ilRbacAdmin Class Reference
Class ilRbacAdmin Core functions for role based access control. More...
Collaboration diagram for ilRbacAdmin:
Public Member Functions | |
| __construct () | |
| Constructor @access public. More... | |
| setBlockedStatus (int $a_role_id, int $a_ref_id, bool $a_blocked_status) | |
| removeUser (int $a_usr_id) | |
| deletes a user from rbac_ua all user <-> role relations are deleted More... | |
| deleteRole (int $a_rol_id, int $a_ref_id) | |
| Deletes a role and deletes entries in rbac_pa, rbac_templates, rbac_ua, rbac_fa. More... | |
| deleteTemplate (int $a_obj_id) | |
| Deletes a template from role folder and deletes all entries in rbac_templates, rbac_fa. More... | |
| deleteLocalRole (int $a_rol_id, int $a_ref_id=0) | |
| Deletes a local role and entries in rbac_fa and rbac_templates. More... | |
| assignUserLimited (int $a_role_id, int $a_usr_id, int $a_limit, array $a_limited_roles=[]) | |
| assignUser (int $a_rol_id, int $a_usr_id) | |
| Assigns an user to a role. More... | |
| deassignUser (int $a_rol_id, int $a_usr_id) | |
| Deassigns a user from a role. More... | |
| grantPermission (int $a_rol_id, array $a_ops, int $a_ref_id) | |
| Grants a permission to an object and a specific role. More... | |
| revokePermission (int $a_ref_id, int $a_rol_id=0, bool $a_keep_protected=true) | |
| Revokes permissions of an object of one role. More... | |
| revokeSubtreePermissions (int $a_ref_id, int $a_role_id) | |
| Revoke subtree permissions. More... | |
| deleteSubtreeTemplates (int $a_ref_id, int $a_rol_id) | |
| Delete all template permissions of subtree nodes. More... | |
| revokePermissionList (array $a_ref_ids, int $a_rol_id) | |
| Revokes permissions of a LIST of objects of ONE role. More... | |
| copyRolePermissions (int $a_source_id, int $a_source_parent, int $a_dest_parent, int $a_dest_id, bool $a_consider_protected=true) | |
| Copies template permissions and permission of one role to another. More... | |
| copyRoleTemplatePermissions (int $a_source_id, int $a_source_parent, int $a_dest_parent, int $a_dest_id, bool $a_consider_protected=true) | |
| Copies template permissions of one role to another. More... | |
| copyRolePermissionIntersection (int $a_source1_id, int $a_source1_parent, int $a_source2_id, int $a_source2_parent, int $a_dest_parent, int $a_dest_id) | |
| Copies the intersection of the template permissions of two roles to a third role. More... | |
| copyRolePermissionUnion (int $a_source1_id, int $a_source1_parent, int $a_source2_id, int $a_source2_parent, int $a_dest_id, int $a_dest_parent) | |
| copyRolePermissionSubtract (int $a_source_id, int $a_source_parent, int $a_dest_id, int $a_dest_parent) | |
| Subtract role permissions. More... | |
| deleteRolePermission (int $a_rol_id, int $a_ref_id, ?string $a_type=null) | |
| Deletes all entries of a template. More... | |
| setRolePermission (int $a_rol_id, string $a_type, array $a_ops, int $a_ref_id) | |
| Inserts template permissions in rbac_templates for an specific object type. More... | |
| assignRoleToFolder (int $a_rol_id, int $a_parent, string $a_assign="y") | |
| Assigns a role to a role folder A role folder is an object to store roles. More... | |
| assignOperationToObject (int $a_type_id, int $a_ops_id) | |
| Assign an existing operation to an object Update of rbac_ta. More... | |
| deassignOperationFromObject (int $a_type_id, int $a_ops_id) | |
| Deassign an existing operation from an object Update of rbac_ta. More... | |
| setProtected (int $a_ref_id, int $a_role_id, string $a_value) | |
| Set protected. More... | |
| copyLocalRoles (int $a_source_id, int $a_target_id) | |
| Copy local roles This method creates a copy of all local role. More... | |
| initIntersectionPermissions (int $a_ref_id, int $a_role_id, int $a_role_parent, int $a_template_id, int $a_template_parent) | |
| adjustMovedObjectPermissions (int $ref_id, int $old_parent) | |
| Adjust permissions of moved objects. More... | |
Protected Member Functions | |
| applyMovedObjectDidacticTemplates (int $a_ref_id, int $a_old_parent) | |
| Apply didactic templates after object movement. More... | |
Protected Attributes | |
| ilDBInterface | $db |
| ilRbacReview | $rbacreview |
| ilLogger | $logger |
Detailed Description
Class ilRbacAdmin Core functions for role based access control.
Creation and maintenance of Relations. The main relations of Rbac are user <-> role (UR) assignment relation and the permission <-> role (PR) assignment relation. This class contains methods to 'create' and 'delete' instances of the (UR) relation e.g.: assignUser(), deassignUser() Required methods for the PR relation are grantPermission(), revokePermission()
Definition at line 30 of file class.ilRbacAdmin.php.
Constructor & Destructor Documentation
◆ __construct()
| ilRbacAdmin::__construct | ( | ) |
Constructor @access public.
Definition at line 40 of file class.ilRbacAdmin.php.
41 {
42 global $DIC;
43
44 $this->db = $DIC->database();
45 $this->rbacreview = $DIC->rbac()->review();
46 $this->logger = $DIC->logger()->ac();
47 }
References $DIC, and ILIAS\Repository\logger().
Here is the call graph for this function:
Member Function Documentation
◆ adjustMovedObjectPermissions()
| ilRbacAdmin::adjustMovedObjectPermissions | ( | int | $ref_id, |
| int | $old_parent | ||
| ) |
Adjust permissions of moved objects.
- Delete permissions of parent roles that do not exist in new context
- Delete role templates of parent roles that do not exist in new context
- Add permissions for parent roles that did not exist in old context
2023-08-15 sk: We need to switch off the cache here, as otherwise there seems to be no way to get an adequate reading of the new path. We switch it back on again at the end of this function.
We switch the cache back on again. See above.
Definition at line 868 of file class.ilRbacAdmin.php.
868 : void
869 {
870 global $DIC;
871
873
874 $new_parent = $tree->getParentId($ref_id);
875 $old_context_roles = $this->rbacreview->getParentRoleIds($old_parent, false);
876 $new_context_roles = $this->rbacreview->getParentRoleIds($new_parent, false);
877
883 $tree->useCache(false);
884
885 $for_addition = $for_deletion = [];
886 foreach ($new_context_roles as $new_role_id => $new_role) {
887 if (!isset($old_context_roles[$new_role_id])) {
888 $for_addition[] = $new_role_id;
889 } elseif ($new_role['parent'] != $old_context_roles[$new_role_id]['parent']) {
890 // handle stopped inheritance
891 $for_deletion[] = $new_role_id;
892 $for_addition[] = $new_role_id;
893 }
894 }
895 foreach ($old_context_roles as $old_role_id => $old_role) {
896 if (!isset($new_context_roles[$old_role_id])) {
897 $for_deletion[] = $old_role_id;
898 }
899 }
900 if ($for_deletion === [] && $for_addition === []) {
902 return;
903 }
904
905 $rbac_log_active = ilRbacLog::isActive();
906 if ($rbac_log_active) {
907 $role_ids = array_unique(array_merge(array_keys($for_deletion), array_keys($for_addition)));
908 }
909
912 if ($rbac_log_active) {
913 $log_old = ilRbacLog::gatherFaPa($node_id, $role_ids);
914 }
915
916 // If $node_data['type'] is not set, this means there is a tree entry without
917 // object_reference and/or object_data entry
918 // Continue in this case
919 if (!($node_data['type'] ?? false)) {
920 continue;
921 }
922 if (!$node_id) {
923 continue;
924 }
925
926 foreach ($for_deletion as $role_id) {
927 $this->deleteLocalRole($role_id, $node_id);
929 }
930 foreach ($for_addition as $role_id) {
931 $role_parent_id = $this->rbacreview->getParentOfRole($role_id, $ref_id);
932 switch ($node_data['type']) {
933 case 'grp':
935
936 $this->initIntersectionPermissions(
937 $node_id,
938 $role_id,
939 $role_parent_id,
940 $tpl_id,
941 ROLE_FOLDER_ID
942 );
943 break;
944
945 case 'crs':
946 $tpl_id = ilObjCourse::lookupCourseNonMemberTemplatesId();
947 $this->initIntersectionPermissions(
948 $node_id,
949 $role_id,
950 $role_parent_id,
951 $tpl_id,
952 ROLE_FOLDER_ID
953 );
954 break;
955
956 default:
957 $this->grantPermission(
958 $role_id,
959 $this->rbacreview->getOperationsOfRole($role_id, $node_data['type'], $role_parent_id),
960 $node_id
961 );
962 break;
963
964 }
965 }
966
967 if ($rbac_log_active) {
968 $log_new = ilRbacLog::gatherFaPa($node_id, $role_ids);
971 }
972 }
973
977 $tree->useCache();
978
980 }
static lookupCourseNonMemberTemplatesId()
Definition: class.ilObjCourse.php:1325
static lookupGroupStatusTemplateId(int $a_obj_id)
Definition: class.ilObjGroup.php:972
applyMovedObjectDidacticTemplates(int $a_ref_id, int $a_old_parent)
Apply didactic templates after object movement.
Definition: class.ilRbacAdmin.php:847
deleteLocalRole(int $a_rol_id, int $a_ref_id=0)
Deletes a local role and entries in rbac_fa and rbac_templates.
Definition: class.ilRbacAdmin.php:118
initIntersectionPermissions(int $a_ref_id, int $a_role_id, int $a_role_parent, int $a_template_id, int $a_template_parent)
Definition: class.ilRbacAdmin.php:780
revokePermission(int $a_ref_id, int $a_rol_id=0, bool $a_keep_protected=true)
Revokes permissions of an object of one role.
Definition: class.ilRbacAdmin.php:301
grantPermission(int $a_rol_id, array $a_ops, int $a_ref_id)
Grants a permission to an object and a specific role.
Definition: class.ilRbacAdmin.php:259
static add(int $a_action, int $a_ref_id, array $a_diff, bool $a_source_ref_id=false)
Definition: class.ilRbacLog.php:141
static gatherFaPa(int $a_ref_id, array $a_role_ids, bool $a_add_action=false)
Definition: class.ilRbacLog.php:42
References $DIC, $log, $ref_id, ilRbacLog\add(), ilRbacLog\diffFaPa(), ilRbacLog\gatherFaPa(), ILIAS\Repository\int(), ilRbacLog\isActive(), ilObjCourse\lookupCourseNonMemberTemplatesId(), ilObjGroup\lookupGroupStatusTemplateId(), ilRbacLog\MOVE_OBJECT, and ROLE_FOLDER_ID.
Referenced by ilContainerGUI\pasteObject(), and ilContainerGUI\performPasteIntoMultipleObjectsObject().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ applyMovedObjectDidacticTemplates()
|
protected |
Apply didactic templates after object movement.
- Deprecated:
- since version 5.1.0 will be removed with 5.4 and implemented using event handler
- Todo:
- implement using event handler
Definition at line 847 of file class.ilRbacAdmin.php.
847 : void
848 {
849 $tpl_id = ilDidacticTemplateObjSettings::lookupTemplateId($a_ref_id);
850 if (!$tpl_id) {
851 return;
852 }
855 continue;
856 }
857 $action->setRefId($a_ref_id);
858 $action->apply();
859 }
860 }
static getActionsByTemplateId(int $a_tpl_id)
Get actions of one template.
Definition: class.ilDidacticTemplateActionFactory.php:51
represents a creation of local roles action
Definition: class.ilDidacticTemplateLocalRoleAction.php:12
static lookupTemplateId(int $a_ref_id)
Definition: class.ilDidacticTemplateObjSettings.php:13
References ilDidacticTemplateActionFactory\getActionsByTemplateId(), and ilDidacticTemplateObjSettings\lookupTemplateId().
Here is the call graph for this function:
◆ assignOperationToObject()
| ilRbacAdmin::assignOperationToObject | ( | int | $a_type_id, |
| int | $a_ops_id | ||
| ) |
Assign an existing operation to an object Update of rbac_ta.
Definition at line 714 of file class.ilRbacAdmin.php.
714 : void
715 {
717 "VALUES(" . $this->db->quote($a_type_id, 'integer') . "," . $this->db->quote($a_ops_id, 'integer') . ")";
719 }
◆ assignRoleToFolder()
| ilRbacAdmin::assignRoleToFolder | ( | int | $a_rol_id, |
| int | $a_parent, | ||
| string | $a_assign = "y" |
||
| ) |
Assigns a role to a role folder A role folder is an object to store roles.
Every role is assigned to minimum one role folder If the inheritance of a role is stopped, a new role template will created, and the role is assigned to minimum two role folders. All roles with stopped inheritance need the flag '$a_assign = false'
Definition at line 677 of file class.ilRbacAdmin.php.
681 : void {
683 // ignore system role
684 return;
685 }
686 // if a wrong value is passed, always set assign to "n"
687 if ($a_assign != "y") {
688 $a_assign = "n";
689 }
690
691 // check if already assigned
693 'WHERE rol_id = ' . $this->db->quote($a_rol_id, 'integer') . ' ' .
694 'AND parent = ' . $this->db->quote($a_parent, 'integer');
697 return;
698 }
699 $query = sprintf(
700 'INSERT INTO rbac_fa (rol_id, parent, assign, protected) ' .
701 'VALUES (%s,%s,%s,%s)',
702 $this->db->quote($a_rol_id, 'integer'),
703 $this->db->quote($a_parent, 'integer'),
704 $this->db->quote($a_assign, 'text'),
705 $this->db->quote('n', 'text')
706 );
708 }
Referenced by ilPermissionGUI\savePermissions().
Here is the caller graph for this function:
◆ assignUser()
| ilRbacAdmin::assignUser | ( | int | $a_rol_id, |
| int | $a_usr_id | ||
| ) |
Assigns an user to a role.
Update of table rbac_ua
Definition at line 187 of file class.ilRbacAdmin.php.
187 : void
188 {
189 // check if already assigned user id and role_id
190 $alreadyAssigned = $this->rbacreview->isAssigned($a_usr_id, $a_rol_id);
191
192 // enhanced: only if we haven't had this role for this user
193 if (!$alreadyAssigned) {
195 "VALUES (" . $this->db->quote($a_usr_id, 'integer') . "," . $this->db->quote(
196 $a_rol_id,
197 'integer'
198 ) . ")";
200
201 $this->rbacreview->setAssignedCacheEntry($a_rol_id, $a_usr_id, true);
202 }
203
204 $mapping = ilLDAPRoleGroupMapping::_getInstance();
205 $mapping->assign($a_rol_id, $a_usr_id);
206
207 $ref_id = $this->rbacreview->getObjectReferenceOfRole($a_rol_id);
210
211 if (!$alreadyAssigned) {
214 'Services/AccessControl',
215 'assignUser',
216 array(
217 'obj_id' => $obj_id,
218 'usr_id' => $a_usr_id,
219 'role_id' => $a_rol_id,
221 )
222 );
223 }
224 }
static _getInstance()
Get singleton instance of this class.
Definition: class.ilLDAPRoleGroupMapping.php:58
static _lookupType(int $id, bool $reference=false)
Definition: class.ilObject.php:1091
References $GLOBALS, $query, $ref_id, $res, $type, ilLDAPRoleGroupMapping\_getInstance(), ilObject\_lookupObjId(), ilObject\_lookupType(), and ilLoggerFactory\getInstance().
Referenced by ilObjCategoryGUI\assignSaveObject().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ assignUserLimited()
| ilRbacAdmin::assignUserLimited | ( | int | $a_role_id, |
| int | $a_usr_id, | ||
| int | $a_limit, | ||
| array | $a_limited_roles = [] |
||
| ) |
Definition at line 143 of file class.ilRbacAdmin.php.
148 : bool {
150 $ilAtomQuery = $this->db->buildAtomQuery();
151 $ilAtomQuery->addTableLock('rbac_ua');
152 $ilAtomQuery->addQueryCallable(
153 function (ilDBInterface $ilDB) use (&$ret, $a_role_id, $a_usr_id, $a_limit, $a_limited_roles): void {
154 $ret = true;
155 $limit_query = 'SELECT COUNT(*) num FROM rbac_ua ' .
159 if ($row->num >= $a_limit) {
160 $ret = false;
161 return;
162 }
163
165 "VALUES (" .
167 ")";
169 }
170 );
171 $ilAtomQuery->run();
172
173 if (!$ret) {
174 return false;
175 }
176
177 $this->rbacreview->setAssignedCacheEntry($a_role_id, $a_usr_id, true);
178 $mapping = ilLDAPRoleGroupMapping::_getInstance();
179 $mapping->assign($a_role_id, $a_usr_id);
180
181 return true;
182 }
buildAtomQuery()
References $ilDB, $query, $res, and ilDBConstants\FETCHMODE_OBJECT.
◆ copyLocalRoles()
| ilRbacAdmin::copyLocalRoles | ( | int | $a_source_id, |
| int | $a_target_id | ||
| ) |
Copy local roles This method creates a copy of all local role.
Note: auto generated roles are excluded
Definition at line 751 of file class.ilRbacAdmin.php.
751 : void
752 {
753 $real_local = [];
754 foreach ($this->rbacreview->getRolesOfRoleFolder($a_source_id, false) as $role_data) {
755 $title = ilObject::_lookupTitle($role_data);
756 if (substr($title, 0, 3) == 'il_') {
757 continue;
758 }
759 $real_local[] = $role_data;
760 }
761 if ($real_local === []) {
762 return;
763 }
764 // Create role folder
765 foreach ($real_local as $role) {
767 $orig->read();
768
770 $roleObj->setTitle($orig->getTitle());
771 $roleObj->setDescription($orig->getDescription());
772 $roleObj->setImportId($orig->getImportId());
773 $roleObj->create();
774
777 }
778 }
assignRoleToFolder(int $a_rol_id, int $a_parent, string $a_assign="y")
Assigns a role to a role folder A role folder is an object to store roles.
Definition: class.ilRbacAdmin.php:677
copyRolePermissions(int $a_source_id, int $a_source_parent, int $a_dest_parent, int $a_dest_id, bool $a_consider_protected=true)
Copies template permissions and permission of one role to another.
Definition: class.ilRbacAdmin.php:413
References ilObject\_lookupTitle().
Here is the call graph for this function:
◆ copyRolePermissionIntersection()
| ilRbacAdmin::copyRolePermissionIntersection | ( | int | $a_source1_id, |
| int | $a_source1_parent, | ||
| int | $a_source2_id, | ||
| int | $a_source2_parent, | ||
| int | $a_dest_parent, | ||
| int | $a_dest_id | ||
| ) |
Copies the intersection of the template permissions of two roles to a third role.
Definition at line 491 of file class.ilRbacAdmin.php.
498 : void {
499 // exclude system role from rbac
502 return;
503 }
505 "FROM rbac_templates s1, rbac_templates s2 " .
506 "WHERE s1.rol_id = " . $this->db->quote($a_source1_id, 'integer') . " " .
507 "AND s1.parent = " . $this->db->quote($a_source1_parent, 'integer') . " " .
508 "AND s2.rol_id = " . $this->db->quote($a_source2_id, 'integer') . " " .
509 "AND s2.parent = " . $this->db->quote($a_source2_parent, 'integer') . " " .
510 "AND s1.type = s2.type " .
511 "AND s1.ops_id = s2.ops_id";
512
514 $operations = [];
515 $rowNum = 0;
517 $operations[$rowNum]['type'] = $row->type;
518 $operations[$rowNum]['ops_id'] = $row->ops_id;
519
520 $rowNum++;
521 }
522
523 // Delete template permissions of target
524 $query = 'DELETE FROM rbac_templates WHERE rol_id = ' . $this->db->quote($a_dest_id, 'integer') . ' ' .
525 'AND parent = ' . $this->db->quote($a_dest_parent, 'integer');
527
529 'VALUES (?,?,?,?)';
531 foreach ($operations as $set) {
532 $this->db->execute($sta, array(
533 $a_dest_id,
534 $set['type'],
535 $set['ops_id'],
536 $a_dest_parent
537 ));
538 }
539 }
References ilLogLevel\DEBUG, and ILIAS\Repository\logger().
Here is the call graph for this function:
◆ copyRolePermissions()
| ilRbacAdmin::copyRolePermissions | ( | int | $a_source_id, |
| int | $a_source_parent, | ||
| int | $a_dest_parent, | ||
| int | $a_dest_id, | ||
| bool | $a_consider_protected = true |
||
| ) |
Copies template permissions and permission of one role to another.
Definition at line 413 of file class.ilRbacAdmin.php.
419 : void {
420 // Copy template permissions
421 $this->copyRoleTemplatePermissions(
422 $a_source_id,
423 $a_source_parent,
424 $a_dest_parent,
425 $a_dest_id,
426 $a_consider_protected
427 );
428 $ops = $this->rbacreview->getRoleOperationsOnObject($a_source_id, $a_source_parent);
429
430 $this->revokePermission($a_dest_parent, $a_dest_id);
431 $this->grantPermission($a_dest_id, $ops, $a_dest_parent);
432 }
copyRoleTemplatePermissions(int $a_source_id, int $a_source_parent, int $a_dest_parent, int $a_dest_id, bool $a_consider_protected=true)
Copies template permissions of one role to another.
Definition: class.ilRbacAdmin.php:438
◆ copyRolePermissionSubtract()
| ilRbacAdmin::copyRolePermissionSubtract | ( | int | $a_source_id, |
| int | $a_source_parent, | ||
| int | $a_dest_id, | ||
| int | $a_dest_parent | ||
| ) |
Subtract role permissions.
Definition at line 594 of file class.ilRbacAdmin.php.
599 : void {
602 return;
603 }
604 $s1_ops = $this->rbacreview->getAllOperationsOfRole($a_source_id, $a_source_parent);
605 $d_ops = $this->rbacreview->getAllOperationsOfRole($a_dest_id, $a_dest_parent);
606
608 foreach ($ops as $op) {
611 'WHERE rol_id = ' . $this->db->quote($a_dest_id, 'integer') . ' ' .
613 'AND ops_id = ' . $this->db->quote($op, 'integer') . ' ' .
614 'AND parent = ' . $this->db->quote($a_dest_parent, 'integer');
615 $this->db->manipulate($query);
616 }
617 }
618 }
619 }
References ilLogLevel\DEBUG, and ILIAS\Repository\logger().
Here is the call graph for this function:
◆ copyRolePermissionUnion()
| ilRbacAdmin::copyRolePermissionUnion | ( | int | $a_source1_id, |
| int | $a_source1_parent, | ||
| int | $a_source2_id, | ||
| int | $a_source2_parent, | ||
| int | $a_dest_id, | ||
| int | $a_dest_parent | ||
| ) |
Definition at line 541 of file class.ilRbacAdmin.php.
548 : void {
549
550 // exclude system role from rbac
553 return;
554 }
555 $s1_ops = $this->rbacreview->getAllOperationsOfRole($a_source1_id, $a_source1_parent);
556 $s2_ops = $this->rbacreview->getAllOperationsOfRole($a_source2_id, $a_source2_parent);
557 $this->deleteRolePermission($a_dest_id, $a_dest_parent);
558
560 foreach ($ops as $op) {
561 // insert all permission of source 1
562 // #15469
564 'VALUES( ' .
565 $this->db->quote($a_dest_id, 'integer') . ', ' .
567 $this->db->quote($op, 'integer') . ', ' .
568 $this->db->quote($a_dest_parent, 'integer') . ' ' .
569 ')';
570 $this->db->manipulate($query);
571 }
572 }
573
574 // and the other direction...
576 foreach ($ops as $op) {
579 'VALUES( ' .
580 $this->db->quote($a_dest_id, 'integer') . ', ' .
582 $this->db->quote($op, 'integer') . ', ' .
583 $this->db->quote($a_dest_parent, 'integer') . ' ' .
584 ')';
585 $this->db->manipulate($query);
586 }
587 }
588 }
589 }
deleteRolePermission(int $a_rol_id, int $a_ref_id, ?string $a_type=null)
Deletes all entries of a template.
Definition: class.ilRbacAdmin.php:626
References ilLogLevel\DEBUG, and ILIAS\Repository\logger().
Here is the call graph for this function:
◆ copyRoleTemplatePermissions()
| ilRbacAdmin::copyRoleTemplatePermissions | ( | int | $a_source_id, |
| int | $a_source_parent, | ||
| int | $a_dest_parent, | ||
| int | $a_dest_id, | ||
| bool | $a_consider_protected = true |
||
| ) |
Copies template permissions of one role to another.
It's also possible to copy template permissions from/to RoleTemplateObject
Definition at line 438 of file class.ilRbacAdmin.php.
444 : void {
445 // exclude system role from rbac
448 return;
449 }
450
451 // Read operations
453 'WHERE rol_id = ' . $this->db->quote($a_source_id, 'integer') . ' ' .
454 'AND parent = ' . $this->db->quote($a_source_parent, 'integer');
456 $operations = [];
457 $rownum = 0;
459 $operations[$rownum]['type'] = $row->type;
460 $operations[$rownum]['ops_id'] = $row->ops_id;
461 $rownum++;
462 }
463
464 // Delete target permissions
465 $query = 'DELETE FROM rbac_templates WHERE rol_id = ' . $this->db->quote($a_dest_id, 'integer') . ' ' .
466 'AND parent = ' . $this->db->quote($a_dest_parent, 'integer');
468
469 foreach ($operations as $op) {
471 'VALUES (' .
472 $this->db->quote($a_dest_id, 'integer') . "," .
473 $this->db->quote($op['type'], 'text') . "," .
474 $this->db->quote($op['ops_id'], 'integer') . "," .
475 $this->db->quote($a_dest_parent, 'integer') . ")";
476 $this->db->manipulate($query);
477 }
478
479 // copy also protection status if applicable
480 if ($a_consider_protected == true) {
481 if ($this->rbacreview->isProtected($a_source_parent, $a_source_id)) {
483 }
484 }
485 }
setProtected(int $a_ref_id, int $a_role_id, string $a_value)
Set protected.
Definition: class.ilRbacAdmin.php:736
References ilLogLevel\DEBUG, and ILIAS\Repository\logger().
Referenced by ilPermissionGUI\savePermissions().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ deassignOperationFromObject()
| ilRbacAdmin::deassignOperationFromObject | ( | int | $a_type_id, |
| int | $a_ops_id | ||
| ) |
Deassign an existing operation from an object Update of rbac_ta.
Definition at line 725 of file class.ilRbacAdmin.php.
725 : void
726 {
728 "WHERE typ_id = " . $this->db->quote($a_type_id, 'integer') . " " .
729 "AND ops_id = " . $this->db->quote($a_ops_id, 'integer');
731 }
◆ deassignUser()
| ilRbacAdmin::deassignUser | ( | int | $a_rol_id, |
| int | $a_usr_id | ||
| ) |
Deassigns a user from a role.
Update of table rbac_ua
Definition at line 229 of file class.ilRbacAdmin.php.
229 : void
230 {
232 "WHERE usr_id = " . $this->db->quote($a_usr_id, 'integer') . " " .
233 "AND rol_id = " . $this->db->quote($a_rol_id, 'integer') . " ";
235
236 $this->rbacreview->setAssignedCacheEntry($a_rol_id, $a_usr_id, false);
237
238 $mapping = ilLDAPRoleGroupMapping::_getInstance();
239 $mapping->deassign($a_rol_id, $a_usr_id);
240
245
248 'obj_id' => $obj_id,
249 'usr_id' => $a_usr_id,
250 'role_id' => $a_rol_id,
252 ));
253 }
254 }
References $GLOBALS, $query, $ref_id, $res, $type, ilLDAPRoleGroupMapping\_getInstance(), ilObject\_lookupObjId(), ilObject\_lookupType(), and ilLoggerFactory\getInstance().
Referenced by ilObjCategoryGUI\assignSaveObject(), ilObjBlogGUI\removeContributor(), and removeUser().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ deleteLocalRole()
| ilRbacAdmin::deleteLocalRole | ( | int | $a_rol_id, |
| int | $a_ref_id = 0 |
||
| ) |
Deletes a local role and entries in rbac_fa and rbac_templates.
Definition at line 118 of file class.ilRbacAdmin.php.
118 : void
119 {
120 // exclude system role from rbac
124 return;
125 }
126
127 $clause = '';
128 if ($a_ref_id != 0) {
129 $clause = 'AND parent = ' . $this->db->quote($a_ref_id, 'integer') . ' ';
130 }
131
133 'WHERE rol_id = ' . $this->db->quote($a_rol_id, 'integer') . ' ' .
134 $clause;
136
138 'WHERE rol_id = ' . $this->db->quote($a_rol_id, 'integer') . ' ' .
139 $clause;
141 }
References $query, $res, ILIAS\Repository\logger(), ilLogLevel\NOTICE, and SYSTEM_ROLE_ID.
Referenced by deleteRole().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ deleteRole()
| ilRbacAdmin::deleteRole | ( | int | $a_rol_id, |
| int | $a_ref_id | ||
| ) |
Deletes a role and deletes entries in rbac_pa, rbac_templates, rbac_ua, rbac_fa.
Definition at line 74 of file class.ilRbacAdmin.php.
74 : void
75 {
78 throw new DomainException('System administrator role is not deletable.');
79 }
80
81 $mapping = ilLDAPRoleGroupMapping::_getInstance();
82 $mapping->deleteRole($a_rol_id);
83
84 // TODO: check assigned users before deletion
85 // This is done in ilObjRole. Should be better moved to this place?
86
87 // delete user assignements
89 "WHERE rol_id = " . $this->db->quote($a_rol_id, 'integer');
91
92 // delete permission assignments
94 "WHERE rol_id = " . $this->db->quote($a_rol_id, 'integer') . " ";
96
97 //delete rbac_templates and rbac_fa
98 $this->deleteLocalRole($a_rol_id);
99 }
References $query, $res, ilLDAPRoleGroupMapping\_getInstance(), ilLogLevel\DEBUG, deleteLocalRole(), ILIAS\Repository\logger(), and SYSTEM_ROLE_ID.
Here is the call graph for this function:
◆ deleteRolePermission()
| ilRbacAdmin::deleteRolePermission | ( | int | $a_rol_id, |
| int | $a_ref_id, | ||
| ?string | $a_type = null |
||
| ) |
Deletes all entries of a template.
If an object type is given for third parameter only the entries for that object type are deleted Update of table rbac_templates.
Definition at line 626 of file class.ilRbacAdmin.php.
630 : void {
633 return;
634 }
635 $and_type = '';
636 if ($a_type !== null) {
637 $and_type = " AND type=" . $this->db->quote($a_type, 'text') . " ";
638 }
640 'WHERE rol_id = ' . $this->db->quote($a_rol_id, 'integer') . ' ' .
641 'AND parent = ' . $this->db->quote($a_ref_id, 'integer') . ' ' .
642 $and_type;
644 }
References ilLogLevel\DEBUG, and ILIAS\Repository\logger().
Here is the call graph for this function:
◆ deleteSubtreeTemplates()
| ilRbacAdmin::deleteSubtreeTemplates | ( | int | $a_ref_id, |
| int | $a_rol_id | ||
| ) |
Delete all template permissions of subtree nodes.
Definition at line 377 of file class.ilRbacAdmin.php.
◆ deleteTemplate()
| ilRbacAdmin::deleteTemplate | ( | int | $a_obj_id | ) |
Deletes a template from role folder and deletes all entries in rbac_templates, rbac_fa.
Definition at line 104 of file class.ilRbacAdmin.php.
104 : void
105 {
107 'WHERE rol_id = ' . $this->db->quote($a_obj_id, 'integer');
109
111 'WHERE rol_id = ' . $this->db->quote($a_obj_id, 'integer');
113 }
◆ grantPermission()
| ilRbacAdmin::grantPermission | ( | int | $a_rol_id, |
| array | $a_ops, | ||
| int | $a_ref_id | ||
| ) |
Grants a permission to an object and a specific role.
Update of table rbac_pa
Definition at line 259 of file class.ilRbacAdmin.php.
259 : void
260 {
261 // exclude system role from rbac
264 return;
265 }
266
267 // convert all values to integer
270 }
271
272 $ops_ids = serialize($a_ops);
273
275 'WHERE rol_id = %s ' .
276 'AND ref_id = %s';
277 $res = $this->db->queryF(
278 $query,
279 array('integer', 'integer'),
280 array($a_rol_id, $a_ref_id)
281 );
282
283 if ($a_ops === []) {
284 return;
285 }
286
288 "VALUES " .
289 "(" . $this->db->quote($a_rol_id, 'integer') . "," . $this->db->quote(
290 $ops_ids,
291 'text'
292 ) . "," . $this->db->quote($a_ref_id, 'integer') . ")";
294 }
References ILIAS\LTI\ToolProvider\$key, $query, $res, ilLogLevel\DEBUG, ILIAS\Repository\int(), ILIAS\Repository\logger(), and SYSTEM_ROLE_ID.
Referenced by ilPermissionGUI\savePermissions().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ initIntersectionPermissions()
| ilRbacAdmin::initIntersectionPermissions | ( | int | $a_ref_id, |
| int | $a_role_id, | ||
| int | $a_role_parent, | ||
| int | $a_template_id, | ||
| int | $a_template_parent | ||
| ) |
Definition at line 780 of file class.ilRbacAdmin.php.
786 : void {
787 if ($this->rbacreview->isProtected($a_role_parent, $a_role_id)) {
788 // Assign object permissions
789 $new_ops = $this->rbacreview->getOperationsOfRole(
790 $a_role_id,
792 $a_role_parent
793 );
794
795 // set new permissions for object
796 $this->grantPermission(
797 $a_role_id,
798 (array) $new_ops,
799 $a_ref_id
800 );
801 return;
802 }
803 if (!$a_template_id) {
805 return;
806 }
807 // create template permission intersection
808 $this->copyRolePermissionIntersection(
809 $a_template_id,
810 $a_template_parent,
811 $a_role_id,
812 $a_role_parent,
813 $a_ref_id,
814 $a_role_id
815 );
816
817 // assign role to folder
818 $this->assignRoleToFolder(
819 $a_role_id,
820 $a_ref_id,
821 'n'
822 );
823
824 // Assign object permissions
825 $new_ops = $this->rbacreview->getOperationsOfRole(
826 $a_role_id,
828 $a_ref_id
829 );
830
831 // revoke existing permissions
832 $this->revokePermission($a_ref_id, $a_role_id);
833
834 // set new permissions for object
835 $this->grantPermission(
836 $a_role_id,
837 (array) $new_ops,
838 $a_ref_id
839 );
840 }
static getLogger(string $a_component_id)
Get component logger.
Definition: class.ilLoggerFactory.php:89
copyRolePermissionIntersection(int $a_source1_id, int $a_source1_parent, int $a_source2_id, int $a_source2_parent, int $a_dest_parent, int $a_dest_id)
Copies the intersection of the template permissions of two roles to a third role.
Definition: class.ilRbacAdmin.php:491
References ilObject\_lookupType().
Here is the call graph for this function:
◆ removeUser()
| ilRbacAdmin::removeUser | ( | int | $a_usr_id | ) |
deletes a user from rbac_ua all user <-> role relations are deleted
Definition at line 62 of file class.ilRbacAdmin.php.
62 : void
63 {
64 foreach ($this->rbacreview->assignedRoles($a_usr_id) as $role_id) {
65 $this->deassignUser($role_id, $a_usr_id);
66 }
69 }
deassignUser(int $a_rol_id, int $a_usr_id)
Deassigns a user from a role.
Definition: class.ilRbacAdmin.php:229
References $query, $res, and deassignUser().
Here is the call graph for this function:
◆ revokePermission()
| ilRbacAdmin::revokePermission | ( | int | $a_ref_id, |
| int | $a_rol_id = 0, |
||
| bool | $a_keep_protected = true |
||
| ) |
Revokes permissions of an object of one role.
Update of table rbac_pa. Revokes all permission for all roles for that object (with this reference). When a role_id is given this applies only to that role
Definition at line 301 of file class.ilRbacAdmin.php.
301 : void
302 {
305 return;
306 }
307
308 // bypass protected status of roles
309 if ($a_keep_protected != true) {
310 if ($a_rol_id) {
311 $and1 = " AND rol_id = " . $this->db->quote($a_rol_id, 'integer') . " ";
312 } else {
313 $and1 = "";
314 }
315
317 "WHERE ref_id = " . $this->db->quote($a_ref_id, 'integer') .
318 $and1;
320 return;
321 }
322
323 // consider protected status of roles
324
325 // in any case, get all roles in scope first
326 $roles_in_scope = $this->rbacreview->getParentRoleIds($a_ref_id);
327
328 if (!$a_rol_id) {
329 $role_ids = [];
330
331 foreach ($roles_in_scope as $role) {
332 if ($role['protected'] == true) {
333 continue;
334 }
335
336 $role_ids[] = $role['obj_id'];
337 }
338
339 // return if no role in array
340 if ($role_ids === []) {
341 return;
342 }
343
345 'WHERE ' . $this->db->in('rol_id', $role_ids, false, 'integer') . ' ' .
346 'AND ref_id = ' . $this->db->quote($a_ref_id, 'integer');
348 } else {
349 // exclude protected permission settings from revoking
350 if ($roles_in_scope[$a_rol_id]['protected'] == true) {
351 return;
352 }
353
355 "WHERE ref_id = " . $this->db->quote($a_ref_id, 'integer') . " " .
356 "AND rol_id = " . $this->db->quote($a_rol_id, 'integer') . " ";
358 }
359 }
References $query, $res, ilLogLevel\DEBUG, ILIAS\Repository\logger(), and SYSTEM_ROLE_ID.
Referenced by ilObject\delete(), and ilPermissionGUI\savePermissions().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ revokePermissionList()
| ilRbacAdmin::revokePermissionList | ( | array | $a_ref_ids, |
| int | $a_rol_id | ||
| ) |
Revokes permissions of a LIST of objects of ONE role.
Update of table rbac_pa.
Definition at line 397 of file class.ilRbacAdmin.php.
397 : void
398 {
399 // exclude system role from rbac
402 return;
403 }
405 "WHERE " . $this->db->in('ref_id', $a_ref_ids, false, 'integer') . ' ' .
406 "AND rol_id = " . $this->db->quote($a_rol_id, 'integer');
408 }
References $query, $res, ilLogLevel\DEBUG, ILIAS\Repository\logger(), and SYSTEM_ROLE_ID.
Here is the call graph for this function:
◆ revokeSubtreePermissions()
| ilRbacAdmin::revokeSubtreePermissions | ( | int | $a_ref_id, |
| int | $a_role_id | ||
| ) |
Revoke subtree permissions.
Definition at line 364 of file class.ilRbacAdmin.php.
364 : void
365 {
367 'WHERE ref_id IN ' .
369 'AND rol_id = ' . $this->db->quote($a_role_id, 'integer');
370
371 $this->db->manipulate($query);
372 }
◆ setBlockedStatus()
| ilRbacAdmin::setBlockedStatus | ( | int | $a_role_id, |
| int | $a_ref_id, | ||
| bool | $a_blocked_status | ||
| ) |
Definition at line 49 of file class.ilRbacAdmin.php.
49 : void
50 {
52 $query = 'UPDATE rbac_fa set blocked = ' . $this->db->quote($a_blocked_status, 'integer') . ' ' .
53 'WHERE rol_id = ' . $this->db->quote($a_role_id, 'integer') . ' ' .
54 'AND parent = ' . $this->db->quote($a_ref_id, 'integer');
55 $this->db->manipulate($query);
56 }
References $query, and ilLoggerFactory\getLogger().
Here is the call graph for this function:
◆ setProtected()
| ilRbacAdmin::setProtected | ( | int | $a_ref_id, |
| int | $a_role_id, | ||
| string | $a_value | ||
| ) |
Set protected.
Definition at line 736 of file class.ilRbacAdmin.php.
736 : void
737 {
738 // ref_id not used yet. protected permission acts 'global' for each role,
739 // regardless of any broken inheritance before
741 'SET protected = ' . $this->db->quote($a_value, 'text') . ' ' .
742 'WHERE rol_id = ' . $this->db->quote($a_role_id, 'integer');
744 }
Referenced by ilPermissionGUI\savePermissions().
Here is the caller graph for this function:
◆ setRolePermission()
| ilRbacAdmin::setRolePermission | ( | int | $a_rol_id, |
| string | $a_type, | ||
| array | $a_ops, | ||
| int | $a_ref_id | ||
| ) |
Inserts template permissions in rbac_templates for an specific object type.
Update of table rbac_templates
Definition at line 650 of file class.ilRbacAdmin.php.
650 : void
651 {
653 $this->logger->logStack();
654 return;
655 }
656 foreach ($a_ops as $op) {
657 $this->db->replace(
658 'rbac_templates',
659 [
660 'rol_id' => ['integer', $a_rol_id],
661 'type' => ['text', $a_type],
662 'ops_id' => ['integer', $op],
663 'parent' => ['integer', $a_ref_id]
664 ],
665 []
666 );
667 }
668 }
References ILIAS\Repository\logger(), and SYSTEM_ROLE_ID.
Here is the call graph for this function:
Field Documentation
◆ $db
|
protected |
Definition at line 32 of file class.ilRbacAdmin.php.
◆ $logger
|
protected |
Definition at line 34 of file class.ilRbacAdmin.php.
◆ $rbacreview
|
protected |
Definition at line 33 of file class.ilRbacAdmin.php.
The documentation for this class was generated from the following file:
- Services/AccessControl/classes/class.ilRbacAdmin.php
