ILIAS  release_7 Revision v7.30-3-g800a261c036
ilPRGPermissionsHelper.php
Go to the documentation of this file.
1<?php declare(strict_types = 1);
2
11class ilPRGPermissionsHelper
12{
13 const ORGU_OPERATIONS = [
14 ilOrgUnitOperation::OP_VIEW_MEMBERS,
15 ilOrgUnitOperation::OP_READ_LEARNING_PROGRESS,
16 ilOrgUnitOperation::OP_VIEW_INDIVIDUAL_PLAN,
17 ilOrgUnitOperation::OP_EDIT_INDIVIDUAL_PLAN,
18 ilOrgUnitOperation::OP_MANAGE_MEMBERS
19 ];
20
21 const ROLEPERM_VIEW = 'rp_visible';
22 const ROLEPERM_READ = 'rp_read';
23 const ROLEPERM_WRITE = 'rp_write';
24 //both org-unit and rbac permission read "manage_members";
25 //however, rbac-manage_members does include all of the orgu-permissions listed here.
26 const ROLEPERM_MANAGE_MEMBERS = 'rp_manage_members';
27
28 const ROLEMAPPINGS = [
29 'rp_visible' => 'visible',
30 'rp_read' => 'read',
31 'rp_write' => 'write',
32 'rp_manage_members' => 'manage_members'
33 ];
34
38 protected $access;
39
43 protected $orgu_access;
44
48 protected $programme;
49
53 protected $user_id_cache;
54
55 public function __construct(
56 ilAccess $access,
57 ilOrgUnitPositionAccess $orgu_access,
58 ilObjStudyProgramme $programme
59 ) {
60 $this->access = $access;
61 $this->orgu_access = $orgu_access;
62 $this->programme = $programme;
63 }
64
65 public function may(string $operation) : bool
66 {
67 $this->throwForInvalidOperation($operation);
68 if (in_array($operation, self::ORGU_OPERATIONS)) {
69 return
70 $this->access->checkAccess( //RBAC overrides OrgUs
71 self::ROLEMAPPINGS[self::ROLEPERM_MANAGE_MEMBERS],
72 '',
73 $this->getProgrammeRefId()
74 )
75 || $this->access->checkPositionAccess($operation, $this->getProgrammeRefId());
76 } else {
77 return $this->access->checkAccess(self::ROLEMAPPINGS[$operation], '', $this->getProgrammeRefId());
78 }
79 }
80
84 public function mayAnyOf(array $operations) : bool
85 {
86 foreach ($operations as $operation) {
87 if ($this->may($operation)) {
88 return true;
89 }
90 }
91 return false;
92 }
93
97 public function getUserIdsSusceptibleTo(string $operation) : array
98 {
99 $this->throwForInvalidOperation($operation);
100
101 if ($this->may(self::ROLEPERM_MANAGE_MEMBERS)) { //RBAC overrides OrgUs
102 return $this->getAllAssignedUserIds();
103 }
104
105 if (in_array($operation, self::ORGU_OPERATIONS) && $this->may($operation)) {
106 return $this->getUserIdsInPrgAccessibleForOperation($operation);
107 }
108 return [];
109 }
110
114 public function filterUserIds(array $user_ids, string $operation) : array
115 {
116 if ($this->may(self::ROLEPERM_MANAGE_MEMBERS)) { //RBAC overrides OrgUs
117 return $user_ids;
118 }
119
120 return $this->orgu_access->filterUserIdsByPositionOfCurrentUser(
121 $operation,
122 $this->getProgrammeRefId(),
123 $user_ids
124 );
125 }
126
127 protected function throwForInvalidOperation(string $operation) : void
128 {
129 $valid = array_merge(
130 self::ORGU_OPERATIONS,
131 [
132 self::ROLEPERM_VIEW,
133 self::ROLEPERM_READ,
134 self::ROLEPERM_WRITE,
135 self::ROLEPERM_MANAGE_MEMBERS
136 ]
137 );
138
139 if (!in_array($operation, $valid)) {
140 throw new \ilException('prg does not provide this permission: ' . $operation);
141 }
142 }
143
144 protected function getUserIdsInPrgAccessibleForOperation(string $orgu_operation) : array
145 {
146 if (!$this->cache[$orgu_operation]) {
147 $user_ids = array_map(
148 'intval',
149 $this->orgu_access->filterUserIdsByPositionOfCurrentUser(
150 $orgu_operation,
151 $this->getProgrammeRefId(),
152 $this->getAllAssignedUserIds()
153 )
154 );
155 $this->cache[$orgu_operation] = array_unique($user_ids);
156 }
157 return $this->cache[$orgu_operation];
158 }
159
163 protected function getAllAssignedUserIds() : array
164 {
165 if (!$this->cache[self::ROLEPERM_MANAGE_MEMBERS]) {
166 $this->cache[self::ROLEPERM_MANAGE_MEMBERS] = array_unique($this->programme->getMembers());
167 }
168 return $this->cache[self::ROLEPERM_MANAGE_MEMBERS];
169 }
170
171 protected function getProgrammeRefId() : int
172 {
173 return (int) $this->programme->getRefId();
174 }
175}
php
An exception for terminatinating execution or to throw for unit testing.
ilAccess
Class ilAccessHandler.
Definition: class.ilAccess.php:14
ilOrgUnitPositionAccess
Class ilOrgUnitPositionAccess.
Definition: class.ilOrgUnitPositionAccess.php:9
ilPRGPermissionsHelper
Both role and OrgU-based permissions are relevant in many places of the PRG.
Definition: ilPRGPermissionsHelper.php:12
ilPRGPermissionsHelper\throwForInvalidOperation
throwForInvalidOperation(string $operation)
Definition: ilPRGPermissionsHelper.php:127
ilPRGPermissionsHelper\getUserIdsInPrgAccessibleForOperation
getUserIdsInPrgAccessibleForOperation(string $orgu_operation)
Definition: ilPRGPermissionsHelper.php:144
ilPRGPermissionsHelper\__construct
__construct(ilAccess $access, ilOrgUnitPositionAccess $orgu_access, ilObjStudyProgramme $programme)
Definition: ilPRGPermissionsHelper.php:55
ilPRGPermissionsHelper\getUserIdsSusceptibleTo
getUserIdsSusceptibleTo(string $operation)
return int[]
Definition: ilPRGPermissionsHelper.php:97
ilPRGPermissionsHelper\filterUserIds
filterUserIds(array $user_ids, string $operation)
Definition: ilPRGPermissionsHelper.php:114
$valid
$valid
Definition: dummy_client.php:52