ILIAS  release_7 Revision v7.30-3-g800a261c036
ilRbacAdmin Class Reference

Class ilRbacAdmin: core functions for role-based access control.

Public Member Functions

 __construct()
 Constructor.

 setBlockedStatus($a_role_id, $a_ref_id, $a_blocked_status)
 Sets the blocked status.

 removeUser($a_usr_id)
 Deletes a user from rbac_ua; all user <-> role relations of that user are deleted.

 deleteRole($a_rol_id, $a_ref_id)
 Deletes a role and its entries in object_data, rbac_pa, rbac_templates, rbac_ua and rbac_fa.

 deleteTemplate($a_obj_id)
 Deletes a template from the role folder and all its entries in rbac_templates and rbac_fa.

 deleteLocalRole($a_rol_id, $a_ref_id=0)
 Deletes a local role and its entries in rbac_fa and rbac_templates.

 assignUserLimited($a_role_id, $a_usr_id, $a_limit, $a_limited_roles=[])
 Assigns a user to a role, subject to an assignment limit.

 assignUser($a_rol_id, $a_usr_id)
 Assigns a user to a role.

 deassignUser($a_rol_id, $a_usr_id)
 Deassigns a user from a role.

 grantPermission($a_rol_id, $a_ops, $a_ref_id)
 Grants permissions on an object to a specific role.

 revokePermission($a_ref_id, $a_rol_id=0, $a_keep_protected=true)
 Revokes the permissions of one role on an object.

 revokeSubtreePermissions($a_ref_id, $a_role_id)
 Revokes subtree permissions.

 deleteSubtreeTemplates($a_ref_id, $a_rol_id)
 Deletes all template permissions of subtree nodes.

 revokePermissionList($a_ref_ids, $a_rol_id)
 Revokes the permissions of ONE role on a LIST of objects.

 copyRolePermissions($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected=true)
 Copies the template permissions and the permissions of one role to another.

 copyRoleTemplatePermissions($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected=true)
 Copies the template permissions of one role to another.

 copyRolePermissionIntersection($a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_parent, $a_dest_id)
 Copies the intersection of the template permissions of two roles to a third role.

 copyRolePermissionUnion($a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_id, $a_dest_parent)
 Copies the union of the template permissions of two roles to a third role.

 copyRolePermissionSubtract($a_source_id, $a_source_parent, $a_dest_id, $a_dest_parent)
 Subtracts role permissions.

 deleteRolePermission($a_rol_id, $a_ref_id, $a_type=false)
 Deletes all entries of a template.

 setRolePermission($a_rol_id, $a_type, $a_ops, $a_ref_id)
 Inserts template permissions in rbac_templates for a specific object type.

 assignRoleToFolder($a_rol_id, $a_parent, $a_assign="y")
 Assigns a role to a role folder. A role folder is an object that stores roles.

 assignOperationToObject($a_type_id, $a_ops_id)
 Assigns an existing operation to an object type (update of rbac_ta).

 deassignOperationFromObject($a_type_id, $a_ops_id)
 Deassigns an existing operation from an object type (update of rbac_ta).

 setProtected($a_ref_id, $a_role_id, $a_value)
 Sets the protected status.

 copyLocalRoles($a_source_id, $a_target_id)
 Copies local roles: creates a copy of all local roles.

 initIntersectionPermissions($a_ref_id, $a_role_id, $a_role_parent, $a_template_id, $a_template_parent)
 Initialises intersection permissions.

 adjustMovedObjectPermissions($ref_id, $old_parent)
 Adjusts the permissions of moved objects.


Protected Member Functions

 applyMovedObjectDidacticTemplates($a_ref_id, $a_old_parent)
 Applies didactic templates after an object has been moved.
 

Detailed Description

Class ilRbacAdmin: core functions for role-based access control.

Creation and maintenance of relations. The main relations of RBAC are the user <-> role (UR) assignment relation and the permission <-> role (PR) assignment relation. This class contains methods to create and delete instances of the UR relation, e.g. assignUser() and deassignUser(). The corresponding methods for the PR relation are grantPermission() and revokePermission().

Author
Stefan Meyer <meyer@leifos.com>
Version
$Id$

Definition at line 18 of file class.ilRbacAdmin.php.

Constructor & Destructor Documentation

◆ __construct()

ilRbacAdmin::__construct()

Constructor (public).

Definition at line 24 of file class.ilRbacAdmin.php.

    public function __construct()
    {
        global $DIC;

        $ilDB = $DIC['ilDB'];
        $ilErr = $DIC['ilErr'];
        $ilias = $DIC['ilias'];

        // set db handler: prefer the DIC database, fall back to the ilias object's db
        $this->ilDB = isset($ilDB) ? $ilDB : $ilias->db;

        // set error handler; PEAR_ERROR_CALLBACK routes PEAR errors to ilErrorHandling::errorHandler()
        if (!isset($ilErr)) {
            $ilErr = new ilErrorHandling();
            $ilErr->setErrorHandling(PEAR_ERROR_CALLBACK, array($ilErr, 'errorHandler'));
        }
        // the listed source stored $ilErr only in the else branch, leaving $this->ilErr
        // unset when a new handler had just been created; store it in both cases
        $this->ilErr = $ilErr;
    }

References $DIC, $ilDB, $ilErr, and PEAR_ERROR_CALLBACK.

Member Function Documentation

◆ adjustMovedObjectPermissions()

ilRbacAdmin::adjustMovedObjectPermissions($ref_id, $old_parent)

Adjusts the permissions of a moved object:

  • deletes the permissions of parent roles that do not exist in the new context,
  • deletes the role templates of parent roles that do not exist in the new context,
  • adds permissions for parent roles that did not exist in the old context.

Public.

Parameters
int  ref_id of the moved object
int  ref_id of the old parent

2023-08-15 sk: We need to switch off the cache here, as otherwise there seems to be no way to get an adequate reading of the new path. We switch it back on again at the end of this function.

We switch the cache back on again. See above.

Definition at line 1266 of file class.ilRbacAdmin.php.

    public function adjustMovedObjectPermissions($ref_id, $old_parent)
    {
        global $DIC;

        $rbacreview = $DIC['rbacreview'];
        $tree = $DIC['tree'];
        $ilLog = $DIC['ilLog'];

        $new_parent = $tree->getParentId($ref_id);
        $old_context_roles = $rbacreview->getParentRoleIds($old_parent, false);
        $new_context_roles = $rbacreview->getParentRoleIds($new_parent, false);

        // 2023-08-15 sk: tree cache switched off here, see the note above
        $tree->useCache(false);

        // Roles only present in the new context are added, roles only present in the
        // old context are deleted. A role present in both but defined in a different
        // parent (stopped inheritance) is deleted and re-added from its new parent.
        $for_addition = $for_deletion = [];
        foreach ($new_context_roles as $new_role_id => $new_role) {
            if (!isset($old_context_roles[$new_role_id])) {
                $for_addition[] = $new_role_id;
            } elseif ($new_role['parent'] != $old_context_roles[$new_role_id]['parent']) {
                // handle stopped inheritance
                $for_deletion[] = $new_role_id;
                $for_addition[] = $new_role_id;
            }
        }
        foreach ($old_context_roles as $old_role_id => $old_role) {
            if (!isset($new_context_roles[$old_role_id])) {
                $for_deletion[] = $old_role_id;
            }
        }

        if (!count($for_deletion) && !count($for_addition)) {
            $this->applyMovedObjectDidacticTemplates($ref_id, $old_parent);
            return true;
        }

        $rbac_log_active = ilRbacLog::isActive();
        if ($rbac_log_active) {
            // $for_deletion and $for_addition are lists of role ids. The listed source
            // merged array_keys() of them, i.e. the list positions 0..n, so the log diff
            // was gathered for the wrong roles; merge the values instead.
            $role_ids = array_unique(array_merge($for_deletion, $for_addition));
        }

        foreach ($tree->getSubTree($tree->getNodeData($ref_id), true) as $node_data) {
            $node_id = $node_data['child'];

            if ($rbac_log_active) {
                $log_old = ilRbacLog::gatherFaPa($node_id, $role_ids);
            }

            // If $node_data['type'] is not set, there is a tree entry without an
            // object_reference and/or object_data entry; skip it.
            if (!$node_data['type']) {
                $ilLog->write(__METHOD__ . ': No type given. Choosing next tree entry.');
                continue;
            }

            if (!$node_id) {
                $ilLog->write(__METHOD__ . ': Missing subtree node_id');
                continue;
            }

            // Roles that left the context lose their local templates and their permissions
            // on this node; $a_keep_protected = false, so protected roles are revoked too.
            foreach ($for_deletion as $role_id) {
                $this->deleteLocalRole($role_id, $node_id);
                $this->revokePermission($node_id, $role_id, false);
            }
            foreach ($for_addition as $role_id) {
                $role_parent_id = $rbacreview->getParentOfRole($role_id, $ref_id);
                switch ($node_data['type']) {
                    case 'grp':
                        // groups and courses get the intersection of the role's permissions
                        // with the object's status template (calls reconstructed from the
                        // References list below)
                        $tpl_id = ilObjGroup::lookupGroupStatusTemplateId($node_data['obj_id']);
                        $this->initIntersectionPermissions(
                            $node_data['child'],
                            $role_id,
                            $role_parent_id,
                            $tpl_id,
                            ROLE_FOLDER_ID
                        );
                        break;

                    case 'crs':
                        $tpl_id = ilObjCourse::lookupCourseNonMemberTemplatesId();
                        $this->initIntersectionPermissions(
                            $node_data['child'],
                            $role_id,
                            $role_parent_id,
                            $tpl_id,
                            ROLE_FOLDER_ID
                        );
                        break;

                    default:
                        // every other object type: grant what the role holds for this
                        // type in its new parent context
                        $this->grantPermission(
                            $role_id,
                            $rbacreview->getOperationsOfRole($role_id, $node_data['type'], $role_parent_id),
                            $node_id
                        );
                        break;
                }
            }

            if ($rbac_log_active) {
                $log_new = ilRbacLog::gatherFaPa($node_id, $role_ids);
                $log = ilRbacLog::diffFaPa($log_old, $log_new);
                // call reconstructed from the References list (ilRbacLog::add(), MOVE_OBJECT)
                ilRbacLog::add(ilRbacLog::MOVE_OBJECT, $node_id, $log, $old_parent);
            }
        }

        // tree cache switched back on, see the note above
        $tree->useCache();

        $this->applyMovedObjectDidacticTemplates($ref_id, $old_parent);
    }

References $DIC, $log, ilRbacLog\add(), applyMovedObjectDidacticTemplates(), deleteLocalRole(), ilRbacLog\diffFaPa(), ilRbacLog\gatherFaPa(), grantPermission(), initIntersectionPermissions(), ilRbacLog\isActive(), ilObjCourse\lookupCourseNonMemberTemplatesId(), ilObjGroup\lookupGroupStatusTemplateId(), ilRbacLog\MOVE_OBJECT, revokePermission(), and ROLE_FOLDER_ID.
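The context diff above is the part of adjustMovedObjectPermissions() that decides which roles keep, lose or gain rights on a moved subtree, so here is an added Python model of it (this is not ILIAS code). Role contexts are dicts in the getParentRoleIds() shape, rbac_pa is modelled as {(ref_id, role_id): set of operations} and rbac_templates as {(role_id, parent): {type: set of operations}}; the grp/crs branch (initIntersectionPermissions with a status template) is simplified to a plain grant from the role's template, and all ids and operation names in demo() are constructed.

```python
"""Added model of ilRbacAdmin::adjustMovedObjectPermissions() (not ILIAS code).

Constructed data only: ref_ids, role ids and operation names are invented.
"""


def diff_role_contexts(old_roles, new_roles):
    """Return (for_deletion, for_addition), mirroring the two PHP loops.

    old_roles / new_roles: {role_id: {'parent': ref_id}} as returned by
    rbacreview->getParentRoleIds() for the old and the new parent node.
    A role present in both contexts with a different 'parent' has stopped
    inheritance somewhere on the new path, so it is deleted and re-added.
    """
    for_deletion, for_addition = [], []
    for role_id, role in new_roles.items():
        if role_id not in old_roles:
            for_addition.append(role_id)
        elif role['parent'] != old_roles[role_id]['parent']:
            for_deletion.append(role_id)   # handle stopped inheritance
            for_addition.append(role_id)
    for role_id in old_roles:
        if role_id not in new_roles:
            for_deletion.append(role_id)
    return for_deletion, for_addition


def adjust_moved_object_permissions(rbac_pa, templates, subtree, old_roles, new_roles):
    """Apply the diff to every node of the moved subtree; returns the log diff.

    rbac_pa:   {(ref_id, role_id): set(ops)}          -- permission <-> role relation
    templates: {(role_id, parent): {type: set(ops)}}  -- rbac_templates
    subtree:   [(ref_id, obj_type), ...]               -- tree->getSubTree()
    The log entry per (node, role) is (ops removed, ops added), the information
    ilRbacLog::diffFaPa() records under MOVE_OBJECT.
    """
    for_deletion, for_addition = diff_role_contexts(old_roles, new_roles)
    log = {}
    if not for_deletion and not for_addition:
        return log
    for ref_id, obj_type in subtree:
        if not obj_type or not ref_id:
            continue  # tree entry without object data: skipped, as in the PHP
        # deleteLocalRole() + revokePermission(..., keep_protected=false):
        # the role loses everything on this node, protected or not
        for role_id in for_deletion:
            removed = rbac_pa.pop((ref_id, role_id), set())
            log[(ref_id, role_id)] = (frozenset(removed), frozenset())
        # grantPermission() with the operations the role holds for this
        # object type in its (new) parent context
        for role_id in for_addition:
            parent = new_roles[role_id]['parent']
            ops = set(templates.get((role_id, parent), {}).get(obj_type, set()))
            before = rbac_pa.get((ref_id, role_id), set())
            rbac_pa[(ref_id, role_id)] = ops
            removed, added = log.get((ref_id, role_id), (frozenset(), frozenset()))
            log[(ref_id, role_id)] = (removed | frozenset(before - ops),
                                      added | frozenset(ops - before))
    return log


def demo():
    """Constructed scenario: course 10 (with folder 11) moves from category 2 to 3."""
    old_roles = {1: {'parent': 8}, 20: {'parent': 2}}   # global admin, local tutor of cat 2
    new_roles = {1: {'parent': 8}, 30: {'parent': 3}}   # global admin, local tutor of cat 3
    templates = {
        (1, 8): {'crs': {'read', 'write', 'delete'}, 'fold': {'read', 'write', 'delete'}},
        (20, 2): {'crs': {'read', 'write'}, 'fold': {'read'}},
        (30, 3): {'crs': {'read'}, 'fold': {'read', 'write'}},
    }
    rbac_pa = {
        (10, 1): {'read', 'write', 'delete'},
        (10, 20): {'read', 'write'},   # would be stale after the move if not revoked
        (11, 20): {'read'},
    }
    subtree = [(10, 'crs'), (11, 'fold')]
    log = adjust_moved_object_permissions(rbac_pa, templates, subtree, old_roles, new_roles)
    return rbac_pa, log
```

After demo() the local tutor of the old category holds nothing on the moved subtree any more, the new category's tutor holds exactly its template operations, and the global role is untouched.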

◆ applyMovedObjectDidacticTemplates()

ilRbacAdmin::applyMovedObjectDidacticTemplates($a_ref_id, $a_old_parent)
protected

Applies didactic templates after an object has been moved.

Parameters
int  $a_ref_id
int  $a_old_parent
Deprecated:
since version 5.1.0; will be removed with 5.4 and implemented using an event handler

Definition at line 1236 of file class.ilRbacAdmin.php.

    protected function applyMovedObjectDidacticTemplates($a_ref_id, $a_old_parent)
    {
        include_once './Services/DidacticTemplate/classes/class.ilDidacticTemplateObjSettings.php';
        // look up the template assigned to the moved object
        // (call reconstructed from the References list below)
        $tpl_id = ilDidacticTemplateObjSettings::lookupTemplateId($a_ref_id);
        if (!$tpl_id) {
            return;
        }
        include_once './Services/DidacticTemplate/classes/class.ilDidacticTemplateActionFactory.php';
        foreach (ilDidacticTemplateActionFactory::getActionsByTemplateId($tpl_id) as $action) {
            // local role actions are skipped; all other template actions are re-applied
            if ($action instanceof ilDidacticTemplateLocalRoleAction) {
                continue;
            }
            $action->setRefId($a_ref_id);
            $action->apply();
        }
        return;
    }

References ilDidacticTemplateActionFactory\getActionsByTemplateId(), and ilDidacticTemplateObjSettings\lookupTemplateId().

Referenced by adjustMovedObjectPermissions().

◆ assignOperationToObject()

ilRbacAdmin::assignOperationToObject($a_type_id, $a_ops_id)

Assigns an existing operation to an object type (update of rbac_ta).

Public.

Parameters
integer  object type
integer  operation_id
Returns
boolean

Definition at line 1037 of file class.ilRbacAdmin.php.

    public function assignOperationToObject($a_type_id, $a_ops_id)
    {
        global $DIC;

        $ilDB = $DIC['ilDB'];

        if (!isset($a_type_id) || !isset($a_ops_id)) {
            $message = get_class($this) . "::assignOperationToObject(): Missing parameter!" .
                " type_id: " . $a_type_id .
                " ops_id: " . $a_ops_id;
            $this->ilErr->raiseError($message, $this->ilErr->WARNING);
        }

        // both values are bound through $ilDB->quote(), never interpolated raw
        $query = "INSERT INTO rbac_ta (typ_id, ops_id) " .
            "VALUES(" . $ilDB->quote($a_type_id, 'integer') . "," . $ilDB->quote($a_ops_id, 'integer') . ")";
        $res = $ilDB->manipulate($query);
        return true;
    }

References $DIC, $ilDB, $message, $query, and $res.

◆ assignRoleToFolder()

ilRbacAdmin::assignRoleToFolder($a_rol_id, $a_parent, $a_assign = "y")

Assigns a role to a role folder. A role folder is an object that stores roles.

Every role is assigned to at least one role folder. If the inheritance of a role is stopped, a new role template is created and the role is assigned to at least two role folders. All roles with stopped inheritance need the flag '$a_assign = false'.

Public.

Parameters
integer  object id of role
integer  ref_id of role folder
string   assignable ('y','n'); default: 'y'
Returns
boolean

Definition at line 983 of file class.ilRbacAdmin.php.

    public function assignRoleToFolder($a_rol_id, $a_parent, $a_assign = "y")
    {
        global $DIC;
        $ilDB = $DIC['ilDB'];

        if (!isset($a_rol_id) || !isset($a_parent)) {
            $message = get_class($this) . "::assignRoleToFolder(): Missing Parameter!" .
                " role_id: " . $a_rol_id .
                " parent_id: " . $a_parent .
                " assign: " . $a_assign;
            $this->ilErr->raiseError($message, $this->ilErr->WARNING);
        }

        // exclude system role from rbac
        if ($a_rol_id == SYSTEM_ROLE_ID) {
            return true;
        }

        // if a wrong value is passed, always set assign to "n"
        if ($a_assign != "y") {
            $a_assign = "n";
        }

        // check if already assigned
        $query = 'SELECT rol_id FROM rbac_fa ' .
            'WHERE rol_id = ' . $ilDB->quote($a_rol_id, 'integer') . ' ' .
            'AND parent = ' . $ilDB->quote($a_parent, 'integer');
        $res = $ilDB->query($query);
        if ($res->numRows()) {
            ilLoggerFactory::getLogger('ac')->info('Role already assigned to object');
            return false;
        }

        // a new assignment is never protected ('n'); setProtected() changes that later
        $query = sprintf(
            'INSERT INTO rbac_fa (rol_id, parent, assign, protected) ' .
            'VALUES (%s,%s,%s,%s)',
            $ilDB->quote($a_rol_id, 'integer'),
            $ilDB->quote($a_parent, 'integer'),
            $ilDB->quote($a_assign, 'text'),
            $ilDB->quote('n', 'text')
        );
        $res = $ilDB->manipulate($query);

        return true;
    }

References $DIC, $ilDB, $message, $query, $res, ilLoggerFactory\getLogger(), and SYSTEM_ROLE_ID.

Referenced by copyLocalRoles(), and initIntersectionPermissions().

◆ assignUser()

ilRbacAdmin::assignUser($a_rol_id, $a_usr_id)

Assigns a user to a role.

Update of table rbac_ua.

Parameters
int  $a_rol_id  Object-ID of role
int  $a_usr_id  Object-ID of user
Returns
boolean

Definition at line 264 of file class.ilRbacAdmin.php.

    public function assignUser($a_rol_id, $a_usr_id)
    {
        global $DIC;

        $ilDB = $DIC['ilDB'];
        $rbacreview = $DIC['rbacreview'];

        if (!isset($a_rol_id) || !isset($a_usr_id)) {
            // the message is built but the raiseError() call is commented out in the
            // listed source, so a missing parameter does not stop the assignment
            $message = get_class($this) . "::assignUser(): Missing parameter! role_id: " . $a_rol_id . " usr_id: " . $a_usr_id;
            #$this->ilErr->raiseError($message,$this->ilErr->WARNING);
        }

        // check if already assigned user id and role_id
        $alreadyAssigned = $rbacreview->isAssigned($a_usr_id, $a_rol_id);

        // enhanced: only if we haven't had this role for this user
        if (!$alreadyAssigned) {
            $query = "INSERT INTO rbac_ua (usr_id, rol_id) " .
                "VALUES (" . $ilDB->quote($a_usr_id, 'integer') . "," . $ilDB->quote($a_rol_id, 'integer') . ")";
            $res = $ilDB->manipulate($query);

            $rbacreview->setAssignedCacheEntry($a_rol_id, $a_usr_id, true);
        }

        // mirror the assignment to the mapped LDAP group, if any
        // (instance call reconstructed from the References list below)
        include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
        $mapping = ilLDAPRoleGroupMapping::_getInstance();
        $mapping->assign($a_rol_id, $a_usr_id);

        $ref_id = $GLOBALS['DIC']['rbacreview']->getObjectReferenceOfRole($a_rol_id);
        $obj_id = ilObject::_lookupObjId($ref_id);
        $type = ilObject::_lookupType($obj_id);

        if (!$alreadyAssigned) {
            ilLoggerFactory::getInstance()->getLogger('ac')->debug('Raise event assign user');
            $GLOBALS['DIC']['ilAppEventHandler']->raise(
                'Services/AccessControl',
                'assignUser',
                array(
                    'obj_id' => $obj_id,
                    'usr_id' => $a_usr_id,
                    'role_id' => $a_rol_id,
                    'type' => $type
                )
            );
        }
        return true;
    }

References $DIC, $GLOBALS, $ilDB, $message, $query, $res, $type, ilLDAPRoleGroupMapping\_getInstance(), ilObject\_lookupObjId(), ilObject\_lookupType(), and ilLoggerFactory\getInstance().

◆ assignUserLimited()

ilRbacAdmin::assignUserLimited($a_role_id, $a_usr_id, $a_limit, $a_limited_roles = [])

Assigns a user to a role, subject to an assignment limit: the row is only inserted while the number of rbac_ua entries for the roles in $a_limited_roles is below $a_limit.

Parameters
type  $a_role_id
type  $a_usr_id
type  $a_limit

Definition at line 212 of file class.ilRbacAdmin.php.

    public function assignUserLimited($a_role_id, $a_usr_id, $a_limit, $a_limited_roles = [])
    {
        global $DIC;

        $ilDB = $DIC['ilDB'];
        $ret = false;

        // Count and insert run inside one atomic query with rbac_ua locked, so two
        // concurrent calls cannot both pass the limit check and overshoot $a_limit.
        $ilAtomQuery = $ilDB->buildAtomQuery();
        $ilAtomQuery->addTableLock('rbac_ua');

        $ilAtomQuery->addQueryCallable(
            function (ilDBInterface $ilDB) use (&$ret, $a_role_id, $a_usr_id, $a_limit, $a_limited_roles) {
                $ret = true;
                $limit_query = 'SELECT COUNT(*) num FROM rbac_ua ' .
                    'WHERE ' . $ilDB->in('rol_id', (array) $a_limited_roles, false, 'integer');
                $res = $ilDB->query($limit_query);
                $row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT);
                if ($row->num >= $a_limit) {
                    $ret = false;
                    return;
                }

                $query = "INSERT INTO rbac_ua (usr_id, rol_id) " .
                    "VALUES (" .
                    $ilDB->quote($a_usr_id, 'integer') . "," . $ilDB->quote($a_role_id, 'integer') .
                    ")";
                $res = $ilDB->manipulate($query);
            }
        );

        $ilAtomQuery->run();

        if (!$ret) {
            return false;
        }

        $GLOBALS['DIC']['rbacreview']->setAssignedCacheEntry($a_role_id, $a_usr_id, true);

        // mirror the assignment to the mapped LDAP group, if any
        // (instance call reconstructed from the References list below)
        include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
        $mapping = ilLDAPRoleGroupMapping::_getInstance();
        $mapping->assign($a_role_id, $a_usr_id);
        return true;
    }

References $DIC, $GLOBALS, $ilDB, $query, $res, $ret, ilLDAPRoleGroupMapping\_getInstance(), and ilDBConstants\FETCHMODE_OBJECT.

◆ copyLocalRoles()

ilRbacAdmin::copyLocalRoles($a_source_id, $a_target_id)

Copies local roles: this method creates a copy of all local roles.

Note: auto-generated roles are excluded.

Public.

Parameters
int  source id of object (not role folder)
int  target id of object

Definition at line 1118 of file class.ilRbacAdmin.php.

    public function copyLocalRoles($a_source_id, $a_target_id)
    {
        global $DIC;

        $rbacreview = $DIC['rbacreview'];
        $ilLog = $DIC['ilLog'];
        $ilObjDataCache = $DIC['ilObjDataCache'];

        // collect the real local roles; auto-generated roles carry the 'il_' title prefix
        $real_local = [];
        foreach ($rbacreview->getRolesOfRoleFolder($a_source_id, false) as $role_data) {
            $title = $ilObjDataCache->lookupTitle($role_data);
            if (substr($title, 0, 3) == 'il_') {
                continue;
            }
            $real_local[] = $role_data;
        }
        if (!count($real_local)) {
            return true;
        }
        // Create role folder
        foreach ($real_local as $role) {
            include_once("./Services/AccessControl/classes/class.ilObjRole.php");
            $orig = new ilObjRole($role);
            $orig->read();

            $ilLog->write(__METHOD__ . ': Start copying of role ' . $orig->getTitle());
            $roleObj = new ilObjRole();
            $roleObj->setTitle($orig->getTitle());
            $roleObj->setDescription($orig->getDescription());
            $roleObj->setImportId($orig->getImportId());
            $roleObj->create();

            // assign the copy to the target, then copy templates, permissions and protection status
            $this->assignRoleToFolder($roleObj->getId(), $a_target_id, "y");
            $this->copyRolePermissions($role, $a_source_id, $a_target_id, $roleObj->getId(), true);
            $ilLog->write(__METHOD__ . ': Added new local role, id ' . $roleObj->getId());
        }
    }

References $DIC, assignRoleToFolder(), and copyRolePermissions().

◆ copyRolePermissionIntersection()

ilRbacAdmin::copyRolePermissionIntersection($a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_parent, $a_dest_id)

Copies the intersection of the template permissions of two roles to a third role.

Public.

Parameters
integer  $a_source1_id      role_id source
integer  $a_source1_parent  parent_id source
integer  $a_source2_id      role_id source
integer  $a_source2_parent  parent_id source
integer  $a_dest_id         role_id destination
integer  $a_dest_parent     parent_id destination
Returns
boolean

Definition at line 706 of file class.ilRbacAdmin.php.

    public function copyRolePermissionIntersection(
        $a_source1_id,
        $a_source1_parent,
        $a_source2_id,
        $a_source2_parent,
        $a_dest_parent,
        $a_dest_id
    ) {
        global $DIC;

        $rbacreview = $DIC['rbacreview'];
        $ilDB = $DIC['ilDB'];

        if (!isset($a_source1_id) || !isset($a_source1_parent)
            || !isset($a_source2_id) || !isset($a_source2_parent)
            || !isset($a_dest_id) || !isset($a_dest_parent)) {
            $message = get_class($this) . "::copyRolePermissionIntersection(): Missing parameter! source1_id: " . $a_source1_id .
                " source1_parent: " . $a_source1_parent .
                " source2_id: " . $a_source2_id .
                " source2_parent: " . $a_source2_parent .
                " dest_id: " . $a_dest_id .
                " dest_parent_id: " . $a_dest_parent;
            $this->ilErr->raiseError($message, $this->ilErr->WARNING);
        }

        // exclude system role from rbac
        if ($a_dest_id == SYSTEM_ROLE_ID) {
            ilLoggerFactory::getLogger('ac')->debug('Ignoring system role.');
            return true;
        }

        // a protected source2 role is left alone: the destination template is not touched
        if ($rbacreview->isProtected($a_source2_parent, $a_source2_id)) {
            $GLOBALS['DIC']['ilLog']->write(__METHOD__ . ': Role is protected');
            return true;
        }

        // self-join of rbac_templates: only (type, ops_id) pairs present in both sources survive
        $query = "SELECT s1.type, s1.ops_id " .
            "FROM rbac_templates s1, rbac_templates s2 " .
            "WHERE s1.rol_id = " . $ilDB->quote($a_source1_id, 'integer') . " " .
            "AND s1.parent = " . $ilDB->quote($a_source1_parent, 'integer') . " " .
            "AND s2.rol_id = " . $ilDB->quote($a_source2_id, 'integer') . " " .
            "AND s2.parent = " . $ilDB->quote($a_source2_parent, 'integer') . " " .
            "AND s1.type = s2.type " .
            "AND s1.ops_id = s2.ops_id";

        $res = $ilDB->query($query);
        $operations = [];
        $rowNum = 0;
        while ($row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
            $operations[$rowNum]['type'] = $row->type;
            $operations[$rowNum]['ops_id'] = $row->ops_id;

            $rowNum++;
        }

        // Delete template permissions of target
        $query = 'DELETE FROM rbac_templates WHERE rol_id = ' . $ilDB->quote($a_dest_id, 'integer') . ' ' .
            'AND parent = ' . $ilDB->quote($a_dest_parent, 'integer');
        $res = $ilDB->manipulate($query);

        // insert the intersection through a prepared statement
        $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) ' .
            'VALUES (?,?,?,?)';
        $sta = $ilDB->prepareManip($query, array('integer','text','integer','integer'));
        foreach ($operations as $key => $set) {
            $ilDB->execute($sta, array(
                $a_dest_id,
                $set['type'],
                $set['ops_id'],
                $a_dest_parent));
        }
        return true;
    }

References $DIC, $GLOBALS, $ilDB, $message, $query, $res, ilDBConstants\FETCHMODE_OBJECT, ilLoggerFactory\getLogger(), and SYSTEM_ROLE_ID.

Referenced by initIntersectionPermissions().

◆ copyRolePermissions()

ilRbacAdmin::copyRolePermissions($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected = true)

Copies the template permissions and the permissions of one role to another.

Public.

Parameters
integer  $a_source_id      role_id source
integer  $a_source_parent  parent_id source
integer  $a_dest_parent    parent_id destination
integer  $a_dest_id        role_id destination
Returns
boolean

Definition at line 609 of file class.ilRbacAdmin.php.

    public function copyRolePermissions($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected = true)
    {
        global $DIC;

        $tree = $DIC['tree'];
        $rbacreview = $DIC['rbacreview'];

        // Copy template permissions (rbac_templates), including the protected flag if requested
        $this->copyRoleTemplatePermissions($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected);

        // Copy the effective permissions (rbac_pa) on the parent object: revoke, then re-grant
        $ops = $rbacreview->getRoleOperationsOnObject($a_source_id, $a_source_parent);

        $this->revokePermission($a_dest_parent, $a_dest_id);
        $this->grantPermission($a_dest_id, $ops, $a_dest_parent);
        return true;
    }

References $DIC, copyRoleTemplatePermissions(), grantPermission(), and revokePermission().

Referenced by copyLocalRoles().

◆ copyRolePermissionSubtract()

ilRbacAdmin::copyRolePermissionSubtract($a_source_id, $a_source_parent, $a_dest_id, $a_dest_parent)

Subtracts role permissions: every template permission of the source role is removed from the destination role's template.

Parameters
type  $a_source_id
type  $a_source_parent
type  $a_dest_id
type  $a_dest_parent

Definition at line 849 of file class.ilRbacAdmin.php.

    public function copyRolePermissionSubtract($a_source_id, $a_source_parent, $a_dest_id, $a_dest_parent)
    {
        global $DIC;

        $rbacreview = $DIC['rbacreview'];
        $ilDB = $DIC['ilDB'];

        // operations grouped by object type: [type => [ops_id, ...]]
        $s1_ops = $rbacreview->getAllOperationsOfRole($a_source_id, $a_source_parent);
        $d_ops = $rbacreview->getAllOperationsOfRole($a_dest_id, $a_dest_parent);

        // delete from the destination template every (type, ops_id) the source also holds
        foreach ($s1_ops as $type => $ops) {
            foreach ($ops as $op) {
                if (isset($d_ops[$type]) && in_array($op, $d_ops[$type])) {
                    $query = 'DELETE FROM rbac_templates ' .
                        'WHERE rol_id = ' . $ilDB->quote($a_dest_id, 'integer') . ' ' .
                        'AND type = ' . $ilDB->quote($type, 'text') . ' ' .
                        'AND ops_id = ' . $ilDB->quote($op, 'integer') . ' ' .
                        'AND parent = ' . $ilDB->quote($a_dest_parent, 'integer');
                    $ilDB->manipulate($query);
                }
            }
        }
        return true;
    }

References $DIC, $ilDB, $query, and $type.

◆ copyRolePermissionUnion()

ilRbacAdmin::copyRolePermissionUnion($a_source1_id, $a_source1_parent, $a_source2_id, $a_source2_parent, $a_dest_id, $a_dest_parent)

Copies the union of the template permissions of two roles to a third role.

Parameters
<type>  $a_source1_id
<type>  $a_source1_parent
<type>  $a_source2_id
<type>  $a_source2_parent
<type>  $a_dest_id
<type>  $a_dest_parent
Returns
<type>

Definition at line 786 of file class.ilRbacAdmin.php.

    public function copyRolePermissionUnion(
        $a_source1_id,
        $a_source1_parent,
        $a_source2_id,
        $a_source2_parent,
        $a_dest_id,
        $a_dest_parent
    ) {
        global $DIC;

        $ilDB = $DIC['ilDB'];
        $rbacreview = $DIC['rbacreview'];

        // operations grouped by object type: [type => [ops_id, ...]]
        $s1_ops = $rbacreview->getAllOperationsOfRole($a_source1_id, $a_source1_parent);
        $s2_ops = $rbacreview->getAllOperationsOfRole($a_source2_id, $a_source2_parent);

        // start from an empty destination template
        $this->deleteRolePermission($a_dest_id, $a_dest_parent);

        $GLOBALS['DIC']['ilLog']->write(__METHOD__ . ': ' . print_r($s1_ops, true));
        $GLOBALS['DIC']['ilLog']->write(__METHOD__ . ': ' . print_r($s2_ops, true));

        foreach ($s1_ops as $type => $ops) {
            foreach ($ops as $op) {
                // insert all permission of source 1
                // #15469
                $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) ' .
                    'VALUES( ' .
                    $ilDB->quote($a_dest_id, 'integer') . ', ' .
                    $ilDB->quote($type, 'text') . ', ' .
                    $ilDB->quote($op, 'integer') . ', ' .
                    $ilDB->quote($a_dest_parent, 'integer') . ' ' .
                    ')';
                $ilDB->manipulate($query);
            }
        }

        // and the other direction: only what source 2 holds beyond source 1, so no duplicate rows
        foreach ($s2_ops as $type => $ops) {
            foreach ($ops as $op) {
                if (!isset($s1_ops[$type]) || !in_array($op, $s1_ops[$type])) {
                    $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) ' .
                        'VALUES( ' .
                        $ilDB->quote($a_dest_id, 'integer') . ', ' .
                        $ilDB->quote($type, 'text') . ', ' .
                        $ilDB->quote($op, 'integer') . ', ' .
                        $ilDB->quote($a_dest_parent, 'integer') . ' ' .
                        ')';
                    $ilDB->manipulate($query);
                }
            }
        }

        return true;
    }

References $DIC, $GLOBALS, $ilDB, $query, $type, and deleteRolePermission().

◆ copyRoleTemplatePermissions()

ilRbacAdmin::copyRoleTemplatePermissions($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected = true)

Copies the template permissions of one role to another.

It is also possible to copy template permissions from/to a RoleTemplateObject. Public.

Parameters
integer  $a_source_id      role_id source
integer  $a_source_parent  parent_id source
integer  $a_dest_parent    parent_id destination
integer  $a_dest_id        role_id destination
Returns
boolean

Definition at line 636 of file class.ilRbacAdmin.php.

    public function copyRoleTemplatePermissions($a_source_id, $a_source_parent, $a_dest_parent, $a_dest_id, $a_consider_protected = true)
    {
        global $DIC;

        $rbacreview = $DIC['rbacreview'];
        $ilDB = $DIC['ilDB'];

        if (!isset($a_source_id) || !isset($a_source_parent) || !isset($a_dest_id) || !isset($a_dest_parent)) {
            $message = __METHOD__ . ": Missing parameter! source_id: " . $a_source_id .
                " source_parent_id: " . $a_source_parent .
                " dest_id : " . $a_dest_id .
                " dest_parent_id: " . $a_dest_parent;
            $this->ilErr->raiseError($message, $this->ilErr->WARNING);
        }

        // exclude system role from rbac
        if ($a_dest_id == SYSTEM_ROLE_ID) {
            return true;
        }

        // Read operations
        $query = 'SELECT * FROM rbac_templates ' .
            'WHERE rol_id = ' . $ilDB->quote($a_source_id, 'integer') . ' ' .
            'AND parent = ' . $ilDB->quote($a_source_parent, 'integer');
        $res = $ilDB->query($query);
        $operations = [];
        $rownum = 0;
        while ($row = $ilDB->fetchObject($res)) {
            $operations[$rownum]['type'] = $row->type;
            $operations[$rownum]['ops_id'] = $row->ops_id;
            $rownum++;
        }

        // Delete target permissions: the copy replaces the destination template, it does not merge
        $query = 'DELETE FROM rbac_templates WHERE rol_id = ' . $ilDB->quote($a_dest_id, 'integer') . ' ' .
            'AND parent = ' . $ilDB->quote($a_dest_parent, 'integer');
        $res = $ilDB->manipulate($query);

        foreach ($operations as $row => $op) {
            $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) ' .
                'VALUES (' .
                $ilDB->quote($a_dest_id, 'integer') . "," .
                $ilDB->quote($op['type'], 'text') . "," .
                $ilDB->quote($op['ops_id'], 'integer') . "," .
                $ilDB->quote($a_dest_parent, 'integer') . ")";
            $ilDB->manipulate($query);
        }

        // copy also protection status if applicable
        if ($a_consider_protected == true) {
            if ($rbacreview->isProtected($a_source_parent, $a_source_id)) {
                $this->setProtected($a_dest_parent, $a_dest_id, 'y');
            }
        }

        return true;
    }

References $DIC, $ilDB, $message, $query, $res, setProtected(), and SYSTEM_ROLE_ID.

Referenced by copyRolePermissions().

◆ deassignOperationFromObject()

ilRbacAdmin::deassignOperationFromObject($a_type_id, $a_ops_id)

Deassigns an existing operation from an object type (update of rbac_ta). Public.

Parameters
integer  object type
integer  operation_id
Returns
boolean

Definition at line 1064 of file class.ilRbacAdmin.php.

    public function deassignOperationFromObject($a_type_id, $a_ops_id)
    {
        global $DIC;

        $ilDB = $DIC['ilDB'];

        if (!isset($a_type_id) || !isset($a_ops_id)) {
            // the listed source named the wrong method ("deassignPermissionFromObject") here
            $message = get_class($this) . "::deassignOperationFromObject(): Missing parameter!" .
                " type_id: " . $a_type_id .
                " ops_id: " . $a_ops_id;
            $this->ilErr->raiseError($message, $this->ilErr->WARNING);
        }

        $query = "DELETE FROM rbac_ta " .
            "WHERE typ_id = " . $ilDB->quote($a_type_id, 'integer') . " " .
            "AND ops_id = " . $ilDB->quote($a_ops_id, 'integer');
        $res = $ilDB->manipulate($query);

        return true;
    }

References $DIC, $ilDB, $message, $query, and $res.

◆ deassignUser()

ilRbacAdmin::deassignUser (   $a_rol_id,
  $a_usr_id 
)

Deassigns a user from a role.

Update of table rbac_ua

Parameters
int $a_rol_id  Object-ID of role
int $a_usr_id  Object-ID of user
Returns
boolean true on success

Definition at line 322 of file class.ilRbacAdmin.php.

    {
        global $DIC;

        $ilDB = $DIC['ilDB'];
        $rbacreview = $DIC->rbac()->review();

        if (!isset($a_rol_id) || !isset($a_usr_id)) {
            $message = get_class($this) . "::deassignUser(): Missing parameter! role_id: " . $a_rol_id . " usr_id: " . $a_usr_id;
            $this->ilErr->raiseError($message, $this->ilErr->WARNING);
        }

        $query = "DELETE FROM rbac_ua " .
            "WHERE usr_id = " . $ilDB->quote($a_usr_id, 'integer') . " " .
            "AND rol_id = " . $ilDB->quote($a_rol_id, 'integer') . " ";
        $res = $ilDB->manipulate($query);

        // keep the review cache consistent with the table
        $rbacreview->setAssignedCacheEntry($a_rol_id, $a_usr_id, false);

        // propagate the change to a mapped LDAP group, if any
        include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
        $mapping = ilLDAPRoleGroupMapping::_getInstance();
        $mapping->deassign($a_rol_id, $a_usr_id);

        // the event is raised only if a row was actually deleted
        if ($res) {
            $ref_id = $GLOBALS['DIC']['rbacreview']->getObjectReferenceOfRole($a_rol_id);
            $obj_id = ilObject::_lookupObjId($ref_id);
            $type = ilObject::_lookupType($obj_id);

            ilLoggerFactory::getInstance()->getLogger('ac')->debug('Raise event deassign user');
            $GLOBALS['DIC']['ilAppEventHandler']->raise('Services/AccessControl', 'deassignUser', array(
                'obj_id' => $obj_id,
                'usr_id' => $a_usr_id,
                'role_id' => $a_rol_id,
                'type' => $type,
            ));
        }

        return true;
    }

References $DIC, $GLOBALS, $ilDB, $message, $query, $res, $type, ilLDAPRoleGroupMapping\_getInstance(), ilObject\_lookupObjId(), ilObject\_lookupType(), and ilLoggerFactory\getInstance().

Referenced by removeUser().


◆ deleteLocalRole()

ilRbacAdmin::deleteLocalRole (   $a_rol_id,
  $a_ref_id = 0 
)

Deletes a local role and its entries in rbac_fa and rbac_templates. @access public

Parameters
integer $a_rol_id  object_id of role
integer $a_ref_id  ref_id of role folder (optional); when 0, the role's entries at every parent are deleted
Returns
boolean true on success

Definition at line 174 of file class.ilRbacAdmin.php.

    {
        global $DIC;

        $ilDB = $DIC['ilDB'];

        if (!isset($a_rol_id)) {
            $message = get_class($this) . "::deleteLocalRole(): Missing parameter! role_id: '" . $a_rol_id . "'";
            $this->ilErr->raiseError($message, $this->ilErr->WARNING);
        }

        // exclude system role from rbac
        if ($a_rol_id == SYSTEM_ROLE_ID) {
            return true;
        }

        // without a ref_id the role's rows at every parent are removed
        $clause = '';
        if ($a_ref_id != 0) {
            $clause = 'AND parent = ' . $ilDB->quote($a_ref_id, 'integer') . ' ';
        }

        $query = 'DELETE FROM rbac_fa ' .
            'WHERE rol_id = ' . $ilDB->quote($a_rol_id, 'integer') . ' ' .
            $clause;
        $res = $ilDB->manipulate($query);

        $query = 'DELETE FROM rbac_templates ' .
            'WHERE rol_id = ' . $ilDB->quote($a_rol_id, 'integer') . ' ' .
            $clause;
        $res = $ilDB->manipulate($query);
        return true;
    }

References $DIC, $ilDB, $message, $query, $res, and SYSTEM_ROLE_ID.

Referenced by adjustMovedObjectPermissions(), and deleteRole().


◆ deleteRole()

ilRbacAdmin::deleteRole (   $a_rol_id,
  $a_ref_id 
)

Deletes a role and deletes entries in object_data, rbac_pa, rbac_templates, rbac_ua, rbac_fa @access public.

Parameters
integer $a_rol_id  obj_id of role (role_id)
integer $a_ref_id  ref_id of role folder
Returns
boolean true on success

Definition at line 98 of file class.ilRbacAdmin.php.

    {
        global $DIC;

        $lng = $DIC['lng'];
        $ilDB = $DIC['ilDB'];

        if (!isset($a_rol_id) || !isset($a_ref_id)) {
            $message = get_class($this) . "::deleteRole(): Missing parameter! role_id: " . $a_rol_id . " ref_id of role folder: " . $a_ref_id;
            $this->ilErr->raiseError($message, $this->ilErr->WARNING);
        }

        // exclude system role from rbac
        if ($a_rol_id == SYSTEM_ROLE_ID) {
            $this->ilErr->raiseError($lng->txt("msg_sysrole_not_deletable"), $this->ilErr->MESSAGE);
        }

        // drop a mapped LDAP group assignment, if any
        include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMapping.php');
        $mapping = ilLDAPRoleGroupMapping::_getInstance();
        $mapping->deleteRole($a_rol_id);


        // TODO: check assigned users before deletion
        // This is done in ilObjRole. Should be better moved to this place?

        // delete user assignements
        $query = "DELETE FROM rbac_ua " .
            "WHERE rol_id = " . $ilDB->quote($a_rol_id, 'integer');
        $res = $ilDB->manipulate($query);

        // delete permission assignments
        $query = "DELETE FROM rbac_pa " .
            "WHERE rol_id = " . $ilDB->quote($a_rol_id, 'integer') . " ";
        $res = $ilDB->manipulate($query);

        // delete rbac_templates and rbac_fa; called without ref_id,
        // so the role's rows at every parent are removed
        $this->deleteLocalRole($a_rol_id);

        return true;
    }

References $DIC, $ilDB, $lng, $message, $query, $res, ilLDAPRoleGroupMapping\_getInstance(), deleteLocalRole(), and SYSTEM_ROLE_ID.


◆ deleteRolePermission()

ilRbacAdmin::deleteRolePermission (   $a_rol_id,
  $a_ref_id,
  $a_type = false 
)

Deletes all entries of a role template at a given parent.

If an object type is given as third parameter, only the entries for that object type are deleted. Update of table rbac_templates. @access public

Parameters
integer $a_rol_id  object id of role
integer $a_ref_id  ref_id of role folder
string $a_type  object type (optional)
Returns
boolean true

Definition at line 885 of file class.ilRbacAdmin.php.

    {
        global $DIC;

        $ilDB = $DIC['ilDB'];

        if (!isset($a_rol_id) || !isset($a_ref_id)) {
            $message = get_class($this) . "::deleteRolePermission(): Missing parameter! role_id: " . $a_rol_id . " ref_id: " . $a_ref_id;
            $this->ilErr->raiseError($message, $this->ilErr->WARNING);
        }

        // exclude system role from rbac
        if ($a_rol_id == SYSTEM_ROLE_ID) {
            return true;
        }

        // optional restriction to one object type
        $and_type = '';
        if ($a_type !== false) {
            $and_type = " AND type=" . $ilDB->quote($a_type, 'text') . " ";
        }

        $query = 'DELETE FROM rbac_templates ' .
            'WHERE rol_id = ' . $ilDB->quote($a_rol_id, 'integer') . ' ' .
            'AND parent = ' . $ilDB->quote($a_ref_id, 'integer') . ' ' .
            $and_type;

        $res = $ilDB->manipulate($query);

        return true;
    }

References $DIC, $ilDB, $message, $query, $res, and SYSTEM_ROLE_ID.

Referenced by copyRolePermissionUnion().


◆ deleteSubtreeTemplates()

ilRbacAdmin::deleteSubtreeTemplates (   $a_ref_id,
  $a_rol_id 
)

Delete all template permissions of subtree nodes.

Parameters
integer $a_ref_id  ref_id of the subtree root
integer $a_rol_id  object id of the role
Returns
boolean true
Definition at line 540 of file class.ilRbacAdmin.php.

    {
        global $DIC;

        $ilDB = $DIC['ilDB'];

        // template permissions of the role at every node below (and including) $a_ref_id
        $query = 'DELETE FROM rbac_templates ' .
            'WHERE parent IN ( ' .
            $GLOBALS['DIC']['tree']->getSubTreeQuery($a_ref_id, array('child')) . ' ) ' .
            'AND rol_id = ' . $ilDB->quote($a_rol_id, 'integer');

        $ilDB->manipulate($query);

        // and the role/folder assignments in the same subtree
        $query = 'DELETE FROM rbac_fa ' .
            'WHERE parent IN ( ' .
            $GLOBALS['DIC']['tree']->getSubTreeQuery($a_ref_id, array('child')) . ' ) ' .
            'AND rol_id = ' . $ilDB->quote($a_rol_id, 'integer');

        $ilDB->manipulate($query);

        return true;
    }

References $DIC, $GLOBALS, $ilDB, and $query.

◆ deleteTemplate()

ilRbacAdmin::deleteTemplate (   $a_obj_id)

Deletes a template from role folder and deletes all entries in rbac_templates, rbac_fa @access public.

Parameters
integer $a_obj_id  object_id of role template
Returns
boolean true

Definition at line 145 of file class.ilRbacAdmin.php.

    {
        global $DIC;

        $ilDB = $DIC['ilDB'];

        if (!isset($a_obj_id)) {
            $message = get_class($this) . "::deleteTemplate(): No obj_id given!";
            $this->ilErr->raiseError($message, $this->ilErr->WARNING);
        }

        $query = 'DELETE FROM rbac_templates ' .
            'WHERE rol_id = ' . $ilDB->quote($a_obj_id, 'integer');
        $res = $ilDB->manipulate($query);

        $query = 'DELETE FROM rbac_fa ' .
            'WHERE rol_id = ' . $ilDB->quote($a_obj_id, 'integer');
        $res = $ilDB->manipulate($query);

        return true;
    }

References $DIC, $ilDB, $message, $query, and $res.

◆ grantPermission()

ilRbacAdmin::grantPermission (   $a_rol_id,
  $a_ops,
  $a_ref_id 
)

Grants a set of operations on an object to a specific role.

Update of table rbac_pa. The operation ids are cast to integer, serialized into one rbac_pa.ops_id value and stored as a single row per (role, reference). Any existing row for that pair is deleted first, so the call replaces the role's permissions on the object rather than adding to them; an empty operation list therefore removes the row and returns false. @access public

Parameters
integer $a_rol_id  object id of role
array $a_ops  array of operation ids
integer $a_ref_id  reference id of the object on which the operations are granted
Returns
boolean true; false if $a_ops was empty (the existing row has already been deleted at that point)

Definition at line 370 of file class.ilRbacAdmin.php.

    {
        global $DIC;

        $ilDB = $DIC['ilDB'];

        if (!isset($a_rol_id) || !isset($a_ops) || !isset($a_ref_id)) {
            $this->ilErr->raiseError(get_class($this) . "::grantPermission(): Missing parameter! " .
                "role_id: " . $a_rol_id . " ref_id: " . $a_ref_id . " operations: ", $this->ilErr->WARNING);
        }

        if (!is_array($a_ops)) {
            $this->ilErr->raiseError(
                get_class($this) . "::grantPermission(): Wrong datatype for operations!",
                $this->ilErr->WARNING
            );
        }

        // exclude system role from rbac
        if ($a_rol_id == SYSTEM_ROLE_ID) {
            return true;
        }

        // convert all values to integer
        foreach ($a_ops as $key => $operation) {
            $a_ops[$key] = (int) $operation;
        }

        // the whole operation list is stored as one serialized array in rbac_pa.ops_id
        $ops_ids = serialize($a_ops);

        // replace semantics: drop the existing row for this role/reference first
        $query = 'DELETE FROM rbac_pa ' .
            'WHERE rol_id = %s ' .
            'AND ref_id = %s';
        $res = $ilDB->queryF(
            $query,
            array('integer','integer'),
            array($a_rol_id,$a_ref_id)
        );

        if (!count($a_ops)) {
            return false;
        }

        $query = "INSERT INTO rbac_pa (rol_id, ops_id, ref_id) " .
            "VALUES " .
            "(" . $ilDB->quote($a_rol_id, 'integer') . ", " . $ilDB->quote($ops_ids, 'text') . ", " . $ilDB->quote($a_ref_id, 'integer') . ")";
        $res = $ilDB->manipulate($query);

        return true;
    }

References $DIC, $ilDB, $query, $res, and SYSTEM_ROLE_ID.

Referenced by adjustMovedObjectPermissions(), copyRolePermissions(), and initIntersectionPermissions().

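Added example, not ILIAS code: grantPermission() writes the granted operation ids as one serialize()d array of integers into rbac_pa.ops_id. The helpers below decode such rows for an audit outside ILIAS (for instance from a database dump). The rows, role ids, ref_ids and operation ids are constructed for the example, and decodeOpsId(), permissionMap() and rolesWithOperation() are names introduced here. The decoder calls unserialize() with allowed_classes => false, so a column value that is not the integer array grantPermission() produces is rejected instead of being instantiated as an object.

```php
<?php
declare(strict_types=1);

// Added example; not part of ILIAS. grantPermission() stores the granted
// operation ids of one (rol_id, ref_id) pair in rbac_pa.ops_id as a
// PHP-serialized array of integers. These helpers decode such rows for an
// audit and reject any payload that is not a flat array of integers.

/**
 * Decode one rbac_pa.ops_id value the way grantPermission() wrote it.
 * allowed_classes => false guarantees unserialize() never instantiates objects,
 * whatever the column happens to contain.
 */
function decodeOpsId(string $serialized): array
{
    $ops = @unserialize($serialized, ['allowed_classes' => false]);
    if (!is_array($ops)) {
        throw new UnexpectedValueException('ops_id is not a serialized array');
    }
    foreach ($ops as $op) {
        if (!is_int($op)) {
            throw new UnexpectedValueException('ops_id contains a non-integer operation id');
        }
    }
    return array_values(array_unique($ops));
}

/**
 * Build ref_id => rol_id => [ops_id, ...] from rbac_pa rows
 * (['rol_id' => int, 'ops_id' => string, 'ref_id' => int], one row per role and object).
 */
function permissionMap(array $rows): array
{
    $map = [];
    foreach ($rows as $row) {
        $map[(int) $row['ref_id']][(int) $row['rol_id']] = decodeOpsId($row['ops_id']);
    }
    return $map;
}

/**
 * Role ids that hold operation $opsId on $refId. Operation ids are installation
 * specific (table rbac_operations); the values used below are assumed.
 */
function rolesWithOperation(array $rows, int $refId, int $opsId): array
{
    $result = [];
    foreach (permissionMap($rows)[$refId] ?? [] as $rolId => $ops) {
        if (in_array($opsId, $ops, true)) {
            $result[] = $rolId;
        }
    }
    sort($result);
    return $result;
}

// Constructed sample rows in the shape grantPermission() produces:
// serialize() of the integer-cast operation list. All ids are made up.
$sampleRows = [
    ['rol_id' => 4, 'ops_id' => serialize([2, 3]),       'ref_id' => 100],
    ['rol_id' => 5, 'ops_id' => serialize([2, 3, 6, 7]), 'ref_id' => 100],
    ['rol_id' => 5, 'ops_id' => serialize([2]),          'ref_id' => 101],
];

var_export(permissionMap($sampleRows));
echo PHP_EOL;
var_export(rolesWithOperation($sampleRows, 100, 6));
echo PHP_EOL;

// A payload grantPermission() never writes (a serialized object) is refused
// rather than unserialized into a live object.
try {
    decodeOpsId('O:8:"stdClass":0:{}');
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The same decoder belongs in any tool that reads rbac_pa directly; inside ILIAS itself, ilRbacReview is the supported way to read permissions rather than parsing the column.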

◆ initIntersectionPermissions()

ilRbacAdmin::initIntersectionPermissions (   $a_ref_id,
  $a_role_id,
  $a_role_parent,
  $a_template_id,
  $a_template_parent 
)

Init intersection permissions.

For a protected role, the role's template operations for the object's type at $a_role_parent are granted on the object directly. Otherwise the intersection of the template permissions of $a_template_id and $a_role_id is copied to the role at $a_ref_id (copyRolePermissionIntersection()), the role is assigned to that folder, and the role's object permissions are replaced by the resulting operations. Without a template id the method logs a message and returns.

Parameters
integer $a_ref_id  reference id of the object
integer $a_role_id  object id of the role
integer $a_role_parent  ref_id of the role's current parent
integer $a_template_id  object id of the role template
integer $a_template_parent  ref_id of the template's parent
Returns
void

Definition at line 1166 of file class.ilRbacAdmin.php.

    {
        global $DIC;

        $rbacreview = $DIC['rbacreview'];

        if ($rbacreview->isProtected($a_role_parent, $a_role_id)) {
            // Assign object permissions
            $new_ops = $rbacreview->getOperationsOfRole(
                $a_role_id,
                ilObject::_lookupType($a_ref_id, true),
                $a_role_parent
            );

            // set new permissions for object
            $this->grantPermission(
                $a_role_id,
                (array) $new_ops,
                $a_ref_id
            );
            return;
        }
        if (!$a_template_id) {
            ilLoggerFactory::getLogger('ac')->info('No template id given. Aborting.');
            return;
        }
        // create template permission intersection
        $this->copyRolePermissionIntersection(
            $a_template_id,
            $a_template_parent,
            $a_role_id,
            $a_role_parent,
            $a_ref_id,
            $a_role_id
        );

        // assign role to folder
        $this->assignRoleToFolder(
            $a_role_id,
            $a_ref_id,
            'n'
        );

        // Assign object permissions
        $new_ops = $rbacreview->getOperationsOfRole(
            $a_role_id,
            ilObject::_lookupType($a_ref_id, true),
            $a_ref_id
        );

        // revoke existing permissions
        $this->revokePermission($a_ref_id, $a_role_id);

        // set new permissions for object
        $this->grantPermission(
            $a_role_id,
            (array) $new_ops,
            $a_ref_id
        );

        return;
    }

References $DIC, ilObject\_lookupType(), assignRoleToFolder(), copyRolePermissionIntersection(), ilLoggerFactory\getLogger(), grantPermission(), and revokePermission().

Referenced by adjustMovedObjectPermissions().


◆ removeUser()

ilRbacAdmin::removeUser (   $a_usr_id)

Deletes a user from rbac_ua: all user <-> role relations of that user are deleted. @access public

Parameters
int $a_usr_id  user id
Returns
boolean true on success

Definition at line 69 of file class.ilRbacAdmin.php.

    {
        global $DIC;

        $ilDB = $DIC->database();
        $review = $DIC->rbac()->review();

        if (!isset($a_usr_id)) {
            $message = get_class($this) . "::removeUser(): No usr_id given!";
            $this->ilErr->raiseError($message, $this->ilErr->WARNING);
        }

        // deassign role by role so that caches, LDAP mapping and events are handled
        foreach ($review->assignedRoles($a_usr_id) as $role_id) {
            $this->deassignUser($role_id, $a_usr_id);
        }

        // remove whatever rows are left for the user
        $query = "DELETE FROM rbac_ua WHERE usr_id = " . $ilDB->quote($a_usr_id, 'integer');
        $res = $ilDB->manipulate($query);

        return true;
    }

References $DIC, $ilDB, $message, $query, $res, and deassignUser().


◆ revokePermission()

ilRbacAdmin::revokePermission (   $a_ref_id,
  $a_rol_id = 0,
  $a_keep_protected = true 
)

Revokes permissions of an object for one role or for all roles.

Update of table rbac_pa. Without a role id, the permissions of all roles in scope on that object (this reference) are revoked; with a role id, only that role's. With the default $a_keep_protected = true, protected roles are skipped and the method still returns true, so the return value does not tell the caller whether anything was deleted. With $a_keep_protected = false, protection is ignored (the system role is still excluded) and, without a role id, every rbac_pa row of the reference is deleted, in scope or not. @access public

Parameters
integer $a_ref_id  reference id of the object whose permissions are revoked
integer $a_rol_id  role id (optional: revoke only for this role)
boolean $a_keep_protected  keep the permissions of protected roles (default true)
Returns
boolean true

Definition at line 431 of file class.ilRbacAdmin.php.

    {
        global $DIC;

        $rbacreview = $DIC['rbacreview'];
        $log = $DIC['log'];
        $ilDB = $DIC['ilDB'];
        $ilLog = $DIC['ilLog'];

        if (!isset($a_ref_id)) {
            $ilLog->logStack();
            $message = get_class($this) . "::revokePermission(): Missing parameter! ref_id: " . $a_ref_id;
            $this->ilErr->raiseError($message, $this->ilErr->WARNING);
        }

        // bypass protected status of roles
        if ($a_keep_protected != true) {
            // exclude system role from rbac
            if ($a_rol_id == SYSTEM_ROLE_ID) {
                return true;
            }

            if ($a_rol_id) {
                $and1 = " AND rol_id = " . $ilDB->quote($a_rol_id, 'integer') . " ";
            } else {
                $and1 = "";
            }

            // without a role id this removes every row of the reference, in scope or not
            $query = "DELETE FROM rbac_pa " .
                "WHERE ref_id = " . $ilDB->quote($a_ref_id, 'integer') .
                $and1;

            $res = $ilDB->manipulate($query);

            return true;
        }

        // consider protected status of roles

        // in any case, get all roles in scope first
        $roles_in_scope = $rbacreview->getParentRoleIds($a_ref_id);

        if (!$a_rol_id) {
            $role_ids = [];

            foreach ($roles_in_scope as $role) {
                if ($role['protected'] == true) {
                    continue;
                }

                $role_ids[] = $role['obj_id'];
            }

            // return if no role in array
            if (!$role_ids) {
                return true;
            }

            $query = 'DELETE FROM rbac_pa ' .
                'WHERE ' . $ilDB->in('rol_id', $role_ids, false, 'integer') . ' ' .
                'AND ref_id = ' . $ilDB->quote($a_ref_id, 'integer');
            $res = $ilDB->manipulate($query);
        } else {
            // exclude system role from rbac
            if ($a_rol_id == SYSTEM_ROLE_ID) {
                return true;
            }

            // exclude protected permission settings from revoking
            // (nothing is deleted, but true is returned nevertheless)
            if ($roles_in_scope[$a_rol_id]['protected'] == true) {
                return true;
            }

            $query = "DELETE FROM rbac_pa " .
                "WHERE ref_id = " . $ilDB->quote($a_ref_id, 'integer') . " " .
                "AND rol_id = " . $ilDB->quote($a_rol_id, 'integer') . " ";
            $res = $ilDB->manipulate($query);
        }

        return true;
    }

References $DIC, $ilDB, $log, $message, $query, $res, and SYSTEM_ROLE_ID.

Referenced by adjustMovedObjectPermissions(), copyRolePermissions(), and initIntersectionPermissions().

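Added example, not ILIAS code: the three branches of revokePermission() replayed against an in-memory copy of rbac_pa, so the effect of $a_rol_id and $a_keep_protected can be compared without a database. SYSTEM_ROLE_ID = 2 (the default installation value) and the shape of the roles-in-scope array (rol_id => ['obj_id', 'protected'], mirroring what the method reads from getParentRoleIds()) are assumptions; survivingRows(), revokedRoleIds() and the sample rows are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example; not part of ILIAS. Replays the branch logic of
// revokePermission() on an in-memory rbac_pa. Assumed: SYSTEM_ROLE_ID = 2 and
// the roles-in-scope shape rol_id => ['obj_id' => int, 'protected' => bool].

const SYSTEM_ROLE_ID = 2;

/**
 * Rows of $rbacPa (['rol_id' => int, 'ref_id' => int]) that survive
 * revokePermission($refId, $rolId, $keepProtected).
 */
function survivingRows(array $rbacPa, array $rolesInScope, int $refId, int $rolId = 0, bool $keepProtected = true): array
{
    $deleted = function (array $row) use ($rolesInScope, $refId, $rolId, $keepProtected): bool {
        if ($row['ref_id'] !== $refId) {
            return false;                       // other objects are never touched
        }
        if (!$keepProtected) {
            // bypass branch: protection is ignored, only the system role is exempt,
            // and with $rolId = 0 every row on the object goes, in scope or not
            if ($rolId === SYSTEM_ROLE_ID) {
                return false;
            }
            return $rolId === 0 || $row['rol_id'] === $rolId;
        }
        if ($rolId === 0) {
            // all-roles branch: only non-protected roles that are in scope
            $role = $rolesInScope[$row['rol_id']] ?? null;
            return $role !== null && !$role['protected'];
        }
        // single-role branch: system role and protected roles are skipped
        // (the real method returns true in that case as well)
        if ($rolId === SYSTEM_ROLE_ID || !empty($rolesInScope[$rolId]['protected'])) {
            return false;
        }
        return $row['rol_id'] === $rolId;
    };
    return array_values(array_filter($rbacPa, function (array $row) use ($deleted): bool {
        return !$deleted($row);
    }));
}

/** Role ids whose row on $refId was removed by the call. */
function revokedRoleIds(array $rbacPa, array $rolesInScope, int $refId, int $rolId = 0, bool $keepProtected = true): array
{
    $onObject = function (array $rows) use ($refId): array {
        return array_column(array_filter($rows, function (array $r) use ($refId): bool {
            return $r['ref_id'] === $refId;
        }), 'rol_id');
    };
    $before = $onObject($rbacPa);
    $after = $onObject(survivingRows($rbacPa, $rolesInScope, $refId, $rolId, $keepProtected));
    return array_values(array_diff($before, $after));
}

// Constructed data: role 4 is a protected role, 5 a normal one, and role 9 has
// a row on the object but is not in scope (inheritance broken above it).
$rolesInScope = [
    SYSTEM_ROLE_ID => ['obj_id' => SYSTEM_ROLE_ID, 'protected' => true],
    4 => ['obj_id' => 4, 'protected' => true],
    5 => ['obj_id' => 5, 'protected' => false],
];
$rbacPa = [
    ['rol_id' => 4, 'ref_id' => 100],
    ['rol_id' => 5, 'ref_id' => 100],
    ['rol_id' => 9, 'ref_id' => 100],
    ['rol_id' => 5, 'ref_id' => 101],
];

$calls = [
    'all roles, keep protected'      => [0, true],
    'role 4 only, keep protected'    => [4, true],
    'role 4 only, bypass protection' => [4, false],
    'all roles, bypass protection'   => [0, false],
];
foreach ($calls as $label => [$rolId, $keep]) {
    echo $label, ': revoked roles ',
        json_encode(revokedRoleIds($rbacPa, $rolesInScope, 100, $rolId, $keep)), PHP_EOL;
}
```

With the constructed data, the call for the protected role 4 with the default $a_keep_protected revokes nothing, while the bypass variant without a role id also removes the row of role 9, which is not in scope at all. Since the real method returns true in every branch, a caller that must be sure a grant is gone should re-check with ilRbacReview afterwards rather than trust the return value.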

◆ revokePermissionList()

ilRbacAdmin::revokePermissionList (   $a_ref_ids,
  $a_rol_id 
)

Revokes permissions of a LIST of objects of ONE role.

Update of table rbac_pa. @access public

Parameters
array $a_ref_ids  list of reference ids whose permissions are revoked
integer $a_rol_id  role id
Returns
boolean true

Definition at line 570 of file class.ilRbacAdmin.php.

    {
        global $DIC;

        $ilDB = $DIC['ilDB'];

        if (!isset($a_ref_ids) || !is_array($a_ref_ids)) {
            // print_r(..., true) returns the dump; var_dump() would print it and yield null
            $message = get_class($this) . "::revokePermissionList(): Missing parameter or parameter is not an array! reference_list: " . print_r($a_ref_ids, true);
            $this->ilErr->raiseError($message, $this->ilErr->WARNING);
        }

        if (!isset($a_rol_id)) {
            $message = get_class($this) . "::revokePermissionList(): Missing parameter! rol_id: " . $a_rol_id;
            $this->ilErr->raiseError($message, $this->ilErr->WARNING);
        }

        // exclude system role from rbac
        if ($a_rol_id == SYSTEM_ROLE_ID) {
            return true;
        }

        // no protected-role handling here: the rows of the given role are removed unconditionally
        $query = "DELETE FROM rbac_pa " .
            "WHERE " . $ilDB->in('ref_id', $a_ref_ids, false, 'integer') . ' ' .
            "AND rol_id = " . $ilDB->quote($a_rol_id, 'integer');
        $res = $ilDB->manipulate($query);

        return true;
    }

References $DIC, $ilDB, $message, $query, $res, and SYSTEM_ROLE_ID.

◆ revokeSubtreePermissions()

ilRbacAdmin::revokeSubtreePermissions (   $a_ref_id,
  $a_role_id 
)

Revoke subtree permissions.

Parameters
integer $a_ref_id  ref_id of the subtree root
integer $a_role_id  object id of the role
Returns
boolean true
Definition at line 519 of file class.ilRbacAdmin.php.

    {
        global $DIC;

        $ilDB = $DIC['ilDB'];

        // object permissions of the role at every node below (and including) $a_ref_id;
        // protected status is not considered here
        $query = 'DELETE FROM rbac_pa ' .
            'WHERE ref_id IN ' .
            '( ' . $GLOBALS['DIC']['tree']->getSubTreeQuery($a_ref_id, array('child')) . ' ) ' .
            'AND rol_id = ' . $ilDB->quote($a_role_id, 'integer');

        $ilDB->manipulate($query);
        return true;
    }

References $DIC, $GLOBALS, $ilDB, and $query.

◆ setBlockedStatus()

ilRbacAdmin::setBlockedStatus (   $a_role_id,
  $a_ref_id,
  $a_blocked_status 
)

Sets the blocked status of a role at a given parent (rbac_fa.blocked).

Parameters
integer $a_role_id  object id of the role
integer $a_ref_id  ref_id of the parent (rbac_fa.parent)
integer $a_blocked_status  blocked flag, stored as integer
Definition at line 49 of file class.ilRbacAdmin.php.

    {
        global $DIC;

        $ilDB = $DIC['ilDB'];

        ilLoggerFactory::getLogger('crs')->logStack();
        $query = 'UPDATE rbac_fa set blocked = ' . $ilDB->quote($a_blocked_status, 'integer') . ' ' .
            'WHERE rol_id = ' . $ilDB->quote($a_role_id, 'integer') . ' ' .
            'AND parent = ' . $ilDB->quote($a_ref_id, 'integer');
        $ilDB->manipulate($query);
    }

References $DIC, $ilDB, $query, and ilLoggerFactory\getLogger().


◆ setProtected()

ilRbacAdmin::setProtected (   $a_ref_id,
  $a_role_id,
  $a_value 
)

Sets the protected flag of a role in rbac_fa. @global $ilDB

Parameters
integer $a_ref_id  not used yet: the flag is set on every rbac_fa row of the role, regardless of broken inheritance
integer $a_role_id  object id of the role
string $a_value  'y' or 'n'
Returns
boolean true

Definition at line 1093 of file class.ilRbacAdmin.php.

    {
        global $DIC;

        $ilDB = $DIC['ilDB'];

        // ref_id not used yet. protected permission acts 'global' for each role,
        // regardless of any broken inheritance before
        $query = 'UPDATE rbac_fa ' .
            'SET protected = ' . $ilDB->quote($a_value, 'text') . ' ' .
            'WHERE rol_id = ' . $ilDB->quote($a_role_id, 'integer');
        $res = $ilDB->manipulate($query);
        return true;
    }

References $DIC, $ilDB, $query, and $res.

Referenced by copyRoleTemplatePermissions().


◆ setRolePermission()

ilRbacAdmin::setRolePermission (   $a_rol_id,
  $a_type,
  $a_ops,
  $a_ref_id 
)

Inserts template permissions in rbac_templates for an specific object type.

Update of table rbac_templates @access public

Parameters
integer $a_rol_id  role id
string $a_type  object type
array $a_ops  operation ids
integer $a_ref_id  ref_id of role folder object
Returns
boolean true

Definition at line 925 of file class.ilRbacAdmin.php.

    {
        global $DIC;

        $ilDB = $DIC['ilDB'];

        if (!isset($a_rol_id) || !isset($a_type) || !isset($a_ops) || !isset($a_ref_id)) {
            $message = get_class($this) . "::setRolePermission(): Missing parameter!" .
                " role_id: " . $a_rol_id .
                " type: " . $a_type .
                " operations: " . implode(',', (array) $a_ops) .
                " ref_id: " . $a_ref_id;
            $this->ilErr->raiseError($message, $this->ilErr->WARNING);
        }

        if (!is_string($a_type) || empty($a_type)) {
            $message = get_class($this) . "::setRolePermission(): a_type is no string or empty!";
            $this->ilErr->raiseError($message, $this->ilErr->WARNING);
        }

        if (!is_array($a_ops) || empty($a_ops)) {
            $message = get_class($this) . "::setRolePermission(): a_ops is no array or empty!";
            $this->ilErr->raiseError($message, $this->ilErr->WARNING);
        }

        // exclude system role from rbac
        if ($a_rol_id == SYSTEM_ROLE_ID) {
            return true;
        }

        // one row per operation; replace() makes repeated calls idempotent
        // and existing rows for other operations are left untouched
        foreach ($a_ops as $op) {
            $ilDB->replace(
                'rbac_templates',
                [
                    'rol_id' => ['integer', $a_rol_id],
                    'type' => ['text', $a_type],
                    'ops_id' => ['integer', $op],
                    'parent' => ['integer', $a_ref_id]
                ],
                []
            );
        }
        return true;
    }

References $DIC, $ilDB, $message, and SYSTEM_ROLE_ID.


The documentation for this class was generated from the following file: