ILIAS  release_7 Revision v7.30-3-g800a261c036
class.ilRbacAdmin.php
Go to the documentation of this file.
1<?php
2/* Copyright (c) 1998-2010 ILIAS open source, Extended GPL, see docs/LICENSE */
3
4
19{
24 public function __construct()
25 {
26 global $DIC;
27
28 $ilDB = $DIC['ilDB'];
29 $ilErr = $DIC['ilErr'];
30 $ilias = $DIC['ilias'];
31
32 // set db & error handler
33 (isset($ilDB)) ? $this->ilDB = &$ilDB : $this->ilDB = &$ilias->db;
34
35 if (!isset($ilErr)) {
36 $ilErr = new ilErrorHandling();
37 $ilErr->setErrorHandling(PEAR_ERROR_CALLBACK, array($ilErr,'errorHandler'));
38 } else {
39 $this->ilErr = &$ilErr;
40 }
41 }
42
49 public function setBlockedStatus($a_role_id, $a_ref_id, $a_blocked_status)
50 {
51 global $DIC;
52
53 $ilDB = $DIC['ilDB'];
54
55 ilLoggerFactory::getLogger('crs')->logStack();
56 $query = 'UPDATE rbac_fa set blocked = ' . $ilDB->quote($a_blocked_status, 'integer') . ' ' .
57 'WHERE rol_id = ' . $ilDB->quote($a_role_id, 'integer') . ' ' .
58 'AND parent = ' . $ilDB->quote($a_ref_id, 'integer');
59 $ilDB->manipulate($query);
60 }
61
69 public function removeUser($a_usr_id)
70 {
71 global $DIC;
72
73 $ilDB = $DIC->database();
74 $review = $DIC->rbac()->review();
75
76 if (!isset($a_usr_id)) {
77 $message = get_class($this) . "::removeUser(): No usr_id given!";
78 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
79 }
80
81 foreach ($review->assignedRoles($a_usr_id) as $role_id) {
82 $this->deassignUser($role_id, $a_usr_id);
83 }
84
85 $query = "DELETE FROM rbac_ua WHERE usr_id = " . $ilDB->quote($a_usr_id, 'integer');
86 $res = $ilDB->manipulate($query);
87
88 return true;
89 }
90
98 public function deleteRole($a_rol_id, $a_ref_id)
99 {
100 global $DIC;
101
102 $lng = $DIC['lng'];
103 $ilDB = $DIC['ilDB'];
104
105 if (!isset($a_rol_id) || !isset($a_ref_id)) {
106 $message = get_class($this) . "::deleteRole(): Missing parameter! role_id: " . $a_rol_id . " ref_id of role folder: " . $a_ref_id;
107 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
108 }
109
110 // exclude system role from rbac
111 if ($a_rol_id == SYSTEM_ROLE_ID) {
112 $this->ilErr->raiseError($lng->txt("msg_sysrole_not_deletable"), $this->ilErr->MESSAGE);
113 }
114
115 include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
117 $mapping->deleteRole($a_rol_id);
118
119
120 // TODO: check assigned users before deletion
121 // This is done in ilObjRole. Should be better moved to this place?
122
123 // delete user assignements
124 $query = "DELETE FROM rbac_ua " .
125 "WHERE rol_id = " . $ilDB->quote($a_rol_id, 'integer');
126 $res = $ilDB->manipulate($query);
127
128 // delete permission assignments
129 $query = "DELETE FROM rbac_pa " .
130 "WHERE rol_id = " . $ilDB->quote($a_rol_id, 'integer') . " ";
131 $res = $ilDB->manipulate($query);
132
133 //delete rbac_templates and rbac_fa
134 $this->deleteLocalRole($a_rol_id);
135
136 return true;
137 }
138
145 public function deleteTemplate($a_obj_id)
146 {
147 global $DIC;
148
149 $ilDB = $DIC['ilDB'];
150
151 if (!isset($a_obj_id)) {
152 $message = get_class($this) . "::deleteTemplate(): No obj_id given!";
153 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
154 }
155
156 $query = 'DELETE FROM rbac_templates ' .
157 'WHERE rol_id = ' . $ilDB->quote($a_obj_id, 'integer');
158 $res = $ilDB->manipulate($query);
159
160 $query = 'DELETE FROM rbac_fa ' .
161 'WHERE rol_id = ' . $ilDB->quote($a_obj_id, 'integer');
162 $res = $ilDB->manipulate($query);
163
164 return true;
165 }
166
174 public function deleteLocalRole($a_rol_id, $a_ref_id = 0)
175 {
176 global $DIC;
177
178 $ilDB = $DIC['ilDB'];
179
180 if (!isset($a_rol_id)) {
181 $message = get_class($this) . "::deleteLocalRole(): Missing parameter! role_id: '" . $a_rol_id . "'";
182 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
183 }
184
185 // exclude system role from rbac
186 if ($a_rol_id == SYSTEM_ROLE_ID) {
187 return true;
188 }
189
190 if ($a_ref_id != 0) {
191 $clause = 'AND parent = ' . $ilDB->quote($a_ref_id, 'integer') . ' ';
192 }
193
194 $query = 'DELETE FROM rbac_fa ' .
195 'WHERE rol_id = ' . $ilDB->quote($a_rol_id, 'integer') . ' ' .
196 $clause;
197 $res = $ilDB->manipulate($query);
198
199 $query = 'DELETE FROM rbac_templates ' .
200 'WHERE rol_id = ' . $ilDB->quote($a_rol_id, 'integer') . ' ' .
201 $clause;
202 $res = $ilDB->manipulate($query);
203 return true;
204 }
205
212 public function assignUserLimited($a_role_id, $a_usr_id, $a_limit, $a_limited_roles = [])
213 {
214 global $DIC;
215
216 $ilDB = $DIC['ilDB'];
217
218 $ilAtomQuery = $ilDB->buildAtomQuery();
219 $ilAtomQuery->addTableLock('rbac_ua');
220
221 $ilAtomQuery->addQueryCallable(
222 function (ilDBInterface $ilDB) use (&$ret, $a_role_id, $a_usr_id, $a_limit, $a_limited_roles) {
223 $ret = true;
224 $limit_query = 'SELECT COUNT(*) num FROM rbac_ua ' .
225 'WHERE ' . $ilDB->in('rol_id', (array) $a_limited_roles, false, 'integer');
226 $res = $ilDB->query($limit_query);
227 $row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT);
228 if ($row->num >= $a_limit) {
229 $ret = false;
230 return;
231 }
232
233 $query = "INSERT INTO rbac_ua (usr_id, rol_id) " .
234 "VALUES (" .
235 $ilDB->quote($a_usr_id, 'integer') . "," . $ilDB->quote($a_role_id, 'integer') .
236 ")";
237 $res = $ilDB->manipulate($query);
238 }
239 );
240
241 $ilAtomQuery->run();
242
243 if (!$ret) {
244 return false;
245 }
246
247 $GLOBALS['DIC']['rbacreview']->setAssignedCacheEntry($a_role_id, $a_usr_id, true);
248
249 include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
251 $mapping->assign($a_role_id, $a_usr_id);
252 return true;
253 }
254
255
264 public function assignUser($a_rol_id, $a_usr_id)
265 {
266 global $DIC;
267
268 $ilDB = $DIC['ilDB'];
269 $rbacreview = $DIC['rbacreview'];
270
271 if (!isset($a_rol_id) || !isset($a_usr_id)) {
272 $message = get_class($this) . "::assignUser(): Missing parameter! role_id: " . $a_rol_id . " usr_id: " . $a_usr_id;
273 #$this->ilErr->raiseError($message,$this->ilErr->WARNING);
274 }
275
276 // check if already assigned user id and role_id
277 $alreadyAssigned = $rbacreview->isAssigned($a_usr_id, $a_rol_id);
278
279 // enhanced: only if we haven't had this role for this user
280 if (!$alreadyAssigned) {
281 $query = "INSERT INTO rbac_ua (usr_id, rol_id) " .
282 "VALUES (" . $ilDB->quote($a_usr_id, 'integer') . "," . $ilDB->quote($a_rol_id, 'integer') . ")";
283 $res = $ilDB->manipulate($query);
284
285 $rbacreview->setAssignedCacheEntry($a_rol_id, $a_usr_id, true);
286 }
287
288 include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
290 $mapping->assign($a_rol_id, $a_usr_id);
291
292
293 $ref_id = $GLOBALS['DIC']['rbacreview']->getObjectReferenceOfRole($a_rol_id);
294 $obj_id = ilObject::_lookupObjId($ref_id);
295 $type = ilObject::_lookupType($obj_id);
296
297 if (!$alreadyAssigned) {
298 ilLoggerFactory::getInstance()->getLogger('ac')->debug('Raise event assign user');
299 $GLOBALS['DIC']['ilAppEventHandler']->raise(
300 'Services/AccessControl',
301 'assignUser',
302 array(
303 'obj_id' => $obj_id,
304 'usr_id' => $a_usr_id,
305 'role_id' => $a_rol_id,
306 'type' => $type
307 )
308 );
309 }
310 return true;
311 }
312
313
322 public function deassignUser($a_rol_id, $a_usr_id)
323 {
324 global $DIC;
325
326 $ilDB = $DIC['ilDB'];
327 $rbacreview = $DIC->rbac()->review();
328
329 if (!isset($a_rol_id) || !isset($a_usr_id)) {
330 $message = get_class($this) . "::deassignUser(): Missing parameter! role_id: " . $a_rol_id . " usr_id: " . $a_usr_id;
331 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
332 }
333
334 $query = "DELETE FROM rbac_ua " .
335 "WHERE usr_id = " . $ilDB->quote($a_usr_id, 'integer') . " " .
336 "AND rol_id = " . $ilDB->quote($a_rol_id, 'integer') . " ";
337 $res = $ilDB->manipulate($query);
338
339 $rbacreview->setAssignedCacheEntry($a_rol_id, $a_usr_id, false);
340
341 include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
343 $mapping->deassign($a_rol_id, $a_usr_id);
344
345 if ($res) {
346 $ref_id = $GLOBALS['DIC']['rbacreview']->getObjectReferenceOfRole($a_rol_id);
347 $obj_id = ilObject::_lookupObjId($ref_id);
348 $type = ilObject::_lookupType($obj_id);
349
350 ilLoggerFactory::getInstance()->getLogger('ac')->debug('Raise event deassign user');
351 $GLOBALS['DIC']['ilAppEventHandler']->raise('Services/AccessControl', 'deassignUser', array(
352 'obj_id' => $obj_id,
353 'usr_id' => $a_usr_id,
354 'role_id' => $a_rol_id,
355 'type' => $type,
356 ));
357 }
358
359 return true;
360 }
361
370 public function grantPermission($a_rol_id, $a_ops, $a_ref_id)
371 {
372 global $DIC;
373
374 $ilDB = $DIC['ilDB'];
375
376 if (!isset($a_rol_id) || !isset($a_ops) || !isset($a_ref_id)) {
377 $this->ilErr->raiseError(get_class($this) . "::grantPermission(): Missing parameter! " .
378 "role_id: " . $a_rol_id . " ref_id: " . $a_ref_id . " operations: ", $this->ilErr->WARNING);
379 }
380
381 if (!is_array($a_ops)) {
382 $this->ilErr->raiseError(
383 get_class($this) . "::grantPermission(): Wrong datatype for operations!",
384 $this->ilErr->WARNING
385 );
386 }
387
388 // exclude system role from rbac
389 if ($a_rol_id == SYSTEM_ROLE_ID) {
390 return true;
391 }
392
393 // convert all values to integer
394 foreach ($a_ops as $key => $operation) {
395 $a_ops[$key] = (int) $operation;
396 }
397
398 // Serialization des ops_id Arrays
399 $ops_ids = serialize($a_ops);
400
401 $query = 'DELETE FROM rbac_pa ' .
402 'WHERE rol_id = %s ' .
403 'AND ref_id = %s';
404 $res = $ilDB->queryF(
405 $query,
406 array('integer','integer'),
407 array($a_rol_id,$a_ref_id)
408 );
409
410 if (!count($a_ops)) {
411 return false;
412 }
413
414 $query = "INSERT INTO rbac_pa (rol_id, ops_id, ref_id) " .
415 "VALUES " .
416 "(" . $ilDB->quote($a_rol_id, 'integer') . ", " . $ilDB->quote($ops_ids, 'text') . ", " . $ilDB->quote($a_ref_id, 'integer') . ")";
417 $res = $ilDB->manipulate($query);
418
419 return true;
420 }
421
431 public function revokePermission($a_ref_id, $a_rol_id = 0, $a_keep_protected = true)
432 {
433 global $DIC;
434
435 $rbacreview = $DIC['rbacreview'];
436 $log = $DIC['log'];
437 $ilDB = $DIC['ilDB'];
438 $ilLog = $DIC['ilLog'];
439
440 if (!isset($a_ref_id)) {
441 $ilLog->logStack();
442 $message = get_class($this) . "::revokePermission(): Missing parameter! ref_id: " . $a_ref_id;
443 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
444 }
445
446 // bypass protected status of roles
447 if ($a_keep_protected != true) {
448 // exclude system role from rbac
449 if ($a_rol_id == SYSTEM_ROLE_ID) {
450 return true;
451 }
452
453 if ($a_rol_id) {
454 $and1 = " AND rol_id = " . $ilDB->quote($a_rol_id, 'integer') . " ";
455 } else {
456 $and1 = "";
457 }
458
459 $query = "DELETE FROM rbac_pa " .
460 "WHERE ref_id = " . $ilDB->quote($a_ref_id, 'integer') .
461 $and1;
462
463 $res = $ilDB->manipulate($query);
464
465 return true;
466 }
467
468 // consider protected status of roles
469
470 // in any case, get all roles in scope first
471 $roles_in_scope = $rbacreview->getParentRoleIds($a_ref_id);
472
473 if (!$a_rol_id) {
474 $role_ids = [];
475
476 foreach ($roles_in_scope as $role) {
477 if ($role['protected'] == true) {
478 continue;
479 }
480
481 $role_ids[] = $role['obj_id'];
482 }
483
484 // return if no role in array
485 if (!$role_ids) {
486 return true;
487 }
488
489 $query = 'DELETE FROM rbac_pa ' .
490 'WHERE ' . $ilDB->in('rol_id', $role_ids, false, 'integer') . ' ' .
491 'AND ref_id = ' . $ilDB->quote($a_ref_id, 'integer');
492 $res = $ilDB->manipulate($query);
493 } else {
494 // exclude system role from rbac
495 if ($a_rol_id == SYSTEM_ROLE_ID) {
496 return true;
497 }
498
499 // exclude protected permission settings from revoking
500 if ($roles_in_scope[$a_rol_id]['protected'] == true) {
501 return true;
502 }
503
504 $query = "DELETE FROM rbac_pa " .
505 "WHERE ref_id = " . $ilDB->quote($a_ref_id, 'integer') . " " .
506 "AND rol_id = " . $ilDB->quote($a_rol_id, 'integer') . " ";
507 $res = $ilDB->manipulate($query);
508 }
509
510 return true;
511 }
512
519 public function revokeSubtreePermissions($a_ref_id, $a_role_id)
520 {
521 global $DIC;
522
523 $ilDB = $DIC['ilDB'];
524
525 $query = 'DELETE FROM rbac_pa ' .
526 'WHERE ref_id IN ' .
527 '( ' . $GLOBALS['DIC']['tree']->getSubTreeQuery($a_ref_id, array('child')) . ' ) ' .
528 'AND rol_id = ' . $ilDB->quote($a_role_id, 'integer');
529
530 $ilDB->manipulate($query);
531 return true;
532 }
533
540 public function deleteSubtreeTemplates($a_ref_id, $a_rol_id)
541 {
542 global $DIC;
543
544 $ilDB = $DIC['ilDB'];
545
546 $query = 'DELETE FROM rbac_templates ' .
547 'WHERE parent IN ( ' .
548 $GLOBALS['DIC']['tree']->getSubTreeQuery($a_ref_id, array('child')) . ' ) ' .
549 'AND rol_id = ' . $ilDB->quote($a_rol_id, 'integer');
550
551 $ilDB->manipulate($query);
552
553 $query = 'DELETE FROM rbac_fa ' .
554 'WHERE parent IN ( ' .
555 $GLOBALS['DIC']['tree']->getSubTreeQuery($a_ref_id, array('child')) . ' ) ' .
556 'AND rol_id = ' . $ilDB->quote($a_rol_id, 'integer');
557
558 $ilDB->manipulate($query);
559
560 return true;
561 }
562
570 public function revokePermissionList($a_ref_ids, $a_rol_id)
571 {
572 global $DIC;
573
574 $ilDB = $DIC['ilDB'];
575
576 if (!isset($a_ref_ids) || !is_array($a_ref_ids)) {
577 $message = get_class($this) . "::revokePermissionList(): Missing parameter or parameter is not an array! reference_list: " . var_dump($a_ref_ids);
578 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
579 }
580
581 if (!isset($a_rol_id)) {
582 $message = get_class($this) . "::revokePermissionList(): Missing parameter! rol_id: " . $a_rol_id;
583 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
584 }
585
586 // exclude system role from rbac
587 if ($a_rol_id == SYSTEM_ROLE_ID) {
588 return true;
589 }
590
591 $query = "DELETE FROM rbac_pa " .
592 "WHERE " . $ilDB->in('ref_id', $a_ref_ids, false, 'integer') . ' ' .
593 "AND rol_id = " . $ilDB->quote($a_rol_id, 'integer');
594 $res = $ilDB->manipulate($query);
595
596 return true;
597 }
598
609 public function copyRolePermissions($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected = true)
610 {
611 global $DIC;
612
613 $tree = $DIC['tree'];
614 $rbacreview = $DIC['rbacreview'];
615
616 // Copy template permissions
617 $this->copyRoleTemplatePermissions($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected);
618
619 $ops = $rbacreview->getRoleOperationsOnObject($a_source_id, $a_source_parent);
620
621 $this->revokePermission($a_dest_parent, $a_dest_id);
622 $this->grantPermission($a_dest_id, $ops, $a_dest_parent);
623 return true;
624 }
625
636 public function copyRoleTemplatePermissions($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected = true)
637 {
638 global $DIC;
639
640 $rbacreview = $DIC['rbacreview'];
641 $ilDB = $DIC['ilDB'];
642
643 if (!isset($a_source_id) || !isset($a_source_parent) || !isset($a_dest_id) || !isset($a_dest_parent)) {
644 $message = __METHOD__ . ": Missing parameter! source_id: " . $a_source_id .
645 " source_parent_id: " . $a_source_parent .
646 " dest_id : " . $a_dest_id .
647 " dest_parent_id: " . $a_dest_parent;
648 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
649 }
650
651 // exclude system role from rbac
652 if ($a_dest_id == SYSTEM_ROLE_ID) {
653 return true;
654 }
655
656 // Read operations
657 $query = 'SELECT * FROM rbac_templates ' .
658 'WHERE rol_id = ' . $ilDB->quote($a_source_id, 'integer') . ' ' .
659 'AND parent = ' . $ilDB->quote($a_source_parent, 'integer');
660 $res = $ilDB->query($query);
661 $operations = [];
662 $rownum = 0;
663 while ($row = $ilDB->fetchObject($res)) {
664 $operations[$rownum]['type'] = $row->type;
665 $operations[$rownum]['ops_id'] = $row->ops_id;
666 $rownum++;
667 }
668
669 // Delete target permissions
670 $query = 'DELETE FROM rbac_templates WHERE rol_id = ' . $ilDB->quote($a_dest_id, 'integer') . ' ' .
671 'AND parent = ' . $ilDB->quote($a_dest_parent, 'integer');
672 $res = $ilDB->manipulate($query);
673
674 foreach ($operations as $row => $op) {
675 $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) ' .
676 'VALUES (' .
677 $ilDB->quote($a_dest_id, 'integer') . "," .
678 $ilDB->quote($op['type'], 'text') . "," .
679 $ilDB->quote($op['ops_id'], 'integer') . "," .
680 $ilDB->quote($a_dest_parent, 'integer') . ")";
681 $ilDB->manipulate($query);
682 }
683
684 // copy also protection status if applicable
685 if ($a_consider_protected == true) {
686 if ($rbacreview->isProtected($a_source_parent, $a_source_id)) {
687 $this->setProtected($a_dest_parent, $a_dest_id, 'y');
688 }
689 }
690
691 return true;
692 }
706 public function copyRolePermissionIntersection($a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_parent, $a_dest_id)
707 {
708 global $DIC;
709
710 $rbacreview = $DIC['rbacreview'];
711 $ilDB = $DIC['ilDB'];
712
713 if (!isset($a_source1_id) || !isset($a_source1_parent)
714 || !isset($a_source2_id) || !isset($a_source2_parent)
715 || !isset($a_dest_id) || !isset($a_dest_parent)) {
716 $message = get_class($this) . "::copyRolePermissionIntersection(): Missing parameter! source1_id: " . $a_source1_id .
717 " source1_parent: " . $a_source1_parent .
718 " source2_id: " . $a_source2_id .
719 " source2_parent: " . $a_source2_parent .
720 " dest_id: " . $a_dest_id .
721 " dest_parent_id: " . $a_dest_parent;
722 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
723 }
724
725 // exclude system role from rbac
726 if ($a_dest_id == SYSTEM_ROLE_ID) {
727 ilLoggerFactory::getLogger('ac')->debug('Ignoring system role.');
728 return true;
729 }
730
731 if ($rbacreview->isProtected($a_source2_parent, $a_source2_id)) {
732 $GLOBALS['DIC']['ilLog']->write(__METHOD__ . ': Role is protected');
733 return true;
734 }
735
736 $query = "SELECT s1.type, s1.ops_id " .
737 "FROM rbac_templates s1, rbac_templates s2 " .
738 "WHERE s1.rol_id = " . $ilDB->quote($a_source1_id, 'integer') . " " .
739 "AND s1.parent = " . $ilDB->quote($a_source1_parent, 'integer') . " " .
740 "AND s2.rol_id = " . $ilDB->quote($a_source2_id, 'integer') . " " .
741 "AND s2.parent = " . $ilDB->quote($a_source2_parent, 'integer') . " " .
742 "AND s1.type = s2.type " .
743 "AND s1.ops_id = s2.ops_id";
744
746
747 $res = $ilDB->query($query);
748 $operations = [];
749 $rowNum = 0;
750 while ($row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
751 $operations[$rowNum]['type'] = $row->type;
752 $operations[$rowNum]['ops_id'] = $row->ops_id;
753
754 $rowNum++;
755 }
756
757 // Delete template permissions of target
758 $query = 'DELETE FROM rbac_templates WHERE rol_id = ' . $ilDB->quote($a_dest_id, 'integer') . ' ' .
759 'AND parent = ' . $ilDB->quote($a_dest_parent, 'integer');
760 $res = $ilDB->manipulate($query);
761
762 $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) ' .
763 'VALUES (?,?,?,?)';
764 $sta = $ilDB->prepareManip($query, array('integer','text','integer','integer'));
765 foreach ($operations as $key => $set) {
766 $ilDB->execute($sta, array(
767 $a_dest_id,
768 $set['type'],
769 $set['ops_id'],
770 $a_dest_parent));
771 }
772 return true;
773 }
774
786 public function copyRolePermissionUnion(
787 $a_source1_id,
788 $a_source1_parent,
789 $a_source2_id,
790 $a_source2_parent,
791 $a_dest_id,
792 $a_dest_parent
793 ) {
794 global $DIC;
795
796 $ilDB = $DIC['ilDB'];
797 $rbacreview = $DIC['rbacreview'];
798
799
800 $s1_ops = $rbacreview->getAllOperationsOfRole($a_source1_id, $a_source1_parent);
801 $s2_ops = $rbacreview->getAlloperationsOfRole($a_source2_id, $a_source2_parent);
802
803 $this->deleteRolePermission($a_dest_id, $a_dest_parent);
804
805 $GLOBALS['DIC']['ilLog']->write(__METHOD__ . ': ' . print_r($s1_ops, true));
806 $GLOBALS['DIC']['ilLog']->write(__METHOD__ . ': ' . print_r($s2_ops, true));
807
808 foreach ($s1_ops as $type => $ops) {
809 foreach ($ops as $op) {
810 // insert all permission of source 1
811 // #15469
812 $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) ' .
813 'VALUES( ' .
814 $ilDB->quote($a_dest_id, 'integer') . ', ' .
815 $ilDB->quote($type, 'text') . ', ' .
816 $ilDB->quote($op, 'integer') . ', ' .
817 $ilDB->quote($a_dest_parent, 'integer') . ' ' .
818 ')';
819 $ilDB->manipulate($query);
820 }
821 }
822
823 // and the other direction...
824 foreach ($s2_ops as $type => $ops) {
825 foreach ($ops as $op) {
826 if (!isset($s1_ops[$type]) || !in_array($op, $s1_ops[$type])) {
827 $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) ' .
828 'VALUES( ' .
829 $ilDB->quote($a_dest_id, 'integer') . ', ' .
830 $ilDB->quote($type, 'text') . ', ' .
831 $ilDB->quote($op, 'integer') . ', ' .
832 $ilDB->quote($a_dest_parent, 'integer') . ' ' .
833 ')';
834 $ilDB->manipulate($query);
835 }
836 }
837 }
838
839 return true;
840 }
841
849 public function copyRolePermissionSubtract($a_source_id, $a_source_parent, $a_dest_id, $a_dest_parent)
850 {
851 global $DIC;
852
853 $rbacreview = $DIC['rbacreview'];
854 $ilDB = $DIC['ilDB'];
855
856 $s1_ops = $rbacreview->getAllOperationsOfRole($a_source_id, $a_source_parent);
857 $d_ops = $rbacreview->getAllOperationsOfRole($a_dest_id, $a_dest_parent);
858
859 foreach ($s1_ops as $type => $ops) {
860 foreach ($ops as $op) {
861 if (isset($d_ops[$type]) && in_array($op, $d_ops[$type])) {
862 $query = 'DELETE FROM rbac_templates ' .
863 'WHERE rol_id = ' . $ilDB->quote($a_dest_id, 'integer') . ' ' .
864 'AND type = ' . $ilDB->quote($type, 'text') . ' ' .
865 'AND ops_id = ' . $ilDB->quote($op, 'integer') . ' ' .
866 'AND parent = ' . $ilDB->quote($a_dest_parent, 'integer');
867 $ilDB->manipulate($query);
868 }
869 }
870 }
871 return true;
872 }
873
874
885 public function deleteRolePermission($a_rol_id, $a_ref_id, $a_type = false)
886 {
887 global $DIC;
888
889 $ilDB = $DIC['ilDB'];
890
891 if (!isset($a_rol_id) || !isset($a_ref_id)) {
892 $message = get_class($this) . "::deleteRolePermission(): Missing parameter! role_id: " . $a_rol_id . " ref_id: " . $a_ref_id;
893 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
894 }
895
896 // exclude system role from rbac
897 if ($a_rol_id == SYSTEM_ROLE_ID) {
898 return true;
899 }
900
901 if ($a_type !== false) {
902 $and_type = " AND type=" . $ilDB->quote($a_type, 'text') . " ";
903 }
904
905 $query = 'DELETE FROM rbac_templates ' .
906 'WHERE rol_id = ' . $ilDB->quote($a_rol_id, 'integer') . ' ' .
907 'AND parent = ' . $ilDB->quote($a_ref_id, 'integer') . ' ' .
908 $and_type;
909
910 $res = $ilDB->manipulate($query);
911
912 return true;
913 }
914
925 public function setRolePermission($a_rol_id, $a_type, $a_ops, $a_ref_id)
926 {
927 global $DIC;
928
929 $ilDB = $DIC['ilDB'];
930
931 if (!isset($a_rol_id) || !isset($a_type) || !isset($a_ops) || !isset($a_ref_id)) {
932 $message = get_class($this) . "::setRolePermission(): Missing parameter!" .
933 " role_id: " . $a_rol_id .
934 " type: " . $a_type .
935 " operations: " . $a_ops .
936 " ref_id: " . $a_ref_id;
937 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
938 }
939
940 if (!is_string($a_type) || empty($a_type)) {
941 $message = get_class($this) . "::setRolePermission(): a_type is no string or empty!";
942 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
943 }
944
945 if (!is_array($a_ops) || empty($a_ops)) {
946 $message = get_class($this) . "::setRolePermission(): a_ops is no array or empty!";
947 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
948 }
949
950 // exclude system role from rbac
951 if ($a_rol_id == SYSTEM_ROLE_ID) {
952 return true;
953 }
954
955 foreach ($a_ops as $op) {
956 $ilDB->replace(
957 'rbac_templates',
958 [
959 'rol_id' => ['integer', $a_rol_id],
960 'type' => ['text', $a_type],
961 'ops_id' => ['integer', $op],
962 'parent' => ['integer', $a_ref_id]
963 ],
964 []
965 );
966 }
967 return true;
968 }
969
983 public function assignRoleToFolder($a_rol_id, $a_parent, $a_assign = "y")
984 {
985 global $DIC;
986 $ilDB = $DIC['ilDB'];
987
988 if (!isset($a_rol_id) || !isset($a_parent)) {
989 $message = get_class($this) . "::assignRoleToFolder(): Missing Parameter!" .
990 " role_id: " . $a_rol_id .
991 " parent_id: " . $a_parent .
992 " assign: " . $a_assign;
993 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
994 }
995
996 // exclude system role from rbac
997 if ($a_rol_id == SYSTEM_ROLE_ID) {
998 return true;
999 }
1000
1001 // if a wrong value is passed, always set assign to "n"
1002 if ($a_assign != "y") {
1003 $a_assign = "n";
1004 }
1005
1006 // check if already assigned
1007 $query = 'SELECT rol_id FROM rbac_fa ' .
1008 'WHERE rol_id = ' . $ilDB->quote($a_rol_id, 'integer') . ' ' .
1009 'AND parent = ' . $ilDB->quote($a_parent, 'integer');
1010 $res = $ilDB->query($query);
1011 if ($res->numRows()) {
1012 ilLoggerFactory::getLogger('ac')->info('Role already assigned to object');
1013 return false;
1014 }
1015
1016 $query = sprintf(
1017 'INSERT INTO rbac_fa (rol_id, parent, assign, protected) ' .
1018 'VALUES (%s,%s,%s,%s)',
1019 $ilDB->quote($a_rol_id, 'integer'),
1020 $ilDB->quote($a_parent, 'integer'),
1021 $ilDB->quote($a_assign, 'text'),
1022 $ilDB->quote('n', 'text')
1023 );
1024 $res = $ilDB->manipulate($query);
1025
1026 return true;
1027 }
1028
1037 public function assignOperationToObject($a_type_id, $a_ops_id)
1038 {
1039 global $DIC;
1040
1041 $ilDB = $DIC['ilDB'];
1042
1043 if (!isset($a_type_id) || !isset($a_ops_id)) {
1044 $message = get_class($this) . "::assignOperationToObject(): Missing parameter!" .
1045 "type_id: " . $a_type_id .
1046 "ops_id: " . $a_ops_id;
1047 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
1048 }
1049
1050 $query = "INSERT INTO rbac_ta (typ_id, ops_id) " .
1051 "VALUES(" . $ilDB->quote($a_type_id, 'integer') . "," . $ilDB->quote($a_ops_id, 'integer') . ")";
1052 $res = $ilDB->manipulate($query);
1053 return true;
1054 }
1055
1064 public function deassignOperationFromObject($a_type_id, $a_ops_id)
1065 {
1066 global $DIC;
1067
1068 $ilDB = $DIC['ilDB'];
1069
1070 if (!isset($a_type_id) || !isset($a_ops_id)) {
1071 $message = get_class($this) . "::deassignPermissionFromObject(): Missing parameter!" .
1072 "type_id: " . $a_type_id .
1073 "ops_id: " . $a_ops_id;
1074 $this->ilErr->raiseError($message, $this->ilErr->WARNING);
1075 }
1076
1077 $query = "DELETE FROM rbac_ta " .
1078 "WHERE typ_id = " . $ilDB->quote($a_type_id, 'integer') . " " .
1079 "AND ops_id = " . $ilDB->quote($a_ops_id, 'integer');
1080 $res = $ilDB->manipulate($query);
1081
1082 return true;
1083 }
1084
1093 public function setProtected($a_ref_id, $a_role_id, $a_value)
1094 {
1095 global $DIC;
1096
1097 $ilDB = $DIC['ilDB'];
1098
1099 // ref_id not used yet. protected permission acts 'global' for each role,
1100 // regardless of any broken inheritance before
1101 $query = 'UPDATE rbac_fa ' .
1102 'SET protected = ' . $ilDB->quote($a_value, 'text') . ' ' .
1103 'WHERE rol_id = ' . $ilDB->quote($a_role_id, 'integer');
1104 $res = $ilDB->manipulate($query);
1105 return true;
1106 }
1107
1118 public function copyLocalRoles($a_source_id, $a_target_id)
1119 {
1120 global $DIC;
1121
1122 $rbacreview = $DIC['rbacreview'];
1123 $ilLog = $DIC['ilLog'];
1124 $ilObjDataCache = $DIC['ilObjDataCache'];
1125
1126 $real_local = [];
1127 foreach ($rbacreview->getRolesOfRoleFolder($a_source_id, false) as $role_data) {
1128 $title = $ilObjDataCache->lookupTitle($role_data);
1129 if (substr($title, 0, 3) == 'il_') {
1130 continue;
1131 }
1132 $real_local[] = $role_data;
1133 }
1134 if (!count($real_local)) {
1135 return true;
1136 }
1137 // Create role folder
1138 foreach ($real_local as $role) {
1139 include_once("./Services/AccessControl/classes/class.ilObjRole.php");
1140 $orig = new ilObjRole($role);
1141 $orig->read();
1142
1143 $ilLog->write(__METHOD__ . ': Start copying of role ' . $orig->getTitle());
1144 $roleObj = new ilObjRole();
1145 $roleObj->setTitle($orig->getTitle());
1146 $roleObj->setDescription($orig->getDescription());
1147 $roleObj->setImportId($orig->getImportId());
1148 $roleObj->create();
1149
1150 $this->assignRoleToFolder($roleObj->getId(), $a_target_id, "y");
1151 $this->copyRolePermissions($role, $a_source_id, $a_target_id, $roleObj->getId(), true);
1152 $ilLog->write(__METHOD__ . ': Added new local role, id ' . $roleObj->getId());
1153 }
1154 }
1155
1166 public function initIntersectionPermissions($a_ref_id, $a_role_id, $a_role_parent, $a_template_id, $a_template_parent)
1167 {
1168 global $DIC;
1169
1170 $rbacreview = $DIC['rbacreview'];
1171
1172 if ($rbacreview->isProtected($a_role_parent, $a_role_id)) {
1173 // Assign object permissions
1174 $new_ops = $rbacreview->getOperationsOfRole(
1175 $a_role_id,
1176 ilObject::_lookupType($a_ref_id, true),
1177 $a_role_parent
1178 );
1179
1180 // set new permissions for object
1181 $this->grantPermission(
1182 $a_role_id,
1183 (array) $new_ops,
1184 $a_ref_id
1185 );
1186 return;
1187 }
1188 if (!$a_template_id) {
1189 ilLoggerFactory::getLogger('ac')->info('No template id given. Aborting.');
1190 return;
1191 }
1192 // create template permission intersection
1194 $a_template_id,
1195 $a_template_parent,
1196 $a_role_id,
1197 $a_role_parent,
1198 $a_ref_id,
1199 $a_role_id
1200 );
1201
1202 // assign role to folder
1203 $this->assignRoleToFolder(
1204 $a_role_id,
1205 $a_ref_id,
1206 'n'
1207 );
1208
1209 // Assign object permissions
1210 $new_ops = $rbacreview->getOperationsOfRole(
1211 $a_role_id,
1212 ilObject::_lookupType($a_ref_id, true),
1213 $a_ref_id
1214 );
1215
1216 // revoke existing permissions
1217 $this->revokePermission($a_ref_id, $a_role_id);
1218
1219 // set new permissions for object
1220 $this->grantPermission(
1221 $a_role_id,
1222 (array) $new_ops,
1223 $a_ref_id
1224 );
1225
1226 return;
1227 }
1228
1236 protected function applyMovedObjectDidacticTemplates($a_ref_id, $a_old_parent)
1237 {
1238 include_once './Services/DidacticTemplate/classes/class.ilDidacticTemplateObjSettings.php';
1240 if (!$tpl_id) {
1241 return;
1242 }
1243 include_once './Services/DidacticTemplate/classes/class.ilDidacticTemplateActionFactory.php';
1244 foreach (ilDidacticTemplateActionFactory::getActionsByTemplateId($tpl_id) as $action) {
1245 if ($action instanceof ilDidacticTemplateLocalRoleAction) {
1246 continue;
1247 }
1248 $action->setRefId($a_ref_id);
1249 $action->apply();
1250 }
1251 return;
1252 }
1253
1254
1266 public function adjustMovedObjectPermissions($ref_id, $old_parent)
1267 {
1268 global $DIC;
1269
1270 $rbacreview = $DIC['rbacreview'];
1271 $tree = $DIC['tree'];
1272 $ilLog = $DIC['ilLog'];
1273
1274 $new_parent = $tree->getParentId($ref_id);
1275 $old_context_roles = $rbacreview->getParentRoleIds($old_parent, false);
1276 $new_context_roles = $rbacreview->getParentRoleIds($new_parent, false);
1277
1283 $tree->useCache(false);
1284
1285 $for_addition = $for_deletion = [];
1286 foreach ($new_context_roles as $new_role_id => $new_role) {
1287 if (!isset($old_context_roles[$new_role_id])) {
1288 $for_addition[] = $new_role_id;
1289 } elseif ($new_role['parent'] != $old_context_roles[$new_role_id]['parent']) {
1290 // handle stopped inheritance
1291 $for_deletion[] = $new_role_id;
1292 $for_addition[] = $new_role_id;
1293 }
1294 }
1295 foreach ($old_context_roles as $old_role_id => $old_role) {
1296 if (!isset($new_context_roles[$old_role_id])) {
1297 $for_deletion[] = $old_role_id;
1298 }
1299 }
1300
1301 if (!count($for_deletion) && !count($for_addition)) {
1302 $this->applyMovedObjectDidacticTemplates($ref_id, $old_parent);
1303 return true;
1304 }
1305
1306 $rbac_log_active = ilRbacLog::isActive();
1307 if ($rbac_log_active) {
1308 $role_ids = array_unique(array_merge(array_keys($for_deletion), array_keys($for_addition)));
1309 }
1310
1311 foreach ($tree->getSubTree($tree->getNodeData($ref_id), true) as $node_data) {
1312 $node_id = $node_data['child'];
1313
1314 if ($rbac_log_active) {
1315 $log_old = ilRbacLog::gatherFaPa($node_id, $role_ids);
1316 }
1317
1318 // If $node_data['type'] is not set, this means there is a tree entry without
1319 // object_reference and/or object_data entry
1320 // Continue in this case
1321 if (!$node_data['type']) {
1322 $ilLog->write(__METHOD__ . ': No type give. Choosing next tree entry.');
1323 continue;
1324 }
1325
1326 if (!$node_id) {
1327 $ilLog->write(__METHOD__ . ': Missing subtree node_id');
1328 continue;
1329 }
1330
1331 foreach ($for_deletion as $role_id) {
1332 $this->deleteLocalRole($role_id, $node_id);
1333 $this->revokePermission($node_id, $role_id, false);
1334 }
1335 foreach ($for_addition as $role_id) {
1336 $role_parent_id = $rbacreview->getParentOfRole($role_id, $ref_id);
1337 switch ($node_data['type']) {
1338 case 'grp':
1339 $tpl_id = ilObjGroup::lookupGroupStatusTemplateId($node_data['obj_id']);
1341 $node_data['child'],
1342 $role_id,
1343 $role_parent_id,
1344 $tpl_id,
1346 );
1347 break;
1348
1349 case 'crs':
1352 $node_data['child'],
1353 $role_id,
1354 $role_parent_id,
1355 $tpl_id,
1357 );
1358 break;
1359
1360 default:
1361 $this->grantPermission(
1362 $role_id,
1363 $rbacreview->getOperationsOfRole($role_id, $node_data['type'], $role_parent_id),
1364 $node_id
1365 );
1366 break;
1367
1368 }
1369 }
1370
1371 if ($rbac_log_active) {
1372 $log_new = ilRbacLog::gatherFaPa($node_id, $role_ids);
1373 $log = ilRbacLog::diffFaPa($log_old, $log_new);
1375 }
1376 }
1377
1381 $tree->useCache();
1382
1383 $this->applyMovedObjectDidacticTemplates($ref_id, $old_parent);
1384 }
1385} // END class.ilRbacAdmin
if(!defined('PATH_SEPARATOR')) $GLOBALS['_PEAR_default_error_mode']
Definition: PEAR.php:64
const PEAR_ERROR_CALLBACK
Definition: PEAR.php:35
An exception for terminatinating execution or to throw for unit testing.
static getActionsByTemplateId($a_tpl_id)
Get actions of one template.
represents a creation of local roles action
static lookupTemplateId($a_ref_id)
Lookup template id @global ilDB $ilDB.
static _getInstance()
Get singleton instance of this class.
static getLogger($a_component_id)
Get component logger.
static lookupCourseNonMemberTemplatesId()
Lookup course non member id.
static lookupGroupStatusTemplateId($a_obj_id)
@global $ilDB $ilDB
Class ilObjRole.
static _lookupObjId($a_id)
static _lookupType($a_id, $a_reference=false)
lookup object type
Class ilRbacAdmin Core functions for role based access control.
setProtected($a_ref_id, $a_role_id, $a_value)
Set protected @global $ilDB.
revokePermission($a_ref_id, $a_rol_id=0, $a_keep_protected=true)
Revokes permissions of an object of one role.
deleteRole($a_rol_id, $a_ref_id)
Deletes a role and deletes entries in object_data, rbac_pa, rbac_templates, rbac_ua,...
deleteSubtreeTemplates($a_ref_id, $a_rol_id)
Delete all template permissions of subtree nodes.
__construct()
Constructor @access public.
adjustMovedObjectPermissions($ref_id, $old_parent)
Adjust permissions of moved objects.
copyRolePermissions($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected=true)
Copies template permissions and permission of one role to another.
deassignOperationFromObject($a_type_id, $a_ops_id)
Deassign an existing operation from an object Update of rbac_ta @access public.
assignUser($a_rol_id, $a_usr_id)
Assigns an user to a role.
assignRoleToFolder($a_rol_id, $a_parent, $a_assign="y")
Assigns a role to an role folder A role folder is an object to store roles.
removeUser($a_usr_id)
deletes a user from rbac_ua all user <-> role relations are deleted @access public
deleteLocalRole($a_rol_id, $a_ref_id=0)
Deletes a local role and entries in rbac_fa and rbac_templates @access public.
copyLocalRoles($a_source_id, $a_target_id)
Copy local roles This method creates a copy of all local role.
revokePermissionList($a_ref_ids, $a_rol_id)
Revokes permissions of a LIST of objects of ONE role.
assignUserLimited($a_role_id, $a_usr_id, $a_limit, $a_limited_roles=[])
Assign user limited.
setRolePermission($a_rol_id, $a_type, $a_ops, $a_ref_id)
Inserts template permissions in rbac_templates for an specific object type.
initIntersectionPermissions($a_ref_id, $a_role_id, $a_role_parent, $a_template_id, $a_template_parent)
Init intersection permissions.
copyRoleTemplatePermissions($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected=true)
Copies template permissions of one role to another.
applyMovedObjectDidacticTemplates($a_ref_id, $a_old_parent)
Apply didactic templates after object movement.
copyRolePermissionUnion( $a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_id, $a_dest_parent)
@global <type> $ilDB
deassignUser($a_rol_id, $a_usr_id)
Deassigns a user from a role.
setBlockedStatus($a_role_id, $a_ref_id, $a_blocked_status)
Set blocked status.
revokeSubtreePermissions($a_ref_id, $a_role_id)
Revoke subtree permissions.
copyRolePermissionIntersection($a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_parent, $a_dest_id)
Copies the intersection of the template permissions of two roles to a third role.
assignOperationToObject($a_type_id, $a_ops_id)
Assign an existing operation to an object Update of rbac_ta.
deleteTemplate($a_obj_id)
Deletes a template from role folder and deletes all entries in rbac_templates, rbac_fa @access public...
grantPermission($a_rol_id, $a_ops, $a_ref_id)
Grants a permission to an object and a specific role.
deleteRolePermission($a_rol_id, $a_ref_id, $a_type=false)
Deletes all entries of a template.
copyRolePermissionSubtract($a_source_id, $a_source_parent, $a_dest_id, $a_dest_parent)
Subtract role permissions.
const MOVE_OBJECT
static diffFaPa(array $a_old, array $a_new)
static add($a_action, $a_ref_id, array $a_diff, $a_source_ref_id=false)
static gatherFaPa($a_ref_id, array $a_role_ids, $a_add_action=false)
static isActive()
if(!file_exists(getcwd() . '/ilias.ini.php'))
registration confirmation script for ilias
Definition: confirmReg.php:12
const SYSTEM_ROLE_ID
Definition: constants.php:27
const ROLE_FOLDER_ID
Definition: constants.php:32
global $DIC
Definition: goto.php:24
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
$ret
Definition: parser.php:6
$query
$type
$ilErr
Definition: raiseError.php:18
$log
Definition: result.php:15
$lng
foreach($_POST as $key=> $value) $res
global $ilDB
$message
Definition: xapiexit.php:14