86        $this->results = array();
 
   93        $this->condition = 
true;
 
   96        $this->obj_id_cache = array();
 
   97        $this->obj_type_cache = array();
 
   98        $this->obj_tree_cache = array();
 
  109    public function storeAccessResult($a_permission, $a_cmd, $a_ref_id, $a_access_granted, $a_user_id = 
"", $a_info = 
"")
 
  115        if ($a_user_id == 
"") {
 
  126            $this->results[$a_ref_id][$a_permission][$a_cmd][$a_user_id] =
 
  127                    array(
"granted" => $a_access_granted, 
"info" => $a_info,
 
  130            $this->current_result_element = array($a_access_granted,$a_ref_id,$a_permission,$a_cmd,$a_user_id);
 
  131            $this->last_result = $this->results[$a_ref_id][$a_permission][$a_cmd][$a_user_id];
 
  132            $this->last_info = $a_info;
 
  144        $this->prevent_caching_last_result = $a_val;
 
  152        return $this->prevent_caching_last_result;
 
  164        if ($a_user_id == 
"") {
 
  173        if (isset($this->results[$a_ref_id][$a_permission][$a_cmd][$a_user_id])) {
 
  174            return $this->results[$a_ref_id][$a_permission][$a_cmd][$a_user_id];
 
  // Replaces the current user's row in acc_cache. The DELETE is built with the
  // user id quoted as an integer (the statement's execution is not visible in
  // this listing); the insert then stores the whole $this->results array as a
  // PHP-serialized clob together with the current timestamp.
  // NOTE(review): $this->results holds the "granted" decisions and their "info"
  // values, so acc_cache is authorization data; write access to that table
  // should be as restricted as write access to the permission tables themselves.
  188        $query = 
"DELETE FROM acc_cache WHERE user_id = " . 
$ilDB->quote(
$ilUser->getId(), 
'integer');
 
  191        $ilDB->insert(
'acc_cache', array(
 
  192            'user_id' => array(
'integer',
$ilUser->getId()),
 
  193            'time' => array(
'integer',time()),
 
  194            'result' => array(
'clob',serialize($this->results))
 
  // Loads the cached row for one user id. The value appended to the query is
  // not visible in this listing; confirm it is quoted as an integer, as the
  // DELETE in the cache-writing code is.
  208            $query = 
"SELECT * FROM acc_cache WHERE user_id = " .
 
  // A row younger than $a_secs is reused as-is.
  // NOTE(review): unless something outside this listing invalidates the row,
  // a permission revoked after the row was written keeps reading as granted
  // until the row ages out; confirm callers pass a short $a_secs.
  212            if ((time() - $rec[
"time"]) < $a_secs) {
 
  // NOTE(review): unserialize() instantiates whatever objects the stored clob
  // encodes, so this is only safe while nothing but the cache writer can
  // modify acc_cache.result. Consider passing the allowed_classes option
  // limited to the class stored under "info", or a data-only format.
  213                $this->results = unserialize($rec[
"result"]);
 
  232        $this->results = $a_results;
 
  240        $this->current_info->addInfoItem($a_type, $a_text, $a_data);
 
  246    public function checkAccess($a_permission, $a_cmd, $a_ref_id, $a_type = 
"", $a_obj_id = 
"", $a_tree_id = 
"")
 
  252        return $this->
checkAccessOfUser(
$ilUser->getId(), $a_permission, $a_cmd, $a_ref_id, $a_type, $a_obj_id, $a_tree_id);
 
  258    public function checkAccessOfUser($a_user_id, $a_permission, $a_cmd, $a_ref_id, $a_type = 
"", $a_obj_id = 
"", $a_tree_id = 
"")
 
  267        $ilBench->start(
"AccessControl", 
"0400_clear_info");
 
  268        $this->current_info->clear();
 
  269        $ilBench->stop(
"AccessControl", 
"0400_clear_info");
 
  273        $cached = $this->
doCacheCheck($a_permission, $a_cmd, $a_ref_id, $a_user_id);
 
  274        if ($cached[
"hit"]) {
 
  276            if (!$cached[
"granted"]) {
 
  279            if ($cached[
"prevent_db_cache"]) {
 
  282            return $cached[
"granted"];
 
  285        $ilBench->start(
"AccessControl", 
"0500_lookup_id_and_type");
 
  287        if ($a_obj_id == 
"") {
 
  288            if (isset($this->obj_id_cache[$a_ref_id]) && $this->obj_id_cache[$a_ref_id] > 0) {
 
  289                $a_obj_id = $this->obj_id_cache[$a_ref_id];
 
  292                $this->obj_id_cache[$a_ref_id] = $a_obj_id;
 
  296            if (isset($this->obj_type_cache[$a_ref_id]) && $this->obj_type_cache[$a_ref_id] != 
"") {
 
  297                $a_type = $this->obj_type_cache[$a_ref_id];
 
  300                $this->obj_type_cache[$a_ref_id] = $a_type;
 
  304        $ilBench->stop(
"AccessControl", 
"0500_lookup_id_and_type");
 
  // The in-tree / not-deleted check runs only when $a_tree_id is not loosely
  // equal to 1; with the parameter's default "" it always runs.
  // NOTE(review): because != is a loose comparison, a caller passing 1, "1" or
  // true skips doTreeCheck() entirely. Confirm callers only do that for
  // references already known to be in the tree and not deleted.
  308        if ($a_tree_id != 1 &&
 
  309            !$this->
doTreeCheck($a_permission, $a_cmd, $a_ref_id, $a_user_id)) {
 
  316        if (!$this->
doRBACCheck($a_permission, $a_cmd, $a_ref_id, $a_user_id, $a_type)) {
 
  339        $par_check = $this->
doPathCheck($a_permission, $a_cmd, $a_ref_id, $a_user_id);
 
  347        if (!$this->
doConditionCheck($a_permission, $a_cmd, $a_ref_id, $a_user_id, $a_obj_id, $a_type)) {
 
  355        if (!$this->
doStatusCheck($a_permission, $a_cmd, $a_ref_id, $a_user_id, $a_obj_id, $a_type)) {
 
  375        return is_object($this->last_info) ? $this->last_info->getInfoItems() : array();
 
  383        return $this->last_result;
 
  390        if ($a_ref_id == 
"") {
 
  394        return $this->results[$a_ref_id];
 
  400    public function doCacheCheck($a_permission, $a_cmd, $a_ref_id, $a_user_id)
 
  407        $ilBench->start(
"AccessControl", 
"1000_checkAccess_get_cache_result");
 
  410        if (is_array($stored_access)) {
 
  411            $this->current_info = $stored_access[
"info"];
 
  413            $ilBench->stop(
"AccessControl", 
"1000_checkAccess_get_cache_result");
 
  414            return array(
"hit" => 
true, 
"granted" => $stored_access[
"granted"],
 
  415                "prevent_db_cache" => $stored_access[
"prevent_db_cache"]);
 
  419        $ilBench->stop(
"AccessControl", 
"1000_checkAccess_get_cache_result");
 
  420        return array(
"hit" => 
false, 
"granted" => 
false,
 
  421            "prevent_db_cache" => 
false);
 
  427    public function doTreeCheck($a_permission, $a_cmd, $a_ref_id, $a_user_id)
 
  437        $tree_cache_key = $a_user_id . 
':' . $a_ref_id;
 
  438        if (array_key_exists($tree_cache_key, $this->obj_tree_cache)) {
 
  440            if (!$this->obj_tree_cache[$tree_cache_key]) {
 
  443            $this->
storeAccessResult($a_permission, $a_cmd, $a_ref_id, $this->obj_tree_cache[$tree_cache_key], $a_user_id);
 
  445            return $this->obj_tree_cache[$tree_cache_key];
 
  448        $ilBench->start(
"AccessControl", 
"2000_checkAccess_in_tree");
 
  450        if (!
$tree->isInTree($a_ref_id) or 
$tree->isDeleted($a_ref_id)) {
 
  455            if (count($this->obj_tree_cache) < 1000) {
 
  456                $this->obj_tree_cache[$tree_cache_key] = 
false;
 
  460            $this->current_info->addInfoItem(
IL_DELETED, 
$lng->txt(
"object_deleted"));
 
  463            $ilBench->stop(
"AccessControl", 
"2000_checkAccess_in_tree");
 
  472        if (count($this->obj_tree_cache) < 1000) {
 
  473            $this->obj_tree_cache[$tree_cache_key] = 
true;
 
  479        $ilBench->stop(
"AccessControl", 
"2000_checkAccess_in_tree");
 
  486    public function doRBACCheck($a_permission, $a_cmd, $a_ref_id, $a_user_id, $a_type)
 
  493        $ilLog = 
$DIC[
'ilLog'];
 
  495        $ilBench->start(
"AccessControl", 
"2500_checkAccess_rbac_check");
 
  497        if ($a_permission == 
"") {
 
  499                '%s::doRBACCheck(): No operations given! $a_ref_id: %s',
 
  503            $ilLog->write(
$message, $ilLog->FATAL);
 
  507        if (isset($this->stored_rbac_access[$a_user_id . 
"-" . $a_permission . 
"-" . $a_ref_id])) {
 
  508            $access = $this->stored_rbac_access[$a_user_id . 
"-" . $a_permission . 
"-" . $a_ref_id];
 
  510            $access = $this->rbacsystem->checkAccessOfUser($a_user_id, $a_permission, $a_ref_id, $a_type);
 
  511            if (!is_array($this->stored_rbac_access) || count($this->stored_rbac_access) < 1000) {
 
  512                if ($a_permission != 
"create") {
 
  513                    $this->stored_rbac_access[$a_user_id . 
"-" . $a_permission . 
"-" . $a_ref_id] = $access;
 
  522        if ($a_permission != 
"create") {
 
  525        $ilBench->stop(
"AccessControl", 
"2500_checkAccess_rbac_check");
 
  533    public function doPathCheck($a_permission, $a_cmd, $a_ref_id, $a_user_id, $a_all = 
false)
 
  540        $ilObjDataCache = 
$DIC[
'ilObjDataCache'];
 
  543        $ilBench->start(
"AccessControl", 
"3100_checkAccess_check_parents_get_path");
 
  554        $ilBench->stop(
"AccessControl", 
"3100_checkAccess_check_parents_get_path");
 
  556        foreach (
$path as $id) {
 
  557            if ($a_ref_id == $id) {
 
  563            if ($access == 
false) {
 
  568                if ($a_all == 
false) {
 
  580    public function doActivationCheck($a_permission, $a_cmd, $a_ref_id, $a_user_id, $a_obj_id, $a_type)
 
  588        $objDefinition = 
$DIC[
'objDefinition'];
 
  590        $cache_perm = 
'other';
 
  592        if ($a_permission === 
'visible' || $a_permission === 
'leave') {
 
  593            $cache_perm = $a_permission;
 
  596        if (isset($this->ac_cache[$cache_perm][$a_ref_id][$a_user_id])) {
 
  597            return $this->ac_cache[$cache_perm][$a_ref_id][$a_user_id];
 
  601        if ($a_permission === 
'write') {
 
  606        if ($a_user_id == 
$ilUser->getId()) {
 
  609            if ($memview->isActiveForRefId($a_ref_id) &&
 
  610                $memview->getContainer() == $a_ref_id) {
 
  617            $this->ac_cache[$cache_perm][$a_ref_id][$a_user_id] = 
true;
 
  623            $objDefinition->supportsOfflineHandling($a_type) &&
 
  626            $this->ac_cache[$cache_perm][$a_ref_id][$a_user_id] = 
false;
 
  633        if ($item_data === 
null ||
 
  635            $this->ac_cache[$cache_perm][$a_ref_id][$a_user_id] = 
true;
 
  640        if (($item_data[
'timing_start'] == 0 || time() >= $item_data[
'timing_start']) and
 
  641           ($item_data[
'timing_end'] == 0 || time() <= $item_data[
'timing_end'])) {
 
  642            $this->ac_cache[$cache_perm][$a_ref_id][$a_user_id] = 
true;
 
  648            $this->ac_cache[$cache_perm][$a_ref_id][$a_user_id] = 
true;
 
  649            $ilBench->stop(
"AccessControl", 
"3150_checkAccess_check_course_activation");
 
  654        if (($a_permission === 
'visible' || $a_permission === 
'leave')
 
  655            && $item_data[
'visible']) {
 
  656            $this->ac_cache[$cache_perm][$a_ref_id][$a_user_id] = 
true;
 
  661        if ($a_permission == 
'read_learning_progress') {
 
  662            $this->ac_cache[$cache_perm][$a_ref_id][$a_user_id] = 
true;
 
  663            $ilBench->stop(
"AccessControl", 
"3150_checkAccess_check_course_activation");
 
  668        $this->ac_cache[$cache_perm][$a_ref_id][$a_user_id] = 
false;
 
  675    public function doConditionCheck($a_permission, $a_cmd, $a_ref_id, $a_user_id, $a_obj_id, $a_type)
 
  684            ($a_permission == 
'visible') and
 
  685            !$this->
checkAccessOfUser($a_user_id, 
"write", 
"", $a_ref_id, $a_type, $a_obj_id)
 
  687            if (ilConditionHandler::lookupEffectiveHiddenStatusByTarget($a_ref_id)) {
 
  689                    $conditions = ilConditionHandler::_getEffectiveConditionsOfTarget($a_ref_id, $a_obj_id, $a_type);
 
  691                        $this->current_info->addInfoItem(
 
  693                            $lng->txt(
"missing_precondition") . 
": " .
 
  702                $ilBench->stop(
"AccessControl", 
"4000_checkAccess_condition_check");
 
  707        if (($a_permission == 
"read" or $a_permission == 
'join') &&
 
  708            !$this->
checkAccessOfUser($a_user_id, 
"write", 
"", $a_ref_id, $a_type, $a_obj_id)) {
 
  709            $ilBench->start(
"AccessControl", 
"4000_checkAccess_condition_check");
 
  711                $conditions = ilConditionHandler::_getEffectiveConditionsOfTarget($a_ref_id, $a_obj_id, $a_type);
 
  713                    $this->current_info->addInfoItem(
 
  715                        $lng->txt(
"missing_precondition") . 
": " .
 
  722                $ilBench->stop(
"AccessControl", 
"4000_checkAccess_condition_check");
 
  725            $ilBench->stop(
"AccessControl", 
"4000_checkAccess_condition_check");
 
  734    public function doStatusCheck($a_permission, $a_cmd, $a_ref_id, $a_user_id, $a_obj_id, $a_type)
 
  739        $objDefinition = 
$DIC[
'objDefinition'];
 
  741        $ilPluginAdmin = 
$DIC[
'ilPluginAdmin'];
 
  743        $ilBench->start(
"AccessControl", 
"5000_checkAccess_object_check");
 
  // A type that is named like a plugin type but is not a registered plugin is
  // handled separately (the branch body is not visible in this listing).
  746        if ($objDefinition->isPluginTypeName($a_type) && !$objDefinition->isPlugin($a_type)) {
 
  // Class name and include location are both looked up from $objDefinition by
  // $a_type, and the access class is named "ilObj" . <class> . "Access".
  // NOTE(review): $a_type ends up in an include path and in a `new` expression,
  // so it must only ever be a type known to the object-definition registry,
  // never an unvalidated request value. Verify this at the callers.
  753        $class = $objDefinition->getClassName($a_type);
 
  754        $location = $objDefinition->getLocation($a_type);
 
  755        $full_class = 
"ilObj" . $class . 
"Access";
 
  // For plugin type names the class file is included explicitly from the
  // location returned by the object definition.
  758        if ($objDefinition->isPluginTypeName($a_type)) {
 
  759            include_once(
$location . 
"/class." . $full_class . 
".php");
 
  // The condition guarding this error is not visible here; the message shows
  // the status check is aborted when the class cannot be found.
  763            $this->ac_logger->error(
"Cannot find class for object type $a_type, obj id $a_obj_id, ref id $a_ref_id. Abort status check.");
 
  // Instantiates the access class by name; the variable is reused for the instance.
  767        $full_class = 
new $full_class();
 
  769        $obj_access = call_user_func(
 
  770            array($full_class, 
"_checkAccess"),
 
  777        if (!($obj_access === 
true)) {
 
  784            $ilBench->stop(
"AccessControl", 
"5000_checkAccess_object_check");
 
  789        $ilBench->stop(
"AccessControl", 
"5000_checkAccess_object_check");
 
  798        $this->results = array();
 
  799        $this->last_result = 
"";
 
  801        $this->stored_rbac_access = [];
 
  // Sets the property whose name is given by $a_str to $a_bool.
  // NOTE(review): this is a variable-property write, so whoever controls $a_str
  // can overwrite any property of the object, including $results and
  // $stored_rbac_access. The enclosing method's signature is not visible in
  // this listing; consider checking $a_str against a fixed list of switch names.
  808        $this->$a_str = $a_bool;
 
An exception for terminating execution or to throw for unit testing.
const IL_MISSING_PRECONDITION
const IL_NO_PARENT_ACCESS
filterUserIdsByPositionOfUser($user_id, $pos_perm, $ref_id, array $user_ids)
getAvailablePositionRelatedPermissions for available permissionsint[]
doConditionCheck($a_permission, $a_cmd, $a_ref_id, $a_user_id, $a_obj_id, $a_type)
condition check (currently only implemented for read permission)bool
checkRbacOrPositionPermissionAccess($rbac_perm, $pos_perm, $ref_id)
bool
checkAccessOfUser($a_user_id, $a_permission, $a_cmd, $a_ref_id, $a_type="", $a_obj_id="", $a_tree_id="")
check access for an object (provide $a_type and $a_obj_id if available for better performance)
hasCurrentUserAnyPositionAccess($ref_id)
bool
getResultAll($a_ref_id="")
doCacheCheck($a_permission, $a_cmd, $a_ref_id, $a_user_id)
look if result for current query is already in cachebool
doTreeCheck($a_permission, $a_cmd, $a_ref_id, $a_user_id)
check if object is in tree and not deletedbool
doPathCheck($a_permission, $a_cmd, $a_ref_id, $a_user_id, $a_all=false)
check read permission for all parentsbool
getResultLast()
get last info object
isCurrentUserBasedOnPositionsAllowedTo($permission, array $on_user_ids)
getAvailablePositionRelatedPermissions for available permissionsbool
doRBACCheck($a_permission, $a_cmd, $a_ref_id, $a_user_id, $a_type)
rbac check for current object -> type should be used for create permissionbool
getPreventCachingLastResult()
Get prevent caching last result.boolean true if last result should not be cached
filterUserIdsByPositionOfCurrentUser($pos_perm, $ref_id, array $user_ids)
getAvailablePositionRelatedPermissions for available permissionsint[]
checkPositionAccess($pos_perm, $ref_id)
getAvailablePositionRelatedPermissions for available permissionsbool
hasUserRBACorAnyPositionAccess($rbac_perm, $ref_id)
bool
filterUserIdsForUsersPositionsAndPermission(array $user_ids, $for_user_id, $permission)
getAvailablePositionRelatedPermissions for available permissionsilOrgUnitAccessException when a unkno...
addInfoItem($a_type, $a_text, $a_data="")
add an info item to current info object
getStoredAccessResult($a_permission, $a_cmd, $a_ref_id, $a_user_id="")
get stored access result@access privatearray result array: "granted" (boolean) => true if access is g...
getInfo()
get last info object
filterUserIdsForCurrentUsersPositionsAndPermission(array $user_ids, $permission)
getAvailablePositionRelatedPermissions for available permissionsilOrgUnitAccessException when a unkno...
filterUserIdsByRbacOrPositionOfCurrentUser($rbac_perm, $pos_perm, $ref_id, array $user_ids)
int[]
setPreventCachingLastResult($a_val)
Set prevent caching last result.
isUserBasedOnPositionsAllowedTo($which_user_id, $permission, array $on_user_ids)
getAvailablePositionRelatedPermissions for available permissionsbool
checkAccess($a_permission, $a_cmd, $a_ref_id, $a_type="", $a_obj_id="", $a_tree_id="")
check access for an object (provide $a_type and $a_obj_id if available for better performance)
storeAccessResult($a_permission, $a_cmd, $a_ref_id, $a_access_granted, $a_user_id="", $a_info="")
store access result@access private
static _checkAllConditionsOfTarget($a_target_ref_id, $a_target_id, $a_target_type="", $a_usr_id=0)
checks whether all conditions of a target object are fulfilled
static getLogger($a_component_id)
Get component logger.
static getItem($a_ref_id)
Get item data.
static _lookupObjId($a_id)
static _lookupTitle($a_id)
lookup object title
static lookupOfflineStatus($a_obj_id)
Lookup offline status using objectDataCache.
static _lookupType($a_id, $a_reference=false)
lookup object type
Class ilOrgUnitPositionAccess.
filterUserIdsForUsersPositionsAndPermission(array $user_ids, $for_user_id, $permission)
getAvailablePositionRelatedPermissions for available permissionsilOrgUnitAccessException when a unkno...
checkPositionAccess($pos_perm, $ref_id)
getAvailablePositionRelatedPermissions for available permissionsbool
isCurrentUserBasedOnPositionsAllowedTo($permission, array $on_user_ids)
getAvailablePositionRelatedPermissions for available permissionsbool
filterUserIdsByPositionOfCurrentUser($pos_perm, $ref_id, array $user_ids)
getAvailablePositionRelatedPermissions for available permissionsint[]
filterUserIdsForCurrentUsersPositionsAndPermission(array $user_ids, $permission)
getAvailablePositionRelatedPermissions for available permissionsilOrgUnitAccessException when a unkno...
filterUserIdsByPositionOfUser($user_id, $pos_perm, $ref_id, array $user_ids)
getAvailablePositionRelatedPermissions for available permissionsint[]
hasCurrentUserAnyPositionAccess($ref_id)
bool
checkRbacOrPositionPermissionAccess($rbac_perm, $pos_perm, $ref_id)
bool
filterUserIdsByRbacOrPositionOfCurrentUser($rbac_perm, $pos_perm, $ref_id, array $user_ids)
int[]
hasUserRBACorAnyPositionAccess($rbac_perm, $ref_id)
bool
isUserBasedOnPositionsAllowedTo($which_user_id, $permission, array $on_user_ids)
getAvailablePositionRelatedPermissions for available permissionsbool
Interface ilAccessHandler.
doActivationCheck($a_permission, $a_cmd, $a_ref_id, $a_user_id, $a_obj_id, $a_type)
check for activation and centralized offline status.
doStatusCheck($a_permission, $a_cmd, $a_ref_id, $a_user_id, $a_obj_id, $a_type)
object type specific check
foreach($_POST as $key=> $value) $res