ILIAS  release_8 Revision v8.24
class.ilOrgUnitPositionAccess.php
1<?php
24{
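/**
 * Cache of ref_id => object type, filled lazily by getTypeForRefId().
 * Static, so one map is shared by every instance of this class.
 *
 * @var array<int, string>
 */
protected static array $ref_id_obj_type_map = [];

/** Org-unit assignment queries: positions of a user, members of an org unit. */
private \ilOrgUnitUserAssignmentQueries $ua;

/** Settings object asked whether position access is active for an object. */
private \ilOrgUnitGlobalSettings $set;

// NOTE(review): listing lines 28-29 are absent from this page. The constructor assigns
// $this->access and $this->user, so both are declared here; confirm the exact declarations
// against the repository file.
/** RBAC access handler passed to the constructor. */
private ilAccess $access;

/** User object of the current request; the subject of every "current user" check. */
private ilObjUser $user;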
30
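/**
 * Binds the checker to the RBAC handler and to the user of the current request.
 *
 * @param ilAccess $access RBAC access handler used by the "RbacOr..." methods
 */
public function __construct(ilAccess $access)
{
    global $DIC;

    // NOTE(review): listing lines 34-35 are absent from this page. $this->set and $this->ua are
    // typed properties read by most methods of this class, so they are initialised here;
    // confirm both calls against the repository file.
    $this->set = ilOrgUnitGlobalSettings::getInstance();
    $this->ua = ilOrgUnitUserAssignmentQueries::getInstance();

    $this->access = $access;
    // Every "current user" decision in this class is made for this user object.
    $this->user = $DIC->user();
}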
39
40
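/**
 * Narrows $user_ids to the users the current user may act on through org-unit membership.
 *
 * Thin wrapper: resolves the current user's id and delegates to
 * filterUserIdsForUsersPositionsAndPermission().
 *
 * NOTE(review): the opening signature line is absent from this listing and is restored here;
 * confirm the visibility against the repository file.
 *
 * @param int[]  $user_ids   candidate user ids
 * @param string $permission permission name, handed through unchanged
 * @return int[] the entries of $user_ids that pass the filter
 */
public function filterUserIdsForCurrentUsersPositionsAndPermission(
    array $user_ids,
    string $permission
): array {
    return $this->filterUserIdsForUsersPositionsAndPermission(
        $user_ids,
        $this->getCurrentUsersId(),
        $permission
    );
}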
49
50
51
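/**
 * Narrows $user_ids to users who are members of at least one org unit that
 * $for_user_id is assigned to.
 *
 * NOTE(review): $permission is accepted but never read, so the result depends on shared
 * org-unit membership only, not on any position authority or permission. Callers that
 * treat the result as "users I hold $permission over" should confirm that this is intended.
 *
 * NOTE(review): the opening signature line is absent from this listing and is restored here;
 * confirm the visibility against the repository file.
 *
 * @param int[]  $user_ids    candidate user ids
 * @param int    $for_user_id user whose org-unit assignments define the allowed set
 * @param string $permission  currently unused
 * @return int[] the entries of $user_ids found in those org units (keys of $user_ids kept)
 */
public function filterUserIdsForUsersPositionsAndPermission(
    array $user_ids,
    int $for_user_id,
    string $permission
): array {
    $member_lists = [];
    foreach ($this->ua->getAssignmentsOfUserId($for_user_id) as $assignment) {
        $member_lists[] = $this->ua->getUserIdsOfOrgUnit($assignment->getOrguId());
    }

    // array_merge keeps every value. The previous `+=` is a key-wise union: if the member
    // lists are 0-indexed, entries of a later org unit whose index already exists are
    // dropped, so members of a second org unit could be filtered out by mistake.
    $other_users_in_same_org_units = array_merge([], ...$member_lists);

    return array_intersect($user_ids, $other_users_in_same_org_units);
}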
66
/**
 * Tells whether the current user is allowed $permission on every user in $on_user_ids.
 *
 * Resolves the current user's id and delegates to isUserBasedOnPositionsAllowedTo().
 *
 * @param string $permission  permission name, handed through unchanged
 * @param int[]  $on_user_ids users the permission would be exercised on
 */
public function isCurrentUserBasedOnPositionsAllowedTo(string $permission, array $on_user_ids): bool
{
    return $this->isUserBasedOnPositionsAllowedTo(
        $this->getCurrentUsersId(),
        $permission,
        $on_user_ids
    );
}
74
75
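/**
 * Tells whether $which_user_id passes the org-unit filter for every user in $on_user_ids.
 *
 * The list is run through filterUserIdsForUsersPositionsAndPermission(); the answer is true
 * only when that filter removes nothing.
 *
 * NOTE(review): an empty $on_user_ids yields true, because an empty list filters to an empty
 * list. Callers that build the list from request data should reject the empty case
 * themselves if "no targets" must not count as "allowed".
 *
 * NOTE(review): the opening signature line is absent from this listing and is restored here;
 * confirm the visibility against the repository file.
 *
 * @param int    $which_user_id user whose rights are checked
 * @param string $permission    permission name, handed to the filter
 * @param int[]  $on_user_ids   users the permission would be exercised on
 */
public function isUserBasedOnPositionsAllowedTo(
    int $which_user_id,
    string $permission,
    array $on_user_ids
): bool {
    $filtered_user_ids = $this->filterUserIdsForUsersPositionsAndPermission(
        $on_user_ids,
        $which_user_id,
        $permission
    );

    // array_intersect keeps the keys of its first argument, so the strict comparison holds
    // only when both arrays carry the same values under the same keys.
    return ($on_user_ids === array_intersect($on_user_ids, $filtered_user_ids)
        && $filtered_user_ids === array_intersect($filtered_user_ids, $on_user_ids));
}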
91
92
/**
 * Narrows $user_ids to the users over whom the current user's positions grant $pos_perm
 * on the object $ref_id.
 *
 * Resolves the current user's id and delegates to filterUserIdsByPositionOfUser().
 *
 * @param string $pos_perm operation string of the position permission
 * @param int    $ref_id   reference id of the object the permission applies to
 * @param int[]  $user_ids candidate user ids
 * @return int[] the entries of $user_ids that pass the filter
 */
public function filterUserIdsByPositionOfCurrentUser(string $pos_perm, int $ref_id, array $user_ids): array
{
    return $this->filterUserIdsByPositionOfUser(
        $this->getCurrentUsersId(),
        $pos_perm,
        $ref_id,
        $user_ids
    );
}
100
101
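/**
 * Narrows $user_ids to the users over whom $user_id's positions grant $pos_perm on $ref_id.
 *
 * For each position of $user_id whose permission set for $ref_id has the operation selected,
 * the position's authorities are expanded into user ids; the union of those ids is
 * intersected with $user_ids.
 *
 * NOTE(review): unlike checkPositionAccess(), this method does not ask
 * isPositionActiveForRefId(); whether callers are expected to do so first is not visible here.
 *
 * NOTE(review): the id appended at the end comes from $this->user (the user of the current
 * request), not from $user_id. That id therefore passes the filter whenever the operation
 * exists, even if no position grants it and even when $user_id is a different user.
 * Confirm that this is intended.
 *
 * NOTE(review): the signature line and the five `case` labels are absent from this listing.
 * They are restored here with the ilOrgUnitAuthority constants; confirm against the
 * repository file.
 *
 * @param int    $user_id  user whose positions are evaluated
 * @param string $pos_perm operation string of the position permission
 * @param int    $ref_id   reference id of the object the permission applies to
 * @param int[]  $user_ids candidate user ids
 * @return int[] the entries of $user_ids that pass the filter; [] if the operation is unknown
 */
public function filterUserIdsByPositionOfUser(
    int $user_id,
    string $pos_perm,
    int $ref_id,
    array $user_ids
): array {
    $operation = ilOrgUnitOperationQueries::findByOperationString($pos_perm, $this->getTypeForRefId($ref_id));
    if (!$operation) {
        // Unknown operation for this object type: nobody passes, not even the current user.
        return [];
    }

    $allowed_user_ids = [];
    foreach ($this->ua->getPositionsOfUserId($user_id) as $position) {
        $permissions = ilOrgUnitPermissionQueries::getSetForRefId($ref_id, $position->getId());
        $permissions->afterObjectLoad();
        if (!$permissions->isOperationIdSelected($operation->getOperationId())) {
            continue;
        }

        $position->afterObjectLoad();
        foreach ($position->getAuthorities() as $authority) {
            switch ($authority->getOver()) {
                case ilOrgUnitAuthority::OVER_EVERYONE:
                    // Authority over everyone in the org units where $user_id holds this position.
                    switch ($authority->getScope()) {
                        case ilOrgUnitAuthority::SCOPE_SAME_ORGU:
                            $allowed = $this->ua->getUserIdsOfOrgUnitsOfUsersPosition($position->getId(), $user_id);
                            $allowed_user_ids = array_merge($allowed_user_ids, $allowed);
                            break;
                        case ilOrgUnitAuthority::SCOPE_SUBSEQUENT_ORGUS:
                            $allowed = $this->ua->getUserIdsOfOrgUnitsOfUsersPosition(
                                $position->getId(),
                                $user_id,
                                true
                            );
                            $allowed_user_ids = array_merge($allowed_user_ids, $allowed);
                            break;
                    }
                    break;
                default:
                    // Authority over one specific position; getOver() is passed on as that position's id.
                    switch ($authority->getScope()) {
                        case ilOrgUnitAuthority::SCOPE_SAME_ORGU:
                            $allowed = $this->ua->getUserIdsOfUsersOrgUnitsInPosition(
                                $user_id,
                                $authority->getPositionId(),
                                $authority->getOver(),
                                false
                            );
                            $allowed_user_ids = array_merge($allowed_user_ids, $allowed);
                            break;
                        case ilOrgUnitAuthority::SCOPE_SUBSEQUENT_ORGUS:
                            $allowed = $this->ua->getUserIdsOfUsersOrgUnitsInPosition(
                                $user_id,
                                $authority->getPositionId(),
                                $authority->getOver(),
                                true
                            );
                            $allowed_user_ids = array_merge($allowed_user_ids, $allowed);
                            break;
                    }
                    break;
            }
        }
    }

    // See the second NOTE(review) above: this is the current request's user, not $user_id.
    $allowed_user_ids[] = $this->user->getId();

    return array_intersect($user_ids, $allowed_user_ids);
}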
170
171
/**
 * Tells whether any position of the current user has $pos_perm selected for $ref_id.
 *
 * Returns false when position access is not active for the object or when the operation
 * string is unknown for the object's type.
 *
 * NOTE(review): filterUserIdsByPositionOfUser() calls afterObjectLoad() on the permission
 * set before reading it; this method does not. Whether that call is needed here cannot be
 * told from this file.
 *
 * @param string $pos_perm operation string of the position permission
 * @param int    $ref_id   reference id of the object being accessed
 */
public function checkPositionAccess(string $pos_perm, int $ref_id): bool
{
    if (!$this->isPositionActiveForRefId($ref_id)) {
        return false;
    }

    $object_type = $this->getTypeForRefId($ref_id);
    $operation = ilOrgUnitOperationQueries::findByOperationString($pos_perm, $object_type);
    if (!$operation) {
        return false;
    }

    $positions = $this->ua->getPositionsOfUserId($this->getCurrentUsersId());
    foreach ($positions as $position) {
        $permission_set = ilOrgUnitPermissionQueries::getSetForRefId($ref_id, $position->getId());
        if ($permission_set->isOperationIdSelected($operation->getOperationId())) {
            // One granting position is enough.
            return true;
        }
    }

    return false;
}
193
194
/**
 * Tells whether any position of the current user carries at least one operation for $ref_id.
 *
 * Returns false when position access is not active for the object. The check does not look
 * at which operation is granted, only that the permission set is non-empty.
 *
 * @param int $ref_id reference id of the object being accessed
 */
public function hasCurrentUserAnyPositionAccess(int $ref_id): bool
{
    if (!$this->isPositionActiveForRefId($ref_id)) {
        return false;
    }

    $positions = $this->ua->getPositionsOfUserId($this->getCurrentUsersId());
    foreach ($positions as $position) {
        $permission_set = ilOrgUnitPermissionQueries::getSetForRefId($ref_id, $position->getId());
        $granted_operations = $permission_set->getOperations();
        if (count($granted_operations) >= 1) {
            return true;
        }
    }

    return false;
}
212
213
/**
 * Grants access when RBAC allows $rbac_perm on $ref_id, or otherwise when position access is
 * active for the object and a position of the current user grants $pos_perm.
 *
 * The RBAC check runs first and short-circuits the position checks.
 *
 * @param string $rbac_perm RBAC permission name
 * @param string $pos_perm  operation string of the position permission
 * @param int    $ref_id    reference id of the object being accessed
 */
public function checkRbacOrPositionPermissionAccess(string $rbac_perm, string $pos_perm, int $ref_id): bool
{
    return $this->access->checkAccess($rbac_perm, '', $ref_id)
        || (
            $this->isPositionActiveForRefId($ref_id)
            && $this->checkPositionAccess($pos_perm, $ref_id)
        );
}
227
228
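/**
 * Narrows $user_ids by RBAC first and by the current user's positions second.
 *
 * If RBAC grants $rbac_perm on $ref_id, the whole list is returned untouched; otherwise the
 * list is filtered with filterUserIdsByPositionOfCurrentUser().
 *
 * NOTE(review): the position fallback is not guarded by isPositionActiveForRefId(), whereas
 * checkRbacOrPositionPermissionAccess() is. Confirm that filtering should still apply to
 * objects for which position access is switched off.
 *
 * NOTE(review): the opening signature line is absent from this listing and is restored here;
 * confirm the visibility against the repository file.
 *
 * @param string $rbac_perm RBAC permission name
 * @param string $pos_perm  operation string of the position permission
 * @param int    $ref_id    reference id of the object the permission applies to
 * @param int[]  $user_ids  candidate user ids
 * @return int[] $user_ids unchanged on an RBAC grant, else the position-filtered subset
 */
public function filterUserIdsByRbacOrPositionOfCurrentUser(
    string $rbac_perm,
    string $pos_perm,
    int $ref_id,
    array $user_ids
): array {
    // An RBAC grant on the object covers every listed user, so nothing is filtered out.
    if ($this->access->checkAccess($rbac_perm, '', $ref_id)) {
        return $user_ids;
    }

    return $this->filterUserIdsByPositionOfCurrentUser($pos_perm, $ref_id, $user_ids);
}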
244
245
/**
 * Grants access when RBAC allows $rbac_perm on $ref_id, or otherwise when any position of
 * the current user carries an operation for that object.
 *
 * @param string $rbac_perm RBAC permission name
 * @param int    $ref_id    reference id of the object being accessed
 */
public function hasUserRBACorAnyPositionAccess(string $rbac_perm, int $ref_id): bool
{
    // RBAC is asked first; the position lookup only runs when RBAC denies.
    return $this->access->checkAccess($rbac_perm, '', $ref_id)
        || $this->hasCurrentUserAnyPositionAccess($ref_id);
}
254
255
256 //
257 // Helpers
258 //
259
/**
 * Id of the user object captured in the constructor.
 */
private function getCurrentUsersId(): int
{
    $current_user = $this->user;

    return $current_user->getId();
}
264
265
/**
 * Object type for a reference id, looked up once and then served from the static map.
 *
 * @param int $ref_id reference id of the object
 */
private function getTypeForRefId(int $ref_id): string
{
    // Second argument true: the id passed in is a reference id.
    return self::$ref_id_obj_type_map[$ref_id] ??= ilObject2::_lookupType($ref_id, true);
}
274
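/**
 * Object id that belongs to a reference id.
 *
 * NOTE(review): listing line 277, the only statement of this method, is absent from this
 * page. The lookup below is restored; confirm it against the repository file.
 *
 * @param int $ref_id reference id of the object
 */
private function getObjIdForRefId(int $ref_id): int
{
    return ilObject2::_lookupObjectId($ref_id);
}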
279
/**
 * Tells whether position-based access is switched on for the object behind $ref_id.
 *
 * The settings object is asked by object id, so the reference id is translated first.
 *
 * @param int $ref_id reference id of the object
 */
private function isPositionActiveForRefId(int $ref_id): bool
{
    // TODO this will change to ref_id!!
    return $this->set->isPositionAccessActiveForObject(
        $this->getObjIdForRefId($ref_id)
    );
}
286}