ILIAS  release_6 Revision v6.24-5-g0c8bfefb3b8
ilRbacAdmin Class Reference

Class ilRbacAdmin: core functions for role-based access control.


Public Member Functions

 __construct ()
 Constructor.

 setBlockedStatus ($a_role_id, $a_ref_id, $a_blocked_status)
 Set blocked status.

 removeUser ($a_usr_id)
 Deletes a user from rbac_ua; all user <-> role relations are deleted.

 deleteRole ($a_rol_id, $a_ref_id)
 Deletes a role and deletes entries in object_data, rbac_pa, rbac_templates, rbac_ua, rbac_fa.

 deleteTemplate ($a_obj_id)
 Deletes a template from role folder and deletes all entries in rbac_templates, rbac_fa.

 deleteLocalRole ($a_rol_id, $a_ref_id=0)
 Deletes a local role and entries in rbac_fa and rbac_templates.

 assignUserLimited ($a_role_id, $a_usr_id, $a_limit, $a_limited_roles=array())
 Assign user limited.

 assignUser ($a_rol_id, $a_usr_id)
 Assigns a user to a role.

 deassignUser ($a_rol_id, $a_usr_id)
 Deassigns a user from a role.

 grantPermission ($a_rol_id, $a_ops, $a_ref_id)
 Grants a permission to an object and a specific role.

 revokePermission ($a_ref_id, $a_rol_id=0, $a_keep_protected=true)
 Revokes permissions of an object of one role.

 revokeSubtreePermissions ($a_ref_id, $a_role_id)
 Revoke subtree permissions.

 deleteSubtreeTemplates ($a_ref_id, $a_rol_id)
 Delete all template permissions of subtree nodes.

 revokePermissionList ($a_ref_ids, $a_rol_id)
 Revokes permissions of a LIST of objects of ONE role.

 copyRolePermissions ($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected=true)
 Copies template permissions and permission of one role to another.

 copyRoleTemplatePermissions ($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected=true)
 Copies template permissions of one role to another.

 copyRolePermissionIntersection ($a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_parent, $a_dest_id)
 Copies the intersection of the template permissions of two roles to a third role.

 copyRolePermissionUnion ($a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_id, $a_dest_parent)
 @global <type> $ilDB

 copyRolePermissionSubtract ($a_source_id, $a_source_parent, $a_dest_id, $a_dest_parent)
 Subtract role permissions.

 deleteRolePermission ($a_rol_id, $a_ref_id, $a_type=false)
 Deletes all entries of a template.

 setRolePermission ($a_rol_id, $a_type, $a_ops, $a_ref_id)
 Inserts template permissions in rbac_templates for a specific object type.

 assignRoleToFolder ($a_rol_id, $a_parent, $a_assign="y")
 Assigns a role to a role folder. A role folder is an object to store roles.

 assignOperationToObject ($a_type_id, $a_ops_id)
 Assign an existing operation to an object. Update of rbac_ta.

 deassignOperationFromObject ($a_type_id, $a_ops_id)
 Deassign an existing operation from an object. Update of rbac_ta.

 setProtected ($a_ref_id, $a_role_id, $a_value)
 Set protected.

 copyLocalRoles ($a_source_id, $a_target_id)
 Copy local roles. This method creates a copy of all local roles.

 initIntersectionPermissions ($a_ref_id, $a_role_id, $a_role_parent, $a_template_id, $a_template_parent)
 Init intersection permissions.

 adjustMovedObjectPermissions ($a_ref_id, $a_old_parent)
 Adjust permissions of moved objects.


Protected Member Functions

 applyMovedObjectDidacticTemplates ($a_ref_id, $a_old_parent)
 Apply didactic templates after object movement.
 

Detailed Description

Class ilRbacAdmin: core functions for role-based access control.

Creation and maintenance of relations. The main relations of RBAC are the user <-> role (UR) assignment relation and the permission <-> role (PR) assignment relation. This class contains methods to create and delete instances of the UR relation, e.g. assignUser() and deassignUser(). The required methods for the PR relation are grantPermission() and revokePermission().

Author
Stefan Meyer meyer@leifos.com
Version
$Id$

Definition at line 18 of file class.ilRbacAdmin.php.

Constructor & Destructor Documentation

◆ __construct()

ilRbacAdmin::__construct ( )

Constructor.

Definition at line 24 of file class.ilRbacAdmin.php.

25 {
26 global $DIC;
27
28 $ilDB = $DIC['ilDB'];
29 $ilErr = $DIC['ilErr'];
30 $ilias = $DIC['ilias'];
31
32 // set db & error handler
33 (isset($ilDB)) ? $this->ilDB = &$ilDB : $this->ilDB = &$ilias->db;
34
35 if (!isset($ilErr)) {
36 $ilErr = new ilErrorHandling();
37 $ilErr->setErrorHandling(PEAR_ERROR_CALLBACK, array($ilErr,'errorHandler'));
38 } else {
39 $this->ilErr = &$ilErr;
40 }
41 }

References $DIC, $ilDB, $ilErr, and PEAR_ERROR_CALLBACK.

Member Function Documentation

◆ adjustMovedObjectPermissions()

ilRbacAdmin::adjustMovedObjectPermissions (   $a_ref_id,
  $a_old_parent 
)

Adjust permissions of moved objects.

  • Delete permissions of parent roles that do not exist in new context
  • Delete role templates of parent roles that do not exist in new context
  • Add permissions for parent roles that did not exist in old context

@access public

Parameters
int ref id of moved object
int ref_id of old parent

Definition at line 1278 of file class.ilRbacAdmin.php.

1279 {
1280 global $DIC;
1281
1282 $rbacreview = $DIC['rbacreview'];
1283 $tree = $DIC['tree'];
1284 $ilLog = $DIC['ilLog'];
1285
1286 $new_parent = $tree->getParentId($a_ref_id);
1287 $old_context_roles = $rbacreview->getParentRoleIds($a_old_parent, false);
1288 $new_context_roles = $rbacreview->getParentRoleIds($new_parent, false);
1289
1290 $for_addition = $for_deletion = array();
1291 foreach ($new_context_roles as $new_role_id => $new_role) {
1292 if (!isset($old_context_roles[$new_role_id])) {
1293 $for_addition[$new_role_id] = $new_role;
1294 } elseif ($new_role['parent'] != $old_context_roles[$new_role_id]['parent']) {
1295 // handle stopped inheritance
1296 $for_deletion[$new_role_id] = $new_role;
1297 $for_addition[$new_role_id] = $new_role;
1298 }
1299 }
1300 foreach ($old_context_roles as $old_role_id => $old_role) {
1301 if (!isset($new_context_roles[$old_role_id])) {
1302 $for_deletion[$old_role_id] = $old_role;
1303 }
1304 }
1305
1306 if (!count($for_deletion) and !count($for_addition)) {
1307 $this->applyMovedObjectDidacticTemplates($a_ref_id, $a_old_parent);
1308 return true;
1309 }
1310
1311 include_once "Services/AccessControl/classes/class.ilRbacLog.php";
1312 $rbac_log_active = ilRbacLog::isActive();
1313 if ($rbac_log_active) {
1314 $role_ids = array_unique(array_merge(array_keys($for_deletion), array_keys($for_addition)));
1315 }
1316
1317 foreach ($nodes = $tree->getSubTree($tree->getNodeData($a_ref_id), true) as $node_data) {
1318 $node_id = $node_data['child'];
1319
1320 if ($rbac_log_active) {
1321 $log_old = ilRbacLog::gatherFaPa($node_id, $role_ids);
1322 }
1323
1324 // If $node_data['type'] is not set, this means there is a tree entry without
1325 // object_reference and/or object_data entry
1326 // Continue in this case
1327 if (!$node_data['type']) {
1328 $ilLog->write(__METHOD__ . ': No type give. Choosing next tree entry.');
1329 continue;
1330 }
1331
1332 if (!$node_id) {
1333 $ilLog->write(__METHOD__ . ': Missing subtree node_id');
1334 continue;
1335 }
1336
1337 foreach ($for_deletion as $role_id => $role_data) {
1338 $this->deleteLocalRole($role_id, $node_id);
1339 $this->revokePermission($node_id, $role_id, false);
1340 //var_dump("<pre>",'REVOKE',$role_id,$node_id,$rolf_id,"</pre>");
1341 }
1342 foreach ($for_addition as $role_id => $role_data) {
1343 switch ($node_data['type']) {
1344 case 'grp':
1345 include_once './Modules/Group/classes/class.ilObjGroup.php';
1346 $tpl_id = ilObjGroup::lookupGroupStatusTemplateId($node_data['obj_id']);
1347 $this->initIntersectionPermissions(
1348 $node_data['child'],
1349 $role_id,
1350 $role_data['parent'],
1351 $tpl_id,
1352 ROLE_FOLDER_ID
1353 );
1354 break;
1355
1356 case 'crs':
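1357 include_once './Modules/Course/classes/class.ilObjCourse.php';
1358 $tpl_id = ilObjCourse::lookupCourseNonMemberTemplatesId();
1359 $this->initIntersectionPermissions(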
1360 $node_data['child'],
1361 $role_id,
1362 $role_data['parent'],
1363 $tpl_id,
1364 ROLE_FOLDER_ID
1365 );
1366 break;
1367
1368
1369 default:
1370 $this->grantPermission(
1371 $role_id,
1372 $ops = $rbacreview->getOperationsOfRole($role_id, $node_data['type'], $role_data['parent']),
1373 $node_id
1374 );
1375 break;
1376
1377
1378 }
1379
1380
1381 //var_dump("<pre>",'GRANT',$role_id,$ops,$role_id,$node_data['type'],$role_data['parent'],"</pre>");
1382 }
1383
1384 if ($rbac_log_active) {
1385 $log_new = ilRbacLog::gatherFaPa($node_id, $role_ids);
1386 $log = ilRbacLog::diffFaPa($log_old, $log_new);
1387 ilRbacLog::add(ilRbacLog::MOVE_OBJECT, $node_id, $log);
1388 }
1389 }
1390
1391 $this->applyMovedObjectDidacticTemplates($a_ref_id, $a_old_parent);
1392 }

References $DIC, $ilLog, $log, ilRbacLog\add(), applyMovedObjectDidacticTemplates(), deleteLocalRole(), ilRbacLog\diffFaPa(), ilRbacLog\gatherFaPa(), grantPermission(), initIntersectionPermissions(), ilRbacLog\isActive(), ilObjCourse\lookupCourseNonMemberTemplatesId(), ilObjGroup\lookupGroupStatusTemplateId(), ilRbacLog\MOVE_OBJECT, and revokePermission().
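
The three adjustments listed above, worked through on a constructed move (an added example, not code from ILIAS): roles are diffed between the old and new context and the result is applied to an in-memory stand-in for rbac_pa. It covers only the default branch of the listing and does not model deleteLocalRole(); the function names, array shapes and all ids are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not ILIAS code. A role context is modelled as
// role_id => ['parent' => ref_id whose template defines the role here],
// the shape the listing reads from getParentRoleIds(). All ids are constructed.

/** Split roles into those to revoke and those to (re-)grant after a move. */
function diffRoleContexts(array $old, array $new): array
{
    $add = $del = [];
    foreach ($new as $roleId => $role) {
        if (!isset($old[$roleId])) {
            $add[$roleId] = $role;            // only visible at the new location
        } elseif ($role['parent'] != $old[$roleId]['parent']) {
            $del[$roleId] = $role;            // stopped inheritance: same role, but a
            $add[$roleId] = $role;            // different template; revoke and re-grant
        }
    }
    foreach ($old as $roleId => $role) {
        if (!isset($new[$roleId])) {
            $del[$roleId] = $role;            // no longer visible: grant is stale
        }
    }
    return ['add' => $add, 'del' => $del];
}

/**
 * Apply the diff to every node of the moved subtree (default branch only).
 * $pa:        node_id => role_id => list of ops ids (models rbac_pa)
 * $templates: role_id => parent => type => list of ops ids (models rbac_templates)
 */
function applyMove(array $pa, array $subtree, array $diff, array $templates): array
{
    foreach ($subtree as $node) {
        if (empty($node['type']) || empty($node['child'])) {
            continue;                         // broken tree entry, skipped as in the listing
        }
        foreach (array_keys($diff['del']) as $roleId) {
            unset($pa[$node['child']][$roleId]);
        }
        foreach ($diff['add'] as $roleId => $role) {
            $ops = $templates[$roleId][$role['parent']][$node['type']] ?? [];
            $pa[$node['child']][$roleId] = $ops;
        }
    }
    return $pa;
}

// Constructed scenario: folder 70 (with file 71) moves from course 40 to category 50.
$old = [2 => ['parent' => 8], 4 => ['parent' => 8], 200 => ['parent' => 40]];
$new = [2 => ['parent' => 8], 4 => ['parent' => 50], 300 => ['parent' => 50]];
$templates = [
    4   => [50 => ['fold' => [2], 'file' => [2]]],
    300 => [50 => ['fold' => [2, 3], 'file' => [2, 3]]],
];
$pa = [
    70 => [2 => [1, 2, 3, 4], 4 => [2, 3], 200 => [2, 3, 4]],
    71 => [2 => [1, 2, 3, 4], 4 => [2, 3], 200 => [2, 3, 4]],
];
$subtree = [['child' => 70, 'type' => 'fold'], ['child' => 71, 'type' => 'file']];

$diff = diffRoleContexts($old, $new);
$pa = applyMove($pa, $subtree, $diff, $templates);

echo 'revoke: ' . implode(',', array_keys($diff['del'])) . PHP_EOL;
echo 'grant:  ' . implode(',', array_keys($diff['add'])) . PHP_EOL;
foreach ($pa as $nodeId => $roles) {
    ksort($roles);
    foreach ($roles as $roleId => $ops) {
        echo "node $nodeId role $roleId ops " . implode(',', $ops) . PHP_EOL;
    }
}
```

Role 200 exists only in the old context and loses its grants on both nodes, while role 4 appears in both contexts with a different parent and is therefore revoked and re-granted from the new template.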


◆ applyMovedObjectDidacticTemplates()

ilRbacAdmin::applyMovedObjectDidacticTemplates (   $a_ref_id,
  $a_old_parent 
)
protected

Apply didactic templates after object movement.

Parameters
int $a_ref_id
int $a_old_parent
Deprecated:
since version 5.1.0 will be removed with 5.4 and implemented using event handler

Definition at line 1248 of file class.ilRbacAdmin.php.

1249 {
1250 include_once './Services/DidacticTemplate/classes/class.ilDidacticTemplateObjSettings.php';
1251 $tpl_id = ilDidacticTemplateObjSettings::lookupTemplateId($a_ref_id);
1252 if (!$tpl_id) {
1253 return;
1254 }
1255 include_once './Services/DidacticTemplate/classes/class.ilDidacticTemplateActionFactory.php';
1256 foreach (ilDidacticTemplateActionFactory::getActionsByTemplateId($tpl_id) as $action) {
1257 if ($action instanceof ilDidacticTemplateLocalRoleAction) {
1258 continue;
1259 }
1260 $action->setRefId($a_ref_id);
1261 $action->apply();
1262 }
1263 return;
1264 }

References ilDidacticTemplateActionFactory\getActionsByTemplateId(), and ilDidacticTemplateObjSettings\lookupTemplateId().

Referenced by adjustMovedObjectPermissions().


◆ assignOperationToObject()

ilRbacAdmin::assignOperationToObject (   $a_type_id,
  $a_ops_id 
)

Assign an existing operation to an object. Update of rbac_ta.

@access public

Parameters
integer object type
integer operation_id
Returns
boolean

Definition at line 1049 of file class.ilRbacAdmin.php.

1050 {
1051 global $DIC;
1052
1053 $ilDB = $DIC['ilDB'];
1054
1055 if (!isset($a_type_id) or !isset($a_ops_id)) {
1056 $message = get_class($this) . "::assignOperationToObject(): Missing parameter!" .
1057 "type_id: " . $a_type_id .
1058 "ops_id: " . $a_ops_id;
1059 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
1060 }
1061
1062 $query = "INSERT INTO rbac_ta (typ_id, ops_id) " .
1063 "VALUES(" . $ilDB->quote($a_type_id, 'integer') . "," . $ilDB->quote($a_ops_id, 'integer') . ")";
1064 $res = $ilDB->manipulate($query);
1065 return true;
1066 }

References $DIC, $ilDB, $message, $query, and $res.

◆ assignRoleToFolder()

ilRbacAdmin::assignRoleToFolder (   $a_rol_id,
  $a_parent,
  $a_assign = "y" 
)

Assigns a role to a role folder. A role folder is an object to store roles.

Every role is assigned to at least one role folder. If the inheritance of a role is stopped, a new role template is created and the role is assigned to at least two role folders. All roles with stopped inheritance need the flag '$a_assign = false'.

@access public

Parameters
integer object id of role
integer ref_id of role folder
string assignable ('y','n'); default: 'y'
Returns
boolean

Definition at line 993 of file class.ilRbacAdmin.php.

994 {
995 global $DIC;
996
997 $ilDB = $DIC['ilDB'];
998 $rbacreview = $DIC['rbacreview'];
999
1000 if (!isset($a_rol_id) or !isset($a_parent)) {
1001 $message = get_class($this) . "::assignRoleToFolder(): Missing Parameter!" .
1002 " role_id: " . $a_rol_id .
1003 " parent_id: " . $a_parent .
1004 " assign: " . $a_assign;
1005 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
1006 }
1007
1008 // exclude system role from rbac
1009 if ($a_rol_id == SYSTEM_ROLE_ID) {
1010 return true;
1011 }
1012
1013 // if a wrong value is passed, always set assign to "n"
1014 if ($a_assign != "y") {
1015 $a_assign = "n";
1016 }
1017
1018 // check if already assigned
1019 $query = 'SELECT rol_id FROM rbac_fa ' .
1020 'WHERE rol_id = ' . $ilDB->quote($a_rol_id, 'integer') . ' ' .
1021 'AND parent = ' . $ilDB->quote($a_parent, 'integer');
1022 $res = $ilDB->query($query);
1023 if ($res->numRows()) {
1024 ilLoggerFactory::getLogger('ac')->info('Role already assigned to object');
1025 return false;
1026 }
1027
1028 $query = sprintf(
1029 'INSERT INTO rbac_fa (rol_id, parent, assign, protected) ' .
1030 'VALUES (%s,%s,%s,%s)',
1031 $ilDB->quote($a_rol_id, 'integer'),
1032 $ilDB->quote($a_parent, 'integer'),
1033 $ilDB->quote($a_assign, 'text'),
1034 $ilDB->quote('n', 'text')
1035 );
1036 $res = $ilDB->manipulate($query);
1037
1038 return true;
1039 }

References $DIC, $ilDB, $message, $query, $res, and ilLoggerFactory\getLogger().

Referenced by copyLocalRoles(), and initIntersectionPermissions().


◆ assignUser()

ilRbacAdmin::assignUser (   $a_rol_id,
  $a_usr_id 
)

Assigns a user to a role.

Update of table rbac_ua

Parameters
int $a_rol_id Object-ID of role
int $a_usr_id Object-ID of user
Returns
boolean

Definition at line 264 of file class.ilRbacAdmin.php.

265 {
266 global $DIC;
267
268 $ilDB = $DIC['ilDB'];
269 $rbacreview = $DIC['rbacreview'];
270
271 if (!isset($a_rol_id) or !isset($a_usr_id)) {
272 $message = get_class($this) . "::assignUser(): Missing parameter! role_id: " . $a_rol_id . " usr_id: " . $a_usr_id;
273 #$this->ilErr->raiseError($message,$this->ilErr->WARNING);
274 }
275
276 // check if already assigned user id and role_id
277 $alreadyAssigned = $rbacreview->isAssigned($a_usr_id, $a_rol_id);
278
279 // enhanced: only if we haven't had this role for this user
280 if (!$alreadyAssigned) {
281 $query = "INSERT INTO rbac_ua (usr_id, rol_id) " .
282 "VALUES (" . $ilDB->quote($a_usr_id, 'integer') . "," . $ilDB->quote($a_rol_id, 'integer') . ")";
283 $res = $ilDB->manipulate($query);
284
285 $rbacreview->setAssignedCacheEntry($a_rol_id, $a_usr_id, true);
286 }
287
288 include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
289 $mapping = ilLDAPRoleGroupMapping::_getInstance();
290 $mapping->assign($a_rol_id, $a_usr_id);
291
292
293 $ref_id = $GLOBALS['DIC']['rbacreview']->getObjectReferenceOfRole($a_rol_id);
294 $obj_id = ilObject::_lookupObjId($ref_id);
295 $type = ilObject::_lookupType($obj_id);
296
297 if (!$alreadyAssigned) {
298 ilLoggerFactory::getInstance()->getLogger('ac')->debug('Raise event assign user');
299 $GLOBALS['DIC']['ilAppEventHandler']->raise(
300 'Services/AccessControl',
301 'assignUser',
302 array(
303 'obj_id' => $obj_id,
304 'usr_id' => $a_usr_id,
305 'role_id' => $a_rol_id,
306 'type' => $type
307 )
308 );
309 }
310 return true;
311 }

References $DIC, $GLOBALS, $ilDB, $message, $query, $res, $type, ilLDAPRoleGroupMapping\_getInstance(), ilObject\_lookupObjId(), ilObject\_lookupType(), and ilLoggerFactory\getInstance().


◆ assignUserLimited()

ilRbacAdmin::assignUserLimited (   $a_role_id,
  $a_usr_id,
  $a_limit,
  $a_limited_roles = array() 
)

Assign user limited.

Parameters
type $a_role_id
type $a_usr_id
type $a_limit

Definition at line 212 of file class.ilRbacAdmin.php.

213 {
214 global $DIC;
215
216 $ilDB = $DIC['ilDB'];
217
218 $ilAtomQuery = $ilDB->buildAtomQuery();
219 $ilAtomQuery->addTableLock('rbac_ua');
220
221 $ilAtomQuery->addQueryCallable(
222 function (ilDBInterface $ilDB) use (&$ret, $a_role_id, $a_usr_id,$a_limit, $a_limited_roles) {
223 $ret = true;
224 $limit_query = 'SELECT COUNT(*) num FROM rbac_ua ' .
225 'WHERE ' . $ilDB->in('rol_id', (array) $a_limited_roles, false, 'integer');
226 $res = $ilDB->query($limit_query);
227 $row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT);
228 if ($row->num >= $a_limit) {
229 $ret = false;
230 return;
231 }
232
233 $query = "INSERT INTO rbac_ua (usr_id, rol_id) " .
234 "VALUES (" .
235 $ilDB->quote($a_usr_id, 'integer') . "," . $ilDB->quote($a_role_id, 'integer') .
236 ")";
237 $res = $ilDB->manipulate($query);
238 }
239 );
240
241 $ilAtomQuery->run();
242
243 if (!$ret) {
244 return false;
245 }
246
247 $GLOBALS['DIC']['rbacreview']->setAssignedCacheEntry($a_role_id, $a_usr_id, true);
248
249 include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
250 $mapping = ilLDAPRoleGroupMapping::_getInstance();
251 $mapping->assign($a_role_id, $a_usr_id);
252 return true;
253 }

References $DIC, $GLOBALS, $ilDB, $query, $res, $ret, ilLDAPRoleGroupMapping\_getInstance(), and ilDBConstants\FETCHMODE_OBJECT.


◆ copyLocalRoles()

ilRbacAdmin::copyLocalRoles (   $a_source_id,
  $a_target_id 
)

Copy local roles. This method creates a copy of all local roles.

Note: auto generated roles are excluded

@access public

Parameters
int source id of object (not role folder)
int target id of object

Definition at line 1130 of file class.ilRbacAdmin.php.

1131 {
1132 global $DIC;
1133
1134 $rbacreview = $DIC['rbacreview'];
1135 $ilLog = $DIC['ilLog'];
1136 $ilObjDataCache = $DIC['ilObjDataCache'];
1137
1138 $real_local = array();
1139 foreach ($rbacreview->getRolesOfRoleFolder($a_source_id, false) as $role_data) {
1140 $title = $ilObjDataCache->lookupTitle($role_data);
1141 if (substr($title, 0, 3) == 'il_') {
1142 continue;
1143 }
1144 $real_local[] = $role_data;
1145 }
1146 if (!count($real_local)) {
1147 return true;
1148 }
1149 // Create role folder
1150 foreach ($real_local as $role) {
1151 include_once("./Services/AccessControl/classes/class.ilObjRole.php");
1152 $orig = new ilObjRole($role);
1153 $orig->read();
1154
1155 $ilLog->write(__METHOD__ . ': Start copying of role ' . $orig->getTitle());
1156 $roleObj = new ilObjRole();
1157 $roleObj->setTitle($orig->getTitle());
1158 $roleObj->setDescription($orig->getDescription());
1159 $roleObj->setImportId($orig->getImportId());
1160 $roleObj->create();
1161
1162 $this->assignRoleToFolder($roleObj->getId(), $a_target_id, "y");
1163 $this->copyRolePermissions($role, $a_source_id, $a_target_id, $roleObj->getId(), true);
1164 $ilLog->write(__METHOD__ . ': Added new local role, id ' . $roleObj->getId());
1165 }
1166 }

References $DIC, $ilLog, assignRoleToFolder(), and copyRolePermissions().


◆ copyRolePermissionIntersection()

ilRbacAdmin::copyRolePermissionIntersection (   $a_source1_id,
  $a_source1_parent,
  $a_source2_id,
  $a_source2_parent,
  $a_dest_parent,
  $a_dest_id 
)

Copies the intersection of the template permissions of two roles to a third role.

@access public

Parameters
integer $a_source1_id role_id source
integer $a_source1_parent parent_id source
integer $a_source2_id role_id source
integer $a_source2_parent parent_id source
integer $a_dest_id role_id destination
integer $a_dest_parent parent_id destination
Returns
boolean

Definition at line 716 of file class.ilRbacAdmin.php.

717 {
718 global $DIC;
719
720 $rbacreview = $DIC['rbacreview'];
721 $ilDB = $DIC['ilDB'];
722
723 if (!isset($a_source1_id) or !isset($a_source1_parent)
724 or !isset($a_source2_id) or !isset($a_source2_parent)
725 or !isset($a_dest_id) or !isset($a_dest_parent)) {
726 $message = get_class($this) . "::copyRolePermissionIntersection(): Missing parameter! source1_id: " . $a_source1_id .
727 " source1_parent: " . $a_source1_parent .
728 " source2_id: " . $a_source2_id .
729 " source2_parent: " . $a_source2_parent .
730 " dest_id: " . $a_dest_id .
731 " dest_parent_id: " . $a_dest_parent;
732 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
733 }
734
735 // exclude system role from rbac
736 if ($a_dest_id == SYSTEM_ROLE_ID) {
737 ilLoggerFactory::getLogger('ac')->debug('Ignoring system role.');
738 return true;
739 }
740
741 if ($rbacreview->isProtected($a_source2_parent, $a_source2_id)) {
742 $GLOBALS['DIC']['ilLog']->write(__METHOD__ . ': Role is protected');
743 return true;
744 }
745
746 $query = "SELECT s1.type, s1.ops_id " .
747 "FROM rbac_templates s1, rbac_templates s2 " .
748 "WHERE s1.rol_id = " . $ilDB->quote($a_source1_id, 'integer') . " " .
749 "AND s1.parent = " . $ilDB->quote($a_source1_parent, 'integer') . " " .
750 "AND s2.rol_id = " . $ilDB->quote($a_source2_id, 'integer') . " " .
751 "AND s2.parent = " . $ilDB->quote($a_source2_parent, 'integer') . " " .
752 "AND s1.type = s2.type " .
753 "AND s1.ops_id = s2.ops_id";
754
756
757 $res = $ilDB->query($query);
758 $operations = array();
759 $rowNum = 0;
760 while ($row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
761 $operations[$rowNum]['type'] = $row->type;
762 $operations[$rowNum]['ops_id'] = $row->ops_id;
763
764 $rowNum++;
765 }
766
767 // Delete template permissions of target
768 $query = 'DELETE FROM rbac_templates WHERE rol_id = ' . $ilDB->quote($a_dest_id, 'integer') . ' ' .
769 'AND parent = ' . $ilDB->quote($a_dest_parent, 'integer');
770 $res = $ilDB->manipulate($query);
771
772 $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) ' .
773 'VALUES (?,?,?,?)';
774 $sta = $ilDB->prepareManip($query, array('integer','text','integer','integer'));
775 foreach ($operations as $key => $set) {
776 $ilDB->execute($sta, array(
777 $a_dest_id,
778 $set['type'],
779 $set['ops_id'],
780 $a_dest_parent));
781 }
782 return true;
783 }

References $DIC, $GLOBALS, $ilDB, $message, $query, $res, ilDBConstants\FETCHMODE_OBJECT, and ilLoggerFactory\getLogger().

Referenced by initIntersectionPermissions().


◆ copyRolePermissions()

ilRbacAdmin::copyRolePermissions (   $a_source_id,
  $a_source_parent,
  $a_dest_parent,
  $a_dest_id,
  $a_consider_protected = true 
)

Copies template permissions and permission of one role to another.

@access public

Parameters
integer $a_source_id role_id source
integer $a_source_parent parent_id source
integer $a_dest_parent parent_id destination
integer $a_dest_id role_id destination
Returns
boolean

Definition at line 619 of file class.ilRbacAdmin.php.

620 {
621 global $DIC;
622
623 $tree = $DIC['tree'];
624 $rbacreview = $DIC['rbacreview'];
625
626 // Copy template permissions
627 $this->copyRoleTemplatePermissions($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected);
628
629 $ops = $rbacreview->getRoleOperationsOnObject($a_source_id, $a_source_parent);
630
631 $this->revokePermission($a_dest_parent, $a_dest_id);
632 $this->grantPermission($a_dest_id, $ops, $a_dest_parent);
633 return true;
634 }

References $DIC, copyRoleTemplatePermissions(), grantPermission(), and revokePermission().

Referenced by copyLocalRoles().


◆ copyRolePermissionSubtract()

ilRbacAdmin::copyRolePermissionSubtract (   $a_source_id,
  $a_source_parent,
  $a_dest_id,
  $a_dest_parent 
)

Subtract role permissions.

Parameters
type $a_source_id
type $a_source_parent
type $a_dest_id
type $a_dest_parent

Definition at line 859 of file class.ilRbacAdmin.php.

860 {
861 global $DIC;
862
863 $rbacreview = $DIC['rbacreview'];
864 $ilDB = $DIC['ilDB'];
865
866 $s1_ops = $rbacreview->getAllOperationsOfRole($a_source_id, $a_source_parent);
867 $d_ops = $rbacreview->getAllOperationsOfRole($a_dest_id, $a_dest_parent);
868
869 foreach ($s1_ops as $type => $ops) {
870 foreach ($ops as $op) {
871 if (isset($d_ops[$type]) and in_array($op, $d_ops[$type])) {
872 $query = 'DELETE FROM rbac_templates ' .
873 'WHERE rol_id = ' . $ilDB->quote($a_dest_id, 'integer') . ' ' .
874 'AND type = ' . $ilDB->quote($type, 'text') . ' ' .
875 'AND ops_id = ' . $ilDB->quote($op, 'integer') . ' ' .
876 'AND parent = ' . $ilDB->quote($a_dest_parent, 'integer');
877 $ilDB->manipulate($query);
878 }
879 }
880 }
881 return true;
882 }

References $DIC, $ilDB, $query, and $type.

◆ copyRolePermissionUnion()

ilRbacAdmin::copyRolePermissionUnion (   $a_source1_id,
  $a_source1_parent,
  $a_source2_id,
  $a_source2_parent,
  $a_dest_id,
  $a_dest_parent 
)

@global <type> $ilDB

Parameters
<type> $a_source1_id
<type> $a_source1_parent
<type> $a_source2_id
<type> $a_source2_parent
<type> $a_dest_id
<type> $a_dest_parent
Returns
<type>

Definition at line 796 of file class.ilRbacAdmin.php.

803 {
804 global $DIC;
805
806 $ilDB = $DIC['ilDB'];
807 $rbacreview = $DIC['rbacreview'];
808
809
810 $s1_ops = $rbacreview->getAllOperationsOfRole($a_source1_id, $a_source1_parent);
811 $s2_ops = $rbacreview->getAlloperationsOfRole($a_source2_id, $a_source2_parent);
812
813 $this->deleteRolePermission($a_dest_id, $a_dest_parent);
814
815 $GLOBALS['DIC']['ilLog']->write(__METHOD__ . ': ' . print_r($s1_ops, true));
816 $GLOBALS['DIC']['ilLog']->write(__METHOD__ . ': ' . print_r($s2_ops, true));
817
818 foreach ($s1_ops as $type => $ops) {
819 foreach ($ops as $op) {
820 // insert all permission of source 1
821 // #15469
822 $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) ' .
823 'VALUES( ' .
824 $ilDB->quote($a_dest_id, 'integer') . ', ' .
825 $ilDB->quote($type, 'text') . ', ' .
826 $ilDB->quote($op, 'integer') . ', ' .
827 $ilDB->quote($a_dest_parent, 'integer') . ' ' .
828 ')';
829 $ilDB->manipulate($query);
830 }
831 }
832
833 // and the other direction...
834 foreach ($s2_ops as $type => $ops) {
835 foreach ($ops as $op) {
836 if (!isset($s1_ops[$type]) or !in_array($op, $s1_ops[$type])) {
837 $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) ' .
838 'VALUES( ' .
839 $ilDB->quote($a_dest_id, 'integer') . ', ' .
840 $ilDB->quote($type, 'text') . ', ' .
841 $ilDB->quote($op, 'integer') . ', ' .
842 $ilDB->quote($a_dest_parent, 'integer') . ' ' .
843 ')';
844 $ilDB->manipulate($query);
845 }
846 }
847 }
848
849 return true;
850 }

References $DIC, $GLOBALS, $ilDB, $query, $type, and deleteRolePermission().
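
What copyRolePermissionIntersection(), copyRolePermissionSubtract() and copyRolePermissionUnion() leave in the destination role's template, shown on an in-memory stand-in for rbac_templates. This is an added example, not ILIAS code; the function names, the table model and all ids are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not ILIAS code: rbac_templates is modelled as an array of
// rows (rol_id, type, ops_id, parent). A role is addressed as [rol_id, parent].
// All ids are constructed.

/** Template permissions of one role at one parent, keyed "type:ops_id". */
function templateSet(array $table, int $rolId, int $parent): array
{
    $set = [];
    foreach ($table as $row) {
        if ($row['rol_id'] === $rolId && $row['parent'] === $parent) {
            $set[$row['type'] . ':' . $row['ops_id']] = $row;
        }
    }
    return $set;
}

/** Delete the destination's rows, then insert $set for it (as the listings do). */
function replaceTemplates(array $table, array $dest, array $set): array
{
    [$destId, $destParent] = $dest;
    $kept = [];
    foreach ($table as $row) {
        if ($row['rol_id'] !== $destId || $row['parent'] !== $destParent) {
            $kept[] = $row;
        }
    }
    foreach ($set as $row) {
        $kept[] = ['rol_id' => $destId, 'type' => $row['type'],
                   'ops_id' => $row['ops_id'], 'parent' => $destParent];
    }
    return $kept;
}

function permIntersection(array $t, array $s1, array $s2, array $dest, bool $s2Protected = false): array
{
    if ($s2Protected) {
        return $t;                 // protected second source: destination stays as it is
    }
    $set = array_intersect_key(templateSet($t, ...$s1), templateSet($t, ...$s2));
    return replaceTemplates($t, $dest, $set);
}

function permUnion(array $t, array $s1, array $s2, array $dest): array
{
    // "+" keeps source 1 and adds only the keys source 2 has in addition
    return replaceTemplates($t, $dest, templateSet($t, ...$s1) + templateSet($t, ...$s2));
}

function permSubtract(array $t, array $source, array $dest): array
{
    // remove from the destination whatever the source also holds
    $set = array_diff_key(templateSet($t, ...$dest), templateSet($t, ...$source));
    return replaceTemplates($t, $dest, $set);
}

/** Build constructed rows for one role from [type, ops_id] pairs. */
function rows(int $rolId, int $parent, array $perms): array
{
    $rows = [];
    foreach ($perms as [$type, $opsId]) {
        $rows[] = ['rol_id' => $rolId, 'type' => $type, 'ops_id' => $opsId, 'parent' => $parent];
    }
    return $rows;
}

function show(string $label, array $table, array $role): void
{
    $keys = array_keys(templateSet($table, ...$role));
    sort($keys);
    echo $label . ': ' . implode(' ', $keys) . PHP_EOL;
}

$table = array_merge(
    rows(10, 8, [['crs', 2], ['crs', 3], ['crs', 4]]),
    rows(20, 8, [['crs', 2], ['crs', 3], ['grp', 2]]),
    rows(30, 50, [['crs', 4], ['crs', 6]])
);
$s1 = [10, 8];
$s2 = [20, 8];
$dest = [30, 50];

show('intersection', permIntersection($table, $s1, $s2, $dest), $dest);
show('protected s2', permIntersection($table, $s1, $s2, $dest, true), $dest);
show('union', permUnion($table, $s1, $s2, $dest), $dest);
show('subtract s1', permSubtract($table, $s1, $dest), $dest);
```

Intersection and union both discard whatever the destination held before, so a destination that previously had a narrower template can end up with more operations after a union.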


◆ copyRoleTemplatePermissions()

ilRbacAdmin::copyRoleTemplatePermissions (   $a_source_id,
  $a_source_parent,
  $a_dest_parent,
  $a_dest_id,
  $a_consider_protected = true 
)

Copies template permissions of one role to another.

It's also possible to copy template permissions from/to RoleTemplateObject.

Parameters
integer $a_source_id role_id source
integer $a_source_parent parent_id source
integer $a_dest_parent parent_id destination
integer $a_dest_id role_id destination
Returns
boolean

Definition at line 646 of file class.ilRbacAdmin.php.

647 {
648 global $DIC;
649
650 $rbacreview = $DIC['rbacreview'];
651 $ilDB = $DIC['ilDB'];
652
653 if (!isset($a_source_id) or !isset($a_source_parent) or !isset($a_dest_id) or !isset($a_dest_parent)) {
654 $message = __METHOD__ . ": Missing parameter! source_id: " . $a_source_id .
655 " source_parent_id: " . $a_source_parent .
656 " dest_id : " . $a_dest_id .
657 " dest_parent_id: " . $a_dest_parent;
658 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
659 }
660
661 // exclude system role from rbac
662 if ($a_dest_id == SYSTEM_ROLE_ID) {
663 return true;
664 }
665
666 // Read operations
667 $query = 'SELECT * FROM rbac_templates ' .
668 'WHERE rol_id = ' . $ilDB->quote($a_source_id, 'integer') . ' ' .
669 'AND parent = ' . $ilDB->quote($a_source_parent, 'integer');
670 $res = $ilDB->query($query);
671 $operations = array();
672 $rownum = 0;
673 while ($row = $ilDB->fetchObject($res)) {
674 $operations[$rownum]['type'] = $row->type;
675 $operations[$rownum]['ops_id'] = $row->ops_id;
676 $rownum++;
677 }
678
679 // Delete target permissions
680 $query = 'DELETE FROM rbac_templates WHERE rol_id = ' . $ilDB->quote($a_dest_id, 'integer') . ' ' .
681 'AND parent = ' . $ilDB->quote($a_dest_parent, 'integer');
682 $res = $ilDB->manipulate($query);
683
684 foreach ($operations as $row => $op) {
685 $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) ' .
686 'VALUES (' .
687 $ilDB->quote($a_dest_id, 'integer') . "," .
688 $ilDB->quote($op['type'], 'text') . "," .
689 $ilDB->quote($op['ops_id'], 'integer') . "," .
690 $ilDB->quote($a_dest_parent, 'integer') . ")";
691 $ilDB->manipulate($query);
692 }
693
694 // copy also protection status if applicable
695 if ($a_consider_protected == true) {
696 if ($rbacreview->isProtected($a_source_parent, $a_source_id)) {
697 $this->setProtected($a_dest_parent, $a_dest_id, 'y');
698 }
699 }
700
701 return true;
702 }

References $DIC, $ilDB, $message, $query, $res, and setProtected().

Referenced by copyRolePermissions().


◆ deassignOperationFromObject()

ilRbacAdmin::deassignOperationFromObject (   $a_type_id,
  $a_ops_id 
)

Deassign an existing operation from an object. Update of rbac_ta.

Parameters
integer object type
integer operation_id
Returns
boolean

Definition at line 1076 of file class.ilRbacAdmin.php.

1077 {
1078 global $DIC;
1079
1080 $ilDB = $DIC['ilDB'];
1081
1082 if (!isset($a_type_id) or !isset($a_ops_id)) {
1083 $message = get_class($this) . "::deassignOperationFromObject(): Missing parameter!" .
1084 " type_id: " . $a_type_id .
1085 " ops_id: " . $a_ops_id;
1086 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
1087 }
1088
1089 $query = "DELETE FROM rbac_ta " .
1090 "WHERE typ_id = " . $ilDB->quote($a_type_id, 'integer') . " " .
1091 "AND ops_id = " . $ilDB->quote($a_ops_id, 'integer');
1092 $res = $ilDB->manipulate($query);
1093
1094 return true;
1095 }

References $DIC, $ilDB, $message, $query, and $res.

◆ deassignUser()

ilRbacAdmin::deassignUser($a_rol_id, $a_usr_id)

Deassigns a user from a role.

Update of table rbac_ua

Parameters
int $a_rol_id: Object-ID of role
int $a_usr_id: Object-ID of user
Returns
boolean true on success

Definition at line 322 of file class.ilRbacAdmin.php.

323 {
324 global $DIC;
325
326 $ilDB = $DIC['ilDB'];
327 $rbacreview = $DIC->rbac()->review();
328
329 if (!isset($a_rol_id) or !isset($a_usr_id)) {
330 $message = get_class($this) . "::deassignUser(): Missing parameter! role_id: " . $a_rol_id . " usr_id: " . $a_usr_id;
331 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
332 }
333
334 $query = "DELETE FROM rbac_ua " .
335 "WHERE usr_id = " . $ilDB->quote($a_usr_id, 'integer') . " " .
336 "AND rol_id = " . $ilDB->quote($a_rol_id, 'integer') . " ";
337 $res = $ilDB->manipulate($query);
338
339 $rbacreview->setAssignedCacheEntry($a_rol_id, $a_usr_id, false);
340
341 include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
342 $mapping = ilLDAPRoleGroupMapping::_getInstance();
343 $mapping->deassign($a_rol_id, $a_usr_id);
344
345 if ($res) {
346 $ref_id = $GLOBALS['DIC']['rbacreview']->getObjectReferenceOfRole($a_rol_id);
347 $obj_id = ilObject::_lookupObjId($ref_id);
348 $type = ilObject::_lookupType($obj_id);
349
350 ilLoggerFactory::getInstance()->getLogger('ac')->debug('Raise event deassign user');
351 $GLOBALS['DIC']['ilAppEventHandler']->raise('Services/AccessControl', 'deassignUser', array(
352 'obj_id' => $obj_id,
353 'usr_id' => $a_usr_id,
354 'role_id' => $a_rol_id,
355 'type' => $type,
356 ));
357 }
358
359 return true;
360 }

References $DIC, $GLOBALS, $ilDB, $message, $query, $res, $type, ilLDAPRoleGroupMapping\_getInstance(), ilObject\_lookupObjId(), ilObject\_lookupType(), and ilLoggerFactory\getInstance().

Referenced by removeUser().


◆ deleteLocalRole()

ilRbacAdmin::deleteLocalRole($a_rol_id, $a_ref_id = 0)

Deletes a local role and its entries in rbac_fa and rbac_templates. @access public

Parameters
integer: object_id of role
integer: ref_id of role folder (optional)
Returns
boolean true on success

Definition at line 174 of file class.ilRbacAdmin.php.

175 {
176 global $DIC;
177
178 $ilDB = $DIC['ilDB'];
179
180 if (!isset($a_rol_id)) {
181 $message = get_class($this) . "::deleteLocalRole(): Missing parameter! role_id: '" . $a_rol_id . "'";
182 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
183 }
184
185 // exclude system role from rbac
186 if ($a_rol_id == SYSTEM_ROLE_ID) {
187 return true;
188 }
189 $clause = ''; // default: no restriction on parent
190 if ($a_ref_id != 0) {
191 $clause = 'AND parent = ' . $ilDB->quote($a_ref_id, 'integer') . ' ';
192 }
193
194 $query = 'DELETE FROM rbac_fa ' .
195 'WHERE rol_id = ' . $ilDB->quote($a_rol_id, 'integer') . ' ' .
196 $clause;
197 $res = $ilDB->manipulate($query);
198
199 $query = 'DELETE FROM rbac_templates ' .
200 'WHERE rol_id = ' . $ilDB->quote($a_rol_id, 'integer') . ' ' .
201 $clause;
202 $res = $ilDB->manipulate($query);
203 return true;
204 }

References $DIC, $ilDB, $message, $query, and $res.

Referenced by adjustMovedObjectPermissions(), and deleteRole().


◆ deleteRole()

ilRbacAdmin::deleteRole($a_rol_id, $a_ref_id)

Deletes a role and its entries in object_data, rbac_pa, rbac_templates, rbac_ua and rbac_fa. @access public

Parameters
integer: obj_id of role (role_id)
integer: ref_id of role folder (ref_id)
Returns
boolean true on success

Definition at line 98 of file class.ilRbacAdmin.php.

99 {
100 global $DIC;
101
102 $lng = $DIC['lng'];
103 $ilDB = $DIC['ilDB'];
104
105 if (!isset($a_rol_id) or !isset($a_ref_id)) {
106 $message = get_class($this) . "::deleteRole(): Missing parameter! role_id: " . $a_rol_id . " ref_id of role folder: " . $a_ref_id;
107 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
108 }
109
110 // exclude system role from rbac
111 if ($a_rol_id == SYSTEM_ROLE_ID) {
112 $this->ilErr->raiseError($lng->txt("msg_sysrole_not_deletable"), $this->ilErr->MESSAGE);
113 }
114
115 include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
116 $mapping = ilLDAPRoleGroupMapping::_getInstance();
117 $mapping->deleteRole($a_rol_id);
118
119
120 // TODO: check assigned users before deletion
121 // This is done in ilObjRole. Should be better moved to this place?
122
123 // delete user assignments
124 $query = "DELETE FROM rbac_ua " .
125 "WHERE rol_id = " . $ilDB->quote($a_rol_id, 'integer');
126 $res = $ilDB->manipulate($query);
127
128 // delete permission assignments
129 $query = "DELETE FROM rbac_pa " .
130 "WHERE rol_id = " . $ilDB->quote($a_rol_id, 'integer') . " ";
131 $res = $ilDB->manipulate($query);
132
133 //delete rbac_templates and rbac_fa
134 $this->deleteLocalRole($a_rol_id);
135
136 return true;
137 }

References $DIC, $ilDB, $lng, $message, $query, $res, ilLDAPRoleGroupMapping\_getInstance(), and deleteLocalRole().


◆ deleteRolePermission()

ilRbacAdmin::deleteRolePermission($a_rol_id, $a_ref_id, $a_type = false)

Deletes all entries of a template.

If an object type is given as the third parameter, only the entries for that object type are deleted. Update of table rbac_templates. @access public

Parameters
integer: object id of role
integer: ref_id of role folder
string: object type (optional)
Returns
boolean

Definition at line 895 of file class.ilRbacAdmin.php.

896 {
897 global $DIC;
898
899 $ilDB = $DIC['ilDB'];
900
901 if (!isset($a_rol_id) or !isset($a_ref_id)) {
902 $message = get_class($this) . "::deleteRolePermission(): Missing parameter! role_id: " . $a_rol_id . " ref_id: " . $a_ref_id;
903 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
904 }
905
906 // exclude system role from rbac
907 if ($a_rol_id == SYSTEM_ROLE_ID) {
908 return true;
909 }
910 $and_type = ''; // default: no restriction on object type
911 if ($a_type !== false) {
912 $and_type = " AND type=" . $ilDB->quote($a_type, 'text') . " ";
913 }
914
915 $query = 'DELETE FROM rbac_templates ' .
916 'WHERE rol_id = ' . $ilDB->quote($a_rol_id, 'integer') . ' ' .
917 'AND parent = ' . $ilDB->quote($a_ref_id, 'integer') . ' ' .
918 $and_type;
919
920 $res = $ilDB->manipulate($query);
921
922 return true;
923 }

References $a_type, $DIC, $ilDB, $message, $query, and $res.

Referenced by copyRolePermissionUnion().


◆ deleteSubtreeTemplates()

ilRbacAdmin::deleteSubtreeTemplates($a_ref_id, $a_rol_id)

Delete all template permissions of subtree nodes.

Parameters
object $a_ref_id
object $a_rol_id
Returns

Definition at line 550 of file class.ilRbacAdmin.php.

551 {
552 global $DIC;
553
554 $ilDB = $DIC['ilDB'];
555
556 $query = 'DELETE FROM rbac_templates ' .
557 'WHERE parent IN ( ' .
558 $GLOBALS['DIC']['tree']->getSubTreeQuery($a_ref_id, array('child')) . ' ) ' .
559 'AND rol_id = ' . $ilDB->quote($a_rol_id, 'integer');
560
561 $ilDB->manipulate($query);
562
563 $query = 'DELETE FROM rbac_fa ' .
564 'WHERE parent IN ( ' .
565 $GLOBALS['DIC']['tree']->getSubTreeQuery($a_ref_id, array('child')) . ' ) ' .
566 'AND rol_id = ' . $ilDB->quote($a_rol_id, 'integer');
567
568 $ilDB->manipulate($query);
569
570 return true;
571 }

References $DIC, $GLOBALS, $ilDB, and $query.

◆ deleteTemplate()

ilRbacAdmin::deleteTemplate($a_obj_id)

Deletes a template from the role folder and deletes all its entries in rbac_templates and rbac_fa. @access public

Parameters
integer: object_id of role template
Returns
boolean

Definition at line 145 of file class.ilRbacAdmin.php.

146 {
147 global $DIC;
148
149 $ilDB = $DIC['ilDB'];
150
151 if (!isset($a_obj_id)) {
152 $message = get_class($this) . "::deleteTemplate(): No obj_id given!";
153 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
154 }
155
156 $query = 'DELETE FROM rbac_templates ' .
157 'WHERE rol_id = ' . $ilDB->quote($a_obj_id, 'integer');
158 $res = $ilDB->manipulate($query);
159
160 $query = 'DELETE FROM rbac_fa ' .
161 'WHERE rol_id = ' . $ilDB->quote($a_obj_id, 'integer');
162 $res = $ilDB->manipulate($query);
163
164 return true;
165 }

References $DIC, $ilDB, $message, $query, and $res.

◆ grantPermission()

ilRbacAdmin::grantPermission($a_rol_id, $a_ops, $a_ref_id)

Grants a permission to an object and a specific role.

Update of table rbac_pa. @access public

Parameters
integer: object id of role
array: array of operation ids
integer: reference id of that object which is granted the permissions
Returns
boolean

Definition at line 370 of file class.ilRbacAdmin.php.

371 {
372 global $DIC;
373
374 $ilDB = $DIC['ilDB'];
375
376 if (!isset($a_rol_id) or !isset($a_ops) or !isset($a_ref_id)) {
377 $this->ilErr->raiseError(get_class($this) . "::grantPermission(): Missing parameter! " .
378 "role_id: " . $a_rol_id . " ref_id: " . $a_ref_id . " operations: ", $this->ilErr->WARNING);
379 }
380
381 if (!is_array($a_ops)) {
382 $this->ilErr->raiseError(
383 get_class($this) . "::grantPermission(): Wrong datatype for operations!",
384 $this->ilErr->WARNING
385 );
386 }
387
388 /*
389 if (count($a_ops) == 0)
390 {
391 return false;
392 }
393 */
394 // exclude system role from rbac
395 if ($a_rol_id == SYSTEM_ROLE_ID) {
396 return true;
397 }
398
399 // convert all values to integer
400 foreach ($a_ops as $key => $operation) {
401 $a_ops[$key] = (int) $operation;
402 }
403
404 // Serialize the ops_id array
405 $ops_ids = serialize($a_ops);
406
407 $query = 'DELETE FROM rbac_pa ' .
408 'WHERE rol_id = %s ' .
409 'AND ref_id = %s';
410 $res = $ilDB->queryF(
411 $query,
412 array('integer','integer'),
413 array($a_rol_id,$a_ref_id)
414 );
415
416 if (!count($a_ops)) {
417 return false;
418 }
419
420 $query = "INSERT INTO rbac_pa (rol_id,ops_id,ref_id) " .
421 "VALUES " .
422 "(" . $ilDB->quote($a_rol_id, 'integer') . "," . $ilDB->quote($ops_ids, 'text') . "," . $ilDB->quote($a_ref_id, 'integer') . ")";
423 $res = $ilDB->manipulate($query);
424
425 return true;
426 }

References $DIC, $ilDB, $query, and $res.

Referenced by adjustMovedObjectPermissions(), copyRolePermissions(), and initIntersectionPermissions().


◆ initIntersectionPermissions()

ilRbacAdmin::initIntersectionPermissions($a_ref_id, $a_role_id, $a_role_parent, $a_template_id, $a_template_parent)

Init intersection permissions.

@global type $rbacreview

Parameters
type $a_ref_id
type $a_role_id
type $a_role_parent
type $a_template_id
type $a_template_parent
Returns
type

Definition at line 1178 of file class.ilRbacAdmin.php.

1179 {
1180 global $DIC;
1181
1182 $rbacreview = $DIC['rbacreview'];
1183
1184 if ($rbacreview->isProtected($a_role_parent, $a_role_id)) {
1185 // Assign object permissions
1186 $new_ops = $rbacreview->getOperationsOfRole(
1187 $a_role_id,
1188 ilObject::_lookupType($a_ref_id, true),
1189 $a_role_parent
1190 );
1191
1192 // set new permissions for object
1193 $this->grantPermission(
1194 $a_role_id,
1195 (array) $new_ops,
1196 $a_ref_id
1197 );
1198 return;
1199 }
1200 if (!$a_template_id) {
1201 ilLoggerFactory::getLogger('ac')->info('No template id given. Aborting.');
1202 return;
1203 }
1204 // create template permission intersection
1205 $this->copyRolePermissionIntersection(
1206 $a_template_id,
1207 $a_template_parent,
1208 $a_role_id,
1209 $a_role_parent,
1210 $a_ref_id,
1211 $a_role_id
1212 );
1213
1214 // assign role to folder
1215 $this->assignRoleToFolder(
1216 $a_role_id,
1217 $a_ref_id,
1218 'n'
1219 );
1220
1221 // Assign object permissions
1222 $new_ops = $rbacreview->getOperationsOfRole(
1223 $a_role_id,
1224 ilObject::_lookupType($a_ref_id, true),
1225 $a_ref_id
1226 );
1227
1228 // revoke existing permissions
1229 $this->revokePermission($a_ref_id, $a_role_id);
1230
1231 // set new permissions for object
1232 $this->grantPermission(
1233 $a_role_id,
1234 (array) $new_ops,
1235 $a_ref_id
1236 );
1237
1238 return;
1239 }

References $DIC, ilObject\_lookupType(), assignRoleToFolder(), copyRolePermissionIntersection(), ilLoggerFactory\getLogger(), grantPermission(), and revokePermission().

Referenced by adjustMovedObjectPermissions().


◆ removeUser()

ilRbacAdmin::removeUser($a_usr_id)

Deletes a user from rbac_ua; all user <-> role relations are deleted. @access public

Parameters
int: user_id
Returns
boolean true on success

Definition at line 69 of file class.ilRbacAdmin.php.

70 {
71 global $DIC;
72
73 $ilDB = $DIC->database();
74 $review = $DIC->rbac()->review();
75
76 if (!isset($a_usr_id)) {
77 $message = get_class($this) . "::removeUser(): No usr_id given!";
78 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
79 }
80
81 foreach ($review->assignedRoles($a_usr_id) as $role_id) {
82 $this->deassignUser($role_id, $a_usr_id);
83 }
84
85 $query = "DELETE FROM rbac_ua WHERE usr_id = " . $ilDB->quote($a_usr_id, 'integer');
86 $res = $ilDB->manipulate($query);
87
88 return true;
89 }

References $DIC, $ilDB, $message, $query, $res, and deassignUser().


◆ revokePermission()

ilRbacAdmin::revokePermission($a_ref_id, $a_rol_id = 0, $a_keep_protected = true)

Revokes permissions of an object of one role.

Update of table rbac_pa. Revokes all permissions for all roles for that object (with this reference). When a role_id is given, this applies only to that role. @access public

Parameters
integer: reference id of object where permissions should be revoked
integer: role_id (optional: if you want to revoke permissions of object only for a specific role)
Returns
boolean

Definition at line 437 of file class.ilRbacAdmin.php.

438 {
439 global $DIC;
440
441 $rbacreview = $DIC['rbacreview'];
442 $log = $DIC['log'];
443 $ilDB = $DIC['ilDB'];
444 $ilLog = $DIC['ilLog'];
445
446 if (!isset($a_ref_id)) {
447 $ilLog->logStack();
448 $message = get_class($this) . "::revokePermission(): Missing parameter! ref_id: " . $a_ref_id;
449 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
450 }
451 #$log->write("ilRBACadmin::revokePermission(), 0");
452
453 // bypass protected status of roles
454 if ($a_keep_protected != true) {
455 // exclude system role from rbac
456 if ($a_rol_id == SYSTEM_ROLE_ID) {
457 return true;
458 }
459
460 if ($a_rol_id) {
461 $and1 = " AND rol_id = " . $ilDB->quote($a_rol_id, 'integer') . " ";
462 } else {
463 $and1 = "";
464 }
465
466 $query = "DELETE FROM rbac_pa " .
467 "WHERE ref_id = " . $ilDB->quote($a_ref_id, 'integer') .
468 $and1;
469
470 $res = $ilDB->manipulate($query);
471
472 return true;
473 }
474
475 // consider protected status of roles
476
477 // in any case, get all roles in scope first
478 $roles_in_scope = $rbacreview->getParentRoleIds($a_ref_id);
479
480 if (!$a_rol_id) {
481 #$log->write("ilRBACadmin::revokePermission(), 1");
482
483 $role_ids = array();
484
485 foreach ($roles_in_scope as $role) {
486 if ($role['protected'] == true) {
487 continue;
488 }
489
490 $role_ids[] = $role['obj_id'];
491 }
492
493 // return if no role in array
494 if (!$role_ids) {
495 return true;
496 }
497
498 $query = 'DELETE FROM rbac_pa ' .
499 'WHERE ' . $ilDB->in('rol_id', $role_ids, false, 'integer') . ' ' .
500 'AND ref_id = ' . $ilDB->quote($a_ref_id, 'integer');
501 $res = $ilDB->manipulate($query);
502 } else {
503 #$log->write("ilRBACadmin::revokePermission(), 2");
504 // exclude system role from rbac
505 if ($a_rol_id == SYSTEM_ROLE_ID) {
506 return true;
507 }
508
509 // exclude protected permission settings from revoking
510 if ($roles_in_scope[$a_rol_id]['protected'] == true) {
511 return true;
512 }
513
514 $query = "DELETE FROM rbac_pa " .
515 "WHERE ref_id = " . $ilDB->quote($a_ref_id, 'integer') . " " .
516 "AND rol_id = " . $ilDB->quote($a_rol_id, 'integer') . " ";
517 $res = $ilDB->manipulate($query);
518 }
519
520 return true;
521 }

References $DIC, $ilDB, $ilLog, $log, $message, $query, and $res.

Referenced by adjustMovedObjectPermissions(), copyRolePermissions(), and initIntersectionPermissions().
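
The grant and revoke branches listed above for grantPermission() and revokePermission(), modelled in memory as an added example (not ILIAS code and not part of the generated documentation). `RbacPaModel`, its methods, the ids and the `SYSTEM_ROLE_ID` value are assumptions, and `$rolesInScope` stands in for the result of `getParentRoleIds()` with an assumed shape.

```php
<?php
// Added illustration, not ILIAS code: an in-memory stand-in for rbac_pa that
// follows the branches of grantPermission() and revokePermission().
const SYSTEM_ROLE_ID = 2; // constructed value; ILIAS defines the real constant

final class RbacPaModel // hypothetical class
{
    /** @var array<int,array<int,string>> ref_id => rol_id => serialized ops_ids */
    public $rows = [];

    /** grantPermission(): drop the old row, then store the new list. */
    public function grant(int $rolId, array $ops, int $refId): bool
    {
        if ($rolId == SYSTEM_ROLE_ID) {
            return true;                       // system role is never stored
        }
        $ops = array_map('intval', $ops);
        unset($this->rows[$refId][$rolId]);    // earlier grants are discarded
        if (!count($ops)) {
            return false;                      // empty list leaves the row deleted
        }
        $this->rows[$refId][$rolId] = serialize($ops);
        return true;
    }

    /**
     * revokePermission(). $rolesInScope stands in for getParentRoleIds():
     * rol_id => ['obj_id' => int, 'protected' => bool] (shape assumed).
     * Returns the rol_ids whose rows were removed; the original returns true.
     */
    public function revoke(int $refId, array $rolesInScope, int $rolId = 0, bool $keepProtected = true): array
    {
        if ($rolId == SYSTEM_ROLE_ID) {
            return [];
        }
        $stored = array_keys($this->rows[$refId] ?? []);
        if (!$keepProtected) {
            $targets = $rolId ? [$rolId] : $stored;   // protection bypassed
        } elseif (!$rolId) {
            $targets = [];                            // every unprotected role in scope
            foreach ($rolesInScope as $role) {
                if (!$role['protected']) {
                    $targets[] = $role['obj_id'];
                }
            }
        } else {
            // as in the listing, a role absent from $rolesInScope is not treated as protected
            $targets = empty($rolesInScope[$rolId]['protected']) ? [$rolId] : [];
        }
        $removed = array_values(array_intersect($stored, $targets));
        foreach ($removed as $id) {
            unset($this->rows[$refId][$id]);
        }
        return $removed;
    }
}

// Constructed sample data: role 4 is unprotected, role 5 is protected, object ref_id 70.
$scope = [4 => ['obj_id' => 4, 'protected' => false], 5 => ['obj_id' => 5, 'protected' => true]];
$pa = new RbacPaModel();
$pa->grant(4, ['2', 3], 70);
$pa->grant(5, [2, 3, 4], 70);
$pa->grant(4, [3], 70);                       // replaces the first list for role 4
print_r(unserialize($pa->rows[70][4], ['allowed_classes' => false]));
print_r($pa->revoke(70, $scope));             // default call skips protected roles
print_r($pa->revoke(70, $scope, 5));          // protected role: nothing is removed
print_r($pa->revoke(70, $scope, 5, false));   // $a_keep_protected = false removes it
var_dump($pa->grant(4, [], 70));              // empty list: existing row deleted, nothing stored
```

Because revokePermission() returns true in every branch of the listing, a caller cannot tell from the return value whether any rbac_pa row was actually removed.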


◆ revokePermissionList()

ilRbacAdmin::revokePermissionList($a_ref_ids, $a_rol_id)

Revokes permissions of a LIST of objects of ONE role.

Update of table rbac_pa. @access public

Parameters
array: list of reference_ids to revoke permissions
integer: role_id
Returns
boolean

Definition at line 580 of file class.ilRbacAdmin.php.

581 {
582 global $DIC;
583
584 $ilDB = $DIC['ilDB'];
585
586 if (!isset($a_ref_ids) or !is_array($a_ref_ids)) {
587 $message = get_class($this) . "::revokePermissionList(): Missing parameter or parameter is not an array! reference_list: " . var_export($a_ref_ids, true);
588 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
589 }
590
591 if (!isset($a_rol_id)) {
592 $message = get_class($this) . "::revokePermissionList(): Missing parameter! rol_id: " . $a_rol_id;
593 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
594 }
595
596 // exclude system role from rbac
597 if ($a_rol_id == SYSTEM_ROLE_ID) {
598 return true;
599 }
600
601 $query = "DELETE FROM rbac_pa " .
602 "WHERE " . $ilDB->in('ref_id', $a_ref_ids, false, 'integer') . ' ' .
603 "AND rol_id = " . $ilDB->quote($a_rol_id, 'integer');
604 $res = $ilDB->manipulate($query);
605
606 return true;
607 }

References $DIC, $ilDB, $message, $query, and $res.

◆ revokeSubtreePermissions()

ilRbacAdmin::revokeSubtreePermissions($a_ref_id, $a_role_id)

Revoke subtree permissions.

Parameters
object $a_ref_id
object $a_role_id
Returns

Definition at line 529 of file class.ilRbacAdmin.php.

530 {
531 global $DIC;
532
533 $ilDB = $DIC['ilDB'];
534
535 $query = 'DELETE FROM rbac_pa ' .
536 'WHERE ref_id IN ' .
537 '( ' . $GLOBALS['DIC']['tree']->getSubTreeQuery($a_ref_id, array('child')) . ' ) ' .
538 'AND rol_id = ' . $ilDB->quote($a_role_id, 'integer');
539
540 $ilDB->manipulate($query);
541 return true;
542 }

References $DIC, $GLOBALS, $ilDB, and $query.

◆ setBlockedStatus()

ilRbacAdmin::setBlockedStatus($a_role_id, $a_ref_id, $a_blocked_status)

Set blocked status.

Parameters
type $a_role_id
type $a_ref_id
type $a_blocked_status

Definition at line 49 of file class.ilRbacAdmin.php.

50 {
51 global $DIC;
52
53 $ilDB = $DIC['ilDB'];
54
55 ilLoggerFactory::getLogger('crs')->logStack();
56 $query = 'UPDATE rbac_fa set blocked = ' . $ilDB->quote($a_blocked_status, 'integer') . ' ' .
57 'WHERE rol_id = ' . $ilDB->quote($a_role_id, 'integer') . ' ' .
58 'AND parent = ' . $ilDB->quote($a_ref_id, 'integer');
59 $ilDB->manipulate($query);
60 }

References $DIC, $ilDB, $query, and ilLoggerFactory\getLogger().


◆ setProtected()

ilRbacAdmin::setProtected($a_ref_id, $a_role_id, $a_value)

Set protected @global $ilDB.

Parameters
type $a_ref_id
type $a_role_id
type $a_value: y or n
Returns
boolean

Definition at line 1105 of file class.ilRbacAdmin.php.

1106 {
1107 global $DIC;
1108
1109 $ilDB = $DIC['ilDB'];
1110
1111 // ref_id not used yet. protected permission acts 'global' for each role,
1112 // regardless of any broken inheritance before
1113 $query = 'UPDATE rbac_fa ' .
1114 'SET protected = ' . $ilDB->quote($a_value, 'text') . ' ' .
1115 'WHERE rol_id = ' . $ilDB->quote($a_role_id, 'integer');
1116 $res = $ilDB->manipulate($query);
1117 return true;
1118 }

References $DIC, $ilDB, $query, and $res.

Referenced by copyRoleTemplatePermissions().


◆ setRolePermission()

ilRbacAdmin::setRolePermission($a_rol_id, $a_type, $a_ops, $a_ref_id)

Inserts template permissions in rbac_templates for a specific object type.

Update of table rbac_templates. @access public

Parameters
integer: role_id
string: object type
array: operation_ids
integer: ref_id of role folder object
Returns
boolean

Definition at line 935 of file class.ilRbacAdmin.php.

936 {
937 global $DIC;
938
939 $ilDB = $DIC['ilDB'];
940
941 if (!isset($a_rol_id) or !isset($a_type) or !isset($a_ops) or !isset($a_ref_id)) {
942 $message = get_class($this) . "::setRolePermission(): Missing parameter!" .
943 " role_id: " . $a_rol_id .
944 " type: " . $a_type .
945 " operations: " . $a_ops .
946 " ref_id: " . $a_ref_id;
947 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
948 }
949
950 if (!is_string($a_type) or empty($a_type)) {
951 $message = get_class($this) . "::setRolePermission(): a_type is no string or empty!";
952 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
953 }
954
955 if (!is_array($a_ops) or empty($a_ops)) {
956 $message = get_class($this) . "::setRolePermission(): a_ops is no array or empty!";
957 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
958 }
959
960 // exclude system role from rbac
961 if ($a_rol_id == SYSTEM_ROLE_ID) {
962 return true;
963 }
964
965 foreach ($a_ops as $op) {
966 $ilDB->replace(
967 'rbac_templates',
968 [
969 'rol_id' => ['integer', $a_rol_id],
970 'type' => ['text', $a_type],
971 'ops_id' => ['integer', $op],
972 'parent' => ['integer', $a_ref_id]
973 ],
974 []
975 );
976 }
977 return true;
978 }

References $a_type, $DIC, $ilDB, and $message.


The documentation for this class was generated from the following file: