ILIAS  release_7 Revision v7.30-3-g800a261c036
All Data Structures Namespaces Files Functions Variables Modules Pages
ilPRGPermissionsHelper.php
Go to the documentation of this file.
1 <?php declare(strict_types = 1);
2 
11 class ilPRGPermissionsHelper
12 {
13  const ORGU_OPERATIONS = [
14  ilOrgUnitOperation::OP_VIEW_MEMBERS,
15  ilOrgUnitOperation::OP_READ_LEARNING_PROGRESS,
16  ilOrgUnitOperation::OP_VIEW_INDIVIDUAL_PLAN,
17  ilOrgUnitOperation::OP_EDIT_INDIVIDUAL_PLAN,
18  ilOrgUnitOperation::OP_MANAGE_MEMBERS
19  ];
20 
21  const ROLEPERM_VIEW = 'rp_visible';
22  const ROLEPERM_READ = 'rp_read';
23  const ROLEPERM_WRITE = 'rp_write';
24  //both org-unit and rbac permission read "manage_members";
25  //however, rbac-manage_members does include all of the orgu-permissions listed here.
26  const ROLEPERM_MANAGE_MEMBERS = 'rp_manage_members';
27 
28  const ROLEMAPPINGS = [
29  'rp_visible' => 'visible',
30  'rp_read' => 'read',
31  'rp_write' => 'write',
32  'rp_manage_members' => 'manage_members'
33  ];
34 
38  protected $access;
39 
43  protected $orgu_access;
44 
48  protected $programme;
49 
53  protected $user_id_cache;
54 
55  public function __construct(
56  ilAccess $access,
57  ilOrgUnitPositionAccess $orgu_access,
58  ilObjStudyProgramme $programme
59  ) {
60  $this->access = $access;
61  $this->orgu_access = $orgu_access;
62  $this->programme = $programme;
63  }
64 
65  public function may(string $operation) : bool
66  {
67  $this->throwForInvalidOperation($operation);
68  if (in_array($operation, self::ORGU_OPERATIONS)) {
69  return
70  $this->access->checkAccess( //RBAC overrides OrgUs
71  self::ROLEMAPPINGS[self::ROLEPERM_MANAGE_MEMBERS],
72  '',
73  $this->getProgrammeRefId()
74  )
75  || $this->access->checkPositionAccess($operation, $this->getProgrammeRefId());
76  } else {
77  return $this->access->checkAccess(self::ROLEMAPPINGS[$operation], '', $this->getProgrammeRefId());
78  }
79  }
80 
84  public function mayAnyOf(array $operations) : bool
85  {
86  foreach ($operations as $operation) {
87  if ($this->may($operation)) {
88  return true;
89  }
90  }
91  return false;
92  }
93 
97  public function getUserIdsSusceptibleTo(string $operation) : array
98  {
99  $this->throwForInvalidOperation($operation);
100 
101  if ($this->may(self::ROLEPERM_MANAGE_MEMBERS)) { //RBAC overrides OrgUs
102  return $this->getAllAssignedUserIds();
103  }
104 
105  if (in_array($operation, self::ORGU_OPERATIONS) && $this->may($operation)) {
106  return $this->getUserIdsInPrgAccessibleForOperation($operation);
107  }
108  return [];
109  }
110 
114  public function filterUserIds(array $user_ids, string $operation) : array
115  {
116  if ($this->may(self::ROLEPERM_MANAGE_MEMBERS)) { //RBAC overrides OrgUs
117  return $user_ids;
118  }
119 
120  return $this->orgu_access->filterUserIdsByPositionOfCurrentUser(
121  $operation,
122  $this->getProgrammeRefId(),
123  $user_ids
124  );
125  }
126 
127  protected function throwForInvalidOperation(string $operation) : void
128  {
129  $valid = array_merge(
130  self::ORGU_OPERATIONS,
131  [
132  self::ROLEPERM_VIEW,
133  self::ROLEPERM_READ,
134  self::ROLEPERM_WRITE,
135  self::ROLEPERM_MANAGE_MEMBERS
136  ]
137  );
138 
139  if (!in_array($operation, $valid)) {
140  throw new \ilException('prg does not provide this permission: ' . $operation);
141  }
142  }
143 
144  protected function getUserIdsInPrgAccessibleForOperation(string $orgu_operation) : array
145  {
146  if (!$this->cache[$orgu_operation]) {
147  $user_ids = array_map(
148  'intval',
149  $this->orgu_access->filterUserIdsByPositionOfCurrentUser(
150  $orgu_operation,
151  $this->getProgrammeRefId(),
152  $this->getAllAssignedUserIds()
153  )
154  );
155  $this->cache[$orgu_operation] = array_unique($user_ids);
156  }
157  return $this->cache[$orgu_operation];
158  }
159 
163  protected function getAllAssignedUserIds() : array
164  {
165  if (!$this->cache[self::ROLEPERM_MANAGE_MEMBERS]) {
166  $this->cache[self::ROLEPERM_MANAGE_MEMBERS] = array_unique($this->programme->getMembers());
167  }
168  return $this->cache[self::ROLEPERM_MANAGE_MEMBERS];
169  }
170 
171  protected function getProgrammeRefId() : int
172  {
173  return (int) $this->programme->getRefId();
174  }
175 }
ilPRGPermissionsHelper\getUserIdsInPrgAccessibleForOperation
getUserIdsInPrgAccessibleForOperation(string $orgu_operation)
Definition: ilPRGPermissionsHelper.php:144
$valid
$valid
Definition: dummy_client.php:52
ilOrgUnitPositionAccess
Class ilOrgUnitPositionAccess.
Definition: class.ilOrgUnitPositionAccess.php:8
ilPRGPermissionsHelper\__construct
__construct(ilAccess $access, ilOrgUnitPositionAccess $orgu_access, ilObjStudyProgramme $programme)
Definition: ilPRGPermissionsHelper.php:55
ilPRGPermissionsHelper
Both role and OrgU-based permissions are relevant in many places of the PRG.
Definition: ilPRGPermissionsHelper.php:11
ilPRGPermissionsHelper\getUserIdsSusceptibleTo
getUserIdsSusceptibleTo(string $operation)
return int[]
Definition: ilPRGPermissionsHelper.php:97
ilPRGPermissionsHelper\filterUserIds
filterUserIds(array $user_ids, string $operation)
Definition: ilPRGPermissionsHelper.php:114
ilPRGPermissionsHelper\throwForInvalidOperation
throwForInvalidOperation(string $operation)
Definition: ilPRGPermissionsHelper.php:127