ILIAS  release_8 Revision v8.24
class.ilRbacAdmin.php
Go to the documentation of this file.
1<?php
2
18declare(strict_types=1);
19
30class ilRbacAdmin
31{
32 protected ilDBInterface $db;
33 protected ilRbacReview $rbacreview;
34 protected ilLogger $logger;
35
40 public function __construct()
41 {
42 global $DIC;
43
44 $this->db = $DIC->database();
45 $this->rbacreview = $DIC->rbac()->review();
46 $this->logger = $DIC->logger()->ac();
47 }
48
49 public function setBlockedStatus(int $a_role_id, int $a_ref_id, bool $a_blocked_status): void
50 {
51 ilLoggerFactory::getLogger('crs')->logStack();
52 $query = 'UPDATE rbac_fa set blocked = ' . $this->db->quote($a_blocked_status, 'integer') . ' ' .
53 'WHERE rol_id = ' . $this->db->quote($a_role_id, 'integer') . ' ' .
54 'AND parent = ' . $this->db->quote($a_ref_id, 'integer');
55 $this->db->manipulate($query);
56 }
57
62 public function removeUser(int $a_usr_id): void
63 {
64 foreach ($this->rbacreview->assignedRoles($a_usr_id) as $role_id) {
65 $this->deassignUser($role_id, $a_usr_id);
66 }
67 $query = "DELETE FROM rbac_ua WHERE usr_id = " . $this->db->quote($a_usr_id, 'integer');
68 $res = $this->db->manipulate($query);
69 }
70
74 public function deleteRole(int $a_rol_id, int $a_ref_id): void
75 {
76 if ($a_rol_id == SYSTEM_ROLE_ID) {
77 $this->logger->logStack(ilLogLevel::DEBUG);
78 throw new DomainException('System administrator role is not deletable.');
79 }
80
81 $mapping = ilLDAPRoleGroupMapping::_getInstance();
82 $mapping->deleteRole($a_rol_id);
83
84 // TODO: check assigned users before deletion
85 // This is done in ilObjRole. Should be better moved to this place?
86
87 // delete user assignements
88 $query = "DELETE FROM rbac_ua " .
89 "WHERE rol_id = " . $this->db->quote($a_rol_id, 'integer');
90 $res = $this->db->manipulate($query);
91
92 // delete permission assignments
93 $query = "DELETE FROM rbac_pa " .
94 "WHERE rol_id = " . $this->db->quote($a_rol_id, 'integer') . " ";
95 $res = $this->db->manipulate($query);
96
97 //delete rbac_templates and rbac_fa
98 $this->deleteLocalRole($a_rol_id);
99 }
100
104 public function deleteTemplate(int $a_obj_id): void
105 {
106 $query = 'DELETE FROM rbac_templates ' .
107 'WHERE rol_id = ' . $this->db->quote($a_obj_id, 'integer');
108 $res = $this->db->manipulate($query);
109
110 $query = 'DELETE FROM rbac_fa ' .
111 'WHERE rol_id = ' . $this->db->quote($a_obj_id, 'integer');
112 $res = $this->db->manipulate($query);
113 }
114
118 public function deleteLocalRole(int $a_rol_id, int $a_ref_id = 0): void
119 {
120 // exclude system role from rbac
121 if ($a_rol_id == SYSTEM_ROLE_ID) {
122 $this->logger->logStack(ilLogLevel::NOTICE);
123 $this->logger->notice('System administrator role is not deletable.');
124 return;
125 }
126
127 $clause = '';
128 if ($a_ref_id != 0) {
129 $clause = 'AND parent = ' . $this->db->quote($a_ref_id, 'integer') . ' ';
130 }
131
132 $query = 'DELETE FROM rbac_fa ' .
133 'WHERE rol_id = ' . $this->db->quote($a_rol_id, 'integer') . ' ' .
134 $clause;
135 $res = $this->db->manipulate($query);
136
137 $query = 'DELETE FROM rbac_templates ' .
138 'WHERE rol_id = ' . $this->db->quote($a_rol_id, 'integer') . ' ' .
139 $clause;
140 $res = $this->db->manipulate($query);
141 }
142
143 public function assignUserLimited(
144 int $a_role_id,
145 int $a_usr_id,
146 int $a_limit,
147 array $a_limited_roles = []
148 ): bool {
149 $ilDB = $this->db;
150 $ilAtomQuery = $this->db->buildAtomQuery();
151 $ilAtomQuery->addTableLock('rbac_ua');
152 $ilAtomQuery->addQueryCallable(
153 function (ilDBInterface $ilDB) use (&$ret, $a_role_id, $a_usr_id, $a_limit, $a_limited_roles): void {
154 $ret = true;
155 $limit_query = 'SELECT COUNT(*) num FROM rbac_ua ' .
156 'WHERE ' . $ilDB->in('rol_id', (array) $a_limited_roles, false, 'integer');
157 $res = $ilDB->query($limit_query);
158 $row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT);
159 if ($row->num >= $a_limit) {
160 $ret = false;
161 return;
162 }
163
164 $query = "INSERT INTO rbac_ua (usr_id, rol_id) " .
165 "VALUES (" .
166 $ilDB->quote($a_usr_id, 'integer') . "," . $ilDB->quote($a_role_id, 'integer') .
167 ")";
168 $res = $ilDB->manipulate($query);
169 }
170 );
171 $ilAtomQuery->run();
172
173 if (!$ret) {
174 return false;
175 }
176
177 $this->rbacreview->setAssignedCacheEntry($a_role_id, $a_usr_id, true);
178 $mapping = ilLDAPRoleGroupMapping::_getInstance();
179 $mapping->assign($a_role_id, $a_usr_id);
180
181 return true;
182 }
183
187 public function assignUser(int $a_rol_id, int $a_usr_id): void
188 {
189 // check if already assigned user id and role_id
190 $alreadyAssigned = $this->rbacreview->isAssigned($a_usr_id, $a_rol_id);
191
192 // enhanced: only if we haven't had this role for this user
193 if (!$alreadyAssigned) {
194 $query = "INSERT INTO rbac_ua (usr_id, rol_id) " .
195 "VALUES (" . $this->db->quote($a_usr_id, 'integer') . "," . $this->db->quote(
196 $a_rol_id,
197 'integer'
198 ) . ")";
199 $res = $this->db->manipulate($query);
200
201 $this->rbacreview->setAssignedCacheEntry($a_rol_id, $a_usr_id, true);
202 }
203
204 $mapping = ilLDAPRoleGroupMapping::_getInstance();
205 $mapping->assign($a_rol_id, $a_usr_id);
206
207 $ref_id = $this->rbacreview->getObjectReferenceOfRole($a_rol_id);
208 $obj_id = ilObject::_lookupObjId($ref_id);
209 $type = ilObject::_lookupType($obj_id);
210
211 if (!$alreadyAssigned) {
212 ilLoggerFactory::getInstance()->getLogger('ac')->debug('Raise event assign user');
213 $GLOBALS['DIC']['ilAppEventHandler']->raise(
214 'Services/AccessControl',
215 'assignUser',
216 array(
217 'obj_id' => $obj_id,
218 'usr_id' => $a_usr_id,
219 'role_id' => $a_rol_id,
220 'type' => $type
221 )
222 );
223 }
224 }
225
229 public function deassignUser(int $a_rol_id, int $a_usr_id): void
230 {
231 $query = "DELETE FROM rbac_ua " .
232 "WHERE usr_id = " . $this->db->quote($a_usr_id, 'integer') . " " .
233 "AND rol_id = " . $this->db->quote($a_rol_id, 'integer') . " ";
234 $res = $this->db->manipulate($query);
235
236 $this->rbacreview->setAssignedCacheEntry($a_rol_id, $a_usr_id, false);
237
238 $mapping = ilLDAPRoleGroupMapping::_getInstance();
239 $mapping->deassign($a_rol_id, $a_usr_id);
240
241 if ($res) {
242 $ref_id = $GLOBALS['DIC']['rbacreview']->getObjectReferenceOfRole($a_rol_id);
243 $obj_id = ilObject::_lookupObjId($ref_id);
244 $type = ilObject::_lookupType($obj_id);
245
246 ilLoggerFactory::getInstance()->getLogger('ac')->debug('Raise event deassign user');
247 $GLOBALS['DIC']['ilAppEventHandler']->raise('Services/AccessControl', 'deassignUser', array(
248 'obj_id' => $obj_id,
249 'usr_id' => $a_usr_id,
250 'role_id' => $a_rol_id,
251 'type' => $type,
252 ));
253 }
254 }
255
259 public function grantPermission(int $a_rol_id, array $a_ops, int $a_ref_id): void
260 {
261 // exclude system role from rbac
262 if ($a_rol_id == SYSTEM_ROLE_ID) {
263 $this->logger->logStack(ilLogLevel::DEBUG);
264 return;
265 }
266
267 // convert all values to integer
268 foreach ($a_ops as $key => $operation) {
269 $a_ops[$key] = (int) $operation;
270 }
271
272 $ops_ids = serialize($a_ops);
273
274 $query = 'DELETE FROM rbac_pa ' .
275 'WHERE rol_id = %s ' .
276 'AND ref_id = %s';
277 $res = $this->db->queryF(
278 $query,
279 array('integer', 'integer'),
280 array($a_rol_id, $a_ref_id)
281 );
282
283 if ($a_ops === []) {
284 return;
285 }
286
287 $query = "INSERT INTO rbac_pa (rol_id,ops_id,ref_id) " .
288 "VALUES " .
289 "(" . $this->db->quote($a_rol_id, 'integer') . "," . $this->db->quote(
290 $ops_ids,
291 'text'
292 ) . "," . $this->db->quote($a_ref_id, 'integer') . ")";
293 $res = $this->db->manipulate($query);
294 }
295
301 public function revokePermission(int $a_ref_id, int $a_rol_id = 0, bool $a_keep_protected = true): void
302 {
303 if ($a_rol_id == SYSTEM_ROLE_ID) {
304 $this->logger->logStack(ilLogLevel::DEBUG);
305 return;
306 }
307
308 // bypass protected status of roles
309 if ($a_keep_protected != true) {
310 if ($a_rol_id) {
311 $and1 = " AND rol_id = " . $this->db->quote($a_rol_id, 'integer') . " ";
312 } else {
313 $and1 = "";
314 }
315
316 $query = "DELETE FROM rbac_pa " .
317 "WHERE ref_id = " . $this->db->quote($a_ref_id, 'integer') .
318 $and1;
319 $res = $this->db->manipulate($query);
320 return;
321 }
322
323 // consider protected status of roles
324
325 // in any case, get all roles in scope first
326 $roles_in_scope = $this->rbacreview->getParentRoleIds($a_ref_id);
327
328 if (!$a_rol_id) {
329 $role_ids = [];
330
331 foreach ($roles_in_scope as $role) {
332 if ($role['protected'] == true) {
333 continue;
334 }
335
336 $role_ids[] = $role['obj_id'];
337 }
338
339 // return if no role in array
340 if ($role_ids === []) {
341 return;
342 }
343
344 $query = 'DELETE FROM rbac_pa ' .
345 'WHERE ' . $this->db->in('rol_id', $role_ids, false, 'integer') . ' ' .
346 'AND ref_id = ' . $this->db->quote($a_ref_id, 'integer');
347 $res = $this->db->manipulate($query);
348 } else {
349 // exclude protected permission settings from revoking
350 if ($roles_in_scope[$a_rol_id]['protected'] == true) {
351 return;
352 }
353
354 $query = "DELETE FROM rbac_pa " .
355 "WHERE ref_id = " . $this->db->quote($a_ref_id, 'integer') . " " .
356 "AND rol_id = " . $this->db->quote($a_rol_id, 'integer') . " ";
357 $res = $this->db->manipulate($query);
358 }
359 }
360
364 public function revokeSubtreePermissions(int $a_ref_id, int $a_role_id): void
365 {
366 $query = 'DELETE FROM rbac_pa ' .
367 'WHERE ref_id IN ' .
368 '( ' . $GLOBALS['DIC']['tree']->getSubTreeQuery($a_ref_id, array('child')) . ' ) ' .
369 'AND rol_id = ' . $this->db->quote($a_role_id, 'integer');
370
371 $this->db->manipulate($query);
372 }
373
377 public function deleteSubtreeTemplates(int $a_ref_id, int $a_rol_id): void
378 {
379 $query = 'DELETE FROM rbac_templates ' .
380 'WHERE parent IN ( ' .
381 $GLOBALS['DIC']['tree']->getSubTreeQuery($a_ref_id, array('child')) . ' ) ' .
382 'AND rol_id = ' . $this->db->quote($a_rol_id, 'integer');
383
384 $this->db->manipulate($query);
385
386 $query = 'DELETE FROM rbac_fa ' .
387 'WHERE parent IN ( ' .
388 $GLOBALS['DIC']['tree']->getSubTreeQuery($a_ref_id, array('child')) . ' ) ' .
389 'AND rol_id = ' . $this->db->quote($a_rol_id, 'integer');
390
391 $this->db->manipulate($query);
392 }
393
397 public function revokePermissionList(array $a_ref_ids, int $a_rol_id): void
398 {
399 // exclude system role from rbac
400 if ($a_rol_id == SYSTEM_ROLE_ID) {
401 $this->logger->logStack(ilLogLevel::DEBUG);
402 return;
403 }
404 $query = "DELETE FROM rbac_pa " .
405 "WHERE " . $this->db->in('ref_id', $a_ref_ids, false, 'integer') . ' ' .
406 "AND rol_id = " . $this->db->quote($a_rol_id, 'integer');
407 $res = $this->db->manipulate($query);
408 }
409
413 public function copyRolePermissions(
414 int $a_source_id,
415 int $a_source_parent,
416 int $a_dest_parent,
417 int $a_dest_id,
418 bool $a_consider_protected = true
419 ): void {
420 // Copy template permissions
421 $this->copyRoleTemplatePermissions(
422 $a_source_id,
423 $a_source_parent,
424 $a_dest_parent,
425 $a_dest_id,
426 $a_consider_protected
427 );
428 $ops = $this->rbacreview->getRoleOperationsOnObject($a_source_id, $a_source_parent);
429
430 $this->revokePermission($a_dest_parent, $a_dest_id);
431 $this->grantPermission($a_dest_id, $ops, $a_dest_parent);
432 }
433
438 public function copyRoleTemplatePermissions(
439 int $a_source_id,
440 int $a_source_parent,
441 int $a_dest_parent,
442 int $a_dest_id,
443 bool $a_consider_protected = true
444 ): void {
445 // exclude system role from rbac
446 if ($a_dest_id == SYSTEM_ROLE_ID) {
447 $this->logger->logStack(ilLogLevel::DEBUG);
448 return;
449 }
450
451 // Read operations
452 $query = 'SELECT * FROM rbac_templates ' .
453 'WHERE rol_id = ' . $this->db->quote($a_source_id, 'integer') . ' ' .
454 'AND parent = ' . $this->db->quote($a_source_parent, 'integer');
455 $res = $this->db->query($query);
456 $operations = [];
457 $rownum = 0;
458 while ($row = $this->db->fetchObject($res)) {
459 $operations[$rownum]['type'] = $row->type;
460 $operations[$rownum]['ops_id'] = $row->ops_id;
461 $rownum++;
462 }
463
464 // Delete target permissions
465 $query = 'DELETE FROM rbac_templates WHERE rol_id = ' . $this->db->quote($a_dest_id, 'integer') . ' ' .
466 'AND parent = ' . $this->db->quote($a_dest_parent, 'integer');
467 $res = $this->db->manipulate($query);
468
469 foreach ($operations as $op) {
470 $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) ' .
471 'VALUES (' .
472 $this->db->quote($a_dest_id, 'integer') . "," .
473 $this->db->quote($op['type'], 'text') . "," .
474 $this->db->quote($op['ops_id'], 'integer') . "," .
475 $this->db->quote($a_dest_parent, 'integer') . ")";
476 $this->db->manipulate($query);
477 }
478
479 // copy also protection status if applicable
480 if ($a_consider_protected == true) {
481 if ($this->rbacreview->isProtected($a_source_parent, $a_source_id)) {
482 $this->setProtected($a_dest_parent, $a_dest_id, 'y');
483 }
484 }
485 }
486
491 public function copyRolePermissionIntersection(
492 int $a_source1_id,
493 int $a_source1_parent,
494 int $a_source2_id,
495 int $a_source2_parent,
496 int $a_dest_parent,
497 int $a_dest_id
498 ): void {
499 // exclude system role from rbac
500 if ($a_dest_id == SYSTEM_ROLE_ID) {
501 $this->logger->logStack(ilLogLevel::DEBUG);
502 return;
503 }
504 $query = "SELECT s1.type, s1.ops_id " .
505 "FROM rbac_templates s1, rbac_templates s2 " .
506 "WHERE s1.rol_id = " . $this->db->quote($a_source1_id, 'integer') . " " .
507 "AND s1.parent = " . $this->db->quote($a_source1_parent, 'integer') . " " .
508 "AND s2.rol_id = " . $this->db->quote($a_source2_id, 'integer') . " " .
509 "AND s2.parent = " . $this->db->quote($a_source2_parent, 'integer') . " " .
510 "AND s1.type = s2.type " .
511 "AND s1.ops_id = s2.ops_id";
512
513 $res = $this->db->query($query);
514 $operations = [];
515 $rowNum = 0;
516 while ($row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
517 $operations[$rowNum]['type'] = $row->type;
518 $operations[$rowNum]['ops_id'] = $row->ops_id;
519
520 $rowNum++;
521 }
522
523 // Delete template permissions of target
524 $query = 'DELETE FROM rbac_templates WHERE rol_id = ' . $this->db->quote($a_dest_id, 'integer') . ' ' .
525 'AND parent = ' . $this->db->quote($a_dest_parent, 'integer');
526 $res = $this->db->manipulate($query);
527
528 $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) ' .
529 'VALUES (?,?,?,?)';
530 $sta = $this->db->prepareManip($query, array('integer', 'text', 'integer', 'integer'));
531 foreach ($operations as $set) {
532 $this->db->execute($sta, array(
533 $a_dest_id,
534 $set['type'],
535 $set['ops_id'],
536 $a_dest_parent
537 ));
538 }
539 }
540
541 public function copyRolePermissionUnion(
542 int $a_source1_id,
543 int $a_source1_parent,
544 int $a_source2_id,
545 int $a_source2_parent,
546 int $a_dest_id,
547 int $a_dest_parent
548 ): void {
549
550 // exclude system role from rbac
551 if ($a_dest_id == SYSTEM_ROLE_ID) {
552 $this->logger->logStack(ilLogLevel::DEBUG);
553 return;
554 }
555 $s1_ops = $this->rbacreview->getAllOperationsOfRole($a_source1_id, $a_source1_parent);
556 $s2_ops = $this->rbacreview->getAllOperationsOfRole($a_source2_id, $a_source2_parent);
557 $this->deleteRolePermission($a_dest_id, $a_dest_parent);
558
559 foreach ($s1_ops as $type => $ops) {
560 foreach ($ops as $op) {
561 // insert all permission of source 1
562 // #15469
563 $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) ' .
564 'VALUES( ' .
565 $this->db->quote($a_dest_id, 'integer') . ', ' .
566 $this->db->quote($type, 'text') . ', ' .
567 $this->db->quote($op, 'integer') . ', ' .
568 $this->db->quote($a_dest_parent, 'integer') . ' ' .
569 ')';
570 $this->db->manipulate($query);
571 }
572 }
573
574 // and the other direction...
575 foreach ($s2_ops as $type => $ops) {
576 foreach ($ops as $op) {
577 if (!isset($s1_ops[$type]) || !in_array($op, $s1_ops[$type])) {
578 $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) ' .
579 'VALUES( ' .
580 $this->db->quote($a_dest_id, 'integer') . ', ' .
581 $this->db->quote($type, 'text') . ', ' .
582 $this->db->quote($op, 'integer') . ', ' .
583 $this->db->quote($a_dest_parent, 'integer') . ' ' .
584 ')';
585 $this->db->manipulate($query);
586 }
587 }
588 }
589 }
590
594 public function copyRolePermissionSubtract(
595 int $a_source_id,
596 int $a_source_parent,
597 int $a_dest_id,
598 int $a_dest_parent
599 ): void {
600 if ($a_dest_id == SYSTEM_ROLE_ID) {
601 $this->logger->logStack(ilLogLevel::DEBUG);
602 return;
603 }
604 $s1_ops = $this->rbacreview->getAllOperationsOfRole($a_source_id, $a_source_parent);
605 $d_ops = $this->rbacreview->getAllOperationsOfRole($a_dest_id, $a_dest_parent);
606
607 foreach ($s1_ops as $type => $ops) {
608 foreach ($ops as $op) {
609 if (isset($d_ops[$type]) && in_array($op, $d_ops[$type])) {
610 $query = 'DELETE FROM rbac_templates ' .
611 'WHERE rol_id = ' . $this->db->quote($a_dest_id, 'integer') . ' ' .
612 'AND type = ' . $this->db->quote($type, 'text') . ' ' .
613 'AND ops_id = ' . $this->db->quote($op, 'integer') . ' ' .
614 'AND parent = ' . $this->db->quote($a_dest_parent, 'integer');
615 $this->db->manipulate($query);
616 }
617 }
618 }
619 }
620
626 public function deleteRolePermission(
627 int $a_rol_id,
628 int $a_ref_id,
629 ?string $a_type = null
630 ): void {
631 if ($a_rol_id == SYSTEM_ROLE_ID) {
632 $this->logger->logStack(ilLogLevel::DEBUG);
633 return;
634 }
635 $and_type = '';
636 if ($a_type !== null) {
637 $and_type = " AND type=" . $this->db->quote($a_type, 'text') . " ";
638 }
639 $query = 'DELETE FROM rbac_templates ' .
640 'WHERE rol_id = ' . $this->db->quote($a_rol_id, 'integer') . ' ' .
641 'AND parent = ' . $this->db->quote($a_ref_id, 'integer') . ' ' .
642 $and_type;
643 $res = $this->db->manipulate($query);
644 }
645
650 public function setRolePermission(int $a_rol_id, string $a_type, array $a_ops, int $a_ref_id): void
651 {
652 if ($a_rol_id == SYSTEM_ROLE_ID) {
653 $this->logger->logStack();
654 return;
655 }
656 foreach ($a_ops as $op) {
657 $this->db->replace(
658 'rbac_templates',
659 [
660 'rol_id' => ['integer', $a_rol_id],
661 'type' => ['text', $a_type],
662 'ops_id' => ['integer', $op],
663 'parent' => ['integer', $a_ref_id]
664 ],
665 []
666 );
667 }
668 }
669
677 public function assignRoleToFolder(
678 int $a_rol_id,
679 int $a_parent,
680 string $a_assign = "y"
681 ): void {
682 if ($a_rol_id == SYSTEM_ROLE_ID) {
683 // ignore system role
684 return;
685 }
686 // if a wrong value is passed, always set assign to "n"
687 if ($a_assign != "y") {
688 $a_assign = "n";
689 }
690
691 // check if already assigned
692 $query = 'SELECT rol_id FROM rbac_fa ' .
693 'WHERE rol_id = ' . $this->db->quote($a_rol_id, 'integer') . ' ' .
694 'AND parent = ' . $this->db->quote($a_parent, 'integer');
695 $res = $this->db->query($query);
696 if ($res->numRows()) {
697 return;
698 }
699 $query = sprintf(
700 'INSERT INTO rbac_fa (rol_id, parent, assign, protected) ' .
701 'VALUES (%s,%s,%s,%s)',
702 $this->db->quote($a_rol_id, 'integer'),
703 $this->db->quote($a_parent, 'integer'),
704 $this->db->quote($a_assign, 'text'),
705 $this->db->quote('n', 'text')
706 );
707 $res = $this->db->manipulate($query);
708 }
709
714 public function assignOperationToObject(int $a_type_id, int $a_ops_id): void
715 {
716 $query = "INSERT INTO rbac_ta (typ_id, ops_id) " .
717 "VALUES(" . $this->db->quote($a_type_id, 'integer') . "," . $this->db->quote($a_ops_id, 'integer') . ")";
718 $res = $this->db->manipulate($query);
719 }
720
725 public function deassignOperationFromObject(int $a_type_id, int $a_ops_id): void
726 {
727 $query = "DELETE FROM rbac_ta " .
728 "WHERE typ_id = " . $this->db->quote($a_type_id, 'integer') . " " .
729 "AND ops_id = " . $this->db->quote($a_ops_id, 'integer');
730 $res = $this->db->manipulate($query);
731 }
732
736 public function setProtected(int $a_ref_id, int $a_role_id, string $a_value): void
737 {
738 // ref_id not used yet. protected permission acts 'global' for each role,
739 // regardless of any broken inheritance before
740 $query = 'UPDATE rbac_fa ' .
741 'SET protected = ' . $this->db->quote($a_value, 'text') . ' ' .
742 'WHERE rol_id = ' . $this->db->quote($a_role_id, 'integer');
743 $res = $this->db->manipulate($query);
744 }
745
751 public function copyLocalRoles(int $a_source_id, int $a_target_id): void
752 {
753 $real_local = [];
754 foreach ($this->rbacreview->getRolesOfRoleFolder($a_source_id, false) as $role_data) {
755 $title = ilObject::_lookupTitle($role_data);
756 if (substr($title, 0, 3) == 'il_') {
757 continue;
758 }
759 $real_local[] = $role_data;
760 }
761 if ($real_local === []) {
762 return;
763 }
764 // Create role folder
765 foreach ($real_local as $role) {
766 $orig = new ilObjRole($role);
767 $orig->read();
768
769 $roleObj = new ilObjRole();
770 $roleObj->setTitle($orig->getTitle());
771 $roleObj->setDescription($orig->getDescription());
772 $roleObj->setImportId($orig->getImportId());
773 $roleObj->create();
774
775 $this->assignRoleToFolder($roleObj->getId(), $a_target_id, "y");
776 $this->copyRolePermissions($role, $a_source_id, $a_target_id, $roleObj->getId(), true);
777 }
778 }
779
780 public function initIntersectionPermissions(
781 int $a_ref_id,
782 int $a_role_id,
783 int $a_role_parent,
784 int $a_template_id,
785 int $a_template_parent
786 ): void {
787 if ($this->rbacreview->isProtected($a_role_parent, $a_role_id)) {
788 // Assign object permissions
789 $new_ops = $this->rbacreview->getOperationsOfRole(
790 $a_role_id,
791 ilObject::_lookupType($a_ref_id, true),
792 $a_role_parent
793 );
794
795 // set new permissions for object
796 $this->grantPermission(
797 $a_role_id,
798 (array) $new_ops,
799 $a_ref_id
800 );
801 return;
802 }
803 if (!$a_template_id) {
804 ilLoggerFactory::getLogger('ac')->info('No template id given. Aborting.');
805 return;
806 }
807 // create template permission intersection
808 $this->copyRolePermissionIntersection(
809 $a_template_id,
810 $a_template_parent,
811 $a_role_id,
812 $a_role_parent,
813 $a_ref_id,
814 $a_role_id
815 );
816
817 // assign role to folder
818 $this->assignRoleToFolder(
819 $a_role_id,
820 $a_ref_id,
821 'n'
822 );
823
824 // Assign object permissions
825 $new_ops = $this->rbacreview->getOperationsOfRole(
826 $a_role_id,
827 ilObject::_lookupType($a_ref_id, true),
828 $a_ref_id
829 );
830
831 // revoke existing permissions
832 $this->revokePermission($a_ref_id, $a_role_id);
833
834 // set new permissions for object
835 $this->grantPermission(
836 $a_role_id,
837 (array) $new_ops,
838 $a_ref_id
839 );
840 }
841
847 protected function applyMovedObjectDidacticTemplates(int $a_ref_id, int $a_old_parent): void
848 {
849 $tpl_id = ilDidacticTemplateObjSettings::lookupTemplateId($a_ref_id);
850 if (!$tpl_id) {
851 return;
852 }
853 foreach (ilDidacticTemplateActionFactory::getActionsByTemplateId($tpl_id) as $action) {
854 if ($action instanceof ilDidacticTemplateLocalRoleAction) {
855 continue;
856 }
857 $action->setRefId($a_ref_id);
858 $action->apply();
859 }
860 }
861
868 public function adjustMovedObjectPermissions(int $ref_id, int $old_parent): void
869 {
870 global $DIC;
871
872 $tree = $DIC['tree'];
873
874 $new_parent = $tree->getParentId($ref_id);
875 $old_context_roles = $this->rbacreview->getParentRoleIds($old_parent, false);
876 $new_context_roles = $this->rbacreview->getParentRoleIds($new_parent, false);
877
883 $tree->useCache(false);
884
885 $for_addition = $for_deletion = [];
886 foreach ($new_context_roles as $new_role_id => $new_role) {
887 if (!isset($old_context_roles[$new_role_id])) {
888 $for_addition[] = $new_role_id;
889 } elseif ($new_role['parent'] != $old_context_roles[$new_role_id]['parent']) {
890 // handle stopped inheritance
891 $for_deletion[] = $new_role_id;
892 $for_addition[] = $new_role_id;
893 }
894 }
895 foreach ($old_context_roles as $old_role_id => $old_role) {
896 if (!isset($new_context_roles[$old_role_id])) {
897 $for_deletion[] = $old_role_id;
898 }
899 }
900 if ($for_deletion === [] && $for_addition === []) {
901 $this->applyMovedObjectDidacticTemplates($ref_id, $old_parent);
902 return;
903 }
904
905 $rbac_log_active = ilRbacLog::isActive();
906 if ($rbac_log_active) {
907 $role_ids = array_unique(array_merge(array_keys($for_deletion), array_keys($for_addition)));
908 }
909
910 foreach ($tree->getSubTree($tree->getNodeData($ref_id), true) as $node_data) {
911 $node_id = (int) $node_data['child'];
912 if ($rbac_log_active) {
913 $log_old = ilRbacLog::gatherFaPa($node_id, $role_ids);
914 }
915
916 // If $node_data['type'] is not set, this means there is a tree entry without
917 // object_reference and/or object_data entry
918 // Continue in this case
919 if (!($node_data['type'] ?? false)) {
920 continue;
921 }
922 if (!$node_id) {
923 continue;
924 }
925
926 foreach ($for_deletion as $role_id) {
927 $this->deleteLocalRole($role_id, $node_id);
928 $this->revokePermission($node_id, $role_id, false);
929 }
930 foreach ($for_addition as $role_id) {
931 $role_parent_id = $this->rbacreview->getParentOfRole($role_id, $ref_id);
932 switch ($node_data['type']) {
933 case 'grp':
934 $tpl_id = ilObjGroup::lookupGroupStatusTemplateId((int) $node_data['obj_id']);
935
936 $this->initIntersectionPermissions(
937 $node_id,
938 $role_id,
939 $role_parent_id,
940 $tpl_id,
941 ROLE_FOLDER_ID
942 );
943 break;
944
945 case 'crs':
946 $tpl_id = ilObjCourse::lookupCourseNonMemberTemplatesId();
947 $this->initIntersectionPermissions(
948 $node_id,
949 $role_id,
950 $role_parent_id,
951 $tpl_id,
952 ROLE_FOLDER_ID
953 );
954 break;
955
956 default:
957 $this->grantPermission(
958 $role_id,
959 $this->rbacreview->getOperationsOfRole($role_id, $node_data['type'], $role_parent_id),
960 $node_id
961 );
962 break;
963
964 }
965 }
966
967 if ($rbac_log_active) {
968 $log_new = ilRbacLog::gatherFaPa($node_id, $role_ids);
969 $log = ilRbacLog::diffFaPa($log_old, $log_new);
970 ilRbacLog::add(ilRbacLog::MOVE_OBJECT, $node_id, $log);
971 }
972 }
973
977 $tree->useCache();
978
979 $this->applyMovedObjectDidacticTemplates($ref_id, $old_parent);
980 }
981}
$GLOBALS
if(!defined('PATH_SEPARATOR')) $GLOBALS['_PEAR_default_error_mode']
Definition: PEAR.php:64
ilDidacticTemplateActionFactory\getActionsByTemplateId
static getActionsByTemplateId(int $a_tpl_id)
Get actions of one template.
Definition: class.ilDidacticTemplateActionFactory.php:51
ilDidacticTemplateLocalRoleAction
represents a creation of local roles action
Definition: class.ilDidacticTemplateLocalRoleAction.php:12
ilLDAPRoleGroupMapping\_getInstance
static _getInstance()
Get singleton instance of this class.
Definition: class.ilLDAPRoleGroupMapping.php:58
ilLoggerFactory\getLogger
static getLogger(string $a_component_id)
Get component logger.
Definition: class.ilLoggerFactory.php:89
ilLogger
Component logger with individual log levels by component id.
Definition: class.ilLogger.php:17
ilObjCourse\lookupCourseNonMemberTemplatesId
static lookupCourseNonMemberTemplatesId()
Definition: class.ilObjCourse.php:1325
ilObjGroup\lookupGroupStatusTemplateId
static lookupGroupStatusTemplateId(int $a_obj_id)
Definition: class.ilObjGroup.php:972
ilObjRole
Class ilObjRole.
Definition: class.ilObjRole.php:27
ilObject\_lookupType
static _lookupType(int $id, bool $reference=false)
Definition: class.ilObject.php:1091
ilObject\_lookupObjId
static _lookupObjId(int $ref_id)
Definition: class.ilObject.php:930
ilObject\_lookupTitle
static _lookupTitle(int $obj_id)
Definition: class.ilObject.php:837
ilRbacAdmin
Class ilRbacAdmin Core functions for role based access control.
Definition: class.ilRbacAdmin.php:31
ilRbacAdmin\setBlockedStatus
setBlockedStatus(int $a_role_id, int $a_ref_id, bool $a_blocked_status)
Definition: class.ilRbacAdmin.php:49
ilRbacAdmin\removeUser
removeUser(int $a_usr_id)
deletes a user from rbac_ua all user <-> role relations are deleted
Definition: class.ilRbacAdmin.php:62
ilRbacAdmin\copyRolePermissionUnion
copyRolePermissionUnion(int $a_source1_id, int $a_source1_parent, int $a_source2_id, int $a_source2_parent, int $a_dest_id, int $a_dest_parent)
Definition: class.ilRbacAdmin.php:541
ilRbacAdmin\assignOperationToObject
assignOperationToObject(int $a_type_id, int $a_ops_id)
Assign an existing operation to an object Update of rbac_ta.
Definition: class.ilRbacAdmin.php:714
ilRbacAdmin\applyMovedObjectDidacticTemplates
applyMovedObjectDidacticTemplates(int $a_ref_id, int $a_old_parent)
Apply didactic templates after object movement.
Definition: class.ilRbacAdmin.php:847
ilRbacAdmin\__construct
__construct()
Constructor @access public.
Definition: class.ilRbacAdmin.php:40
ilRbacAdmin\adjustMovedObjectPermissions
adjustMovedObjectPermissions(int $ref_id, int $old_parent)
Adjust permissions of moved objects.
Definition: class.ilRbacAdmin.php:868
ilRbacAdmin\setProtected
setProtected(int $a_ref_id, int $a_role_id, string $a_value)
Set protected.
Definition: class.ilRbacAdmin.php:736
ilRbacAdmin\deassignOperationFromObject
deassignOperationFromObject(int $a_type_id, int $a_ops_id)
Deassign an existing operation from an object Update of rbac_ta.
Definition: class.ilRbacAdmin.php:725
ilRbacAdmin\deassignUser
deassignUser(int $a_rol_id, int $a_usr_id)
Deassigns a user from a role.
Definition: class.ilRbacAdmin.php:229
ilRbacAdmin\deleteSubtreeTemplates
deleteSubtreeTemplates(int $a_ref_id, int $a_rol_id)
Delete all template permissions of subtree nodes.
Definition: class.ilRbacAdmin.php:377
ilRbacAdmin\copyRolePermissionSubtract
copyRolePermissionSubtract(int $a_source_id, int $a_source_parent, int $a_dest_id, int $a_dest_parent)
Subtract role permissions.
Definition: class.ilRbacAdmin.php:594
ilRbacAdmin\assignRoleToFolder
assignRoleToFolder(int $a_rol_id, int $a_parent, string $a_assign="y")
Assigns a role to a role folder A role folder is an object to store roles.
Definition: class.ilRbacAdmin.php:677
ilRbacAdmin\deleteRolePermission
deleteRolePermission(int $a_rol_id, int $a_ref_id, ?string $a_type=null)
Deletes all entries of a template.
Definition: class.ilRbacAdmin.php:626
ilRbacAdmin\deleteLocalRole
deleteLocalRole(int $a_rol_id, int $a_ref_id=0)
Deletes a local role and entries in rbac_fa and rbac_templates.
Definition: class.ilRbacAdmin.php:118
ilRbacAdmin\revokeSubtreePermissions
revokeSubtreePermissions(int $a_ref_id, int $a_role_id)
Revoke subtree permissions.
Definition: class.ilRbacAdmin.php:364
ilRbacAdmin\initIntersectionPermissions
initIntersectionPermissions(int $a_ref_id, int $a_role_id, int $a_role_parent, int $a_template_id, int $a_template_parent)
Definition: class.ilRbacAdmin.php:780
ilRbacAdmin\copyRolePermissionIntersection
copyRolePermissionIntersection(int $a_source1_id, int $a_source1_parent, int $a_source2_id, int $a_source2_parent, int $a_dest_parent, int $a_dest_id)
Copies the intersection of the template permissions of two roles to a third role.
Definition: class.ilRbacAdmin.php:491
ilRbacAdmin\$rbacreview
ilRbacReview $rbacreview
Definition: class.ilRbacAdmin.php:33
ilRbacAdmin\copyLocalRoles
copyLocalRoles(int $a_source_id, int $a_target_id)
Copy local roles This method creates a copy of all local role.
Definition: class.ilRbacAdmin.php:751
ilRbacAdmin\$db
ilDBInterface $db
Definition: class.ilRbacAdmin.php:32
ilRbacAdmin\revokePermissionList
revokePermissionList(array $a_ref_ids, int $a_rol_id)
Revokes permissions of a LIST of objects of ONE role.
Definition: class.ilRbacAdmin.php:397
ilRbacAdmin\deleteRole
deleteRole(int $a_rol_id, int $a_ref_id)
Deletes a role and deletes entries in rbac_pa, rbac_templates, rbac_ua, rbac_fa.
Definition: class.ilRbacAdmin.php:74
ilRbacAdmin\revokePermission
revokePermission(int $a_ref_id, int $a_rol_id=0, bool $a_keep_protected=true)
Revokes permissions of an object of one role.
Definition: class.ilRbacAdmin.php:301
ilRbacAdmin\copyRoleTemplatePermissions
copyRoleTemplatePermissions(int $a_source_id, int $a_source_parent, int $a_dest_parent, int $a_dest_id, bool $a_consider_protected=true)
Copies template permissions of one role to another.
Definition: class.ilRbacAdmin.php:438
ilRbacAdmin\setRolePermission
setRolePermission(int $a_rol_id, string $a_type, array $a_ops, int $a_ref_id)
Inserts template permissions in rbac_templates for an specific object type.
Definition: class.ilRbacAdmin.php:650
ilRbacAdmin\deleteTemplate
deleteTemplate(int $a_obj_id)
Deletes a template from role folder and deletes all entries in rbac_templates, rbac_fa.
Definition: class.ilRbacAdmin.php:104
ilRbacAdmin\copyRolePermissions
copyRolePermissions(int $a_source_id, int $a_source_parent, int $a_dest_parent, int $a_dest_id, bool $a_consider_protected=true)
Copies template permissions and permission of one role to another.
Definition: class.ilRbacAdmin.php:413
ilRbacAdmin\grantPermission
grantPermission(int $a_rol_id, array $a_ops, int $a_ref_id)
Grants a permission to an object and a specific role.
Definition: class.ilRbacAdmin.php:259
ilRbacAdmin\assignUserLimited
assignUserLimited(int $a_role_id, int $a_usr_id, int $a_limit, array $a_limited_roles=[])
Definition: class.ilRbacAdmin.php:143
ilRbacAdmin\assignUser
assignUser(int $a_rol_id, int $a_usr_id)
Assigns an user to a role.
Definition: class.ilRbacAdmin.php:187
ilRbacLog\MOVE_OBJECT
const MOVE_OBJECT
Definition: class.ilRbacLog.php:29
ilRbacLog\diffFaPa
static diffFaPa(array $a_old, array $a_new)
Definition: class.ilRbacLog.php:75
ilRbacLog\add
static add(int $a_action, int $a_ref_id, array $a_diff, bool $a_source_ref_id=false)
Definition: class.ilRbacLog.php:141
ilRbacLog\gatherFaPa
static gatherFaPa(int $a_ref_id, array $a_role_ids, bool $a_add_action=false)
Definition: class.ilRbacLog.php:42
ilRbacLog\isActive
static isActive()
Definition: class.ilRbacLog.php:37
ilRbacReview
class ilRbacReview Contains Review functions of core Rbac.
Definition: class.ilRbacReview.php:34
if
if(!file_exists(getcwd() . '/ilias.ini.php'))
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: confirmReg.php:20
SYSTEM_ROLE_ID
const SYSTEM_ROLE_ID
Definition: constants.php:29
ROLE_FOLDER_ID
const ROLE_FOLDER_ID
Definition: constants.php:34
$DIC
global $DIC
Definition: feed.php:28
ilDBInterface
Interface ilDBInterface.
Definition: interface.ilDBInterface.php:27
$ref_id
$ref_id
Definition: ltiauth.php:67
$res
$res
Definition: ltiservices.php:69
ILIAS\LTI\ToolProvider\$key
string $key
Consumer key/client ID value.
Definition: System.php:193
$query
$query
Definition: proxy_ylocal.php:13
$type
$type
Definition: proxy_ylocal.php:10
$log
$log
Definition: result.php:33