ILIAS  release_7 Revision v7.30-3-g800a261c036
class.ilObjRole.php
Go to the documentation of this file.
1<?php
2
3/* Copyright (c) 1998-2010 ILIAS open source, Extended GPL, see docs/LICENSE */
4
5require_once "./Services/Object/classes/class.ilObject.php";
6require_once('./Services/Repository/classes/class.ilObjectPlugin.php');
7
16class ilObjRole extends ilObject
17{
18 const MODE_PROTECTED_DELETE_LOCAL_POLICIES = 1;
19 const MODE_PROTECTED_KEEP_LOCAL_POLICIES = 2;
20 const MODE_UNPROTECTED_DELETE_LOCAL_POLICIES = 3;
21 const MODE_UNPROTECTED_KEEP_LOCAL_POLICIES = 4;
22
23 public const MODE_ADD_OPERATIONS = 1;
24 public const MODE_READ_OPERATIONS = 2;
25 public const MODE_REMOVE_OPERATIONS = 3;
26
30 private $logger = null;
31
39 public $parent;
40
41 public $allow_register;
42 public $assign_users;
43
50 public function __construct($a_id = 0, $a_call_by_reference = false)
51 {
52 global $DIC;
53
54 $this->logger = $DIC->logger()->ac();
55 $this->type = "role";
56 parent::__construct($a_id, $a_call_by_reference);
57 }
58
67 public static function createDefaultRole($a_title, $a_description, $a_tpl_name, $a_ref_id)
68 {
69 global $DIC;
70
71 $ilDB = $DIC['ilDB'];
72
73 // SET PERMISSION TEMPLATE OF NEW LOCAL CONTRIBUTOR ROLE
74 $res = $ilDB->query("SELECT obj_id FROM object_data " .
75 " WHERE type=" . $ilDB->quote("rolt", "text") .
76 " AND title=" . $ilDB->quote($a_tpl_name, "text"));
77 while ($row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
78 $tpl_id = $row->obj_id;
79 }
80
81 if (!$tpl_id) {
82 return null;
83 }
84
85 include_once './Services/AccessControl/classes/class.ilObjRole.php';
86 $role = new ilObjRole();
87 $role->setTitle($a_title);
88 $role->setDescription($a_description);
89 $role->create();
90
91 $GLOBALS['DIC']['rbacadmin']->assignRoleToFolder($role->getId(), $a_ref_id, 'y');
92
93 $GLOBALS['DIC']['rbacadmin']->copyRoleTemplatePermissions(
94 $tpl_id,
95 ROLE_FOLDER_ID,
96 $a_ref_id,
97 $role->getId()
98 );
99
100 $ops = $GLOBALS['DIC']['rbacreview']->getOperationsOfRole(
101 $role->getId(),
102 ilObject::_lookupType($a_ref_id, true),
103 $a_ref_id
104 );
105 $GLOBALS['DIC']['rbacadmin']->grantPermission(
106 $role->getId(),
107 $ops,
108 $a_ref_id
109 );
110 return $role;
111 }
112
113
118 public function validate()
119 {
120 global $DIC;
121
122 $ilErr = $DIC['ilErr'];
123
124 if (substr($this->getTitle(), 0, 3) == 'il_') {
125 $ilErr->setMessage('msg_role_reserved_prefix');
126 return false;
127 }
128 return true;
129 }
130
135 public function getPresentationTitle() : string
136 {
137 $r = ilObjRole::_getTranslation($this->getTitle());
138
139 if ($r === $this->getUntranslatedTitle()) {
140 return $r;
141 }
142
143 return $r . ' (' . $this->getUntranslatedTitle() . ')';
144 }
145
146 public function toggleAssignUsersStatus($a_assign_users)
147 {
148 $this->assign_users = (int) $a_assign_users;
149 }
150 public function getAssignUsersStatus()
151 {
152 return $this->assign_users ? $this->assign_users : 0;
153 }
154 // Same method (static)
155 public static function _getAssignUsersStatus($a_role_id)
156 {
157 global $DIC;
158
159 $ilDB = $DIC['ilDB'];
160
161 $query = "SELECT assign_users FROM role_data WHERE role_id = " . $ilDB->quote($a_role_id, 'integer') . " ";
162 $res = $ilDB->query($query);
163 while ($row = $ilDB->fetchObject($res)) {
164 return $row->assign_users ? true : false;
165 }
166 return false;
167 }
168
173 public function read()
174 {
175 global $DIC;
176
177 $ilDB = $DIC['ilDB'];
178
179 $query = "SELECT * FROM role_data WHERE role_id= " . $ilDB->quote($this->id, 'integer') . " ";
180
181 $res = $ilDB->query($query);
182 if ($res->numRows() > 0) {
183 $data = $ilDB->fetchAssoc($res);
184
185 // fill member vars in one shot
186 $this->assignData($data);
187 } else {
188 $this->ilias->raiseError("<b>Error: There is no dataset with id " . $this->id . "!</b><br />class: " . get_class($this) . "<br />Script: " . __FILE__ . "<br />Line: " . __LINE__, $this->ilias->FATAL);
189 }
190
191 parent::read();
192 }
193
199 public function assignData($a_data)
200 {
201 $this->setTitle(ilUtil::stripSlashes($a_data["title"]));
202 $this->setDescription(ilUtil::stripslashes($a_data["desc"]));
203 $this->setAllowRegister($a_data["allow_register"]);
204 $this->toggleAssignUsersStatus($a_data['assign_users']);
205 }
206
211 public function update()
212 {
213 global $DIC;
214
215 $ilDB = $DIC['ilDB'];
216
217 $query = "UPDATE role_data SET " .
218 "allow_register= " . $ilDB->quote($this->allow_register, 'integer') . ", " .
219 "assign_users = " . $ilDB->quote($this->getAssignUsersStatus(), 'integer') . " " .
220 "WHERE role_id= " . $ilDB->quote($this->id, 'integer') . " ";
221 $res = $ilDB->manipulate($query);
222
223 parent::update();
224
225 $this->read();
226
227 return true;
228 }
229
237 public function create()
238 {
239 global $DIC;
240
241 $ilDB = $DIC['ilDB'];
242
243 $this->id = parent::create();
244
245 $query = "INSERT INTO role_data " .
246 "(role_id,allow_register,assign_users) " .
247 "VALUES " .
248 "(" . $ilDB->quote($this->id, 'integer') . "," .
249 $ilDB->quote($this->getAllowRegister(), 'integer') . "," .
250 $ilDB->quote($this->getAssignUsersStatus(), 'integer') . ")"
251 ;
252 $res = $ilDB->query($query);
253
254 return $this->id;
255 }
256
263 public function setAllowRegister($a_allow_register)
264 {
265 if (empty($a_allow_register)) {
266 $a_allow_register == 0;
267 }
268
269 $this->allow_register = (int) $a_allow_register;
270 }
271
278 public function getAllowRegister()
279 {
280 return $this->allow_register ? $this->allow_register : false;
281 }
282
289 public static function _lookupRegisterAllowed()
290 {
291 global $DIC;
292
293 $ilDB = $DIC['ilDB'];
294
295 $query = "SELECT * FROM role_data " .
296 "JOIN object_data ON object_data.obj_id = role_data.role_id " .
297 "WHERE allow_register = 1";
298 $res = $ilDB->query($query);
299
300 $roles = array();
301 while ($role = $ilDB->fetchAssoc($res)) {
302 $roles[] = array("id" => $role["obj_id"],
303 "title" => $role["title"],
304 "auth_mode" => $role['auth_mode']);
305 }
306
307 return $roles;
308 }
309
316 public static function _lookupAllowRegister($a_role_id)
317 {
318 global $DIC;
319
320 $ilDB = $DIC['ilDB'];
321
322 $query = "SELECT * FROM role_data " .
323 " WHERE role_id =" . $ilDB->quote($a_role_id, 'integer');
324
325 $res = $ilDB->query($query);
326 if ($role_rec = $ilDB->fetchAssoc($res)) {
327 if ($role_rec["allow_register"]) {
328 return true;
329 }
330 }
331 return false;
332 }
333
341 public function setParent($a_parent_ref)
342 {
343 $this->parent = $a_parent_ref;
344 }
345
352 public function getParent()
353 {
354 return $this->parent;
355 }
356
357
364 public function delete()
365 {
366 global $DIC;
367
368 $rbacadmin = $DIC['rbacadmin'];
369 $rbacreview = $DIC['rbacreview'];
370 $ilDB = $DIC['ilDB'];
371
372 // Temporary bugfix
373 if ($rbacreview->hasMultipleAssignments($this->getId())) {
374 ilLoggerFactory::getLogger('ac')->warning('Found role with multiple assignments: role_id: ' . $this->getId());
375 ilLoggerFactory::getLogger('ac')->warning('Aborted deletion of role.');
376 return false;
377 }
378
379 if ($rbacreview->isAssignable($this->getId(), $this->getParent())) {
380 ilLoggerFactory::getLogger('ac')->debug('Handling assignable role...');
381 // do not delete a global role, if the role is the last
382 // role a user is assigned to.
383 //
384 // Performance improvement: In the code section below, we
385 // only need to consider _global_ roles. We don't need
386 // to check for _local_ roles, because a user who has
387 // a local role _always_ has a global role too.
388 $last_role_user_ids = array();
389 if ($this->getParent() == ROLE_FOLDER_ID) {
390 ilLoggerFactory::getLogger('ac')->debug('Handling global role...');
391 // The role is a global role: check if
392 // we find users who aren't assigned to any
393 // other global role than this one.
394 $user_ids = $rbacreview->assignedUsers($this->getId());
395
396 foreach ($user_ids as $user_id) {
397 // get all roles each user has
398 $role_ids = $rbacreview->assignedRoles($user_id);
399
400 // is last role?
401 if (count($role_ids) == 1) {
402 $last_role_user_ids[] = $user_id;
403 }
404 }
405 }
406
407 // users with last role found?
408 if (count($last_role_user_ids) > 0) {
409 $user_names = array();
410 foreach ($last_role_user_ids as $user_id) {
411 // GET OBJECT TITLE
412 $user_names[] = ilObjUser::_lookupLogin($user_id);
413 }
414
415 // TODO: This check must be done in rolefolder object because if multiple
416 // roles were selected the other roles are still deleted and the system does not
417 // give any feedback about this.
418 $users = implode(', ', $user_names);
419 ilLoggerFactory::getLogger('ac')->info('Cannot delete last global role of users.');
420 $this->ilias->raiseError($this->lng->txt("msg_user_last_role1") . " " .
421 $users . "<br/>" . $this->lng->txt("msg_user_last_role2"), $this->ilias->error_obj->WARNING);
422 } else {
423 ilLoggerFactory::getLogger('ac')->debug('Starting deletion of assignable role: role_id: ' . $this->getId());
424 $rbacadmin->deleteRole($this->getId(), $this->getParent());
425
426 // Delete ldap role group mappings
427 include_once('./Services/LDAP/classes/class.ilLDAPRoleGroupMappingSettings.php');
428 ilLDAPRoleGroupMappingSettings::_deleteByRole($this->getId());
429
430 // delete object_data entry
431 parent::delete();
432
433 // delete role_data entry
434 $query = "DELETE FROM role_data WHERE role_id = " . $ilDB->quote($this->getId(), 'integer');
435 $res = $ilDB->manipulate($query);
436 }
437 } else {
438 ilLoggerFactory::getLogger('ac')->debug('Starting deletion of linked role: role_id ' . $this->getId());
439 // linked local role: INHERITANCE WAS STOPPED, SO DELETE ONLY THIS LOCAL ROLE
440 $rbacadmin->deleteLocalRole($this->getId(), $this->getParent());
441 }
442 return true;
443 }
444
445 public function getCountMembers()
446 {
447 global $DIC;
448
449 $rbacreview = $DIC['rbacreview'];
450
451 return count($rbacreview->assignedUsers($this->getId()));
452 }
453
454 public static function _getTranslation($a_role_title)
455 {
456 global $DIC;
457
458 $lng = $DIC['lng'];
459 $objDefinition = $DIC['objDefinition'];
460
461 $role_title = self::_removeObjectId($a_role_title);
462
463 if (preg_match("/^il_([a-z]{1,4})_./", $role_title, $type)) {
464 //BT ID 0032909: language variables for roles from plugins were not resolved properly
465 if ($objDefinition->isPlugin($type[1])) {
466 return ilObjectPlugin::lookupTxtById($type[1], $role_title);
467 }
468
469 return $lng->txt($role_title);
470 }
471
472 return $a_role_title;
473 }
474
475 public static function _removeObjectId($a_role_title)
476 {
477 $role_title_parts = explode('_', $a_role_title);
478
479 $test2 = (int) $role_title_parts[3];
480 if ($test2 > 0) {
481 unset($role_title_parts[3]);
482 }
483
484 return implode('_', $role_title_parts);
485 }
486
494 public static function getSubObjects($a_obj_type, $a_add_admin_objects)
495 {
496 global $DIC;
500 $objDefinition = $DIC['objDefinition'];
501 $lng = $DIC->language();
502 $subs = $objDefinition->getSubObjectsRecursively($a_obj_type, true, $a_add_admin_objects);
503
504 $filter = array();
505 $sorted = array();
506
507 if (!ilECSSetting::ecsConfigured()) {
508 $filter = array_merge($filter, ilECSUtils::getPossibleRemoteTypes(false));
509 $filter[] = 'rtst';
510 }
511
512 foreach ($subs as $subtype => $def) {
513 if (in_array($def["name"], $filter)) {
514 continue;
515 }
516
517 if ($objDefinition->isPlugin($subtype)) {
518 $translation = ilObjectPlugin::lookupTxtById($subtype, "obj_" . $subtype);
519 } elseif ($objDefinition->isSystemObject($subtype)) {
520 $translation = $lng->txt("obj_" . $subtype);
521 } else {
522 $translation = $lng->txt('objs_' . $subtype);
523 }
524
525 $sorted[$subtype] = $def;
526 $sorted[$subtype]['translation'] = $translation;
527 }
528
529 return ilUtil::sortArray($sorted, 'translation', 'asc', true, true);
530 }
531
532 public static function _updateAuthMode($a_roles)
533 {
534 global $DIC;
535
536 $ilDB = $DIC['ilDB'];
537
538 foreach ($a_roles as $role_id => $auth_mode) {
539 $query = "UPDATE role_data SET " .
540 "auth_mode= " . $ilDB->quote($auth_mode, 'text') . " " .
541 "WHERE role_id= " . $ilDB->quote($role_id, 'integer') . " ";
542 $res = $ilDB->manipulate($query);
543 }
544 }
545
546 public static function _getAuthMode($a_role_id)
547 {
548 global $DIC;
549
550 $ilDB = $DIC['ilDB'];
551
552 $query = "SELECT auth_mode FROM role_data " .
553 "WHERE role_id= " . $ilDB->quote($a_role_id, 'integer') . " ";
554 $res = $ilDB->query($query);
555 $row = $ilDB->fetchAssoc($res);
556
557 return $row['auth_mode'];
558 }
559
567 public static function _getRolesByAuthMode($a_auth_mode)
568 {
569 global $DIC;
570
571 $ilDB = $DIC['ilDB'];
572
573 $query = "SELECT * FROM role_data " .
574 "WHERE auth_mode = " . $ilDB->quote($a_auth_mode, 'text');
575 $res = $ilDB->query($query);
576 $roles = array();
577 while ($row = $ilDB->fetchObject($res)) {
578 $roles[] = $row->role_id;
579 }
580 return $roles;
581 }
582
591 public static function _resetAuthMode($a_auth_mode)
592 {
593 global $DIC;
594
595 $ilDB = $DIC['ilDB'];
596
597 $query = "UPDATE role_data SET auth_mode = 'default' WHERE auth_mode = " . $ilDB->quote($a_auth_mode, 'text');
598 $res = $ilDB->manipulate($query);
599 }
600
601 // returns array of operation/objecttype definitions
602 // private
603 public function __getPermissionDefinitions()
604 {
605 global $DIC;
606
607 $ilDB = $DIC['ilDB'];
608 $lng = $DIC['lng'];
609 $objDefinition = $DIC['objDefinition'];
610 $rbacreview = $DIC['rbacreview'];
611
612 $operation_info = $rbacreview->getOperationAssignment();
613 foreach ($operation_info as $info) {
614 if ($objDefinition->getDevMode($info['type'])) {
615 continue;
616 }
617 $rbac_objects[$info['typ_id']] = array("obj_id" => $info['typ_id'],
618 "type" => $info['type']);
619
620 // handle plugin permission texts
621 $txt = $objDefinition->isPlugin($info['type'])
622 ? ilObjectPlugin::lookupTxtById($info['type'], $info['type'] . "_" . $info['operation'])
623 : $lng->txt($info['type'] . "_" . $info['operation']);
624 if (substr($info['operation'], 0, 7) == "create_" &&
625 $objDefinition->isPlugin(substr($info['operation'], 7))) {
626 $txt = ilObjectPlugin::lookupTxtById(substr($info['operation'], 7), $info['type'] . "_" . $info['operation']);
627 }
628 $rbac_operations[$info['typ_id']][$info['ops_id']] = array(
629 "ops_id" => $info['ops_id'],
630 "title" => $info['operation'],
631 "name" => $txt);
632 }
633 return array($rbac_objects,$rbac_operations);
634 }
635
636
637 public static function isAutoGenerated($a_role_id)
638 {
639 return substr(ilObject::_lookupTitle($a_role_id), 0, 3) == 'il_';
640 }
641
649 public function changeExistingObjects($a_start_node, $a_mode, $a_filter, $a_exclusion_filter = array(),$a_operation_mode = self::MODE_READ_OPERATIONS, $a_operation_stack = [])
650 {
651 global $DIC;
652
653 $tree = $DIC->repositoryTree();
654 $rbacreview = $DIC->rbac()->review();
655
656 // Get node info of subtree
657 $nodes = $tree->getRbacSubtreeInfo($a_start_node);
658
659 // get local policies
660 $all_local_policies = $rbacreview->getObjectsWithStopedInheritance($this->getId());
661
662 // filter relevant roles
663 $local_policies = array();
664 foreach ($all_local_policies as $lp) {
665 if (isset($nodes[$lp])) {
666 $local_policies[] = $lp;
667 }
668 }
669
670 // Delete deprecated policies
671 switch ($a_mode) {
672 case self::MODE_UNPROTECTED_DELETE_LOCAL_POLICIES:
673 case self::MODE_PROTECTED_DELETE_LOCAL_POLICIES:
674 $local_policies = $this->deleteLocalPolicies($a_start_node, $local_policies, $a_filter);
675 break;
676 }
677 $this->adjustPermissions($a_mode, $nodes, $local_policies, $a_filter, $a_exclusion_filter, $a_operation_mode, $a_operation_stack);
678 }
679
685 protected function deleteLocalPolicies($a_start, $a_policies, $a_filter)
686 {
687 global $DIC;
688
689 $rbacreview = $DIC['rbacreview'];
690 $rbacadmin = $DIC['rbacadmin'];
691
692 $local_policies = array();
693 foreach ($a_policies as $policy) {
694 if ($policy == $a_start or $policy == SYSTEM_FOLDER_ID) {
695 $local_policies[] = $policy;
696 continue;
697 }
698 if (!in_array('all', $a_filter) and !in_array(ilObject::_lookupType(ilObject::_lookupObjId($policy)), $a_filter)) {
699 $local_policies[] = $policy;
700 continue;
701 }
702 $rbacadmin->deleteLocalRole($this->getId(), $policy);
703 }
704 return $local_policies;
705 }
706
715 protected function adjustPermissions($a_mode, $a_nodes, $a_policies, $a_filter, $a_exclusion_filter = array(), $a_operation_mode = self::MODE_READ_OPERATIONS, $a_operation_stack = [])
716 {
717 global $DIC;
718
719 $rbacadmin = $DIC['rbacadmin'];
720 $rbacreview = $DIC['rbacreview'];
721 $tree = $DIC['tree'];
722 $logger = $DIC->logger()->ac();
723
724 $operation_stack = array();
725 $policy_stack = array();
726 $node_stack = array();
727
728 $start_node = current($a_nodes);
729 array_push($node_stack, $start_node);
730 $this->updatePolicyStack($policy_stack, $start_node['child']);
731
732 if ($a_operation_mode == self::MODE_READ_OPERATIONS) {
733 $this->updateOperationStack($operation_stack, $start_node['child'], true);
734 }
735 else {
736 $operation_stack = $a_operation_stack;
737 }
738
739 $this->logger->debug('adjust permissions operation stack');
740 $this->logger->dump($operation_stack, ilLogLevel::DEBUG);
741
742 include_once "Services/AccessControl/classes/class.ilRbacLog.php";
743 $rbac_log_active = ilRbacLog::isActive();
744
745 $local_policy = false;
746 foreach ($a_nodes as $node) {
747 $cmp_node = end($node_stack);
748 while ($relation = $tree->getRelationOfNodes($node, $cmp_node)) {
749 switch ($relation) {
750 case ilTree::RELATION_NONE:
751 case ilTree::RELATION_SIBLING:
752 $logger->debug('Handling sibling/none relation.');
753 array_pop($operation_stack);
754 array_pop($policy_stack);
755 array_pop($node_stack);
756 $cmp_node = end($node_stack);
757 $local_policy = false;
758 break;
759
760 case ilTree::RELATION_CHILD:
761 case ilTree::RELATION_EQUALS:
762 case ilTree::RELATION_PARENT:
763 default:
764 $logger->debug('Handling child/equals/parent ' . $relation);
765 break 2;
766 }
767 }
768
769 if ($local_policy) {
770 continue;
771 }
772
773 // Start node => set permissions and continue
774 if ($node['child'] == $start_node['child']) {
775 if ($this->isHandledObjectType($a_filter, $a_exclusion_filter, $node['type'])) {
776 if ($rbac_log_active) {
777 $rbac_log_roles = $rbacreview->getParentRoleIds($node['child'], false);
778 $rbac_log_old = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
779 }
780
781 // Set permissions
782 $perms = end($operation_stack);
783 $this->changeExistingObjectsGrantPermissions(
784 $this->getId(),
785 (array) $perms[$node['type']],
786 $node['child'],
787 $a_operation_mode
788 );
789
790 if ($rbac_log_active) {
791 $rbac_log_new = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
792 $rbac_log = ilRbacLog::diffFaPa($rbac_log_old, $rbac_log_new);
793 ilRbacLog::add(ilRbacLog::EDIT_TEMPLATE_EXISTING, $node['child'], $rbac_log);
794 }
795 }
796 continue;
797 }
798
799 // Node has local policies => update permission stack and continue
800 if (in_array($node['child'], $a_policies) and ($node['child'] != SYSTEM_FOLDER_ID)) {
801 $local_policy = true;
802 $this->updatePolicyStack($policy_stack, $node['child']);
803 $this->updateOperationStack($operation_stack, $node['child']);
804 array_push($node_stack, $node);
805 continue;
806 }
807
808 // Continue if this object type is not in filter
809 if (!$this->isHandledObjectType($a_filter, $a_exclusion_filter, $node['type'])) {
810 continue;
811 }
812
813 if ($rbac_log_active) {
814 $rbac_log_roles = $rbacreview->getParentRoleIds($node['child'], false);
815 $rbac_log_old = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
816 }
817
818 // Node is course or group => create permission intersection
819 if (
820 ($a_mode == self::MODE_UNPROTECTED_DELETE_LOCAL_POLICIES || $a_mode == self::MODE_UNPROTECTED_KEEP_LOCAL_POLICIES) &&
821 ($node['type'] == 'crs' || $node['type'] == 'grp')
822 ) {
823 // Copy role permission intersection
824 $perms = end($operation_stack);
825 $this->createPermissionIntersection($policy_stack, $perms[$node['type']], $node['child'], $node['type']);
826 if ($this->updateOperationStack($operation_stack, $node['child'])) {
827 $this->updatePolicyStack($policy_stack, $node['child']);
828 array_push($node_stack, $node);
829 }
830 }
831
832 // Set permission
833 $perms = end($operation_stack);
834 $this->changeExistingObjectsGrantPermissions(
835 $this->getId(),
836 (array) $perms[$node['type']],
837 $node['child'],
838 $a_operation_mode
839 );
840 if ($rbac_log_active) {
841 $rbac_log_new = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
842 $rbac_log = ilRbacLog::diffFaPa($rbac_log_old, $rbac_log_new);
843 ilRbacLog::add(ilRbacLog::EDIT_TEMPLATE_EXISTING, $node['child'], $rbac_log);
844 }
845 }
846 }
847
854 protected function changeExistingObjectsGrantPermissions($a_role_id, $a_permissions, $a_ref_id, $a_operation_mode)
855 {
856 global $DIC;
857
858 $admin = $DIC->rbac()->admin();
859 $review = $DIC->rbac()->review();
860 if ($a_operation_mode == self::MODE_READ_OPERATIONS) {
861 $admin->grantPermission(
862 $a_role_id,
863 $a_permissions,
864 $a_ref_id
865 );
866 }
867 elseif ($a_operation_mode == self::MODE_ADD_OPERATIONS) {
868 $current_operations = $review->getRoleOperationsOnObject(
869 $a_role_id,
870 $a_ref_id
871 );
872 $this->logger->debug('Current operations');
873 $this->logger->dump($current_operations);
874
875 $new_ops = array_unique(array_merge($a_permissions, $current_operations));
876 $this->logger->debug('New operations');
877 $this->logger->dump($new_ops);
878
879 $admin->grantPermission(
880 $a_role_id,
881 $new_ops,
882 $a_ref_id
883 );
884 }
885 elseif ($a_operation_mode == self::MODE_REMOVE_OPERATIONS) {
886 $current_operations = $review->getRoleOperationsOnObject(
887 $a_role_id,
888 $a_ref_id
889 );
890 $this->logger->debug('Current operations');
891 $this->logger->dump($current_operations);
892
893 $new_ops = array_diff($current_operations, $a_permissions);
894
895 $admin->grantPermission(
896 $a_role_id,
897 $new_ops,
898 $a_ref_id
899 );
900 }
901 }
902
903
910 protected function isHandledObjectType($a_filter, $a_exclusion_filter, $a_type)
911 {
912 if (in_array($a_type, $a_exclusion_filter)) {
913 return false;
914 }
915
916 if (in_array('all', $a_filter)) {
917 return true;
918 }
919 return in_array($a_type, $a_filter);
920 }
921
928 protected function updateOperationStack(&$a_stack, $a_node, $a_init = false)
929 {
930 global $DIC;
931
932 $rbacreview = $DIC['rbacreview'];
933
934 $has_policies = null;
935 $policy_origin = null;
936
937 if ($a_node == ROOT_FOLDER_ID) {
938 $has_policies = true;
939 $policy_origin = ROLE_FOLDER_ID;
940 } else {
941 $has_policies = $rbacreview->getLocalPolicies($a_node);
942 $policy_origin = $a_node;
943
944 if ($a_init) {
945 $parent_roles = $rbacreview->getParentRoleIds($a_node, false);
946 if ($parent_roles[$this->getId()]) {
947 $a_stack[] = $rbacreview->getAllOperationsOfRole(
948 $this->getId(),
949 $parent_roles[$this->getId()]['parent']
950 );
951 }
952 return true;
953 }
954 }
955
956 if (!$has_policies) {
957 return false;
958 }
959
960 $a_stack[] = $rbacreview->getAllOperationsOfRole(
961 $this->getId(),
962 $policy_origin
963 );
964 return true;
965 }
966
972 protected function updatePolicyStack(&$a_stack, $a_node)
973 {
974 global $DIC;
975
976 $rbacreview = $DIC['rbacreview'];
977
978 $has_policies = null;
979 $policy_origin = null;
980
981 if ($a_node == ROOT_FOLDER_ID) {
982 $has_policies = true;
983 $policy_origin = ROLE_FOLDER_ID;
984 } else {
985 $has_policies = $rbacreview->getLocalPolicies($a_node);
986 $policy_origin = $a_node;
987 }
988
989 if (!$has_policies) {
990 return false;
991 }
992
993 $a_stack[] = $policy_origin;
994 return true;
995 }
996
1004 protected function createPermissionIntersection($policy_stack, $a_current_ops, $a_id, $a_type)
1005 {
1006 global $DIC;
1007
1008 $ilDB = $DIC['ilDB'];
1009 $rbacreview = $DIC['rbacreview'];
1010 $rbacadmin = $DIC['rbacadmin'];
1011
1012 static $course_non_member_id = null;
1013 static $group_non_member_id = null;
1014 static $group_open_id = null;
1015 static $group_closed_id = null;
1016
1017 // Get template id
1018 switch ($a_type) {
1019 case 'grp':
1020
1021 include_once './Modules/Group/classes/class.ilObjGroup.php';
1022 $type = ilObjGroup::lookupGroupTye(ilObject::_lookupObjId($a_id));
1023 #var_dump("GROUP TYPE",$type);
1024 switch ($type) {
1025 case GRP_TYPE_CLOSED:
1026 if (!$group_closed_id) {
1027 $query = "SELECT obj_id FROM object_data WHERE type='rolt' AND title='il_grp_status_closed'";
1028 $res = $ilDB->query($query);
1029 while ($row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
1030 $group_closed_id = $row->obj_id;
1031 }
1032 }
1033 $template_id = $group_closed_id;
1034 #var_dump("GROUP CLOSED id:" . $template_id);
1035 break;
1036
1037 case GRP_TYPE_OPEN:
1038 default:
1039 if (!$group_open_id) {
1040 $query = "SELECT obj_id FROM object_data WHERE type='rolt' AND title='il_grp_status_open'";
1041 $res = $ilDB->query($query);
1042 while ($row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
1043 $group_open_id = $row->obj_id;
1044 }
1045 }
1046 $template_id = $group_open_id;
1047 #var_dump("GROUP OPEN id:" . $template_id);
1048 break;
1049 }
1050 break;
1051
1052 case 'crs':
1053 if (!$course_non_member_id) {
1054 $query = "SELECT obj_id FROM object_data WHERE type='rolt' AND title='il_crs_non_member'";
1055 $res = $ilDB->query($query);
1056 while ($row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
1057 $course_non_member_id = $row->obj_id;
1058 }
1059 }
1060 $template_id = $course_non_member_id;
1061 break;
1062 }
1063
1064 $current_ops = $a_current_ops[$a_type];
1065
1066 // Create intersection template permissions
1067 if ($template_id) {
1068 //$rolf = $rbacreview->getRoleFolderIdOfObject($a_id);
1069
1070 $rbacadmin->copyRolePermissionIntersection(
1071 $template_id,
1072 ROLE_FOLDER_ID,
1073 $this->getId(),
1074 end($policy_stack),
1075 $a_id,
1076 $this->getId()
1077 );
1078 } else {
1079 #echo "No template id for ".$a_id.' of type'.$a_type.'<br>';
1080 }
1081 #echo "ROLE ASSIGN: ".$rolf.' AID'.$a_id;
1082 if ($a_id and !$GLOBALS['DIC']['rbacreview']->isRoleAssignedToObject($this->getId(), $a_id)) {
1083 $rbacadmin->assignRoleToFolder($this->getId(), $a_id, "n");
1084 }
1085 return true;
1086 }
1087} // END class.ilObjRole
$GLOBALS
if(!defined('PATH_SEPARATOR')) $GLOBALS['_PEAR_default_error_mode']
Definition: PEAR.php:64
php
An exception for terminatinating execution or to throw for unit testing.
true
return true
Flag indicating whether or not HTTP headers will be sent when outputting captcha image/audio.
Definition: class.ilIniFile.php:168
GRP_TYPE_OPEN
const GRP_TYPE_OPEN
Definition: class.ilObjGroup.php:20
GRP_TYPE_CLOSED
const GRP_TYPE_CLOSED
Definition: class.ilObjGroup.php:19
ilECSSetting\ecsConfigured
static ecsConfigured()
Checks if an ecs server is configured.
Definition: class.ilECSSetting.php:131
ilECSUtils\getPossibleRemoteTypes
static getPossibleRemoteTypes($a_with_captions=false)
Get all possible remote object types.
Definition: class.ilECSUtils.php:102
ilLoggerFactory\getLogger
static getLogger($a_component_id)
Get component logger.
Definition: class.ilLoggerFactory.php:74
ilObjGroup\lookupGroupTye
static lookupGroupTye($a_id)
Lookup group type.
Definition: class.ilObjGroup.php:155
ilObjRole
Class ilObjRole.
Definition: class.ilObjRole.php:17
ilObjRole\setAllowRegister
setAllowRegister($a_allow_register)
set allow_register of role
Definition: class.ilObjRole.php:263
ilObjRole\MODE_UNPROTECTED_KEEP_LOCAL_POLICIES
const MODE_UNPROTECTED_KEEP_LOCAL_POLICIES
Definition: class.ilObjRole.php:21
ilObjRole\MODE_PROTECTED_DELETE_LOCAL_POLICIES
const MODE_PROTECTED_DELETE_LOCAL_POLICIES
Definition: class.ilObjRole.php:18
ilObjRole\createPermissionIntersection
createPermissionIntersection($policy_stack, $a_current_ops, $a_id, $a_type)
Create course group permission intersection.
Definition: class.ilObjRole.php:1004
ilObjRole\MODE_UNPROTECTED_DELETE_LOCAL_POLICIES
const MODE_UNPROTECTED_DELETE_LOCAL_POLICIES
Definition: class.ilObjRole.php:20
ilObjRole\changeExistingObjectsGrantPermissions
changeExistingObjectsGrantPermissions($a_role_id, $a_permissions, $a_ref_id, $a_operation_mode)
Definition: class.ilObjRole.php:854
ilObjRole\__getPermissionDefinitions
__getPermissionDefinitions()
Definition: class.ilObjRole.php:603
ilObjRole\create
create()
create
Definition: class.ilObjRole.php:237
ilObjRole\updatePolicyStack
updatePolicyStack(&$a_stack, $a_node)
Update policy stack.
Definition: class.ilObjRole.php:972
ilObjRole\_getRolesByAuthMode
static _getRolesByAuthMode($a_auth_mode)
Get roles by auth mode.
Definition: class.ilObjRole.php:567
ilObjRole\_lookupAllowRegister
static _lookupAllowRegister($a_role_id)
check whether role is allowed in user registration or not
Definition: class.ilObjRole.php:316
ilObjRole\isHandledObjectType
isHandledObjectType($a_filter, $a_exclusion_filter, $a_type)
Check if type is filterer.
Definition: class.ilObjRole.php:910
ilObjRole\setParent
setParent($a_parent_ref)
set reference id of parent object this is neccessary for non RBAC protected objects!...
Definition: class.ilObjRole.php:341
ilObjRole\_getAuthMode
static _getAuthMode($a_role_id)
Definition: class.ilObjRole.php:546
ilObjRole\getAllowRegister
getAllowRegister()
get allow_register
Definition: class.ilObjRole.php:278
ilObjRole\MODE_REMOVE_OPERATIONS
const MODE_REMOVE_OPERATIONS
Definition: class.ilObjRole.php:25
ilObjRole\deleteLocalPolicies
deleteLocalPolicies($a_start, $a_policies, $a_filter)
Delete local policies.
Definition: class.ilObjRole.php:685
ilObjRole\_getTranslation
static _getTranslation($a_role_title)
Definition: class.ilObjRole.php:454
ilObjRole\updateOperationStack
updateOperationStack(&$a_stack, $a_node, $a_init=false)
Update operation stack.
Definition: class.ilObjRole.php:928
ilObjRole\update
update()
updates a record "role" and write it into database @access public
Definition: class.ilObjRole.php:211
ilObjRole\MODE_PROTECTED_KEEP_LOCAL_POLICIES
const MODE_PROTECTED_KEEP_LOCAL_POLICIES
Definition: class.ilObjRole.php:19
ilObjRole\adjustPermissions
adjustPermissions($a_mode, $a_nodes, $a_policies, $a_filter, $a_exclusion_filter=array(), $a_operation_mode=self::MODE_READ_OPERATIONS, $a_operation_stack=[])
Adjust permissions.
Definition: class.ilObjRole.php:715
ilObjRole\_removeObjectId
static _removeObjectId($a_role_title)
Definition: class.ilObjRole.php:475
ilObjRole\read
read()
loads "role" from database @access private
Definition: class.ilObjRole.php:173
ilObjRole\isAutoGenerated
static isAutoGenerated($a_role_id)
Definition: class.ilObjRole.php:637
ilObjRole\toggleAssignUsersStatus
toggleAssignUsersStatus($a_assign_users)
Definition: class.ilObjRole.php:146
ilObjRole\_resetAuthMode
static _resetAuthMode($a_auth_mode)
Reset auth mode to default.
Definition: class.ilObjRole.php:591
ilObjRole\_getAssignUsersStatus
static _getAssignUsersStatus($a_role_id)
Definition: class.ilObjRole.php:155
ilObjRole\_lookupRegisterAllowed
static _lookupRegisterAllowed()
get all roles that are activated in user registration
Definition: class.ilObjRole.php:289
ilObjRole\MODE_ADD_OPERATIONS
const MODE_ADD_OPERATIONS
Definition: class.ilObjRole.php:23
ilObjRole\getPresentationTitle
getPresentationTitle()
For autogenerated roles this returns 'Translated Title (untranslated title)'.
Definition: class.ilObjRole.php:135
ilObjRole\_updateAuthMode
static _updateAuthMode($a_roles)
Definition: class.ilObjRole.php:532
ilObjRole\validate
validate()
Validate role data.
Definition: class.ilObjRole.php:118
ilObjRole\MODE_READ_OPERATIONS
const MODE_READ_OPERATIONS
Definition: class.ilObjRole.php:24
ilObjRole\__construct
__construct($a_id=0, $a_call_by_reference=false)
Constructor @access public.
Definition: class.ilObjRole.php:50
ilObjRole\assignData
assignData($a_data)
loads a record "role" from array @access public
Definition: class.ilObjRole.php:199
ilObjRole\getParent
getParent()
get reference id of parent object
Definition: class.ilObjRole.php:352
ilObjRole\createDefaultRole
static createDefaultRole($a_title, $a_description, $a_tpl_name, $a_ref_id)
Definition: class.ilObjRole.php:67
ilObjRole\changeExistingObjects
changeExistingObjects($a_start_node, $a_mode, $a_filter, $a_exclusion_filter=array(), $a_operation_mode=self::MODE_READ_OPERATIONS, $a_operation_stack=[])
Change existing objects.
Definition: class.ilObjRole.php:649
ilObjUser\_lookupLogin
static _lookupLogin($a_user_id)
lookup login
Definition: class.ilObjUser.php:816
ilObjectPlugin\lookupTxtById
static lookupTxtById($plugin_id, $lang_var)
Definition: class.ilObjectPlugin.php:99
ilObject
Class ilObject Basic functions for all objects.
Definition: class.ilObject.php:14
ilObject\_lookupObjId
static _lookupObjId($a_id)
Definition: class.ilObject.php:1110
ilObject\_lookupTitle
static _lookupTitle($a_id)
lookup object title
Definition: class.ilObject.php:991
ilObject\setTitle
setTitle($a_title)
set object title
Definition: class.ilObject.php:417
ilObject\setDescription
setDescription($a_desc)
set object description
Definition: class.ilObject.php:442
ilObject\getId
getId()
get object id @access public
Definition: class.ilObject.php:319
ilObject\getUntranslatedTitle
getUntranslatedTitle()
get untranslated object title @access public
Definition: class.ilObject.php:405
ilObject\_lookupType
static _lookupType($a_id, $a_reference=false)
lookup object type
Definition: class.ilObject.php:1281
ilObject\getTitle
getTitle()
get object title @access public
Definition: class.ilObject.php:395
ilRbacLog\diffFaPa
static diffFaPa(array $a_old, array $a_new)
Definition: class.ilRbacLog.php:69
ilRbacLog\add
static add($a_action, $a_ref_id, array $a_diff, $a_source_ref_id=false)
Definition: class.ilRbacLog.php:137
ilRbacLog\EDIT_TEMPLATE_EXISTING
const EDIT_TEMPLATE_EXISTING
Definition: class.ilRbacLog.php:22
ilRbacLog\gatherFaPa
static gatherFaPa($a_ref_id, array $a_role_ids, $a_add_action=false)
Definition: class.ilRbacLog.php:35
ilRbacLog\isActive
static isActive()
Definition: class.ilRbacLog.php:25
ilTree\RELATION_EQUALS
const RELATION_EQUALS
Definition: class.ilTree.php:36
ilTree\RELATION_PARENT
const RELATION_PARENT
Definition: class.ilTree.php:34
ilTree\RELATION_NONE
const RELATION_NONE
Definition: class.ilTree.php:37
ilTree\RELATION_SIBLING
const RELATION_SIBLING
Definition: class.ilTree.php:35
ilTree\RELATION_CHILD
const RELATION_CHILD
Definition: class.ilTree.php:33
ilUtil\sortArray
static sortArray( $array, $a_array_sortby, $a_array_sortorder=0, $a_numeric=false, $a_keep_keys=false)
sortArray
Definition: class.ilUtil.php:3058
ilUtil\stripSlashes
static stripSlashes($a_str, $a_strip_html=true, $a_allow="")
strip slashes if magic qoutes is enabled
Definition: class.ilUtil.php:2406
SYSTEM_FOLDER_ID
const SYSTEM_FOLDER_ID
Definition: constants.php:33
ROLE_FOLDER_ID
const ROLE_FOLDER_ID
Definition: constants.php:32
ROOT_FOLDER_ID
const ROOT_FOLDER_ID
Definition: constants.php:30
$txt
$txt
Definition: error.php:13
$DIC
global $DIC
Definition: goto.php:24
ILIAS\GlobalScreen\Provider\__construct
__construct(Container $dic, ilPlugin $plugin)
@inheritDoc
Definition: PluginProviderHelper.php:40
ilias
redirection script todo: (a better solution should control the processing via a xml file)
$query
$query
Definition: proxy_ylocal.php:13
$ilErr
$ilErr
Definition: raiseError.php:18
$res
foreach($_POST as $key=> $value) $res
Definition: save_question_post_data.php:15
$ilDB
global $ilDB
Definition: storeScorm2004.php:19
$data
$data
Definition: storeScorm.php:23