19 declare(strict_types=1);
50 public function __construct(
int $a_id = 0,
bool $a_call_by_reference =
false)
54 $this->
logger = $DIC->logger()->ac();
61 string $a_description,
67 $ilDB = $DIC->database();
70 $res =
$ilDB->query(
"SELECT obj_id FROM object_data " .
71 " WHERE type=" .
$ilDB->quote(
"rolt",
"text") .
72 " AND title=" .
$ilDB->quote($a_tpl_name,
"text"));
75 $tpl_id = (
int) $row->obj_id;
82 $role->setTitle($a_title);
83 $role->setDescription($a_description);
86 $GLOBALS[
'DIC'][
'rbacadmin']->assignRoleToFolder($role->getId(), $a_ref_id,
'y');
87 $GLOBALS[
'DIC'][
'rbacadmin']->copyRoleTemplatePermissions(
94 $ops =
$GLOBALS[
'DIC'][
'rbacreview']->getOperationsOfRole(
99 $GLOBALS[
'DIC'][
'rbacadmin']->grantPermission(
113 if (substr($this->
getTitle(), 0, 3) ==
'il_') {
114 $ilErr->setMessage(
'msg_role_reserved_prefix');
133 $this->assign_users = $a_assign_users;
145 $ilDB = $DIC->database();
146 $query =
"SELECT assign_users FROM role_data WHERE role_id = " .
$ilDB->quote($a_role_id,
'integer') .
" ";
148 while ($row =
$ilDB->fetchObject(
$res)) {
149 return (
bool) $row->assign_users;
160 $query =
"SELECT * FROM role_data WHERE role_id= " . $this->db->quote($this->
id,
'integer') .
" ";
162 if (
$res->numRows() > 0) {
163 $row = $this->db->fetchAssoc(
$res);
175 $query =
"UPDATE role_data SET " .
176 "allow_register= " . $this->db->quote($this->allow_register,
'integer') .
", " .
178 "WHERE role_id= " . $this->db->quote($this->
id,
'integer') .
" ";
192 $this->
id = parent::create();
193 $query =
"INSERT INTO role_data " .
194 "(role_id,allow_register,assign_users) " .
196 "(" . $this->db->quote($this->
id,
'integer') .
"," .
206 $this->allow_register = $a_allow_register;
221 $ilDB = $DIC->database();
222 $query =
"SELECT * FROM role_data " .
223 "JOIN object_data ON object_data.obj_id = role_data.role_id " .
224 "WHERE allow_register = 1";
228 while ($role =
$ilDB->fetchAssoc(
$res)) {
229 $roles[] = array(
"id" => (
int) $role[
"obj_id"],
230 "title" => (
string) $role[
"title"],
231 "auth_mode" => (
string) $role[
'auth_mode']
244 $ilDB = $DIC[
'ilDB'];
246 $query =
"SELECT * FROM role_data " .
247 " WHERE role_id =" .
$ilDB->quote($a_role_id,
'integer');
250 if ($role_rec =
$ilDB->fetchAssoc(
$res)) {
251 if ($role_rec[
"allow_register"]) {
264 $this->parent = $a_parent_ref;
280 public function delete():
bool 285 if ($this->rbac_review->hasMultipleAssignments($this->getId())) {
286 $this->
logger->warning(
'Found role with multiple assignments: role_id: ' . $this->
getId());
287 $this->
logger->warning(
'Aborted deletion of role.');
291 if ($this->rbac_review->isAssignable($this->getId(), $this->
getParent())) {
292 $this->
logger->debug(
'Handling assignable role...');
300 $last_role_user_ids = [];
306 $user_ids = $this->rbac_review->assignedUsers($this->
getId());
308 foreach ($user_ids as $user_id) {
310 $role_ids = $this->rbac_review->assignedRoles($user_id);
313 if (count($role_ids) == 1) {
314 $last_role_user_ids[] = $user_id;
320 if ($last_role_user_ids !== []) {
322 foreach ($last_role_user_ids as $user_id) {
330 $users = implode(
', ', $user_names);
331 $this->
logger->info(
'Cannot delete last global role of users.');
332 $this->
ilias->raiseError($this->
lng->txt(
"msg_user_last_role1") .
" " .
333 $users .
"<br/>" . $this->
lng->txt(
"msg_user_last_role2"), $this->
ilias->error_obj->WARNING);
335 $this->
logger->debug(
'Starting deletion of assignable role: role_id: ' . $this->
getId());
336 $this->rbac_admin->deleteRole($this->
getId(), $this->
getParent());
345 $query =
"DELETE FROM role_data WHERE role_id = " . $this->db->quote($this->
getId(),
'integer');
349 $this->
logger->debug(
'Starting deletion of linked role: role_id ' . $this->
getId());
351 $this->rbac_admin->deleteLocalRole($this->
getId(), $this->
getParent());
361 return count($this->rbac_review->assignedUsers($this->getId()));
368 $lng = $DIC->language();
369 $objDefinition = $DIC[
'objDefinition'];
371 $role_title = self::_removeObjectId($a_role_title);
373 if (preg_match(
"/^il_([a-z]{1,4})_./", $role_title,
$type)) {
375 if ($objDefinition->isPlugin(
$type[1])) {
380 return $a_role_title;
388 $role_title_parts = explode(
'_', $a_role_title);
390 $test2 = (
int) ($role_title_parts[3] ?? 0);
392 unset($role_title_parts[3]);
395 return implode(
'_', $role_title_parts);
401 public static function getSubObjects(
string $a_obj_type,
bool $a_add_admin_objects): array
407 $objDefinition = $DIC[
'objDefinition'];
408 $lng = $DIC->language();
409 $subs = $objDefinition->getSubObjectsRecursively($a_obj_type,
true, $a_add_admin_objects);
419 foreach ($subs as $subtype => $def) {
420 if (in_array($def[
"name"], $filter)) {
424 if ($objDefinition->isPlugin($subtype)) {
426 } elseif ($objDefinition->isSystemObject($subtype)) {
427 $translation =
$lng->
txt(
"obj_" . $subtype);
429 $translation =
$lng->
txt(
'objs_' . $subtype);
432 $sorted[$subtype] = $def;
433 $sorted[$subtype][
'translation'] = $translation;
443 $ilDB = $DIC->database();
444 foreach ($a_roles as $role_id => $auth_mode) {
445 $query =
"UPDATE role_data SET " .
446 "auth_mode= " .
$ilDB->quote($auth_mode,
'text') .
" " .
447 "WHERE role_id= " .
$ilDB->quote($role_id,
'integer') .
" ";
456 $ilDB = $DIC[
'ilDB'];
458 $query =
"SELECT auth_mode FROM role_data " .
459 "WHERE role_id= " .
$ilDB->quote($a_role_id,
'integer') .
" ";
463 return $row[
'auth_mode'];
476 $ilDB = $DIC[
'ilDB'];
478 $query =
"SELECT * FROM role_data " .
479 "WHERE auth_mode = " .
$ilDB->quote($a_auth_mode,
'text');
482 while ($row =
$ilDB->fetchObject(
$res)) {
483 $roles[] = $row->role_id;
495 $ilDB = $DIC[
'ilDB'];
497 $query =
"UPDATE role_data SET auth_mode = 'default' WHERE auth_mode = " .
$ilDB->quote($a_auth_mode,
'text');
503 $operation_info = $this->rbac_review->getOperationAssignment();
504 $rbac_objects = $rbac_operations = [];
505 foreach ($operation_info as $info) {
506 if ($this->obj_definition->getDevMode($info[
'type'])) {
509 $rbac_objects[$info[
'typ_id']] = array(
"obj_id" => $info[
'typ_id'],
510 "type" => $info[
'type']
514 $txt = $this->obj_definition->isPlugin($info[
'type'])
516 : $this->
lng->txt($info[
'type'] .
"_" . $info[
'operation']);
517 if (substr($info[
'operation'], 0, 7) ==
"create_" &&
518 $this->obj_definition->isPlugin(substr($info[
'operation'], 7))) {
520 substr($info[
'operation'], 7),
521 $info[
'type'] .
"_" . $info[
'operation']
524 $rbac_operations[$info[
'typ_id']][$info[
'ops_id']] = array(
525 "ops_id" => $info[
'ops_id'],
526 "title" => $info[
'operation'],
530 return array($rbac_objects, $rbac_operations);
546 array $a_exclusion_filter = [],
547 int $a_operation_mode = self::MODE_READ_OPERATIONS,
548 array $a_operation_stack = []
551 $nodes = $this->tree->getRbacSubtreeInfo($a_start_node);
554 $all_local_policies = $this->rbac_review->getObjectsWithStopedInheritance($this->
getId());
557 $local_policies = [];
558 foreach ($all_local_policies as $lp) {
559 if (isset($nodes[$lp])) {
560 $local_policies[] = $lp;
566 case self::MODE_UNPROTECTED_DELETE_LOCAL_POLICIES:
567 case self::MODE_PROTECTED_DELETE_LOCAL_POLICIES:
585 $rbacadmin = $DIC[
'rbacadmin'];
587 $local_policies = [];
588 foreach ($a_policies as $policy) {
590 $local_policies[] = $policy;
593 if (!in_array(
'all', $a_filter) && !in_array(
597 $local_policies[] = $policy;
600 $rbacadmin->deleteLocalRole($this->
getId(), $policy);
602 return $local_policies;
612 array $a_exclusion_filter = [],
613 int $a_operation_mode = self::MODE_READ_OPERATIONS,
614 array $a_operation_stack = []
616 $operation_stack = [];
620 $start_node = current($a_nodes);
621 $node_stack[] = $start_node;
624 if ($a_operation_mode == self::MODE_READ_OPERATIONS) {
627 $operation_stack = $a_operation_stack;
630 $this->
logger->debug(
'adjust permissions operation stack');
635 $local_policy =
false;
636 foreach ($a_nodes as $node) {
637 $cmp_node = end($node_stack);
638 while ($relation = $this->tree->getRelationOfNodes($node, $cmp_node)) {
642 $this->
logger->debug(
'Handling sibling/none relation.');
643 array_pop($operation_stack);
644 array_pop($policy_stack);
645 array_pop($node_stack);
646 $cmp_node = end($node_stack);
647 $local_policy =
false;
654 $this->
logger->debug(
'Handling child/equals/parent ' . $relation);
664 if ($node[
'child'] == $start_node[
'child']) {
666 if ($rbac_log_active) {
667 $rbac_log_roles = $this->rbac_review->getParentRoleIds($node[
'child'],
false);
672 $perms = end($operation_stack);
675 (array) ($perms[$node[
'type']] ?? []),
680 if ($rbac_log_active) {
690 if (in_array($node[
'child'], $a_policies) && $node[
'child'] !=
SYSTEM_FOLDER_ID) {
691 $local_policy =
true;
694 $node_stack[] = $node;
703 if ($rbac_log_active) {
704 $rbac_log_roles = $this->rbac_review->getParentRoleIds($node[
'child'],
false);
710 ($a_mode == self::MODE_UNPROTECTED_DELETE_LOCAL_POLICIES || $a_mode == self::MODE_UNPROTECTED_KEEP_LOCAL_POLICIES) &&
711 ($node[
'type'] ==
'crs' || $node[
'type'] ==
'grp')
714 $perms = end($operation_stack);
717 $perms[$node[
'type']] ?? [],
723 $node_stack[] = $node;
728 $perms = end($operation_stack);
731 (array) ($perms[$node[
'type']] ?? []),
735 if ($rbac_log_active) {
745 array $a_permissions,
747 int $a_operation_mode
751 $admin = $DIC->rbac()->admin();
752 $review = $DIC->rbac()->review();
753 if ($a_operation_mode == self::MODE_READ_OPERATIONS) {
754 $admin->grantPermission(
759 } elseif ($a_operation_mode == self::MODE_ADD_OPERATIONS) {
760 $current_operations = $review->getRoleOperationsOnObject(
764 $this->
logger->debug(
'Current operations');
765 $this->
logger->dump($current_operations);
767 $new_ops = array_unique(array_merge($a_permissions, $current_operations));
768 $this->
logger->debug(
'New operations');
769 $this->
logger->dump($new_ops);
771 $admin->grantPermission(
776 } elseif ($a_operation_mode == self::MODE_REMOVE_OPERATIONS) {
777 $current_operations = $review->getRoleOperationsOnObject(
781 $this->
logger->debug(
'Current operations');
782 $this->
logger->dump($current_operations);
784 $new_ops = array_diff($current_operations, $a_permissions);
786 $admin->grantPermission(
796 if (in_array($a_type, $a_exclusion_filter)) {
800 if (in_array(
'all', $a_filter)) {
803 return in_array($a_type, $a_filter);
814 $has_policies = null;
817 $has_policies =
true;
820 $has_policies = $this->rbac_review->getLocalPolicies($a_node);
821 $policy_origin = $a_node;
824 $parent_roles = $this->rbac_review->getParentRoleIds($a_node,
false);
825 if ($parent_roles[$this->
getId()]) {
826 $a_stack[] = $this->rbac_review->getAllOperationsOfRole(
828 $parent_roles[$this->
getId()][
'parent']
835 if (!$has_policies) {
839 $a_stack[] = $this->rbac_review->getAllOperationsOfRole(
848 $has_policies = null;
851 $has_policies =
true;
854 $has_policies = $this->rbac_review->getLocalPolicies($a_node);
855 $policy_origin = $a_node;
858 if (!$has_policies) {
862 $a_stack[] = $policy_origin;
871 array $a_current_ops,
875 static $course_non_member_id = null;
876 static $group_non_member_id = null;
877 static $group_open_id = null;
878 static $group_closed_id = null;
887 if (!$group_closed_id) {
888 $query =
"SELECT obj_id FROM object_data WHERE type='rolt' AND title='il_grp_status_closed'";
891 $group_closed_id = (
int) $row->obj_id;
894 $template_id = $group_closed_id;
895 #var_dump("GROUP CLOSED id:" . $template_id); 900 if (!$group_open_id) {
901 $query =
"SELECT obj_id FROM object_data WHERE type='rolt' AND title='il_grp_status_open'";
904 $group_open_id = (
int) $row->obj_id;
907 $template_id = $group_open_id;
913 if (!$course_non_member_id) {
914 $query =
"SELECT obj_id FROM object_data WHERE type='rolt' AND title='il_crs_non_member'";
917 $course_non_member_id = (
int) $row->obj_id;
920 $template_id = $course_non_member_id;
925 if ($template_id && $policy_stack !== []) {
926 $this->rbac_admin->copyRolePermissionIntersection(
936 if ($a_id && !
$GLOBALS[
'DIC'][
'rbacreview']->isRoleAssignedToObject($this->
getId(), $a_id)) {
937 $this->rbac_admin->assignRoleToFolder($this->
getId(), $a_id,
"n");
static isAutoGenerated(int $a_role_id)
static gatherFaPa(int $a_ref_id, array $a_role_ids, bool $a_add_action=false)
static getLogger(string $a_component_id)
Get component logger.
txt(string $a_topic, string $a_default_lang_fallback_mod="")
gets the text for a given topic if the topic is not in the list, the topic itself with "-" will be re...
static _lookupRegisterAllowed()
get all roles that are activated in user registration
changeExistingObjectsGrantPermissions(int $a_role_id, array $a_permissions, int $a_ref_id, int $a_operation_mode)
static ecsConfigured()
Checks if an ecs server is configured.
createPermissionIntersection(array $policy_stack, array $a_current_ops, int $a_id, string $a_type)
Create permission intersection.
static _removeObjectId(string $a_role_title)
const MODE_PROTECTED_DELETE_LOCAL_POLICIES
static _deleteByRole(int $a_role_id)
deleteLocalPolicies(int $a_start, array $a_policies, array $a_filter)
setAllowRegister(bool $a_allow_register)
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
setParent(int $a_parent_ref)
set reference id of parent object this is neccessary for non RBAC protected objects!!! ...
static createDefaultRole(string $a_title, string $a_description, string $a_tpl_name, int $a_ref_id)
adjustPermissions(int $a_mode, array $a_nodes, array $a_policies, array $a_filter, array $a_exclusion_filter=[], int $a_operation_mode=self::MODE_READ_OPERATIONS, array $a_operation_stack=[])
const MODE_REMOVE_OPERATIONS
static getPossibleRemoteTypes(bool $a_with_captions=false)
Get all possible remote object types.
static diffFaPa(array $a_old, array $a_new)
static lookupGroupTye(int $a_id)
static _getRolesByAuthMode(string $a_auth_mode)
Get roles by auth mode public.
const MODE_PROTECTED_KEEP_LOCAL_POLICIES
static _lookupObjId(int $ref_id)
const MODE_READ_OPERATIONS
toggleAssignUsersStatus(bool $a_assign_users)
static add(int $a_action, int $a_ref_id, array $a_diff, bool $a_source_ref_id=false)
static _lookupTitle(int $obj_id)
isHandledObjectType(array $a_filter, array $a_exclusion_filter, string $a_type)
static _getTranslation(string $a_role_title)
static _resetAuthMode(string $a_auth_mode)
Reset auth mode to default.
if(!defined('PATH_SEPARATOR')) $GLOBALS['_PEAR_default_error_mode']
header include for all ilias files.
updateOperationStack(array &$a_stack, int $a_node, bool $a_init=false)
Update operation stack.
static _getAuthMode(int $a_role_id)
getParent()
get reference id of parent object
const MODE_ADD_OPERATIONS
static lookupTxtById(string $plugin_id, string $lang_var)
__getPermissionDefinitions()
getCountMembers()
Get number of users assigned to role.
__construct(int $a_id=0, bool $a_call_by_reference=false)
Constructor public.
const MODE_UNPROTECTED_DELETE_LOCAL_POLICIES
static _updateAuthMode(array $a_roles)
__construct(Container $dic, ilPlugin $plugin)
const MODE_UNPROTECTED_KEEP_LOCAL_POLICIES
const EDIT_TEMPLATE_EXISTING
read()
loads "role" from database private
updatePolicyStack(array &$a_stack, int $a_node)
static _getAssignUsersStatus(int $a_role_id)
getUntranslatedTitle()
Get untranslated object title WebDAV needs to access the untranslated title of an object...
static _lookupType(int $id, bool $reference=false)
static _lookupAllowRegister(int $a_role_id)
check whether role is allowed in user registration or not
changeExistingObjects(int $a_start_node, int $a_mode, array $a_filter, array $a_exclusion_filter=[], int $a_operation_mode=self::MODE_READ_OPERATIONS, array $a_operation_stack=[])
Change existing objects.
static sortArray(array $array, string $a_array_sortby_key, string $a_array_sortorder="asc", bool $a_numeric=false, bool $a_keep_keys=false)
static _lookupLogin(int $a_user_id)
1.8.13 (using Doxyfile)