $a_limited_roles=array())
        Assigns a user to a role, subject to a limit check.

    assignUser ($a_rol_id, $a_usr_id)
        Assigns a user to a role.

    deassignUser ($a_rol_id, $a_usr_id)
        Deassigns a user from a role.

    grantPermission ($a_rol_id, $a_ops, $a_ref_id)
        Grants permissions on an object to a specific role.

    revokePermission ($a_ref_id, $a_rol_id=0, $a_keep_protected=true)
        Revokes permissions of an object for one role.

    revokeSubtreePermissions ($a_ref_id, $a_role_id)
        Revoke subtree permissions.

    deleteSubtreeTemplates ($a_ref_id, $a_rol_id)
        Delete all template permissions of subtree nodes.

    revokePermissionList ($a_ref_ids, $a_rol_id)
        Revokes permissions of a LIST of objects for ONE role.

    copyRolePermissions ($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected=true)
        Copies template permissions and permissions of one role to another.

    copyRoleTemplatePermissions ($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected=true)
        Copies template permissions of one role to another.

    copyRolePermissionIntersection ($a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_parent, $a_dest_id)
        Copies the intersection of the template permissions of two roles to a third role.

    copyRolePermissionUnion ($a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_id, $a_dest_parent)
        Copies the union of the template permissions of two roles to a third role. @global <type> $ilDB

    copyRolePermissionSubtract ($a_source_id, $a_source_parent, $a_dest_id, $a_dest_parent)
        Subtract role permissions.

    deleteRolePermission ($a_rol_id, $a_ref_id, $a_type=false)
        Deletes all entries of a template.

    setRolePermission ($a_rol_id, $a_type, $a_ops, $a_ref_id)
        Inserts template permissions into rbac_templates for a specific object type.

    assignRoleToFolder ($a_rol_id, $a_parent, $a_assign="y")
        Assigns a role to a role folder. A role folder is an object that stores roles.

    assignOperationToObject ($a_type_id, $a_ops_id)
        Assigns an existing operation to an object type (update of rbac_ta).

    deassignOperationFromObject ($a_type_id, $a_ops_id)
        Deassigns an existing operation from an object type (update of rbac_ta). @access public

    setProtected ($a_ref_id, $a_role_id, $a_value)
        Set protected. @global $ilDB

    copyLocalRoles ($a_source_id, $a_target_id)
        Copy local roles. This method creates a copy of all local roles.

    initIntersectionPermissions ($a_ref_id, $a_role_id, $a_role_parent, $a_template_id, $a_template_parent)
        Init intersection permissions.

    adjustMovedObjectPermissions ($a_ref_id, $a_old_parent)
        Adjust permissions of moved objects.

Protected Member Functions

    addDesktopItem ($a_rol_id, $a_usr_id)
        Add desktop item.

    applyMovedObjectDidacticTemplates ($a_ref_id, $a_old_parent)
        Apply didactic templates after object movement.
 

Detailed Description

Class ilRbacAdmin: core functions for role based access control.

Creation and maintenance of relations. The main relations of RBAC are the user <-> role (UR) assignment relation and the permission <-> role (PR) assignment relation. This class contains methods to create and delete instances of the UR relation, e.g. assignUser() and deassignUser(). The corresponding methods for the PR relation are grantPermission() and revokePermission().

Author
    Stefan Meyer <meyer@leifos.com>
Version
$Id$

Definition at line 18 of file class.ilRbacAdmin.php.

Constructor & Destructor Documentation

◆ __construct()

ilRbacAdmin::__construct()

Constructor @access public.

Definition at line 24 of file class.ilRbacAdmin.php.

    {
        global $DIC;

        $ilDB = $DIC['ilDB'];
        $ilErr = $DIC['ilErr'];
        $ilias = $DIC['ilias'];

        // set db & error handler
        (isset($ilDB)) ? $this->ilDB = &$ilDB : $this->ilDB = &$ilias->db;

        if (!isset($ilErr)) {
            // note: the freshly created handler is only stored in the local $ilErr,
            // not in $this->ilErr, which the raiseError() calls below rely on
            $ilErr = new ilErrorHandling();
            $ilErr->setErrorHandling(PEAR_ERROR_CALLBACK, array($ilErr, 'errorHandler'));
        } else {
            $this->ilErr = &$ilErr;
        }
    }

References $DIC, $ilDB, $ilErr, and PEAR_ERROR_CALLBACK.

Member Function Documentation

◆ addDesktopItem()

ilRbacAdmin::addDesktopItem($a_rol_id, $a_usr_id)   [protected]

Add desktop item.

Parameters
    type $a_rol_id
    type $a_usr_id

Definition at line 262 of file class.ilRbacAdmin.php.

    {
        include_once 'Services/AccessControl/classes/class.ilRoleDesktopItem.php';
        $role_desk_item_obj = new ilRoleDesktopItem($a_rol_id);
        foreach ($role_desk_item_obj->getAll() as $item_data) {
            include_once './Services/User/classes/class.ilObjUser.php';
            ilObjUser::_addDesktopItem($a_usr_id, $item_data['item_id'], $item_data['item_type']);
        }
    }

References ilObjUser\_addDesktopItem().

Referenced by assignUser(), and assignUserLimited().


◆ adjustMovedObjectPermissions()

ilRbacAdmin::adjustMovedObjectPermissions($a_ref_id, $a_old_parent)

Adjust permissions of moved objects.

  • Delete permissions of parent roles that do not exist in the new context
  • Delete role templates of parent roles that do not exist in the new context
  • Add permissions for parent roles that did not exist in the old context

@access public

Parameters
    int ref_id of moved object
    int ref_id of old parent

Definition at line 1297 of file class.ilRbacAdmin.php.

    {
        global $DIC;

        $rbacreview = $DIC['rbacreview'];
        $tree = $DIC['tree'];
        $ilLog = $DIC['ilLog'];

        $new_parent = $tree->getParentId($a_ref_id);
        $old_context_roles = $rbacreview->getParentRoleIds($a_old_parent, false);
        $new_context_roles = $rbacreview->getParentRoleIds($new_parent, false);

        // diff the roles reaching the object before and after the move
        $for_addition = $for_deletion = array();
        foreach ($new_context_roles as $new_role_id => $new_role) {
            if (!isset($old_context_roles[$new_role_id])) {
                $for_addition[$new_role_id] = $new_role;
            } elseif ($new_role['parent'] != $old_context_roles[$new_role_id]['parent']) {
                // handle stopped inheritance
                $for_deletion[$new_role_id] = $new_role;
                $for_addition[$new_role_id] = $new_role;
            }
        }
        foreach ($old_context_roles as $old_role_id => $old_role) {
            if (!isset($new_context_roles[$old_role_id])) {
                $for_deletion[$old_role_id] = $old_role;
            }
        }

        if (!count($for_deletion) and !count($for_addition)) {
            $this->applyMovedObjectDidacticTemplates($a_ref_id, $a_old_parent);
            return true;
        }

        include_once "Services/AccessControl/classes/class.ilRbacLog.php";
        $rbac_log_active = ilRbacLog::isActive();
        if ($rbac_log_active) {
            $role_ids = array_unique(array_merge(array_keys($for_deletion), array_keys($for_addition)));
        }

        foreach ($nodes = $tree->getSubTree($tree->getNodeData($a_ref_id), true) as $node_data) {
            $node_id = $node_data['child'];

            if ($rbac_log_active) {
                $log_old = ilRbacLog::gatherFaPa($node_id, $role_ids);
            }

            // If $node_data['type'] is not set, this means there is a tree entry without
            // object_reference and/or object_data entry
            // Continue in this case
            if (!$node_data['type']) {
                $ilLog->write(__METHOD__ . ': No type given. Choosing next tree entry.');
                continue;
            }

            if (!$node_id) {
                $ilLog->write(__METHOD__ . ': Missing subtree node_id');
                continue;
            }

            foreach ($for_deletion as $role_id => $role_data) {
                $this->deleteLocalRole($role_id, $node_id);
                $this->revokePermission($node_id, $role_id, false);
            }
            foreach ($for_addition as $role_id => $role_data) {
                switch ($node_data['type']) {
                    case 'grp':
                        include_once './Modules/Group/classes/class.ilObjGroup.php';
                        $tpl_id = ilObjGroup::lookupGroupStatusTemplateId($node_data['obj_id']);
                        $this->initIntersectionPermissions(
                            $node_data['child'],
                            $role_id,
                            $role_data['parent'],
                            $tpl_id,
                            ROLE_FOLDER_ID
                        );
                        break;

                    case 'crs':
                        include_once './Modules/Course/classes/class.ilObjCourse.php';
                        $tpl_id = ilObjCourse::lookupCourseNonMemberTemplatesId();
                        $this->initIntersectionPermissions(
                            $node_data['child'],
                            $role_id,
                            $role_data['parent'],
                            $tpl_id,
                            ROLE_FOLDER_ID
                        );
                        break;

                    default:
                        $this->grantPermission(
                            $role_id,
                            $ops = $rbacreview->getOperationsOfRole($role_id, $node_data['type'], $role_data['parent']),
                            $node_id
                        );
                        break;
                }
            }

            if ($rbac_log_active) {
                $log_new = ilRbacLog::gatherFaPa($node_id, $role_ids);
                $log = ilRbacLog::diffFaPa($log_old, $log_new);
                ilRbacLog::add(ilRbacLog::MOVE_OBJECT, $node_id, $log, $a_ref_id);
            }
        }

        $this->applyMovedObjectDidacticTemplates($a_ref_id, $a_old_parent);
    }

References $DIC, $ilLog, $log, $nodes, $tree, ilRbacLog\add(), applyMovedObjectDidacticTemplates(), deleteLocalRole(), ilRbacLog\diffFaPa(), ilRbacLog\gatherFaPa(), grantPermission(), initIntersectionPermissions(), ilRbacLog\isActive(), ilObjCourse\lookupCourseNonMemberTemplatesId(), ilObjGroup\lookupGroupStatusTemplateId(), ilRbacLog\MOVE_OBJECT, and revokePermission().
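As an added illustration (not ILIAS code), the Python below models the role diff this method computes and the revoke/grant it then applies along the subtree. The context maps mirror the shape getParentRoleIds() returns in the body above (role_id => ['parent' => ref_id]), rbac_pa is modelled as a dict keyed by (ref_id, role_id), only the default branch (grantPermission from the role's template) is modelled rather than the grp/crs intersection branches, and every id and operation name is constructed.

```python
# Added example, not ILIAS code: models the for_addition / for_deletion diff of
# adjustMovedObjectPermissions() and the revoke/grant it applies along the subtree.
from typing import Dict, List, Set, Tuple

# role_id -> {'parent': ref_id of the role folder the role is inherited from},
# the shape getParentRoleIds() returns (assumed from the method body above)
ContextRoles = Dict[int, Dict[str, int]]
# rbac_pa modelled as (ref_id, role_id) -> set of operations
PermissionTable = Dict[Tuple[int, int], Set[str]]
# rbac_templates modelled as (role_id, object type, parent) -> set of operations
TemplateTable = Dict[Tuple[int, str, int], Set[str]]


def diff_context_roles(old_ctx: ContextRoles,
                       new_ctx: ContextRoles) -> Tuple[ContextRoles, ContextRoles]:
    """Return (for_addition, for_deletion), following the three rules above."""
    for_addition: ContextRoles = {}
    for_deletion: ContextRoles = {}
    for role_id, role in new_ctx.items():
        if role_id not in old_ctx:
            # parent role that did not reach the object in the old context
            for_addition[role_id] = role
        elif role['parent'] != old_ctx[role_id]['parent']:
            # same role, inherited from a different role folder: stopped
            # inheritance, so the old grant is dropped and re-derived
            for_deletion[role_id] = role
            for_addition[role_id] = role
    for role_id, role in old_ctx.items():
        if role_id not in new_ctx:
            # parent role that no longer reaches the object
            for_deletion[role_id] = role
    return for_addition, for_deletion


def apply_move(rbac_pa: PermissionTable, templates: TemplateTable,
               subtree: List[Tuple[int, str]], old_ctx: ContextRoles,
               new_ctx: ContextRoles) -> PermissionTable:
    """Revoke/grant on every subtree node, like the loop over getSubTree()."""
    for_addition, for_deletion = diff_context_roles(old_ctx, new_ctx)
    pa = {key: set(ops) for key, ops in rbac_pa.items()}
    if not for_addition and not for_deletion:
        return pa  # nothing to adjust (didactic templates would still run)
    for ref_id, obj_type in subtree:
        if not obj_type:
            continue  # tree entry without object_data: skipped, as above
        for role_id in for_deletion:
            # revokePermission(node, role); deleteLocalRole() is not modelled
            pa.pop((ref_id, role_id), None)
        for role_id, role in for_addition.items():
            # default branch: grantPermission(role, getOperationsOfRole(...), node)
            ops = templates.get((role_id, obj_type, role['parent']), set())
            pa[(ref_id, role_id)] = set(ops)
    return pa


# Constructed sample: object 100 (with child 101) moves from parent 10 to 20.
# Role 5 keeps reaching the object but now from folder 20 (stopped inheritance),
# role 6 stops reaching it, role 7 starts reaching it.
OLD_CTX: ContextRoles = {5: {'parent': 1}, 6: {'parent': 10}}
NEW_CTX: ContextRoles = {5: {'parent': 20}, 7: {'parent': 1}}
SUBTREE = [(100, 'fold'), (101, 'file')]
RBAC_PA: PermissionTable = {
    (100, 5): {'read'},
    (100, 6): {'read', 'write'},
    (101, 6): {'read'},
}
TEMPLATES: TemplateTable = {
    (5, 'fold', 20): {'read', 'write'},
    (5, 'file', 20): {'read'},
    (7, 'fold', 1): {'visible'},
    (7, 'file', 1): {'visible', 'read'},
}


def demo() -> PermissionTable:
    return apply_move(RBAC_PA, TEMPLATES, SUBTREE, OLD_CTX, NEW_CTX)


if __name__ == '__main__':
    for key, ops in sorted(demo().items()):
        print(key, sorted(ops))
```

The point worth checking on a real move is the stopped-inheritance case: role 5 is both revoked and re-granted, so its effective operations come from the new folder's template rather than from the old grant.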


◆ applyMovedObjectDidacticTemplates()

ilRbacAdmin::applyMovedObjectDidacticTemplates($a_ref_id, $a_old_parent)   [protected]

Apply didactic templates after object movement.

Parameters
    int $a_ref_id
    int $a_old_parent

Deprecated:
    since version 5.1.0; will be removed with 5.4 and implemented using an event handler

Definition at line 1267 of file class.ilRbacAdmin.php.

    {
        include_once './Services/DidacticTemplate/classes/class.ilDidacticTemplateObjSettings.php';
        $tpl_id = ilDidacticTemplateObjSettings::lookupTemplateId($a_ref_id);
        if (!$tpl_id) {
            return;
        }
        include_once './Services/DidacticTemplate/classes/class.ilDidacticTemplateActionFactory.php';
        foreach (ilDidacticTemplateActionFactory::getActionsByTemplateId($tpl_id) as $action) {
            // only local role actions are re-applied after a move
            if (!$action instanceof ilDidacticTemplateLocalRoleAction) {
                continue;
            }
            $action->setRefId($a_ref_id);
            $action->apply();
        }
        return;
    }

References $action, ilDidacticTemplateActionFactory\getActionsByTemplateId(), and ilDidacticTemplateObjSettings\lookupTemplateId().

Referenced by adjustMovedObjectPermissions().


◆ assignOperationToObject()

ilRbacAdmin::assignOperationToObject($a_type_id, $a_ops_id)

Assigns an existing operation to an object type (update of rbac_ta).

@access public

Parameters
    integer object type
    integer operation_id

Returns
    boolean

Definition at line 1068 of file class.ilRbacAdmin.php.

    {
        global $DIC;

        $ilDB = $DIC['ilDB'];

        if (!isset($a_type_id) or !isset($a_ops_id)) {
            $message = get_class($this) . "::assignOperationToObject(): Missing parameter!" .
                "type_id: " . $a_type_id .
                "ops_id: " . $a_ops_id;
            $this->ilErr->raiseError($message, $this->ilErr->WARNING);
        }

        $query = "INSERT INTO rbac_ta (typ_id, ops_id) " .
            "VALUES(" . $ilDB->quote($a_type_id, 'integer') . "," . $ilDB->quote($a_ops_id, 'integer') . ")";
        $res = $ilDB->manipulate($query);
        return true;
    }

References $DIC, $ilDB, $message, $query, and $res.

◆ assignRoleToFolder()

ilRbacAdmin::assignRoleToFolder($a_rol_id, $a_parent, $a_assign = "y")

Assigns a role to a role folder. A role folder is an object that stores roles.

Every role is assigned to at least one role folder. If the inheritance of a role is stopped, a new role template is created and the role is assigned to at least two role folders. All roles with stopped inheritance need the flag '$a_assign = false'.

@access public

Parameters
    integer object id of role
    integer ref_id of role folder
    string assignable ('y','n'); default: 'y'

Returns
    boolean

Definition at line 1012 of file class.ilRbacAdmin.php.

    {
        global $DIC;

        $ilDB = $DIC['ilDB'];
        $rbacreview = $DIC['rbacreview'];

        if (!isset($a_rol_id) or !isset($a_parent)) {
            $message = get_class($this) . "::assignRoleToFolder(): Missing Parameter!" .
                " role_id: " . $a_rol_id .
                " parent_id: " . $a_parent .
                " assign: " . $a_assign;
            $this->ilErr->raiseError($message, $this->ilErr->WARNING);
        }

        // exclude system role from rbac
        if ($a_rol_id == SYSTEM_ROLE_ID) {
            return true;
        }

        // if a wrong value is passed, always set assign to "n"
        if ($a_assign != "y") {
            $a_assign = "n";
        }

        // check if already assigned
        $query = 'SELECT rol_id FROM rbac_fa ' .
            'WHERE rol_id = ' . $ilDB->quote($a_rol_id, 'integer') . ' ' .
            'AND parent = ' . $ilDB->quote($a_parent, 'integer');
        $res = $ilDB->query($query);
        if ($res->numRows()) {
            ilLoggerFactory::getLogger('ac')->info('Role already assigned to object');
            return false;
        }

        // new assignments are never protected
        $query = sprintf(
            'INSERT INTO rbac_fa (rol_id, parent, assign, protected) ' .
            'VALUES (%s,%s,%s,%s)',
            $ilDB->quote($a_rol_id, 'integer'),
            $ilDB->quote($a_parent, 'integer'),
            $ilDB->quote($a_assign, 'text'),
            $ilDB->quote('n', 'text')
        );
        $res = $ilDB->manipulate($query);

        return true;
    }

References $DIC, $ilDB, $message, $query, $res, and ilLoggerFactory\getLogger().

Referenced by copyLocalRoles(), and initIntersectionPermissions().


◆ assignUser()

ilRbacAdmin::assignUser($a_rol_id, $a_usr_id)

Assigns a user to a role.

Update of table rbac_ua

Parameters
    int $a_rol_id Object-ID of role
    int $a_usr_id Object-ID of user

Returns
    boolean

Definition at line 281 of file class.ilRbacAdmin.php.

    {
        global $DIC;

        $ilDB = $DIC['ilDB'];
        $rbacreview = $DIC['rbacreview'];

        if (!isset($a_rol_id) or !isset($a_usr_id)) {
            // the message is only built here; raising it is commented out
            $message = get_class($this) . "::assignUser(): Missing parameter! role_id: " . $a_rol_id . " usr_id: " . $a_usr_id;
            #$this->ilErr->raiseError($message,$this->ilErr->WARNING);
        }

        // check if already assigned user id and role_id
        $alreadyAssigned = $rbacreview->isAssigned($a_usr_id, $a_rol_id);

        // enhanced: only if we haven't had this role for this user
        if (!$alreadyAssigned) {
            $query = "INSERT INTO rbac_ua (usr_id, rol_id) " .
                "VALUES (" . $ilDB->quote($a_usr_id, 'integer') . "," . $ilDB->quote($a_rol_id, 'integer') . ")";
            $res = $ilDB->manipulate($query);

            $this->addDesktopItem($a_rol_id, $a_usr_id);

            $rbacreview->setAssignedCacheEntry($a_rol_id, $a_usr_id, true);
        }

        // keep the LDAP role <-> group mapping in sync
        include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
        $mapping = ilLDAPRoleGroupMapping::_getInstance();
        $mapping->assign($a_rol_id, $a_usr_id);

        $ref_id = $GLOBALS['DIC']['rbacreview']->getObjectReferenceOfRole($a_rol_id);
        $obj_id = ilObject::_lookupObjId($ref_id);
        $type = ilObject::_lookupType($obj_id);

        if (!$alreadyAssigned) {
            ilLoggerFactory::getInstance()->getLogger('ac')->debug('Raise event assign user');
            $GLOBALS['DIC']['ilAppEventHandler']->raise(
                'Services/AccessControl',
                'assignUser',
                array(
                    'obj_id' => $obj_id,
                    'usr_id' => $a_usr_id,
                    'role_id' => $a_rol_id,
                    'type' => $type
                )
            );
        }
        return true;
    }

References $DIC, $GLOBALS, $ilDB, $message, $query, $res, $type, ilLDAPRoleGroupMapping\_getInstance(), ilObject\_lookupObjId(), ilObject\_lookupType(), addDesktopItem(), and ilLoggerFactory\getInstance().


◆ assignUserLimited()

ilRbacAdmin::assignUserLimited($a_role_id, $a_usr_id, $a_limit, $a_limited_roles = array())

Assign user limited.

Parameters
    type $a_role_id
    type $a_usr_id
    type $a_limit

Definition at line 212 of file class.ilRbacAdmin.php.

    {
        global $DIC;

        $ilDB = $DIC['ilDB'];

        $ilAtomQuery = $ilDB->buildAtomQuery();
        $ilAtomQuery->addTableLock('rbac_ua');

        $ilAtomQuery->addQueryCallable(
            function (ilDBInterface $ilDB) use (&$ret, $a_role_id, $a_usr_id, $a_limit, $a_limited_roles) {
                $ret = true;
                // count and insert run under the rbac_ua table lock, so two
                // concurrent assignments cannot both pass the limit check
                $limit_query = 'SELECT COUNT(*) num FROM rbac_ua ' .
                    'WHERE ' . $ilDB->in('rol_id', (array) $a_limited_roles, false, 'integer');
                $res = $ilDB->query($limit_query);
                $row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT);
                if ($row->num >= $a_limit) {
                    $ret = false;
                    return;
                }

                $query = "INSERT INTO rbac_ua (usr_id, rol_id) " .
                    "VALUES (" .
                    $ilDB->quote($a_usr_id, 'integer') . "," . $ilDB->quote($a_role_id, 'integer') .
                    ")";
                $res = $ilDB->manipulate($query);
            }
        );

        $ilAtomQuery->run();

        if (!$ret) {
            return false;
        }

        $GLOBALS['DIC']['rbacreview']->setAssignedCacheEntry($a_role_id, $a_usr_id, true);

        $this->addDesktopItem($a_role_id, $a_usr_id);

        include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
        $mapping = ilLDAPRoleGroupMapping::_getInstance();
        $mapping->assign($a_role_id, $a_usr_id);
        return true;
    }

References $DIC, $GLOBALS, $ilDB, $query, $res, $ret, $row, ilLDAPRoleGroupMapping\_getInstance(), addDesktopItem(), and ilDBConstants\FETCHMODE_OBJECT.


◆ copyLocalRoles()

ilRbacAdmin::copyLocalRoles($a_source_id, $a_target_id)

Copy local roles. This method creates a copy of all local roles.

Note: auto generated roles are excluded

@access public

Parameters
    int source id of object (not role folder)
    int target id of object

Definition at line 1149 of file class.ilRbacAdmin.php.

    {
        global $DIC;

        $rbacreview = $DIC['rbacreview'];
        $ilLog = $DIC['ilLog'];
        $ilObjDataCache = $DIC['ilObjDataCache'];

        // auto generated roles (title prefix 'il_') are skipped
        $real_local = array();
        foreach ($rbacreview->getRolesOfRoleFolder($a_source_id, false) as $role_data) {
            $title = $ilObjDataCache->lookupTitle($role_data);
            if (substr($title, 0, 3) == 'il_') {
                continue;
            }
            $real_local[] = $role_data;
        }
        if (!count($real_local)) {
            return true;
        }
        // Create role folder
        foreach ($real_local as $role) {
            include_once("./Services/AccessControl/classes/class.ilObjRole.php");
            $orig = new ilObjRole($role);
            $orig->read();

            $ilLog->write(__METHOD__ . ': Start copying of role ' . $orig->getTitle());
            $roleObj = new ilObjRole();
            $roleObj->setTitle($orig->getTitle());
            $roleObj->setDescription($orig->getDescription());
            $roleObj->setImportId($orig->getImportId());
            $roleObj->create();

            $this->assignRoleToFolder($roleObj->getId(), $a_target_id, "y");
            $this->copyRolePermissions($role, $a_source_id, $a_target_id, $roleObj->getId(), true);
            $ilLog->write(__METHOD__ . ': Added new local role, id ' . $roleObj->getId());
        }
    }

References $DIC, $ilLog, $title, assignRoleToFolder(), and copyRolePermissions().


◆ copyRolePermissionIntersection()

ilRbacAdmin::copyRolePermissionIntersection($a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_parent, $a_dest_id)

Copies the intersection of the template permissions of two roles to a third role.

@access public

Parameters
    integer $a_source1_id role_id source
    integer $a_source1_parent parent_id source
    integer $a_source2_id role_id source
    integer $a_source2_parent parent_id source
    integer $a_dest_id role_id destination
    integer $a_dest_parent parent_id destination

Returns
    boolean

Definition at line 735 of file class.ilRbacAdmin.php.

    {
        global $DIC;

        $rbacreview = $DIC['rbacreview'];
        $ilDB = $DIC['ilDB'];

        if (!isset($a_source1_id) or !isset($a_source1_parent)
            or !isset($a_source2_id) or !isset($a_source2_parent)
            or !isset($a_dest_id) or !isset($a_dest_parent)) {
            $message = get_class($this) . "::copyRolePermissionIntersection(): Missing parameter! source1_id: " . $a_source1_id .
                " source1_parent: " . $a_source1_parent .
                " source2_id: " . $a_source2_id .
                " source2_parent: " . $a_source2_parent .
                " dest_id: " . $a_dest_id .
                " dest_parent_id: " . $a_dest_parent;
            $this->ilErr->raiseError($message, $this->ilErr->WARNING);
        }

        // exclude system role from rbac
        if ($a_dest_id == SYSTEM_ROLE_ID) {
            ilLoggerFactory::getLogger('ac')->debug('Ignoring system role.');
            return true;
        }

        // a protected source role leaves the destination untouched
        if ($rbacreview->isProtected($a_source2_parent, $a_source2_id)) {
            $GLOBALS['DIC']['ilLog']->write(__METHOD__ . ': Role is protected');
            return true;
        }

        // self-join: entries present in both source templates
        $query = "SELECT s1.type, s1.ops_id " .
            "FROM rbac_templates s1, rbac_templates s2 " .
            "WHERE s1.rol_id = " . $ilDB->quote($a_source1_id, 'integer') . " " .
            "AND s1.parent = " . $ilDB->quote($a_source1_parent, 'integer') . " " .
            "AND s2.rol_id = " . $ilDB->quote($a_source2_id, 'integer') . " " .
            "AND s2.parent = " . $ilDB->quote($a_source2_parent, 'integer') . " " .
            "AND s1.type = s2.type " .
            "AND s1.ops_id = s2.ops_id";

        $res = $ilDB->query($query);
        $operations = array();
        $rowNum = 0;
        while ($row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
            $operations[$rowNum]['type'] = $row->type;
            $operations[$rowNum]['ops_id'] = $row->ops_id;

            $rowNum++;
        }

        // Delete template permissions of target
        $query = 'DELETE FROM rbac_templates WHERE rol_id = ' . $ilDB->quote($a_dest_id, 'integer') . ' ' .
            'AND parent = ' . $ilDB->quote($a_dest_parent, 'integer');
        $res = $ilDB->manipulate($query);

        $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) ' .
            'VALUES (?,?,?,?)';
        $sta = $ilDB->prepareManip($query, array('integer', 'text', 'integer', 'integer'));
        foreach ($operations as $key => $set) {
            $ilDB->execute($sta, array(
                $a_dest_id,
                $set['type'],
                $set['ops_id'],
                $a_dest_parent));
        }
        return true;
    }

References $DIC, $GLOBALS, $ilDB, $key, $message, $query, $res, $row, ilDBConstants\FETCHMODE_OBJECT, and ilLoggerFactory\getLogger().

Referenced by initIntersectionPermissions().


◆ copyRolePermissions()

ilRbacAdmin::copyRolePermissions($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected = true)

Copies template permissions and permissions of one role to another.

@access public

Parameters
    integer $a_source_id role_id source
    integer $a_source_parent parent_id source
    integer $a_dest_parent parent_id destination
    integer $a_dest_id role_id destination

Returns
    boolean

Definition at line 638 of file class.ilRbacAdmin.php.

    {
        global $DIC;

        $tree = $DIC['tree'];
        $rbacreview = $DIC['rbacreview'];

        // Copy template permissions
        $this->copyRoleTemplatePermissions($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected);

        // then replace the destination's effective permissions on the parent object
        $ops = $rbacreview->getRoleOperationsOnObject($a_source_id, $a_source_parent);

        $this->revokePermission($a_dest_parent, $a_dest_id);
        $this->grantPermission($a_dest_id, $ops, $a_dest_parent);
        return true;
    }

References $DIC, $tree, copyRoleTemplatePermissions(), grantPermission(), and revokePermission().

Referenced by copyLocalRoles().


◆ copyRolePermissionSubtract()

ilRbacAdmin::copyRolePermissionSubtract($a_source_id, $a_source_parent, $a_dest_id, $a_dest_parent)

Subtract role permissions.

Parameters
    type $a_source_id
    type $a_source_parent
    type $a_dest_id
    type $a_dest_parent

Definition at line 878 of file class.ilRbacAdmin.php.

    {
        global $DIC;

        $rbacreview = $DIC['rbacreview'];
        $ilDB = $DIC['ilDB'];

        $s1_ops = $rbacreview->getAllOperationsOfRole($a_source_id, $a_source_parent);
        $d_ops = $rbacreview->getAllOperationsOfRole($a_dest_id, $a_dest_parent);

        // remove from the destination every template entry the source also has
        foreach ($s1_ops as $type => $ops) {
            foreach ($ops as $op) {
                if (isset($d_ops[$type]) and in_array($op, $d_ops[$type])) {
                    $query = 'DELETE FROM rbac_templates ' .
                        'WHERE rol_id = ' . $ilDB->quote($a_dest_id, 'integer') . ' ' .
                        'AND type = ' . $ilDB->quote($type, 'text') . ' ' .
                        'AND ops_id = ' . $ilDB->quote($op, 'integer') . ' ' .
                        'AND parent = ' . $ilDB->quote($a_dest_parent, 'integer');
                    $ilDB->manipulate($query);
                }
            }
        }
        return true;
    }

References $DIC, $ilDB, $query, and $type.

◆ copyRolePermissionUnion()

ilRbacAdmin::copyRolePermissionUnion($a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_id, $a_dest_parent)

@global <type> $ilDB

Parameters
    <type> $a_source1_id
    <type> $a_source1_parent
    <type> $a_source2_id
    <type> $a_source2_parent
    <type> $a_dest_id
    <type> $a_dest_parent

Returns
    <type>

Definition at line 815 of file class.ilRbacAdmin.php.

    {
        global $DIC;

        $ilDB = $DIC['ilDB'];
        $rbacreview = $DIC['rbacreview'];

        $s1_ops = $rbacreview->getAllOperationsOfRole($a_source1_id, $a_source1_parent);
        $s2_ops = $rbacreview->getAllOperationsOfRole($a_source2_id, $a_source2_parent);

        // the destination template is rebuilt from scratch
        $this->deleteRolePermission($a_dest_id, $a_dest_parent);

        $GLOBALS['DIC']['ilLog']->write(__METHOD__ . ': ' . print_r($s1_ops, true));
        $GLOBALS['DIC']['ilLog']->write(__METHOD__ . ': ' . print_r($s2_ops, true));

        foreach ($s1_ops as $type => $ops) {
            foreach ($ops as $op) {
                // insert all permission of source 1
                // #15469
                $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) ' .
                    'VALUES( ' .
                    $ilDB->quote($a_dest_id, 'integer') . ', ' .
                    $ilDB->quote($type, 'text') . ', ' .
                    $ilDB->quote($op, 'integer') . ', ' .
                    $ilDB->quote($a_dest_parent, 'integer') . ' ' .
                    ')';
                $ilDB->manipulate($query);
            }
        }

        // and the other direction: only entries source 2 has and source 1 lacks
        foreach ($s2_ops as $type => $ops) {
            foreach ($ops as $op) {
                if (!isset($s1_ops[$type]) or !in_array($op, $s1_ops[$type])) {
                    $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) ' .
                        'VALUES( ' .
                        $ilDB->quote($a_dest_id, 'integer') . ', ' .
                        $ilDB->quote($type, 'text') . ', ' .
                        $ilDB->quote($op, 'integer') . ', ' .
                        $ilDB->quote($a_dest_parent, 'integer') . ' ' .
                        ')';
                    $ilDB->manipulate($query);
                }
            }
        }

        return true;
    }

References $DIC, $GLOBALS, $ilDB, $query, $type, and deleteRolePermission().
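As an added example (not ILIAS code) serving copyRolePermissionIntersection(), copyRolePermissionSubtract() and this method, the Python below runs the three set operations against an in-memory SQLite copy of rbac_templates and rbac_fa, keeping each method's own argument order (intersection takes dest_parent before dest_id, union takes dest_id first) and the system-role and protected-role short-circuits. The value of SYSTEM_ROLE_ID and all role, folder and ops ids are assumed or constructed.

```python
# Added example, not ILIAS code: the three template set operations on the
# rbac_templates / rbac_fa tables, run against an in-memory SQLite copy.
import sqlite3
from typing import Set, Tuple

SYSTEM_ROLE_ID = 2  # assumed value of the ILIAS constant; copies never touch it

SCHEMA = """
CREATE TABLE rbac_templates (rol_id INTEGER, type TEXT, ops_id INTEGER, parent INTEGER);
CREATE TABLE rbac_fa (rol_id INTEGER, parent INTEGER, assign TEXT, protected TEXT);
"""

# the self-join copyRolePermissionIntersection() issues, with ? placeholders
INTERSECT_SQL = """
SELECT s1.type, s1.ops_id FROM rbac_templates s1, rbac_templates s2
WHERE s1.rol_id = ? AND s1.parent = ? AND s2.rol_id = ? AND s2.parent = ?
AND s1.type = s2.type AND s1.ops_id = s2.ops_id
"""


def template_ops(db: sqlite3.Connection, rol_id: int, parent: int) -> Set[Tuple[str, int]]:
    """All (type, ops_id) template entries of a role at a role folder."""
    return set(db.execute("SELECT type, ops_id FROM rbac_templates WHERE rol_id = ? AND parent = ?",
                          (rol_id, parent)).fetchall())


def is_protected(db: sqlite3.Connection, parent: int, rol_id: int) -> bool:
    row = db.execute("SELECT protected FROM rbac_fa WHERE rol_id = ? AND parent = ?",
                     (rol_id, parent)).fetchone()
    return row is not None and row[0] == 'y'


def replace_template(db: sqlite3.Connection, dest_id: int, dest_parent: int,
                     ops: Set[Tuple[str, int]]) -> None:
    """Delete the destination template, then insert the given entries."""
    db.execute("DELETE FROM rbac_templates WHERE rol_id = ? AND parent = ?", (dest_id, dest_parent))
    db.executemany("INSERT INTO rbac_templates (rol_id, type, ops_id, parent) VALUES (?, ?, ?, ?)",
                   [(dest_id, t, o, dest_parent) for t, o in sorted(ops)])


def copy_intersection(db, s1, s1_parent, s2, s2_parent, dest_parent, dest_id) -> bool:
    # argument order follows the page: (..., dest_parent, dest_id)
    if dest_id == SYSTEM_ROLE_ID:
        return True
    if is_protected(db, s2_parent, s2):
        return True  # protected source role: destination left untouched
    ops = set(db.execute(INTERSECT_SQL, (s1, s1_parent, s2, s2_parent)).fetchall())
    replace_template(db, dest_id, dest_parent, ops)
    return True


def copy_union(db, s1, s1_parent, s2, s2_parent, dest_id, dest_parent) -> bool:
    # argument order follows the page: (..., dest_id, dest_parent)
    ops = template_ops(db, s1, s1_parent) | template_ops(db, s2, s2_parent)
    replace_template(db, dest_id, dest_parent, ops)  # deleteRolePermission + inserts
    return True


def copy_subtract(db, s, s_parent, dest_id, dest_parent) -> bool:
    # remove from the destination every entry the source role also has
    common = template_ops(db, s, s_parent) & template_ops(db, dest_id, dest_parent)
    db.executemany("DELETE FROM rbac_templates WHERE rol_id = ? AND type = ? AND ops_id = ? AND parent = ?",
                   [(dest_id, t, o, dest_parent) for t, o in common])
    return True


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample: roles 11 and 12 at role folder 100, destination role 13."""
    db = sqlite3.connect(':memory:')
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO rbac_templates VALUES (?, ?, ?, ?)", [
        (11, 'crs', 1, 100), (11, 'crs', 2, 100), (11, 'file', 1, 100),
        (12, 'crs', 2, 100), (12, 'crs', 3, 100), (12, 'file', 1, 100), (12, 'file', 4, 100),
        (13, 'crs', 9, 100),  # stale destination entry that a copy must replace
    ])
    db.executemany("INSERT INTO rbac_fa VALUES (?, ?, ?, ?)",
                   [(11, 100, 'y', 'n'), (12, 100, 'y', 'n'), (13, 100, 'y', 'n')])
    return db


def demo() -> dict:
    db = build_sample_db()
    copy_intersection(db, 11, 100, 12, 100, 100, 13)
    inter = template_ops(db, 13, 100)
    copy_union(db, 11, 100, 12, 100, 13, 100)
    union = template_ops(db, 13, 100)
    copy_subtract(db, 11, 100, 13, 100)
    sub = template_ops(db, 13, 100)
    # a protected source2 makes the intersection a no-op for the destination
    db.execute("UPDATE rbac_fa SET protected = 'y' WHERE rol_id = 12 AND parent = 100")
    copy_intersection(db, 11, 100, 12, 100, 100, 13)
    return {'intersection': inter, 'union': union, 'subtract': sub,
            'protected_unchanged': template_ops(db, 13, 100) == sub}


if __name__ == '__main__':
    print(demo())
```

Note that only the intersection honours the protected flag: union and subtract rewrite the destination regardless, which matters when the destination role is meant to stay protected.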


◆ copyRoleTemplatePermissions()

ilRbacAdmin::copyRoleTemplatePermissions($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected = true)

Copies template permissions of one role to another.

It is also possible to copy template permissions from/to a RoleTemplateObject. @access public

Parameters
    integer $a_source_id role_id source
    integer $a_source_parent parent_id source
    integer $a_dest_parent parent_id destination
    integer $a_dest_id role_id destination

Returns
    boolean

Definition at line 665 of file class.ilRbacAdmin.php.

    {
        global $DIC;

        $rbacreview = $DIC['rbacreview'];
        $ilDB = $DIC['ilDB'];

        if (!isset($a_source_id) or !isset($a_source_parent) or !isset($a_dest_id) or !isset($a_dest_parent)) {
            $message = __METHOD__ . ": Missing parameter! source_id: " . $a_source_id .
                " source_parent_id: " . $a_source_parent .
                " dest_id : " . $a_dest_id .
                " dest_parent_id: " . $a_dest_parent;
            $this->ilErr->raiseError($message, $this->ilErr->WARNING);
        }

        // exclude system role from rbac
        if ($a_dest_id == SYSTEM_ROLE_ID) {
            return true;
        }

        // Read operations
        $query = 'SELECT * FROM rbac_templates ' .
            'WHERE rol_id = ' . $ilDB->quote($a_source_id, 'integer') . ' ' .
            'AND parent = ' . $ilDB->quote($a_source_parent, 'integer');
        $res = $ilDB->query($query);
        $operations = array();
        $rownum = 0;
        while ($row = $ilDB->fetchObject($res)) {
            $operations[$rownum]['type'] = $row->type;
            $operations[$rownum]['ops_id'] = $row->ops_id;
            $rownum++;
        }

        // Delete target permissions
        $query = 'DELETE FROM rbac_templates WHERE rol_id = ' . $ilDB->quote($a_dest_id, 'integer') . ' ' .
            'AND parent = ' . $ilDB->quote($a_dest_parent, 'integer');
        $res = $ilDB->manipulate($query);

        foreach ($operations as $row => $op) {
            $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) ' .
                'VALUES (' .
                $ilDB->quote($a_dest_id, 'integer') . "," .
                $ilDB->quote($op['type'], 'text') . "," .
                $ilDB->quote($op['ops_id'], 'integer') . "," .
                $ilDB->quote($a_dest_parent, 'integer') . ")";
            $ilDB->manipulate($query);
        }

        // copy also protection status if applicable
        if ($a_consider_protected == true) {
            if ($rbacreview->isProtected($a_source_parent, $a_source_id)) {
                $this->setProtected($a_dest_parent, $a_dest_id, 'y');
            }
        }

        return true;
    }

References $DIC, $ilDB, $message, $query, $res, $row, and setProtected().

Referenced by copyRolePermissions().
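A dry run for the copy above, added here as an example and not part of ILIAS: it reads both (role, parent) pairs from rbac_templates the same way the method does and reports which destination entries the unconditional DELETE would drop and whether the protected flag would be propagated. It assumes an initialised $DIC with the 'ilDB' and 'rbacreview' services; the ids in the usage comment are constructed.

```php
<?php
// Added example, not ILIAS project code: preview what copyRoleTemplatePermissions()
// would change. The method deletes every rbac_templates row of the destination
// (role, parent) pair before inserting the source rows, so destination-only
// entries disappear without notice. Assumes an initialised $DIC with 'ilDB' and
// 'rbacreview', as in the method itself.

/**
 * Template permissions of one role below one parent, keyed "type:ops_id".
 * Same SELECT as the method, restricted to the two columns it copies.
 */
function readTemplateOps(int $rol_id, int $parent): array
{
    global $DIC;
    $ilDB = $DIC['ilDB'];

    $res = $ilDB->query(
        'SELECT type, ops_id FROM rbac_templates ' .
        'WHERE rol_id = ' . $ilDB->quote($rol_id, 'integer') . ' ' .
        'AND parent = ' . $ilDB->quote($parent, 'integer')
    );
    $ops = [];
    while ($row = $ilDB->fetchObject($res)) {
        $ops[$row->type . ':' . $row->ops_id] = true;
    }
    return $ops;
}

/**
 * Dry run of copyRoleTemplatePermissions($src, $src_parent, $dest_parent, $dest).
 * Nothing is written; the result lists the entries the copy would remove from
 * and add to the destination, and what happens to the protected flag.
 */
function previewTemplateCopy(
    int $src,
    int $src_parent,
    int $dest_parent,
    int $dest,
    bool $consider_protected = true
): array {
    global $DIC;
    $rbacreview = $DIC['rbacreview'];

    // the method returns early for the system role and changes nothing
    if ($dest == SYSTEM_ROLE_ID) {
        return ['removed' => [], 'added' => [], 'protected' => 'unchanged'];
    }

    $source = readTemplateOps($src, $src_parent);
    $target = readTemplateOps($dest, $dest_parent);

    // setProtected() is only ever called with 'y' and ignores its ref_id, so the
    // flag lands on every rbac_fa row of the destination role and is never cleared
    $protected = ($consider_protected && $rbacreview->isProtected($src_parent, $src))
        ? 'set to y on all rbac_fa rows of role ' . $dest
        : 'unchanged';

    return [
        'removed'   => array_keys(array_diff_key($target, $source)),
        'added'     => array_keys(array_diff_key($source, $target)),
        'protected' => $protected,
    ];
}

// usage with constructed ids: source role 42 below ref 8, destination role 43 below ref 8
// $preview = previewTemplateCopy(42, 8, 8, 43);
```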


◆ deassignOperationFromObject()

ilRbacAdmin::deassignOperationFromObject (   $a_type_id,
  $a_ops_id 
)

Deassigns an existing operation from an object type; updates table rbac_ta.

@access public

Parameters
    integer  object type
    integer  operation_id
Returns
    boolean

Definition at line 1095 of file class.ilRbacAdmin.php.

1096 {
1097 global $DIC;
1098
1099 $ilDB = $DIC['ilDB'];
1100
1101 if (!isset($a_type_id) or !isset($a_ops_id)) {
1102 $message = get_class($this) . "::deassignPermissionFromObject(): Missing parameter!" .
1103 "type_id: " . $a_type_id .
1104 "ops_id: " . $a_ops_id;
1105 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
1106 }
1107
1108 $query = "DELETE FROM rbac_ta " .
1109 "WHERE typ_id = " . $ilDB->quote($a_type_id, 'integer') . " " .
1110 "AND ops_id = " . $ilDB->quote($a_ops_id, 'integer');
1111 $res = $ilDB->manipulate($query);
1112
1113 return true;
1114 }

References $DIC, $ilDB, $message, $query, and $res.

◆ deassignUser()

ilRbacAdmin::deassignUser (   $a_rol_id,
  $a_usr_id 
)

Deassigns a user from a role.

Update of table rbac_ua.

Parameters
    int  $a_rol_id  Object-ID of role
    int  $a_usr_id  Object-ID of user
Returns
    boolean  true on success

Definition at line 341 of file class.ilRbacAdmin.php.

342 {
343 global $DIC;
344
345 $ilDB = $DIC['ilDB'];
346 $rbacreview = $DIC->rbac()->review();
347
348 if (!isset($a_rol_id) or !isset($a_usr_id)) {
349 $message = get_class($this) . "::deassignUser(): Missing parameter! role_id: " . $a_rol_id . " usr_id: " . $a_usr_id;
350 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
351 }
352
353 $query = "DELETE FROM rbac_ua " .
354 "WHERE usr_id = " . $ilDB->quote($a_usr_id, 'integer') . " " .
355 "AND rol_id = " . $ilDB->quote($a_rol_id, 'integer') . " ";
356 $res = $ilDB->manipulate($query);
357
358 $rbacreview->setAssignedCacheEntry($a_rol_id, $a_usr_id, false);
359
360 include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
361 $mapping = ilLDAPRoleGroupMapping::_getInstance();
362 $mapping->deassign($a_rol_id, $a_usr_id);
363
364 if ($res) {
365 $ref_id = $GLOBALS['DIC']['rbacreview']->getObjectReferenceOfRole($a_rol_id);
366 $obj_id = ilObject::_lookupObjId($ref_id);
367 $type = ilObject::_lookupType($obj_id);
368
369 ilLoggerFactory::getInstance()->getLogger('ac')->debug('Raise event deassign user');
370 $GLOBALS['DIC']['ilAppEventHandler']->raise('Services/AccessControl', 'deassignUser', array(
371 'obj_id' => $obj_id,
372 'usr_id' => $a_usr_id,
373 'role_id' => $a_rol_id,
374 'type' => $type,
375 ));
376 }
377
378 return true;
379 }

References $DIC, $GLOBALS, $ilDB, $message, $query, $res, $type, ilLDAPRoleGroupMapping\_getInstance(), ilObject\_lookupObjId(), ilObject\_lookupType(), and ilLoggerFactory\getInstance().

Referenced by removeUser().


◆ deleteLocalRole()

ilRbacAdmin::deleteLocalRole (   $a_rol_id,
  $a_ref_id = 0 
)

Deletes a local role and its entries in rbac_fa and rbac_templates.

@access public

Parameters
    integer  object_id of role
    integer  ref_id of role folder (optional)
Returns
    boolean  true on success

Definition at line 174 of file class.ilRbacAdmin.php.

175 {
176 global $DIC;
177
178 $ilDB = $DIC['ilDB'];
179
180 if (!isset($a_rol_id)) {
181 $message = get_class($this) . "::deleteLocalRole(): Missing parameter! role_id: '" . $a_rol_id . "'";
182 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
183 }
184
185 // exclude system role from rbac
186 if ($a_rol_id == SYSTEM_ROLE_ID) {
187 return true;
188 }
189
190 if ($a_ref_id != 0) {
191 $clause = 'AND parent = ' . $ilDB->quote($a_ref_id, 'integer') . ' ';
192 }
193
194 $query = 'DELETE FROM rbac_fa ' .
195 'WHERE rol_id = ' . $ilDB->quote($a_rol_id, 'integer') . ' ' .
196 $clause;
197 $res = $ilDB->manipulate($query);
198
199 $query = 'DELETE FROM rbac_templates ' .
200 'WHERE rol_id = ' . $ilDB->quote($a_rol_id, 'integer') . ' ' .
201 $clause;
202 $res = $ilDB->manipulate($query);
203 return true;
204 }

References $DIC, $ilDB, $message, $query, and $res.

Referenced by adjustMovedObjectPermissions(), and deleteRole().


◆ deleteRole()

ilRbacAdmin::deleteRole (   $a_rol_id,
  $a_ref_id 
)

Deletes a role and its entries in object_data, rbac_pa, rbac_templates, rbac_ua and rbac_fa.

@access public

Parameters
    integer  obj_id of role (role_id)
    integer  ref_id of role folder (ref_id)
Returns
    boolean  true on success

Definition at line 98 of file class.ilRbacAdmin.php.

99 {
100 global $DIC;
101
102 $lng = $DIC['lng'];
103 $ilDB = $DIC['ilDB'];
104
105 if (!isset($a_rol_id) or !isset($a_ref_id)) {
106 $message = get_class($this) . "::deleteRole(): Missing parameter! role_id: " . $a_rol_id . " ref_id of role folder: " . $a_ref_id;
107 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
108 }
109
110 // exclude system role from rbac
111 if ($a_rol_id == SYSTEM_ROLE_ID) {
112 $this->ilErr->raiseError($lng->txt("msg_sysrole_not_deletable"), $this->ilErr->MESSAGE);
113 }
114
115 include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
116 $mapping = ilLDAPRoleGroupMapping::_getInstance();
117 $mapping->deleteRole($a_rol_id);
118
119
120 // TODO: check assigned users before deletion
121 // This is done in ilObjRole. Should be better moved to this place?
122
123 // delete user assignements
124 $query = "DELETE FROM rbac_ua " .
125 "WHERE rol_id = " . $ilDB->quote($a_rol_id, 'integer');
126 $res = $ilDB->manipulate($query);
127
128 // delete permission assignments
129 $query = "DELETE FROM rbac_pa " .
130 "WHERE rol_id = " . $ilDB->quote($a_rol_id, 'integer') . " ";
131 $res = $ilDB->manipulate($query);
132
133 //delete rbac_templates and rbac_fa
134 $this->deleteLocalRole($a_rol_id);
135
136 return true;
137 }

References $DIC, $ilDB, $lng, $message, $query, $res, ilLDAPRoleGroupMapping\_getInstance(), and deleteLocalRole().


◆ deleteRolePermission()

ilRbacAdmin::deleteRolePermission (   $a_rol_id,
  $a_ref_id,
  $a_type = false 
)

Deletes all entries of a template.

If an object type is given as the third parameter, only the entries for that object type are deleted. Update of table rbac_templates.

@access public

Parameters
    integer  object id of role
    integer  ref_id of role folder
    string   object type (optional)
Returns
    boolean

Definition at line 914 of file class.ilRbacAdmin.php.

915 {
916 global $DIC;
917
918 $ilDB = $DIC['ilDB'];
919
920 if (!isset($a_rol_id) or !isset($a_ref_id)) {
921 $message = get_class($this) . "::deleteRolePermission(): Missing parameter! role_id: " . $a_rol_id . " ref_id: " . $a_ref_id;
922 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
923 }
924
925 // exclude system role from rbac
926 if ($a_rol_id == SYSTEM_ROLE_ID) {
927 return true;
928 }
929
930 if ($a_type !== false) {
931 $and_type = " AND type=" . $ilDB->quote($a_type, 'text') . " ";
932 }
933
934 $query = 'DELETE FROM rbac_templates ' .
935 'WHERE rol_id = ' . $ilDB->quote($a_rol_id, 'integer') . ' ' .
936 'AND parent = ' . $ilDB->quote($a_ref_id, 'integer') . ' ' .
937 $and_type;
938
939 $res = $ilDB->manipulate($query);
940
941 return true;
942 }

References $a_type, $DIC, $ilDB, $message, $query, and $res.

Referenced by copyRolePermissionUnion().


◆ deleteSubtreeTemplates()

ilRbacAdmin::deleteSubtreeTemplates (   $a_ref_id,
  $a_rol_id 
)

Delete all template permissions of subtree nodes.

Parameters
    object  $a_ref_id
    object  $a_rol_id
Returns
Definition at line 569 of file class.ilRbacAdmin.php.

570 {
571 global $DIC;
572
573 $ilDB = $DIC['ilDB'];
574
575 $query = 'DELETE FROM rbac_templates ' .
576 'WHERE parent IN ( ' .
577 $GLOBALS['DIC']['tree']->getSubTreeQuery($a_ref_id, array('child')) . ' ) ' .
578 'AND rol_id = ' . $ilDB->quote($a_rol_id, 'integer');
579
580 $ilDB->manipulate($query);
581
582 $query = 'DELETE FROM rbac_fa ' .
583 'WHERE parent IN ( ' .
584 $GLOBALS['DIC']['tree']->getSubTreeQuery($a_ref_id, array('child')) . ' ) ' .
585 'AND rol_id = ' . $ilDB->quote($a_rol_id, 'integer');
586
587 $ilDB->manipulate($query);
588
589 return true;
590 }

References $DIC, $GLOBALS, $ilDB, and $query.

◆ deleteTemplate()

ilRbacAdmin::deleteTemplate (   $a_obj_id)

Deletes a template from a role folder and deletes all of its entries in rbac_templates and rbac_fa.

@access public

Parameters
    integer  object_id of role template
Returns
    boolean

Definition at line 145 of file class.ilRbacAdmin.php.

146 {
147 global $DIC;
148
149 $ilDB = $DIC['ilDB'];
150
151 if (!isset($a_obj_id)) {
152 $message = get_class($this) . "::deleteTemplate(): No obj_id given!";
153 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
154 }
155
156 $query = 'DELETE FROM rbac_templates ' .
157 'WHERE rol_id = ' . $ilDB->quote($a_obj_id, 'integer');
158 $res = $ilDB->manipulate($query);
159
160 $query = 'DELETE FROM rbac_fa ' .
161 'WHERE rol_id = ' . $ilDB->quote($a_obj_id, 'integer');
162 $res = $ilDB->manipulate($query);
163
164 return true;
165 }

References $DIC, $ilDB, $message, $query, and $res.

◆ grantPermission()

ilRbacAdmin::grantPermission (   $a_rol_id,
  $a_ops,
  $a_ref_id 
)

Grants a permission to an object and a specific role.

Update of table rbac_pa.

@access public

Parameters
    integer  object id of role
    array    array of operation ids
    integer  reference id of the object which is granted the permissions
Returns
    boolean

Definition at line 389 of file class.ilRbacAdmin.php.

390 {
391 global $DIC;
392
393 $ilDB = $DIC['ilDB'];
394
395 if (!isset($a_rol_id) or !isset($a_ops) or !isset($a_ref_id)) {
396 $this->ilErr->raiseError(get_class($this) . "::grantPermission(): Missing parameter! " .
397 "role_id: " . $a_rol_id . " ref_id: " . $a_ref_id . " operations: ", $this->ilErr->WARNING);
398 }
399
400 if (!is_array($a_ops)) {
401 $this->ilErr->raiseError(
402 get_class($this) . "::grantPermission(): Wrong datatype for operations!",
403 $this->ilErr->WARNING
404 );
405 }
406
407 /*
408 if (count($a_ops) == 0)
409 {
410 return false;
411 }
412 */
413 // exclude system role from rbac
414 if ($a_rol_id == SYSTEM_ROLE_ID) {
415 return true;
416 }
417
418 // convert all values to integer
419 foreach ($a_ops as $key => $operation) {
420 $a_ops[$key] = (int) $operation;
421 }
422
423 // Serialization des ops_id Arrays
424 $ops_ids = serialize($a_ops);
425
426 $query = 'DELETE FROM rbac_pa ' .
427 'WHERE rol_id = %s ' .
428 'AND ref_id = %s';
429 $res = $ilDB->queryF(
430 $query,
431 array('integer','integer'),
432 array($a_rol_id,$a_ref_id)
433 );
434
435 if (!count($a_ops)) {
436 return false;
437 }
438
439 $query = "INSERT INTO rbac_pa (rol_id,ops_id,ref_id) " .
440 "VALUES " .
441 "(" . $ilDB->quote($a_rol_id, 'integer') . "," . $ilDB->quote($ops_ids, 'text') . "," . $ilDB->quote($a_ref_id, 'integer') . ")";
442 $res = $ilDB->manipulate($query);
443
444 return true;
445 }

References $DIC, $ilDB, $key, $query, and $res.

Referenced by adjustMovedObjectPermissions(), copyRolePermissions(), and initIntersectionPermissions().
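grantPermission() stores the operation ids as one serialized PHP array in the text column rbac_pa.ops_id, one row per (rol_id, ref_id), and an empty array deletes the row and returns false. The helper below, added here as an example and not ILIAS code, reads those rows back for one object and decodes the column without allowing object instantiation, rejecting anything that is not a list of integers; it assumes an initialised $DIC with the 'ilDB' service.

```php
<?php
// Added example, not ILIAS project code: read back what grantPermission() wrote.
// rbac_pa.ops_id holds serialize($a_ops) of an integer array, so it must be
// decoded with unserialize(). Passing allowed_classes => false makes sure a
// tampered column value can never instantiate a class. Assumes an initialised
// $DIC with 'ilDB'.

/**
 * Decode one rbac_pa.ops_id value into a list of integer operation ids.
 * Returns null when the value is not the shape grantPermission() writes.
 */
function decodeOpsIds(string $serialized): ?array
{
    // malformed input yields false (and a notice, suppressed here)
    $ops = @unserialize($serialized, ['allowed_classes' => false]);
    if (!is_array($ops)) {
        return null;
    }
    foreach ($ops as $op) {
        // grantPermission() casts every operation to int before serializing
        if (!is_int($op)) {
            return null;
        }
    }
    return array_values($ops);
}

/**
 * Map role id => operation ids granted directly on the object $ref_id
 * (rbac_pa only, template permissions in rbac_templates are not considered).
 * Roles whose ops_id cannot be decoded are listed under 'invalid'.
 */
function listDirectPermissions(int $ref_id): array
{
    global $DIC;
    $ilDB = $DIC['ilDB'];

    $res = $ilDB->query(
        'SELECT rol_id, ops_id FROM rbac_pa ' .
        'WHERE ref_id = ' . $ilDB->quote($ref_id, 'integer')
    );
    $granted = ['roles' => [], 'invalid' => []];
    while ($row = $ilDB->fetchAssoc($res)) {
        $ops = decodeOpsIds((string) $row['ops_id']);
        if ($ops === null) {
            $granted['invalid'][] = (int) $row['rol_id'];
            continue;
        }
        $granted['roles'][(int) $row['rol_id']] = $ops;
    }
    return $granted;
}

// Round trip on constructed values, the same shape grantPermission() produces:
//   decodeOpsIds(serialize([2, 3, 4]))     returns [2, 3, 4]
//   decodeOpsIds('O:8:"stdClass":0:{}')   returns null (no object is created)
```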


◆ initIntersectionPermissions()

ilRbacAdmin::initIntersectionPermissions (   $a_ref_id,
  $a_role_id,
  $a_role_parent,
  $a_template_id,
  $a_template_parent 
)

Init intersection permissions.

@global type $rbacreview

Parameters
    type  $a_ref_id
    type  $a_role_id
    type  $a_role_parent
    type  $a_template_id
    type  $a_template_parent
Returns
    type

Definition at line 1197 of file class.ilRbacAdmin.php.

1198 {
1199 global $DIC;
1200
1201 $rbacreview = $DIC['rbacreview'];
1202
1203 if ($rbacreview->isProtected($a_role_parent, $a_role_id)) {
1204 // Assign object permissions
1205 $new_ops = $rbacreview->getOperationsOfRole(
1206 $a_role_id,
1207 ilObject::_lookupType($a_ref_id, true),
1208 $a_role_parent
1209 );
1210
1211 // set new permissions for object
1212 $this->grantPermission(
1213 $a_role_id,
1214 (array) $new_ops,
1215 $a_ref_id
1216 );
1217 return;
1218 }
1219 if (!$a_template_id) {
1220 ilLoggerFactory::getLogger('ac')->info('No template id given. Aborting.');
1221 return;
1222 }
1223 // create template permission intersection
1224 $this->copyRolePermissionIntersection(
1225 $a_template_id,
1226 $a_template_parent,
1227 $a_role_id,
1228 $a_role_parent,
1229 $a_ref_id,
1230 $a_role_id
1231 );
1232
1233 // assign role to folder
1234 $this->assignRoleToFolder(
1235 $a_role_id,
1236 $a_ref_id,
1237 'n'
1238 );
1239
1240 // Assign object permissions
1241 $new_ops = $rbacreview->getOperationsOfRole(
1242 $a_role_id,
1243 ilObject::_lookupType($a_ref_id, true),
1244 $a_ref_id
1245 );
1246
1247 // revoke existing permissions
1248 $this->revokePermission($a_ref_id, $a_role_id);
1249
1250 // set new permissions for object
1251 $this->grantPermission(
1252 $a_role_id,
1253 (array) $new_ops,
1254 $a_ref_id
1255 );
1256
1257 return;
1258 }

References $DIC, ilObject\_lookupType(), assignRoleToFolder(), copyRolePermissionIntersection(), ilLoggerFactory\getLogger(), grantPermission(), and revokePermission().

Referenced by adjustMovedObjectPermissions().


◆ removeUser()

ilRbacAdmin::removeUser (   $a_usr_id)

Deletes a user from rbac_ua; all user <-> role relations are deleted.

@access public

Parameters
    int  user_id
Returns
    boolean  true on success

Definition at line 69 of file class.ilRbacAdmin.php.

70 {
71 global $DIC;
72
73 $ilDB = $DIC->database();
74 $review = $DIC->rbac()->review();
75
76 if (!isset($a_usr_id)) {
77 $message = get_class($this) . "::removeUser(): No usr_id given!";
78 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
79 }
80
81 foreach ($review->assignedRoles($a_usr_id) as $role_id) {
82 $this->deassignUser($role_id, $a_usr_id);
83 }
84
85 $query = "DELETE FROM rbac_ua WHERE usr_id = " . $ilDB->quote($a_usr_id, 'integer');
86 $res = $ilDB->manipulate($query);
87
88 return true;
89 }

References $DIC, $ilDB, $message, $query, $res, and deassignUser().


◆ revokePermission()

ilRbacAdmin::revokePermission (   $a_ref_id,
  $a_rol_id = 0,
  $a_keep_protected = true 
)

Revokes permissions of an object of one role.

Update of table rbac_pa. Revokes all permissions of all roles for that object (with this reference). When a role_id is given, this applies only to that role.

@access public

Parameters
    integer  reference id of the object where permissions should be revoked
    integer  role_id (optional: if you want to revoke permissions of the object only for a specific role)
Returns
    boolean

Definition at line 456 of file class.ilRbacAdmin.php.

457 {
458 global $DIC;
459
460 $rbacreview = $DIC['rbacreview'];
461 $log = $DIC['log'];
462 $ilDB = $DIC['ilDB'];
463 $ilLog = $DIC['ilLog'];
464
465 if (!isset($a_ref_id)) {
466 $ilLog->logStack();
467 $message = get_class($this) . "::revokePermission(): Missing parameter! ref_id: " . $a_ref_id;
468 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
469 }
470 #$log->write("ilRBACadmin::revokePermission(), 0");
471
472 // bypass protected status of roles
473 if ($a_keep_protected != true) {
474 // exclude system role from rbac
475 if ($a_rol_id == SYSTEM_ROLE_ID) {
476 return true;
477 }
478
479 if ($a_rol_id) {
480 $and1 = " AND rol_id = " . $ilDB->quote($a_rol_id, 'integer') . " ";
481 } else {
482 $and1 = "";
483 }
484
485 $query = "DELETE FROM rbac_pa " .
486 "WHERE ref_id = " . $ilDB->quote($a_ref_id, 'integer') .
487 $and1;
488
489 $res = $ilDB->manipulate($query);
490
491 return true;
492 }
493
494 // consider protected status of roles
495
496 // in any case, get all roles in scope first
497 $roles_in_scope = $rbacreview->getParentRoleIds($a_ref_id);
498
499 if (!$a_rol_id) {
500 #$log->write("ilRBACadmin::revokePermission(), 1");
501
502 $role_ids = array();
503
504 foreach ($roles_in_scope as $role) {
505 if ($role['protected'] == true) {
506 continue;
507 }
508
509 $role_ids[] = $role['obj_id'];
510 }
511
512 // return if no role in array
513 if (!$role_ids) {
514 return true;
515 }
516
517 $query = 'DELETE FROM rbac_pa ' .
518 'WHERE ' . $ilDB->in('rol_id', $role_ids, false, 'integer') . ' ' .
519 'AND ref_id = ' . $ilDB->quote($a_ref_id, 'integer');
520 $res = $ilDB->manipulate($query);
521 } else {
522 #$log->write("ilRBACadmin::revokePermission(), 2");
523 // exclude system role from rbac
524 if ($a_rol_id == SYSTEM_ROLE_ID) {
525 return true;
526 }
527
528 // exclude protected permission settings from revoking
529 if ($roles_in_scope[$a_rol_id]['protected'] == true) {
530 return true;
531 }
532
533 $query = "DELETE FROM rbac_pa " .
534 "WHERE ref_id = " . $ilDB->quote($a_ref_id, 'integer') . " " .
535 "AND rol_id = " . $ilDB->quote($a_rol_id, 'integer') . " ";
536 $res = $ilDB->manipulate($query);
537 }
538
539 return true;
540 }

References $DIC, $ilDB, $ilLog, $log, $message, $query, and $res.

Referenced by adjustMovedObjectPermissions(), copyRolePermissions(), and initIntersectionPermissions().
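With the default $a_keep_protected = true, revokePermission() silently skips every role in scope whose rbac_fa entry is flagged protected, and always skips the system role, so a revoke can leave rbac_pa rows in place without any error. The preview below, added here as an example and not ILIAS code, classifies the roles using the same ilRbacReview::getParentRoleIds() lookup the method uses; it assumes an initialised $DIC with the 'rbacreview' and 'ilDB' services.

```php
<?php
// Added example, not ILIAS project code: dry run of revokePermission() that tells
// which roles would lose their rbac_pa row on $ref_id and which would keep it,
// following the three branches of the method. Assumes an initialised $DIC with
// 'rbacreview' and 'ilDB'.

/**
 * Split the roles affected by revokePermission($ref_id, $rol_id, $keep_protected)
 * into 'revoked' (list of role ids) and 'kept' (role id => reason).
 */
function previewRevoke(int $ref_id, int $rol_id = 0, bool $keep_protected = true): array
{
    global $DIC;
    $rbacreview = $DIC['rbacreview'];
    $ilDB = $DIC['ilDB'];

    $out = ['revoked' => [], 'kept' => []];

    // bypass branch: protection is ignored, only the system role is spared
    if (!$keep_protected) {
        if ($rol_id == SYSTEM_ROLE_ID) {
            $out['kept'][$rol_id] = 'system role';
            return $out;
        }
        if ($rol_id !== 0) {
            $out['revoked'][] = $rol_id;
            return $out;
        }
        // without a role id the DELETE carries no rol_id restriction at all:
        // every role that has a rbac_pa row on this object, in scope or not
        $res = $ilDB->query(
            'SELECT rol_id FROM rbac_pa WHERE ref_id = ' . $ilDB->quote($ref_id, 'integer')
        );
        while ($row = $ilDB->fetchAssoc($res)) {
            $out['revoked'][] = (int) $row['rol_id'];
        }
        return $out;
    }

    // keyed by role obj_id; each entry carries at least 'obj_id' and 'protected'
    $roles_in_scope = $rbacreview->getParentRoleIds($ref_id);

    // single-role branch: the protected flag is only honoured for roles in scope,
    // a role outside the scope is revoked because its lookup yields no flag
    if ($rol_id !== 0) {
        if ($rol_id == SYSTEM_ROLE_ID) {
            $out['kept'][$rol_id] = 'system role';
        } elseif (!empty($roles_in_scope[$rol_id]['protected'])) {
            $out['kept'][$rol_id] = 'protected';
        } else {
            $out['revoked'][] = $rol_id;
        }
        return $out;
    }

    // all-roles branch: every role in scope except the protected ones
    foreach ($roles_in_scope as $role) {
        $id = (int) $role['obj_id'];
        if (!empty($role['protected'])) {
            $out['kept'][$id] = 'protected';
            continue;
        }
        $out['revoked'][] = $id;
    }
    return $out;
}

// usage with a constructed reference id:
// $preview = previewRevoke(123);          // what revokePermission(123) would do
// $preview = previewRevoke(123, 42, false); // bypass protection for role 42 only
```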


◆ revokePermissionList()

ilRbacAdmin::revokePermissionList (   $a_ref_ids,
  $a_rol_id 
)

Revokes permissions of a LIST of objects of ONE role.

Update of table rbac_pa.

@access public

Parameters
    array    list of reference_ids to revoke permissions for
    integer  role_id
Returns
    boolean

Definition at line 599 of file class.ilRbacAdmin.php.

600 {
601 global $DIC;
602
603 $ilDB = $DIC['ilDB'];
604
605 if (!isset($a_ref_ids) or !is_array($a_ref_ids)) {
606 $message = get_class($this) . "::revokePermissionList(): Missing parameter or parameter is not an array! reference_list: " . var_dump($a_ref_ids);
607 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
608 }
609
610 if (!isset($a_rol_id)) {
611 $message = get_class($this) . "::revokePermissionList(): Missing parameter! rol_id: " . $a_rol_id;
612 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
613 }
614
615 // exclude system role from rbac
616 if ($a_rol_id == SYSTEM_ROLE_ID) {
617 return true;
618 }
619
620 $query = "DELETE FROM rbac_pa " .
621 "WHERE " . $ilDB->in('ref_id', $a_ref_ids, false, 'integer') . ' ' .
622 "AND rol_id = " . $ilDB->quote($a_rol_id, 'integer');
623 $res = $ilDB->manipulate($query);
624
625 return true;
626 }

References $DIC, $ilDB, $message, $query, and $res.

◆ revokeSubtreePermissions()

ilRbacAdmin::revokeSubtreePermissions (   $a_ref_id,
  $a_role_id 
)

Revoke subtree permissions.

Parameters
    object  $a_ref_id
    object  $a_role_id
Returns
Definition at line 548 of file class.ilRbacAdmin.php.

549 {
550 global $DIC;
551
552 $ilDB = $DIC['ilDB'];
553
554 $query = 'DELETE FROM rbac_pa ' .
555 'WHERE ref_id IN ' .
556 '( ' . $GLOBALS['DIC']['tree']->getSubTreeQuery($a_ref_id, array('child')) . ' ) ' .
557 'AND rol_id = ' . $ilDB->quote($a_role_id, 'integer');
558
559 $ilDB->manipulate($query);
560 return true;
561 }

References $DIC, $GLOBALS, $ilDB, and $query.

◆ setBlockedStatus()

ilRbacAdmin::setBlockedStatus (   $a_role_id,
  $a_ref_id,
  $a_blocked_status 
)

Set blocked status.

Parameters
    type  $a_role_id
    type  $a_ref_id
    type  $a_blocked_status

Definition at line 49 of file class.ilRbacAdmin.php.

50 {
51 global $DIC;
52
53 $ilDB = $DIC['ilDB'];
54
55 ilLoggerFactory::getLogger('crs')->logStack();
56 $query = 'UPDATE rbac_fa set blocked = ' . $ilDB->quote($a_blocked_status, 'integer') . ' ' .
57 'WHERE rol_id = ' . $ilDB->quote($a_role_id, 'integer') . ' ' .
58 'AND parent = ' . $ilDB->quote($a_ref_id, 'integer');
59 $ilDB->manipulate($query);
60 }

References $DIC, $ilDB, $query, and ilLoggerFactory\getLogger().


◆ setProtected()

ilRbacAdmin::setProtected (   $a_ref_id,
  $a_role_id,
  $a_value 
)

Set protected.

@global $ilDB

Parameters
    type  $a_ref_id
    type  $a_role_id
    type  $a_value    y or n
Returns
    boolean

Definition at line 1124 of file class.ilRbacAdmin.php.

1125 {
1126 global $DIC;
1127
1128 $ilDB = $DIC['ilDB'];
1129
1130 // ref_id not used yet. protected permission acts 'global' for each role,
1131 // regardless of any broken inheritance before
1132 $query = 'UPDATE rbac_fa ' .
1133 'SET protected = ' . $ilDB->quote($a_value, 'text') . ' ' .
1134 'WHERE rol_id = ' . $ilDB->quote($a_role_id, 'integer');
1135 $res = $ilDB->manipulate($query);
1136 return true;
1137 }

References $DIC, $ilDB, $query, and $res.

Referenced by copyRoleTemplatePermissions().


◆ setRolePermission()

ilRbacAdmin::setRolePermission (   $a_rol_id,
  $a_type,
  $a_ops,
  $a_ref_id 
)

Inserts template permissions in rbac_templates for a specific object type.

Update of table rbac_templates.

@access public

Parameters
    integer  role_id
    string   object type
    array    operation_ids
    integer  ref_id of role folder object
Returns
    boolean

Definition at line 954 of file class.ilRbacAdmin.php.

955 {
956 global $DIC;
957
958 $ilDB = $DIC['ilDB'];
959
960 if (!isset($a_rol_id) or !isset($a_type) or !isset($a_ops) or !isset($a_ref_id)) {
961 $message = get_class($this) . "::setRolePermission(): Missing parameter!" .
962 " role_id: " . $a_rol_id .
963 " type: " . $a_type .
964 " operations: " . $a_ops .
965 " ref_id: " . $a_ref_id;
966 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
967 }
968
969 if (!is_string($a_type) or empty($a_type)) {
970 $message = get_class($this) . "::setRolePermission(): a_type is no string or empty!";
971 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
972 }
973
974 if (!is_array($a_ops) or empty($a_ops)) {
975 $message = get_class($this) . "::setRolePermission(): a_ops is no array or empty!";
976 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
977 }
978
979 // exclude system role from rbac
980 if ($a_rol_id == SYSTEM_ROLE_ID) {
981 return true;
982 }
983
984 foreach ($a_ops as $op) {
985 $ilDB->replace(
986 'rbac_templates',
987 [
988 'rol_id' => ['integer', $a_rol_id],
989 'type' => ['text', $a_type],
990 'ops_id' => ['integer', $op],
991 'parent' => ['integer', $a_ref_id]
992 ],
993 []
994 );
995 }
996 return true;
997 }

References $a_type, $DIC, $ilDB, and $message.


The documentation for this class was generated from the following file: