ILIAS  release_7 Revision v7.30-3-g800a261c036
All Data Structures Namespaces Files Functions Variables Modules Pages
class.ilObjRole.php
Go to the documentation of this file.
1 <?php
2 
3 /* Copyright (c) 1998-2010 ILIAS open source, Extended GPL, see docs/LICENSE */
4 
5 require_once "./Services/Object/classes/class.ilObject.php";
6 require_once('./Services/Repository/classes/class.ilObjectPlugin.php');
7 
16 class ilObjRole extends ilObject
17 {
18  const MODE_PROTECTED_DELETE_LOCAL_POLICIES = 1;
19  const MODE_PROTECTED_KEEP_LOCAL_POLICIES = 2;
20  const MODE_UNPROTECTED_DELETE_LOCAL_POLICIES = 3;
21  const MODE_UNPROTECTED_KEEP_LOCAL_POLICIES = 4;
22 
23  public const MODE_ADD_OPERATIONS = 1;
24  public const MODE_READ_OPERATIONS = 2;
25  public const MODE_REMOVE_OPERATIONS = 3;
26 
30  private $logger = null;
31 
39  public $parent;
40 
41  public $allow_register;
42  public $assign_users;
43 
50  public function __construct($a_id = 0, $a_call_by_reference = false)
51  {
52  global $DIC;
53 
54  $this->logger = $DIC->logger()->ac();
55  $this->type = "role";
56  parent::__construct($a_id, $a_call_by_reference);
57  }
58 
67  public static function createDefaultRole($a_title, $a_description, $a_tpl_name, $a_ref_id)
68  {
69  global $DIC;
70 
71  $ilDB = $DIC['ilDB'];
72 
73  // SET PERMISSION TEMPLATE OF NEW LOCAL CONTRIBUTOR ROLE
74  $res = $ilDB->query("SELECT obj_id FROM object_data " .
75  " WHERE type=" . $ilDB->quote("rolt", "text") .
76  " AND title=" . $ilDB->quote($a_tpl_name, "text"));
77  while ($row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
78  $tpl_id = $row->obj_id;
79  }
80 
81  if (!$tpl_id) {
82  return null;
83  }
84 
85  include_once './Services/AccessControl/classes/class.ilObjRole.php';
86  $role = new ilObjRole();
87  $role->setTitle($a_title);
88  $role->setDescription($a_description);
89  $role->create();
90 
91  $GLOBALS['DIC']['rbacadmin']->assignRoleToFolder($role->getId(), $a_ref_id, 'y');
92 
93  $GLOBALS['DIC']['rbacadmin']->copyRoleTemplatePermissions(
94  $tpl_id,
95  ROLE_FOLDER_ID,
96  $a_ref_id,
97  $role->getId()
98  );
99 
100  $ops = $GLOBALS['DIC']['rbacreview']->getOperationsOfRole(
101  $role->getId(),
102  ilObject::_lookupType($a_ref_id, true),
103  $a_ref_id
104  );
105  $GLOBALS['DIC']['rbacadmin']->grantPermission(
106  $role->getId(),
107  $ops,
108  $a_ref_id
109  );
110  return $role;
111  }
112 
113 
118  public function validate()
119  {
120  global $DIC;
121 
122  $ilErr = $DIC['ilErr'];
123 
124  if (substr($this->getTitle(), 0, 3) == 'il_') {
125  $ilErr->setMessage('msg_role_reserved_prefix');
126  return false;
127  }
128  return true;
129  }
130 
135  public function getPresentationTitle() : string
136  {
137  $r = ilObjRole::_getTranslation($this->getTitle());
138 
139  if ($r === $this->getUntranslatedTitle()) {
140  return $r;
141  }
142 
143  return $r . ' (' . $this->getUntranslatedTitle() . ')';
144  }
145 
146  public function toggleAssignUsersStatus($a_assign_users)
147  {
148  $this->assign_users = (int) $a_assign_users;
149  }
150  public function getAssignUsersStatus()
151  {
152  return $this->assign_users ? $this->assign_users : 0;
153  }
154  // Same method (static)
155  public static function _getAssignUsersStatus($a_role_id)
156  {
157  global $DIC;
158 
159  $ilDB = $DIC['ilDB'];
160 
161  $query = "SELECT assign_users FROM role_data WHERE role_id = " . $ilDB->quote($a_role_id, 'integer') . " ";
162  $res = $ilDB->query($query);
163  while ($row = $ilDB->fetchObject($res)) {
164  return $row->assign_users ? true : false;
165  }
166  return false;
167  }
168 
173  public function read()
174  {
175  global $DIC;
176 
177  $ilDB = $DIC['ilDB'];
178 
179  $query = "SELECT * FROM role_data WHERE role_id= " . $ilDB->quote($this->id, 'integer') . " ";
180 
181  $res = $ilDB->query($query);
182  if ($res->numRows() > 0) {
183  $data = $ilDB->fetchAssoc($res);
184 
185  // fill member vars in one shot
186  $this->assignData($data);
187  } else {
188  $this->ilias->raiseError("<b>Error: There is no dataset with id " . $this->id . "!</b><br />class: " . get_class($this) . "<br />Script: " . __FILE__ . "<br />Line: " . __LINE__, $this->ilias->FATAL);
189  }
190 
191  parent::read();
192  }
193 
199  public function assignData($a_data)
200  {
201  $this->setTitle(ilUtil::stripSlashes($a_data["title"]));
202  $this->setDescription(ilUtil::stripslashes($a_data["desc"]));
203  $this->setAllowRegister($a_data["allow_register"]);
204  $this->toggleAssignUsersStatus($a_data['assign_users']);
205  }
206 
211  public function update()
212  {
213  global $DIC;
214 
215  $ilDB = $DIC['ilDB'];
216 
217  $query = "UPDATE role_data SET " .
218  "allow_register= " . $ilDB->quote($this->allow_register, 'integer') . ", " .
219  "assign_users = " . $ilDB->quote($this->getAssignUsersStatus(), 'integer') . " " .
220  "WHERE role_id= " . $ilDB->quote($this->id, 'integer') . " ";
221  $res = $ilDB->manipulate($query);
222 
223  parent::update();
224 
225  $this->read();
226 
227  return true;
228  }
229 
237  public function create()
238  {
239  global $DIC;
240 
241  $ilDB = $DIC['ilDB'];
242 
243  $this->id = parent::create();
244 
245  $query = "INSERT INTO role_data " .
246  "(role_id,allow_register,assign_users) " .
247  "VALUES " .
248  "(" . $ilDB->quote($this->id, 'integer') . "," .
249  $ilDB->quote($this->getAllowRegister(), 'integer') . "," .
250  $ilDB->quote($this->getAssignUsersStatus(), 'integer') . ")"
251  ;
252  $res = $ilDB->query($query);
253 
254  return $this->id;
255  }
256 
263  public function setAllowRegister($a_allow_register)
264  {
265  if (empty($a_allow_register)) {
266  $a_allow_register == 0;
267  }
268 
269  $this->allow_register = (int) $a_allow_register;
270  }
271 
278  public function getAllowRegister()
279  {
280  return $this->allow_register ? $this->allow_register : false;
281  }
282 
289  public static function _lookupRegisterAllowed()
290  {
291  global $DIC;
292 
293  $ilDB = $DIC['ilDB'];
294 
295  $query = "SELECT * FROM role_data " .
296  "JOIN object_data ON object_data.obj_id = role_data.role_id " .
297  "WHERE allow_register = 1";
298  $res = $ilDB->query($query);
299 
300  $roles = array();
301  while ($role = $ilDB->fetchAssoc($res)) {
302  $roles[] = array("id" => $role["obj_id"],
303  "title" => $role["title"],
304  "auth_mode" => $role['auth_mode']);
305  }
306 
307  return $roles;
308  }
309 
316  public static function _lookupAllowRegister($a_role_id)
317  {
318  global $DIC;
319 
320  $ilDB = $DIC['ilDB'];
321 
322  $query = "SELECT * FROM role_data " .
323  " WHERE role_id =" . $ilDB->quote($a_role_id, 'integer');
324 
325  $res = $ilDB->query($query);
326  if ($role_rec = $ilDB->fetchAssoc($res)) {
327  if ($role_rec["allow_register"]) {
328  return true;
329  }
330  }
331  return false;
332  }
333 
341  public function setParent($a_parent_ref)
342  {
343  $this->parent = $a_parent_ref;
344  }
345 
352  public function getParent()
353  {
354  return $this->parent;
355  }
356 
357 
364  public function delete()
365  {
366  global $DIC;
367 
368  $rbacadmin = $DIC['rbacadmin'];
369  $rbacreview = $DIC['rbacreview'];
370  $ilDB = $DIC['ilDB'];
371 
372  // Temporary bugfix
373  if ($rbacreview->hasMultipleAssignments($this->getId())) {
374  ilLoggerFactory::getLogger('ac')->warning('Found role with multiple assignments: role_id: ' . $this->getId());
375  ilLoggerFactory::getLogger('ac')->warning('Aborted deletion of role.');
376  return false;
377  }
378 
379  if ($rbacreview->isAssignable($this->getId(), $this->getParent())) {
380  ilLoggerFactory::getLogger('ac')->debug('Handling assignable role...');
381  // do not delete a global role, if the role is the last
382  // role a user is assigned to.
383  //
384  // Performance improvement: In the code section below, we
385  // only need to consider _global_ roles. We don't need
386  // to check for _local_ roles, because a user who has
387  // a local role _always_ has a global role too.
388  $last_role_user_ids = array();
389  if ($this->getParent() == ROLE_FOLDER_ID) {
390  ilLoggerFactory::getLogger('ac')->debug('Handling global role...');
391  // The role is a global role: check if
392  // we find users who aren't assigned to any
393  // other global role than this one.
394  $user_ids = $rbacreview->assignedUsers($this->getId());
395 
396  foreach ($user_ids as $user_id) {
397  // get all roles each user has
398  $role_ids = $rbacreview->assignedRoles($user_id);
399 
400  // is last role?
401  if (count($role_ids) == 1) {
402  $last_role_user_ids[] = $user_id;
403  }
404  }
405  }
406 
407  // users with last role found?
408  if (count($last_role_user_ids) > 0) {
409  $user_names = array();
410  foreach ($last_role_user_ids as $user_id) {
411  // GET OBJECT TITLE
412  $user_names[] = ilObjUser::_lookupLogin($user_id);
413  }
414 
415  // TODO: This check must be done in rolefolder object because if multiple
416  // roles were selected the other roles are still deleted and the system does not
417  // give any feedback about this.
418  $users = implode(', ', $user_names);
419  ilLoggerFactory::getLogger('ac')->info('Cannot delete last global role of users.');
420  $this->ilias->raiseError($this->lng->txt("msg_user_last_role1") . " " .
421  $users . "<br/>" . $this->lng->txt("msg_user_last_role2"), $this->ilias->error_obj->WARNING);
422  } else {
423  ilLoggerFactory::getLogger('ac')->debug('Starting deletion of assignable role: role_id: ' . $this->getId());
424  $rbacadmin->deleteRole($this->getId(), $this->getParent());
425 
426  // Delete ldap role group mappings
427  include_once('./Services/LDAP/classes/class.ilLDAPRoleGroupMappingSettings.php');
428  ilLDAPRoleGroupMappingSettings::_deleteByRole($this->getId());
429 
430  // delete object_data entry
431  parent::delete();
432 
433  // delete role_data entry
434  $query = "DELETE FROM role_data WHERE role_id = " . $ilDB->quote($this->getId(), 'integer');
435  $res = $ilDB->manipulate($query);
436  }
437  } else {
438  ilLoggerFactory::getLogger('ac')->debug('Starting deletion of linked role: role_id ' . $this->getId());
439  // linked local role: INHERITANCE WAS STOPPED, SO DELETE ONLY THIS LOCAL ROLE
440  $rbacadmin->deleteLocalRole($this->getId(), $this->getParent());
441  }
442  return true;
443  }
444 
445  public function getCountMembers()
446  {
447  global $DIC;
448 
449  $rbacreview = $DIC['rbacreview'];
450 
451  return count($rbacreview->assignedUsers($this->getId()));
452  }
453 
454  public static function _getTranslation($a_role_title)
455  {
456  global $DIC;
457 
458  $lng = $DIC['lng'];
459  $objDefinition = $DIC['objDefinition'];
460 
461  $role_title = self::_removeObjectId($a_role_title);
462 
463  if (preg_match("/^il_([a-z]{1,4})_./", $role_title, $type)) {
464  //BT ID 0032909: language variables for roles from plugins were not resolved properly
465  if ($objDefinition->isPlugin($type[1])) {
466  return ilObjectPlugin::lookupTxtById($type[1], $role_title);
467  }
468 
469  return $lng->txt($role_title);
470  }
471 
472  return $a_role_title;
473  }
474 
475  public static function _removeObjectId($a_role_title)
476  {
477  $role_title_parts = explode('_', $a_role_title);
478 
479  $test2 = (int) $role_title_parts[3];
480  if ($test2 > 0) {
481  unset($role_title_parts[3]);
482  }
483 
484  return implode('_', $role_title_parts);
485  }
486 
494  public static function getSubObjects($a_obj_type, $a_add_admin_objects)
495  {
496  global $DIC;
500  $objDefinition = $DIC['objDefinition'];
501  $lng = $DIC->language();
502  $subs = $objDefinition->getSubObjectsRecursively($a_obj_type, true, $a_add_admin_objects);
503 
504  $filter = array();
505  $sorted = array();
506 
507  if (!ilECSSetting::ecsConfigured()) {
508  $filter = array_merge($filter, ilECSUtils::getPossibleRemoteTypes(false));
509  $filter[] = 'rtst';
510  }
511 
512  foreach ($subs as $subtype => $def) {
513  if (in_array($def["name"], $filter)) {
514  continue;
515  }
516 
517  if ($objDefinition->isPlugin($subtype)) {
518  $translation = ilObjectPlugin::lookupTxtById($subtype, "obj_" . $subtype);
519  } elseif ($objDefinition->isSystemObject($subtype)) {
520  $translation = $lng->txt("obj_" . $subtype);
521  } else {
522  $translation = $lng->txt('objs_' . $subtype);
523  }
524 
525  $sorted[$subtype] = $def;
526  $sorted[$subtype]['translation'] = $translation;
527  }
528 
529  return ilUtil::sortArray($sorted, 'translation', 'asc', true, true);
530  }
531 
532  public static function _updateAuthMode($a_roles)
533  {
534  global $DIC;
535 
536  $ilDB = $DIC['ilDB'];
537 
538  foreach ($a_roles as $role_id => $auth_mode) {
539  $query = "UPDATE role_data SET " .
540  "auth_mode= " . $ilDB->quote($auth_mode, 'text') . " " .
541  "WHERE role_id= " . $ilDB->quote($role_id, 'integer') . " ";
542  $res = $ilDB->manipulate($query);
543  }
544  }
545 
546  public static function _getAuthMode($a_role_id)
547  {
548  global $DIC;
549 
550  $ilDB = $DIC['ilDB'];
551 
552  $query = "SELECT auth_mode FROM role_data " .
553  "WHERE role_id= " . $ilDB->quote($a_role_id, 'integer') . " ";
554  $res = $ilDB->query($query);
555  $row = $ilDB->fetchAssoc($res);
556 
557  return $row['auth_mode'];
558  }
559 
567  public static function _getRolesByAuthMode($a_auth_mode)
568  {
569  global $DIC;
570 
571  $ilDB = $DIC['ilDB'];
572 
573  $query = "SELECT * FROM role_data " .
574  "WHERE auth_mode = " . $ilDB->quote($a_auth_mode, 'text');
575  $res = $ilDB->query($query);
576  $roles = array();
577  while ($row = $ilDB->fetchObject($res)) {
578  $roles[] = $row->role_id;
579  }
580  return $roles;
581  }
582 
591  public static function _resetAuthMode($a_auth_mode)
592  {
593  global $DIC;
594 
595  $ilDB = $DIC['ilDB'];
596 
597  $query = "UPDATE role_data SET auth_mode = 'default' WHERE auth_mode = " . $ilDB->quote($a_auth_mode, 'text');
598  $res = $ilDB->manipulate($query);
599  }
600 
601  // returns array of operation/objecttype definitions
602  // private
603  public function __getPermissionDefinitions()
604  {
605  global $DIC;
606 
607  $ilDB = $DIC['ilDB'];
608  $lng = $DIC['lng'];
609  $objDefinition = $DIC['objDefinition'];
610  $rbacreview = $DIC['rbacreview'];
611 
612  $operation_info = $rbacreview->getOperationAssignment();
613  foreach ($operation_info as $info) {
614  if ($objDefinition->getDevMode($info['type'])) {
615  continue;
616  }
617  $rbac_objects[$info['typ_id']] = array("obj_id" => $info['typ_id'],
618  "type" => $info['type']);
619 
620  // handle plugin permission texts
621  $txt = $objDefinition->isPlugin($info['type'])
622  ? ilObjectPlugin::lookupTxtById($info['type'], $info['type'] . "_" . $info['operation'])
623  : $lng->txt($info['type'] . "_" . $info['operation']);
624  if (substr($info['operation'], 0, 7) == "create_" &&
625  $objDefinition->isPlugin(substr($info['operation'], 7))) {
626  $txt = ilObjectPlugin::lookupTxtById(substr($info['operation'], 7), $info['type'] . "_" . $info['operation']);
627  }
628  $rbac_operations[$info['typ_id']][$info['ops_id']] = array(
629  "ops_id" => $info['ops_id'],
630  "title" => $info['operation'],
631  "name" => $txt);
632  }
633  return array($rbac_objects,$rbac_operations);
634  }
635 
636 
637  public static function isAutoGenerated($a_role_id)
638  {
639  return substr(ilObject::_lookupTitle($a_role_id), 0, 3) == 'il_';
640  }
641 
649  public function changeExistingObjects($a_start_node, $a_mode, $a_filter, $a_exclusion_filter = array(),$a_operation_mode = self::MODE_READ_OPERATIONS, $a_operation_stack = [])
650  {
651  global $DIC;
652 
653  $tree = $DIC->repositoryTree();
654  $rbacreview = $DIC->rbac()->review();
655 
656  // Get node info of subtree
657  $nodes = $tree->getRbacSubtreeInfo($a_start_node);
658 
659  // get local policies
660  $all_local_policies = $rbacreview->getObjectsWithStopedInheritance($this->getId());
661 
662  // filter relevant roles
663  $local_policies = array();
664  foreach ($all_local_policies as $lp) {
665  if (isset($nodes[$lp])) {
666  $local_policies[] = $lp;
667  }
668  }
669 
670  // Delete deprecated policies
671  switch ($a_mode) {
672  case self::MODE_UNPROTECTED_DELETE_LOCAL_POLICIES:
673  case self::MODE_PROTECTED_DELETE_LOCAL_POLICIES:
674  $local_policies = $this->deleteLocalPolicies($a_start_node, $local_policies, $a_filter);
675  break;
676  }
677  $this->adjustPermissions($a_mode, $nodes, $local_policies, $a_filter, $a_exclusion_filter, $a_operation_mode, $a_operation_stack);
678  }
679 
685  protected function deleteLocalPolicies($a_start, $a_policies, $a_filter)
686  {
687  global $DIC;
688 
689  $rbacreview = $DIC['rbacreview'];
690  $rbacadmin = $DIC['rbacadmin'];
691 
692  $local_policies = array();
693  foreach ($a_policies as $policy) {
694  if ($policy == $a_start or $policy == SYSTEM_FOLDER_ID) {
695  $local_policies[] = $policy;
696  continue;
697  }
698  if (!in_array('all', $a_filter) and !in_array(ilObject::_lookupType(ilObject::_lookupObjId($policy)), $a_filter)) {
699  $local_policies[] = $policy;
700  continue;
701  }
702  $rbacadmin->deleteLocalRole($this->getId(), $policy);
703  }
704  return $local_policies;
705  }
706 
715  protected function adjustPermissions($a_mode, $a_nodes, $a_policies, $a_filter, $a_exclusion_filter = array(), $a_operation_mode = self::MODE_READ_OPERATIONS, $a_operation_stack = [])
716  {
717  global $DIC;
718 
719  $rbacadmin = $DIC['rbacadmin'];
720  $rbacreview = $DIC['rbacreview'];
721  $tree = $DIC['tree'];
722  $logger = $DIC->logger()->ac();
723 
724  $operation_stack = array();
725  $policy_stack = array();
726  $node_stack = array();
727 
728  $start_node = current($a_nodes);
729  array_push($node_stack, $start_node);
730  $this->updatePolicyStack($policy_stack, $start_node['child']);
731 
732  if ($a_operation_mode == self::MODE_READ_OPERATIONS) {
733  $this->updateOperationStack($operation_stack, $start_node['child'], true);
734  }
735  else {
736  $operation_stack = $a_operation_stack;
737  }
738 
739  $this->logger->debug('adjust permissions operation stack');
740  $this->logger->dump($operation_stack, ilLogLevel::DEBUG);
741 
742  include_once "Services/AccessControl/classes/class.ilRbacLog.php";
743  $rbac_log_active = ilRbacLog::isActive();
744 
745  $local_policy = false;
746  foreach ($a_nodes as $node) {
747  $cmp_node = end($node_stack);
748  while ($relation = $tree->getRelationOfNodes($node, $cmp_node)) {
749  switch ($relation) {
750  case ilTree::RELATION_NONE:
751  case ilTree::RELATION_SIBLING:
752  $logger->debug('Handling sibling/none relation.');
753  array_pop($operation_stack);
754  array_pop($policy_stack);
755  array_pop($node_stack);
756  $cmp_node = end($node_stack);
757  $local_policy = false;
758  break;
759 
760  case ilTree::RELATION_CHILD:
761  case ilTree::RELATION_EQUALS:
762  case ilTree::RELATION_PARENT:
763  default:
764  $logger->debug('Handling child/equals/parent ' . $relation);
765  break 2;
766  }
767  }
768 
769  if ($local_policy) {
770  continue;
771  }
772 
773  // Start node => set permissions and continue
774  if ($node['child'] == $start_node['child']) {
775  if ($this->isHandledObjectType($a_filter, $a_exclusion_filter, $node['type'])) {
776  if ($rbac_log_active) {
777  $rbac_log_roles = $rbacreview->getParentRoleIds($node['child'], false);
778  $rbac_log_old = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
779  }
780 
781  // Set permissions
782  $perms = end($operation_stack);
783  $this->changeExistingObjectsGrantPermissions(
784  $this->getId(),
785  (array) $perms[$node['type']],
786  $node['child'],
787  $a_operation_mode
788  );
789 
790  if ($rbac_log_active) {
791  $rbac_log_new = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
792  $rbac_log = ilRbacLog::diffFaPa($rbac_log_old, $rbac_log_new);
793  ilRbacLog::add(ilRbacLog::EDIT_TEMPLATE_EXISTING, $node['child'], $rbac_log);
794  }
795  }
796  continue;
797  }
798 
799  // Node has local policies => update permission stack and continue
800  if (in_array($node['child'], $a_policies) and ($node['child'] != SYSTEM_FOLDER_ID)) {
801  $local_policy = true;
802  $this->updatePolicyStack($policy_stack, $node['child']);
803  $this->updateOperationStack($operation_stack, $node['child']);
804  array_push($node_stack, $node);
805  continue;
806  }
807 
808  // Continue if this object type is not in filter
809  if (!$this->isHandledObjectType($a_filter, $a_exclusion_filter, $node['type'])) {
810  continue;
811  }
812 
813  if ($rbac_log_active) {
814  $rbac_log_roles = $rbacreview->getParentRoleIds($node['child'], false);
815  $rbac_log_old = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
816  }
817 
818  // Node is course or group => create permission intersection
819  if (
820  ($a_mode == self::MODE_UNPROTECTED_DELETE_LOCAL_POLICIES || $a_mode == self::MODE_UNPROTECTED_KEEP_LOCAL_POLICIES) &&
821  ($node['type'] == 'crs' || $node['type'] == 'grp')
822  ) {
823  // Copy role permission intersection
824  $perms = end($operation_stack);
825  $this->createPermissionIntersection($policy_stack, $perms[$node['type']], $node['child'], $node['type']);
826  if ($this->updateOperationStack($operation_stack, $node['child'])) {
827  $this->updatePolicyStack($policy_stack, $node['child']);
828  array_push($node_stack, $node);
829  }
830  }
831 
832  // Set permission
833  $perms = end($operation_stack);
834  $this->changeExistingObjectsGrantPermissions(
835  $this->getId(),
836  (array) $perms[$node['type']],
837  $node['child'],
838  $a_operation_mode
839  );
840  if ($rbac_log_active) {
841  $rbac_log_new = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
842  $rbac_log = ilRbacLog::diffFaPa($rbac_log_old, $rbac_log_new);
843  ilRbacLog::add(ilRbacLog::EDIT_TEMPLATE_EXISTING, $node['child'], $rbac_log);
844  }
845  }
846  }
847 
854  protected function changeExistingObjectsGrantPermissions($a_role_id, $a_permissions, $a_ref_id, $a_operation_mode)
855  {
856  global $DIC;
857 
858  $admin = $DIC->rbac()->admin();
859  $review = $DIC->rbac()->review();
860  if ($a_operation_mode == self::MODE_READ_OPERATIONS) {
861  $admin->grantPermission(
862  $a_role_id,
863  $a_permissions,
864  $a_ref_id
865  );
866  }
867  elseif ($a_operation_mode == self::MODE_ADD_OPERATIONS) {
868  $current_operations = $review->getRoleOperationsOnObject(
869  $a_role_id,
870  $a_ref_id
871  );
872  $this->logger->debug('Current operations');
873  $this->logger->dump($current_operations);
874 
875  $new_ops = array_unique(array_merge($a_permissions, $current_operations));
876  $this->logger->debug('New operations');
877  $this->logger->dump($new_ops);
878 
879  $admin->grantPermission(
880  $a_role_id,
881  $new_ops,
882  $a_ref_id
883  );
884  }
885  elseif ($a_operation_mode == self::MODE_REMOVE_OPERATIONS) {
886  $current_operations = $review->getRoleOperationsOnObject(
887  $a_role_id,
888  $a_ref_id
889  );
890  $this->logger->debug('Current operations');
891  $this->logger->dump($current_operations);
892 
893  $new_ops = array_diff($current_operations, $a_permissions);
894 
895  $admin->grantPermission(
896  $a_role_id,
897  $new_ops,
898  $a_ref_id
899  );
900  }
901  }
902 
903 
910  protected function isHandledObjectType($a_filter, $a_exclusion_filter, $a_type)
911  {
912  if (in_array($a_type, $a_exclusion_filter)) {
913  return false;
914  }
915 
916  if (in_array('all', $a_filter)) {
917  return true;
918  }
919  return in_array($a_type, $a_filter);
920  }
921 
928  protected function updateOperationStack(&$a_stack, $a_node, $a_init = false)
929  {
930  global $DIC;
931 
932  $rbacreview = $DIC['rbacreview'];
933 
934  $has_policies = null;
935  $policy_origin = null;
936 
937  if ($a_node == ROOT_FOLDER_ID) {
938  $has_policies = true;
939  $policy_origin = ROLE_FOLDER_ID;
940  } else {
941  $has_policies = $rbacreview->getLocalPolicies($a_node);
942  $policy_origin = $a_node;
943 
944  if ($a_init) {
945  $parent_roles = $rbacreview->getParentRoleIds($a_node, false);
946  if ($parent_roles[$this->getId()]) {
947  $a_stack[] = $rbacreview->getAllOperationsOfRole(
948  $this->getId(),
949  $parent_roles[$this->getId()]['parent']
950  );
951  }
952  return true;
953  }
954  }
955 
956  if (!$has_policies) {
957  return false;
958  }
959 
960  $a_stack[] = $rbacreview->getAllOperationsOfRole(
961  $this->getId(),
962  $policy_origin
963  );
964  return true;
965  }
966 
972  protected function updatePolicyStack(&$a_stack, $a_node)
973  {
974  global $DIC;
975 
976  $rbacreview = $DIC['rbacreview'];
977 
978  $has_policies = null;
979  $policy_origin = null;
980 
981  if ($a_node == ROOT_FOLDER_ID) {
982  $has_policies = true;
983  $policy_origin = ROLE_FOLDER_ID;
984  } else {
985  $has_policies = $rbacreview->getLocalPolicies($a_node);
986  $policy_origin = $a_node;
987  }
988 
989  if (!$has_policies) {
990  return false;
991  }
992 
993  $a_stack[] = $policy_origin;
994  return true;
995  }
996 
1004  protected function createPermissionIntersection($policy_stack, $a_current_ops, $a_id, $a_type)
1005  {
1006  global $DIC;
1007 
1008  $ilDB = $DIC['ilDB'];
1009  $rbacreview = $DIC['rbacreview'];
1010  $rbacadmin = $DIC['rbacadmin'];
1011 
1012  static $course_non_member_id = null;
1013  static $group_non_member_id = null;
1014  static $group_open_id = null;
1015  static $group_closed_id = null;
1016 
1017  // Get template id
1018  switch ($a_type) {
1019  case 'grp':
1020 
1021  include_once './Modules/Group/classes/class.ilObjGroup.php';
1022  $type = ilObjGroup::lookupGroupTye(ilObject::_lookupObjId($a_id));
1023  #var_dump("GROUP TYPE",$type);
1024  switch ($type) {
1025  case GRP_TYPE_CLOSED:
1026  if (!$group_closed_id) {
1027  $query = "SELECT obj_id FROM object_data WHERE type='rolt' AND title='il_grp_status_closed'";
1028  $res = $ilDB->query($query);
1029  while ($row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
1030  $group_closed_id = $row->obj_id;
1031  }
1032  }
1033  $template_id = $group_closed_id;
1034  #var_dump("GROUP CLOSED id:" . $template_id);
1035  break;
1036 
1037  case GRP_TYPE_OPEN:
1038  default:
1039  if (!$group_open_id) {
1040  $query = "SELECT obj_id FROM object_data WHERE type='rolt' AND title='il_grp_status_open'";
1041  $res = $ilDB->query($query);
1042  while ($row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
1043  $group_open_id = $row->obj_id;
1044  }
1045  }
1046  $template_id = $group_open_id;
1047  #var_dump("GROUP OPEN id:" . $template_id);
1048  break;
1049  }
1050  break;
1051 
1052  case 'crs':
1053  if (!$course_non_member_id) {
1054  $query = "SELECT obj_id FROM object_data WHERE type='rolt' AND title='il_crs_non_member'";
1055  $res = $ilDB->query($query);
1056  while ($row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
1057  $course_non_member_id = $row->obj_id;
1058  }
1059  }
1060  $template_id = $course_non_member_id;
1061  break;
1062  }
1063 
1064  $current_ops = $a_current_ops[$a_type];
1065 
1066  // Create intersection template permissions
1067  if ($template_id) {
1068  //$rolf = $rbacreview->getRoleFolderIdOfObject($a_id);
1069 
1070  $rbacadmin->copyRolePermissionIntersection(
1071  $template_id,
1072  ROLE_FOLDER_ID,
1073  $this->getId(),
1074  end($policy_stack),
1075  $a_id,
1076  $this->getId()
1077  );
1078  } else {
1079  #echo "No template id for ".$a_id.' of type'.$a_type.'<br>';
1080  }
1081  #echo "ROLE ASSIGN: ".$rolf.' AID'.$a_id;
1082  if ($a_id and !$GLOBALS['DIC']['rbacreview']->isRoleAssignedToObject($this->getId(), $a_id)) {
1083  $rbacadmin->assignRoleToFolder($this->getId(), $a_id, "n");
1084  }
1085  return true;
1086  }
1087 } // END class.ilObjRole
GRP_TYPE_OPEN
const GRP_TYPE_OPEN
Definition: class.ilObjGroup.php:20
ilObjUser\_lookupLogin
static _lookupLogin($a_user_id)
lookup login
Definition: class.ilObjUser.php:816
ilObjRole
Class ilObjRole.
Definition: class.ilObjRole.php:16
ilUtil\sortArray
static sortArray( $array, $a_array_sortby, $a_array_sortorder=0, $a_numeric=false, $a_keep_keys=false)
sortArray
Definition: class.ilUtil.php:3058
ilECSUtils\getPossibleRemoteTypes
static getPossibleRemoteTypes($a_with_captions=false)
Get all possible remote object types.
Definition: class.ilECSUtils.php:102
$data
$data
Definition: storeScorm.php:23
ilObjectPlugin\lookupTxtById
static lookupTxtById($plugin_id, $lang_var)
Definition: class.ilObjectPlugin.php:99
ilObjRole\getPresentationTitle
getPresentationTitle()
For autogenerated roles this returns &#39;Translated Title (untranslated title)&#39;.
Definition: class.ilObjRole.php:135
ilObjRole\_lookupRegisterAllowed
static _lookupRegisterAllowed()
get all roles that are activated in user registration
Definition: class.ilObjRole.php:289
ilECSSetting\ecsConfigured
static ecsConfigured()
Checks if an ecs server is configured.
Definition: class.ilECSSetting.php:131
ROOT_FOLDER_ID
const ROOT_FOLDER_ID
Definition: constants.php:30
ilObjRole\MODE_PROTECTED_DELETE_LOCAL_POLICIES
const MODE_PROTECTED_DELETE_LOCAL_POLICIES
Definition: class.ilObjRole.php:18
ilObjRole\createPermissionIntersection
createPermissionIntersection($policy_stack, $a_current_ops, $a_id, $a_type)
Create course group permission intersection.
Definition: class.ilObjRole.php:1004
ilObjRole\setParent
setParent($a_parent_ref)
set reference id of parent object this is neccessary for non RBAC protected objects!!! ...
Definition: class.ilObjRole.php:341
ilObjRole\toggleAssignUsersStatus
toggleAssignUsersStatus($a_assign_users)
Definition: class.ilObjRole.php:146
ilObjRole\_updateAuthMode
static _updateAuthMode($a_roles)
Definition: class.ilObjRole.php:532
ilTree\RELATION_PARENT
const RELATION_PARENT
Definition: class.ilTree.php:34
ilObject\_lookupTitle
static _lookupTitle($a_id)
lookup object title
Definition: class.ilObject.php:991
ilObjRole\setAllowRegister
setAllowRegister($a_allow_register)
set allow_register of role
Definition: class.ilObjRole.php:263
ilObjRole\update
update()
updates a record "role" and write it into database public
Definition: class.ilObjRole.php:211
ilRbacLog\isActive
static isActive()
Definition: class.ilRbacLog.php:25
ilObjRole\updatePolicyStack
updatePolicyStack(&$a_stack, $a_node)
Update policy stack.
Definition: class.ilObjRole.php:972
ilObjRole\MODE_REMOVE_OPERATIONS
const MODE_REMOVE_OPERATIONS
Definition: class.ilObjRole.php:25
ilObjRole\_getAuthMode
static _getAuthMode($a_role_id)
Definition: class.ilObjRole.php:546
ilObjRole\_resetAuthMode
static _resetAuthMode($a_auth_mode)
Reset auth mode to default.
Definition: class.ilObjRole.php:591
ilObjRole\deleteLocalPolicies
deleteLocalPolicies($a_start, $a_policies, $a_filter)
Delete local policies.
Definition: class.ilObjRole.php:685
ilObjRole\_getAssignUsersStatus
static _getAssignUsersStatus($a_role_id)
Definition: class.ilObjRole.php:155
ilRbacLog\gatherFaPa
static gatherFaPa($a_ref_id, array $a_role_ids, $a_add_action=false)
Definition: class.ilRbacLog.php:35
ilObjRole\getAllowRegister
getAllowRegister()
get allow_register
Definition: class.ilObjRole.php:278
SYSTEM_FOLDER_ID
const SYSTEM_FOLDER_ID
Definition: constants.php:33
ilRbacLog\diffFaPa
static diffFaPa(array $a_old, array $a_new)
Definition: class.ilRbacLog.php:69
$ilErr
$ilErr
Definition: raiseError.php:18
ilObject\setTitle
setTitle($a_title)
set object title
Definition: class.ilObject.php:417
ilObjRole\createDefaultRole
static createDefaultRole($a_title, $a_description, $a_tpl_name, $a_ref_id)
Definition: class.ilObjRole.php:67
ilObjRole\MODE_PROTECTED_KEEP_LOCAL_POLICIES
const MODE_PROTECTED_KEEP_LOCAL_POLICIES
Definition: class.ilObjRole.php:19
ilObjRole\MODE_READ_OPERATIONS
const MODE_READ_OPERATIONS
Definition: class.ilObjRole.php:24
ilObjRole\create
create()
create
Definition: class.ilObjRole.php:237
ilObjRole\isAutoGenerated
static isAutoGenerated($a_role_id)
Definition: class.ilObjRole.php:637
$res
foreach($_POST as $key=> $value) $res
Definition: save_question_post_data.php:15
ilObject\getId
getId()
get object id public
Definition: class.ilObject.php:319
GRP_TYPE_CLOSED
const GRP_TYPE_CLOSED
Definition: class.ilObjGroup.php:19
ilObject\_lookupObjId
static _lookupObjId($a_id)
Definition: class.ilObject.php:1110
ilObjRole\isHandledObjectType
isHandledObjectType($a_filter, $a_exclusion_filter, $a_type)
Check if type is filterer.
Definition: class.ilObjRole.php:910
$DIC
global $DIC
Definition: goto.php:24
$GLOBALS
if(!defined('PATH_SEPARATOR')) $GLOBALS['_PEAR_default_error_mode']
Definition: PEAR.php:64
ilObject\getTitle
getTitle()
get object title public
Definition: class.ilObject.php:395
ilObjRole\_getRolesByAuthMode
static _getRolesByAuthMode($a_auth_mode)
Get roles by auth mode.
Definition: class.ilObjRole.php:567
ilias
redirection script todo: (a better solution should control the processing via a xml file) ...
$query
$query
Definition: proxy_ylocal.php:13
ilUtil\stripSlashes
static stripSlashes($a_str, $a_strip_html=true, $a_allow="")
strip slashes if magic qoutes is enabled
Definition: class.ilUtil.php:2406
ilObjRole\__construct
__construct($a_id=0, $a_call_by_reference=false)
Constructor public.
Definition: class.ilObjRole.php:50
ilTree\RELATION_EQUALS
const RELATION_EQUALS
Definition: class.ilTree.php:36
$txt
$txt
Definition: error.php:13
ilTree\RELATION_CHILD
const RELATION_CHILD
Definition: class.ilTree.php:33
ilTree\RELATION_NONE
const RELATION_NONE
Definition: class.ilTree.php:37
ilObjRole\_getTranslation
static _getTranslation($a_role_title)
Definition: class.ilObjRole.php:454
ilObjRole\validate
validate()
Validate role data.
Definition: class.ilObjRole.php:118
ROLE_FOLDER_ID
const ROLE_FOLDER_ID
Definition: constants.php:32
ilObject\_lookupType
static _lookupType($a_id, $a_reference=false)
lookup object type
Definition: class.ilObject.php:1281
ilObjRole\getParent
getParent()
get reference id of parent object
Definition: class.ilObjRole.php:352
ilObjRole\MODE_ADD_OPERATIONS
const MODE_ADD_OPERATIONS
Definition: class.ilObjRole.php:23
ilObjRole\__getPermissionDefinitions
__getPermissionDefinitions()
Definition: class.ilObjRole.php:603
ilObjRole\changeExistingObjects
changeExistingObjects($a_start_node, $a_mode, $a_filter, $a_exclusion_filter=array(), $a_operation_mode=self::MODE_READ_OPERATIONS, $a_operation_stack=[])
Change existing objects.
Definition: class.ilObjRole.php:649
ilObjRole\_removeObjectId
static _removeObjectId($a_role_title)
Definition: class.ilObjRole.php:475
ilObjRole\MODE_UNPROTECTED_DELETE_LOCAL_POLICIES
const MODE_UNPROTECTED_DELETE_LOCAL_POLICIES
Definition: class.ilObjRole.php:20
ilObjRole\adjustPermissions
adjustPermissions($a_mode, $a_nodes, $a_policies, $a_filter, $a_exclusion_filter=array(), $a_operation_mode=self::MODE_READ_OPERATIONS, $a_operation_stack=[])
Adjust permissions.
Definition: class.ilObjRole.php:715
ILIAS\GlobalScreen\Provider\__construct
__construct(Container $dic, ilPlugin $plugin)
Definition: PluginProviderHelper.php:40
ilRbacLog\add
static add($a_action, $a_ref_id, array $a_diff, $a_source_ref_id=false)
Definition: class.ilRbacLog.php:137
ilObjRole\MODE_UNPROTECTED_KEEP_LOCAL_POLICIES
const MODE_UNPROTECTED_KEEP_LOCAL_POLICIES
Definition: class.ilObjRole.php:21
ilObjRole\changeExistingObjectsGrantPermissions
changeExistingObjectsGrantPermissions($a_role_id, $a_permissions, $a_ref_id, $a_operation_mode)
Definition: class.ilObjRole.php:854
$ilDB
global $ilDB
Definition: storeScorm2004.php:16
ilObjGroup\lookupGroupTye
static lookupGroupTye($a_id)
Lookup group type.
Definition: class.ilObjGroup.php:155
ilRbacLog\EDIT_TEMPLATE_EXISTING
const EDIT_TEMPLATE_EXISTING
Definition: class.ilRbacLog.php:22
ilObjRole\updateOperationStack
updateOperationStack(&$a_stack, $a_node, $a_init=false)
Update operation stack.
Definition: class.ilObjRole.php:928
ilTree\RELATION_SIBLING
const RELATION_SIBLING
Definition: class.ilTree.php:35
ilObject\setDescription
setDescription($a_desc)
set object description
Definition: class.ilObject.php:442
ilLoggerFactory\getLogger
static getLogger($a_component_id)
Get component logger.
Definition: class.ilLoggerFactory.php:74
ilObjRole\read
read()
loads "role" from database private
Definition: class.ilObjRole.php:173
ilObject\getUntranslatedTitle
getUntranslatedTitle()
get untranslated object title public
Definition: class.ilObject.php:405
ilObjRole\_lookupAllowRegister
static _lookupAllowRegister($a_role_id)
check whether role is allowed in user registration or not
Definition: class.ilObjRole.php:316
ilObjRole\assignData
assignData($a_data)
loads a record "role" from array public
Definition: class.ilObjRole.php:199