ILIAS  release_8 Revision v8.19-1-g4e8f2f9140c
All Data Structures Namespaces Files Functions Variables Modules Pages
Public Member Functions | Protected Member Functions | Protected Attributes
ilRbacAdmin Class Reference

Class ilRbacAdmin Core functions for role based access control. More...

+ Collaboration diagram for ilRbacAdmin:

Public Member Functions

 __construct ()
 Constructor public. More...
 
 setBlockedStatus (int $a_role_id, int $a_ref_id, bool $a_blocked_status)
 
 removeUser (int $a_usr_id)
 deletes a user from rbac_ua all user <-> role relations are deleted More...
 
 deleteRole (int $a_rol_id, int $a_ref_id)
 Deletes a role and deletes entries in rbac_pa, rbac_templates, rbac_ua, rbac_fa. More...
 
 deleteTemplate (int $a_obj_id)
 Deletes a template from role folder and deletes all entries in rbac_templates, rbac_fa. More...
 
 deleteLocalRole (int $a_rol_id, int $a_ref_id=0)
 Deletes a local role and entries in rbac_fa and rbac_templates. More...
 
 assignUserLimited (int $a_role_id, int $a_usr_id, int $a_limit, array $a_limited_roles=[])
 
 assignUser (int $a_rol_id, int $a_usr_id)
 Assigns an user to a role. More...
 
 deassignUser (int $a_rol_id, int $a_usr_id)
 Deassigns a user from a role. More...
 
 grantPermission (int $a_rol_id, array $a_ops, int $a_ref_id)
 Grants a permission to an object and a specific role. More...
 
 revokePermission (int $a_ref_id, int $a_rol_id=0, bool $a_keep_protected=true)
 Revokes permissions of an object of one role. More...
 
 revokeSubtreePermissions (int $a_ref_id, int $a_role_id)
 Revoke subtree permissions. More...
 
 deleteSubtreeTemplates (int $a_ref_id, int $a_rol_id)
 Delete all template permissions of subtree nodes. More...
 
 revokePermissionList (array $a_ref_ids, int $a_rol_id)
 Revokes permissions of a LIST of objects of ONE role. More...
 
 copyRolePermissions (int $a_source_id, int $a_source_parent, int $a_dest_parent, int $a_dest_id, bool $a_consider_protected=true)
 Copies template permissions and permission of one role to another. More...
 
 copyRoleTemplatePermissions (int $a_source_id, int $a_source_parent, int $a_dest_parent, int $a_dest_id, bool $a_consider_protected=true)
 Copies template permissions of one role to another. More...
 
 copyRolePermissionIntersection (int $a_source1_id, int $a_source1_parent, int $a_source2_id, int $a_source2_parent, int $a_dest_parent, int $a_dest_id)
 Copies the intersection of the template permissions of two roles to a third role. More...
 
 copyRolePermissionUnion (int $a_source1_id, int $a_source1_parent, int $a_source2_id, int $a_source2_parent, int $a_dest_id, int $a_dest_parent)
 
 copyRolePermissionSubtract (int $a_source_id, int $a_source_parent, int $a_dest_id, int $a_dest_parent)
 Subtract role permissions. More...
 
 deleteRolePermission (int $a_rol_id, int $a_ref_id, ?string $a_type=null)
 Deletes all entries of a template. More...
 
 setRolePermission (int $a_rol_id, string $a_type, array $a_ops, int $a_ref_id)
 Inserts template permissions in rbac_templates for an specific object type. More...
 
 assignRoleToFolder (int $a_rol_id, int $a_parent, string $a_assign="y")
 Assigns a role to a role folder A role folder is an object to store roles. More...
 
 assignOperationToObject (int $a_type_id, int $a_ops_id)
 Assign an existing operation to an object Update of rbac_ta. More...
 
 deassignOperationFromObject (int $a_type_id, int $a_ops_id)
 Deassign an existing operation from an object Update of rbac_ta. More...
 
 setProtected (int $a_ref_id, int $a_role_id, string $a_value)
 Set protected. More...
 
 copyLocalRoles (int $a_source_id, int $a_target_id)
 Copy local roles This method creates a copy of all local role. More...
 
 initIntersectionPermissions (int $a_ref_id, int $a_role_id, int $a_role_parent, int $a_template_id, int $a_template_parent)
 
 adjustMovedObjectPermissions (int $ref_id, int $old_parent)
 Adjust permissions of moved objects. More...
 

Protected Member Functions

 applyMovedObjectDidacticTemplates (int $a_ref_id, int $a_old_parent)
 Apply didactic templates after object movement. More...
 

Protected Attributes

ilDBInterface $db
 
ilRbacReview $rbacreview
 
ilLogger $logger
 

Detailed Description

Class ilRbacAdmin Core functions for role based access control.

Creation and maintenance of Relations. The main relations of Rbac are user <-> role (UR) assignment relation and the permission <-> role (PR) assignment relation. This class contains methods to 'create' and 'delete' instances of the (UR) relation e.g.: assignUser(), deassignUser() Required methods for the PR relation are grantPermission(), revokePermission()

Author
Stefan Meyer meyer.nosp@m.@lei.nosp@m.fos.c.nosp@m.om

Definition at line 30 of file class.ilRbacAdmin.php.

Constructor & Destructor Documentation

◆ __construct()

ilRbacAdmin::__construct ( )

Constructor public.

Definition at line 40 of file class.ilRbacAdmin.php.

References $DIC, and ILIAS\Repository\logger().

41  {
42  global $DIC;
43 
44  $this->db = $DIC->database();
45  $this->rbacreview = $DIC->rbac()->review();
46  $this->logger = $DIC->logger()->ac();
47  }
$DIC
global $DIC
Definition: feed.php:28
+ Here is the call graph for this function:

Member Function Documentation

◆ adjustMovedObjectPermissions()

ilRbacAdmin::adjustMovedObjectPermissions ( int  $ref_id,
int  $old_parent 
)

Adjust permissions of moved objects.

  • Delete permissions of parent roles that do not exist in new context
  • Delete role templates of parent roles that do not exist in new context
  • Add permissions for parent roles that did not exist in old context

2023-08-15 sk: We need to switch off the cache here, as otherwise there seems to be no way to get an adequate reading of the new path. We switch it back on again at the end of this function.

We switch the cache back on again. See above.

Definition at line 868 of file class.ilRbacAdmin.php.

References $DIC, $log, ilRbacLog\add(), applyMovedObjectDidacticTemplates(), deleteLocalRole(), ilRbacLog\diffFaPa(), ilRbacLog\gatherFaPa(), grantPermission(), initIntersectionPermissions(), ILIAS\Repository\int(), ilRbacLog\isActive(), ilObjCourse\lookupCourseNonMemberTemplatesId(), ilObjGroup\lookupGroupStatusTemplateId(), ilRbacLog\MOVE_OBJECT, revokePermission(), and ROLE_FOLDER_ID.

Referenced by ilContainerGUI\pasteObject(), and ilContainerGUI\performPasteIntoMultipleObjectsObject().

868  : void
869  {
870  global $DIC;
871 
872  $tree = $DIC['tree'];
873 
874  $new_parent = $tree->getParentId($ref_id);
875  $old_context_roles = $this->rbacreview->getParentRoleIds($old_parent, false);
876  $new_context_roles = $this->rbacreview->getParentRoleIds($new_parent, false);
877 
883  $tree->useCache(false);
884 
885  $for_addition = $for_deletion = [];
886  foreach ($new_context_roles as $new_role_id => $new_role) {
887  if (!isset($old_context_roles[$new_role_id])) {
888  $for_addition[] = $new_role_id;
889  } elseif ($new_role['parent'] != $old_context_roles[$new_role_id]['parent']) {
890  // handle stopped inheritance
891  $for_deletion[] = $new_role_id;
892  $for_addition[] = $new_role_id;
893  }
894  }
895  foreach ($old_context_roles as $old_role_id => $old_role) {
896  if (!isset($new_context_roles[$old_role_id])) {
897  $for_deletion[] = $old_role_id;
898  }
899  }
900  if ($for_deletion === [] && $for_addition === []) {
901  $this->applyMovedObjectDidacticTemplates($ref_id, $old_parent);
902  return;
903  }
904 
905  $rbac_log_active = ilRbacLog::isActive();
906  if ($rbac_log_active) {
907  $role_ids = array_unique(array_merge(array_keys($for_deletion), array_keys($for_addition)));
908  }
909 
910  foreach ($tree->getSubTree($tree->getNodeData($ref_id), true) as $node_data) {
911  $node_id = (int) $node_data['child'];
912  if ($rbac_log_active) {
913  $log_old = ilRbacLog::gatherFaPa($node_id, $role_ids);
914  }
915 
916  // If $node_data['type'] is not set, this means there is a tree entry without
917  // object_reference and/or object_data entry
918  // Continue in this case
919  if (!($node_data['type'] ?? false)) {
920  continue;
921  }
922  if (!$node_id) {
923  continue;
924  }
925 
926  foreach ($for_deletion as $role_id) {
927  $this->deleteLocalRole($role_id, $node_id);
928  $this->revokePermission($node_id, $role_id, false);
929  }
930  foreach ($for_addition as $role_id) {
931  $role_parent_id = $this->rbacreview->getParentOfRole($role_id, $ref_id);
932  switch ($node_data['type']) {
933  case 'grp':
934  $tpl_id = ilObjGroup::lookupGroupStatusTemplateId((int) $node_data['obj_id']);
935 
936  $this->initIntersectionPermissions(
937  $node_id,
938  $role_id,
939  $role_parent_id,
940  $tpl_id,
941  ROLE_FOLDER_ID
942  );
943  break;
944 
945  case 'crs':
946  $tpl_id = ilObjCourse::lookupCourseNonMemberTemplatesId();
947  $this->initIntersectionPermissions(
948  $node_id,
949  $role_id,
950  $role_parent_id,
951  $tpl_id,
952  ROLE_FOLDER_ID
953  );
954  break;
955 
956  default:
957  $this->grantPermission(
958  $role_id,
959  $this->rbacreview->getOperationsOfRole($role_id, $node_data['type'], $role_parent_id),
960  $node_id
961  );
962  break;
963 
964  }
965  }
966 
967  if ($rbac_log_active) {
968  $log_new = ilRbacLog::gatherFaPa($node_id, $role_ids);
969  $log = ilRbacLog::diffFaPa($log_old, $log_new);
970  ilRbacLog::add(ilRbacLog::MOVE_OBJECT, $node_id, $log);
971  }
972  }
973 
977  $tree->useCache();
978 
979  $this->applyMovedObjectDidacticTemplates($ref_id, $old_parent);
980  }
ilRbacLog\gatherFaPa
static gatherFaPa(int $a_ref_id, array $a_role_ids, bool $a_add_action=false)
Definition: class.ilRbacLog.php:42
ilRbacAdmin\grantPermission
grantPermission(int $a_rol_id, array $a_ops, int $a_ref_id)
Grants a permission to an object and a specific role.
Definition: class.ilRbacAdmin.php:259
ilRbacAdmin\applyMovedObjectDidacticTemplates
applyMovedObjectDidacticTemplates(int $a_ref_id, int $a_old_parent)
Apply didactic templates after object movement.
Definition: class.ilRbacAdmin.php:847
ilObjCourse\lookupCourseNonMemberTemplatesId
static lookupCourseNonMemberTemplatesId()
Definition: class.ilObjCourse.php:1325
ilRbacLog\isActive
static isActive()
Definition: class.ilRbacLog.php:37
ilRbacAdmin\revokePermission
revokePermission(int $a_ref_id, int $a_rol_id=0, bool $a_keep_protected=true)
Revokes permissions of an object of one role.
Definition: class.ilRbacAdmin.php:301
ilObjGroup\lookupGroupStatusTemplateId
static lookupGroupStatusTemplateId(int $a_obj_id)
Definition: class.ilObjGroup.php:972
ilRbacLog\diffFaPa
static diffFaPa(array $a_old, array $a_new)
Definition: class.ilRbacLog.php:75
$DIC
global $DIC
Definition: feed.php:28
$ref_id
$ref_id
Definition: ltiauth.php:67
ilRbacLog\add
static add(int $a_action, int $a_ref_id, array $a_diff, bool $a_source_ref_id=false)
Definition: class.ilRbacLog.php:141
$log
$log
Definition: result.php:33
ilRbacAdmin\initIntersectionPermissions
initIntersectionPermissions(int $a_ref_id, int $a_role_id, int $a_role_parent, int $a_template_id, int $a_template_parent)
Definition: class.ilRbacAdmin.php:780
ROLE_FOLDER_ID
const ROLE_FOLDER_ID
Definition: constants.php:34
ilRbacAdmin\deleteLocalRole
deleteLocalRole(int $a_rol_id, int $a_ref_id=0)
Deletes a local role and entries in rbac_fa and rbac_templates.
Definition: class.ilRbacAdmin.php:118
ilRbacLog\MOVE_OBJECT
const MOVE_OBJECT
Definition: class.ilRbacLog.php:29
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ applyMovedObjectDidacticTemplates()

ilRbacAdmin::applyMovedObjectDidacticTemplates ( int  $a_ref_id,
int  $a_old_parent 
)
protected

Apply didactic templates after object movement.

Deprecated:
since version 5.1.0 will be removed with 5.4 and implemented using event handler
Todo:
implement using event handler

Definition at line 847 of file class.ilRbacAdmin.php.

References ilDidacticTemplateActionFactory\getActionsByTemplateId(), and ilDidacticTemplateObjSettings\lookupTemplateId().

Referenced by adjustMovedObjectPermissions().

847  : void
848  {
849  $tpl_id = ilDidacticTemplateObjSettings::lookupTemplateId($a_ref_id);
850  if (!$tpl_id) {
851  return;
852  }
853  foreach (ilDidacticTemplateActionFactory::getActionsByTemplateId($tpl_id) as $action) {
854  if ($action instanceof ilDidacticTemplateLocalRoleAction) {
855  continue;
856  }
857  $action->setRefId($a_ref_id);
858  $action->apply();
859  }
860  }
ilDidacticTemplateActionFactory\getActionsByTemplateId
static getActionsByTemplateId(int $a_tpl_id)
Get actions of one template.
Definition: class.ilDidacticTemplateActionFactory.php:51
ilDidacticTemplateLocalRoleAction
represents a creation of local roles action
Definition: class.ilDidacticTemplateLocalRoleAction.php:11
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ assignOperationToObject()

ilRbacAdmin::assignOperationToObject ( int  $a_type_id,
int  $a_ops_id 
)

Assign an existing operation to an object Update of rbac_ta.

Definition at line 714 of file class.ilRbacAdmin.php.

References $query, and $res.

714  : void
715  {
716  $query = "INSERT INTO rbac_ta (typ_id, ops_id) " .
717  "VALUES(" . $this->db->quote($a_type_id, 'integer') . "," . $this->db->quote($a_ops_id, 'integer') . ")";
718  $res = $this->db->manipulate($query);
719  }
$res
$res
Definition: ltiservices.php:69
$query
$query
Definition: proxy_ylocal.php:13

◆ assignRoleToFolder()

ilRbacAdmin::assignRoleToFolder ( int  $a_rol_id,
int  $a_parent,
string  $a_assign = "y" 
)

Assigns a role to a role folder A role folder is an object to store roles.

Every role is assigned to minimum one role folder If the inheritance of a role is stopped, a new role template will created, and the role is assigned to minimum two role folders. All roles with stopped inheritance need the flag '$a_assign = false'

Definition at line 677 of file class.ilRbacAdmin.php.

References $query, $res, and SYSTEM_ROLE_ID.

Referenced by copyLocalRoles(), initIntersectionPermissions(), and ilPermissionGUI\savePermissions().

681  : void {
682  if ($a_rol_id == SYSTEM_ROLE_ID) {
683  // ignore system role
684  return;
685  }
686  // if a wrong value is passed, always set assign to "n"
687  if ($a_assign != "y") {
688  $a_assign = "n";
689  }
690 
691  // check if already assigned
692  $query = 'SELECT rol_id FROM rbac_fa ' .
693  'WHERE rol_id = ' . $this->db->quote($a_rol_id, 'integer') . ' ' .
694  'AND parent = ' . $this->db->quote($a_parent, 'integer');
695  $res = $this->db->query($query);
696  if ($res->numRows()) {
697  return;
698  }
699  $query = sprintf(
700  'INSERT INTO rbac_fa (rol_id, parent, assign, protected) ' .
701  'VALUES (%s,%s,%s,%s)',
702  $this->db->quote($a_rol_id, 'integer'),
703  $this->db->quote($a_parent, 'integer'),
704  $this->db->quote($a_assign, 'text'),
705  $this->db->quote('n', 'text')
706  );
707  $res = $this->db->manipulate($query);
708  }
$res
$res
Definition: ltiservices.php:69
SYSTEM_ROLE_ID
const SYSTEM_ROLE_ID
Definition: constants.php:29
$query
$query
Definition: proxy_ylocal.php:13
+ Here is the caller graph for this function:

◆ assignUser()

ilRbacAdmin::assignUser ( int  $a_rol_id,
int  $a_usr_id 
)

Assigns an user to a role.

Update of table rbac_ua

Definition at line 187 of file class.ilRbacAdmin.php.

References $GLOBALS, $query, $ref_id, $res, $type, ilLDAPRoleGroupMapping\_getInstance(), ilObject\_lookupObjId(), ilObject\_lookupType(), and ilLoggerFactory\getInstance().

Referenced by ilObjBlogGUI\addContributor(), and ilObjCategoryGUI\assignSaveObject().

187  : void
188  {
189  // check if already assigned user id and role_id
190  $alreadyAssigned = $this->rbacreview->isAssigned($a_usr_id, $a_rol_id);
191 
192  // enhanced: only if we haven't had this role for this user
193  if (!$alreadyAssigned) {
194  $query = "INSERT INTO rbac_ua (usr_id, rol_id) " .
195  "VALUES (" . $this->db->quote($a_usr_id, 'integer') . "," . $this->db->quote(
196  $a_rol_id,
197  'integer'
198  ) . ")";
199  $res = $this->db->manipulate($query);
200 
201  $this->rbacreview->setAssignedCacheEntry($a_rol_id, $a_usr_id, true);
202  }
203 
204  $mapping = ilLDAPRoleGroupMapping::_getInstance();
205  $mapping->assign($a_rol_id, $a_usr_id);
206 
207  $ref_id = $this->rbacreview->getObjectReferenceOfRole($a_rol_id);
208  $obj_id = ilObject::_lookupObjId($ref_id);
209  $type = ilObject::_lookupType($obj_id);
210 
211  if (!$alreadyAssigned) {
212  ilLoggerFactory::getInstance()->getLogger('ac')->debug('Raise event assign user');
213  $GLOBALS['DIC']['ilAppEventHandler']->raise(
214  'Services/AccessControl',
215  'assignUser',
216  array(
217  'obj_id' => $obj_id,
218  'usr_id' => $a_usr_id,
219  'role_id' => $a_rol_id,
220  'type' => $type
221  )
222  );
223  }
224  }
$res
$res
Definition: ltiservices.php:69
$type
$type
Definition: proxy_ylocal.php:10
ilObject\_lookupObjId
static _lookupObjId(int $ref_id)
Definition: class.ilObject.php:930
ilLDAPRoleGroupMapping\_getInstance
static _getInstance()
Get singleton instance of this class.
Definition: class.ilLDAPRoleGroupMapping.php:58
$ref_id
$ref_id
Definition: ltiauth.php:67
$GLOBALS
if(!defined('PATH_SEPARATOR')) $GLOBALS['_PEAR_default_error_mode']
Definition: PEAR.php:64
$query
$query
Definition: proxy_ylocal.php:13
ilObject\_lookupType
static _lookupType(int $id, bool $reference=false)
Definition: class.ilObject.php:1091
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ assignUserLimited()

ilRbacAdmin::assignUserLimited ( int  $a_role_id,
int  $a_usr_id,
int  $a_limit,
array  $a_limited_roles = [] 
)

Definition at line 143 of file class.ilRbacAdmin.php.

References $db, $ilDB, $query, $res, ilLDAPRoleGroupMapping\_getInstance(), ilDBInterface\buildAtomQuery(), ilDBConstants\FETCHMODE_OBJECT, ilDBInterface\in(), ilDBInterface\manipulate(), ilDBInterface\query(), and ilDBInterface\quote().

148  : bool {
149  $ilDB = $this->db;
150  $ilAtomQuery = $this->db->buildAtomQuery();
151  $ilAtomQuery->addTableLock('rbac_ua');
152  $ilAtomQuery->addQueryCallable(
153  function (ilDBInterface $ilDB) use (&$ret, $a_role_id, $a_usr_id, $a_limit, $a_limited_roles): void {
154  $ret = true;
155  $limit_query = 'SELECT COUNT(*) num FROM rbac_ua ' .
156  'WHERE ' . $ilDB->in('rol_id', (array) $a_limited_roles, false, 'integer');
157  $res = $ilDB->query($limit_query);
158  $row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT);
159  if ($row->num >= $a_limit) {
160  $ret = false;
161  return;
162  }
163 
164  $query = "INSERT INTO rbac_ua (usr_id, rol_id) " .
165  "VALUES (" .
166  $ilDB->quote($a_usr_id, 'integer') . "," . $ilDB->quote($a_role_id, 'integer') .
167  ")";
168  $res = $ilDB->manipulate($query);
169  }
170  );
171  $ilAtomQuery->run();
172 
173  if (!$ret) {
174  return false;
175  }
176 
177  $this->rbacreview->setAssignedCacheEntry($a_role_id, $a_usr_id, true);
178  $mapping = ilLDAPRoleGroupMapping::_getInstance();
179  $mapping->assign($a_role_id, $a_usr_id);
180 
181  return true;
182  }
$res
$res
Definition: ltiservices.php:69
ilDBInterface\quote
quote($value, string $type)
ilLDAPRoleGroupMapping\_getInstance
static _getInstance()
Get singleton instance of this class.
Definition: class.ilLDAPRoleGroupMapping.php:58
ilRbacAdmin\$db
ilDBInterface $db
Definition: class.ilRbacAdmin.php:32
ilDBInterface\query
query(string $query)
Run a (read-only) Query on the database.
$query
$query
Definition: proxy_ylocal.php:13
ilDBInterface\in
in(string $field, array $values, bool $negate=false, string $type="")
ilDBInterface\manipulate
manipulate(string $query)
Run a (write) Query on the database.
+ Here is the call graph for this function:

◆ copyLocalRoles()

ilRbacAdmin::copyLocalRoles ( int  $a_source_id,
int  $a_target_id 
)

Copy local roles This method creates a copy of all local role.

Note: auto generated roles are excluded

Definition at line 751 of file class.ilRbacAdmin.php.

References ilObject\_lookupTitle(), assignRoleToFolder(), and copyRolePermissions().

Referenced by ilObject\_prepareCloneSelection().

751  : void
752  {
753  $real_local = [];
754  foreach ($this->rbacreview->getRolesOfRoleFolder($a_source_id, false) as $role_data) {
755  $title = ilObject::_lookupTitle($role_data);
756  if (substr($title, 0, 3) == 'il_') {
757  continue;
758  }
759  $real_local[] = $role_data;
760  }
761  if ($real_local === []) {
762  return;
763  }
764  // Create role folder
765  foreach ($real_local as $role) {
766  $orig = new ilObjRole($role);
767  $orig->read();
768 
769  $roleObj = new ilObjRole();
770  $roleObj->setTitle($orig->getTitle());
771  $roleObj->setDescription($orig->getDescription());
772  $roleObj->setImportId($orig->getImportId());
773  $roleObj->create();
774 
775  $this->assignRoleToFolder($roleObj->getId(), $a_target_id, "y");
776  $this->copyRolePermissions($role, $a_source_id, $a_target_id, $roleObj->getId(), true);
777  }
778  }
ilObjRole
Class ilObjRole.
Definition: class.ilObjRole.php:26
ilRbacAdmin\copyRolePermissions
copyRolePermissions(int $a_source_id, int $a_source_parent, int $a_dest_parent, int $a_dest_id, bool $a_consider_protected=true)
Copies template permissions and permission of one role to another.
Definition: class.ilRbacAdmin.php:413
ilObject\_lookupTitle
static _lookupTitle(int $obj_id)
Definition: class.ilObject.php:837
ilRbacAdmin\assignRoleToFolder
assignRoleToFolder(int $a_rol_id, int $a_parent, string $a_assign="y")
Assigns a role to a role folder A role folder is an object to store roles.
Definition: class.ilRbacAdmin.php:677
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ copyRolePermissionIntersection()

ilRbacAdmin::copyRolePermissionIntersection ( int  $a_source1_id,
int  $a_source1_parent,
int  $a_source2_id,
int  $a_source2_parent,
int  $a_dest_parent,
int  $a_dest_id 
)

Copies the intersection of the template permissions of two roles to a third role.

Definition at line 491 of file class.ilRbacAdmin.php.

References $query, $res, ilLogLevel\DEBUG, ilDBConstants\FETCHMODE_OBJECT, ILIAS\Repository\logger(), and SYSTEM_ROLE_ID.

Referenced by initIntersectionPermissions().

498  : void {
499  // exclude system role from rbac
500  if ($a_dest_id == SYSTEM_ROLE_ID) {
501  $this->logger->logStack(ilLogLevel::DEBUG);
502  return;
503  }
504  $query = "SELECT s1.type, s1.ops_id " .
505  "FROM rbac_templates s1, rbac_templates s2 " .
506  "WHERE s1.rol_id = " . $this->db->quote($a_source1_id, 'integer') . " " .
507  "AND s1.parent = " . $this->db->quote($a_source1_parent, 'integer') . " " .
508  "AND s2.rol_id = " . $this->db->quote($a_source2_id, 'integer') . " " .
509  "AND s2.parent = " . $this->db->quote($a_source2_parent, 'integer') . " " .
510  "AND s1.type = s2.type " .
511  "AND s1.ops_id = s2.ops_id";
512 
513  $res = $this->db->query($query);
514  $operations = [];
515  $rowNum = 0;
516  while ($row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
517  $operations[$rowNum]['type'] = $row->type;
518  $operations[$rowNum]['ops_id'] = $row->ops_id;
519 
520  $rowNum++;
521  }
522 
523  // Delete template permissions of target
524  $query = 'DELETE FROM rbac_templates WHERE rol_id = ' . $this->db->quote($a_dest_id, 'integer') . ' ' .
525  'AND parent = ' . $this->db->quote($a_dest_parent, 'integer');
526  $res = $this->db->manipulate($query);
527 
528  $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) ' .
529  'VALUES (?,?,?,?)';
530  $sta = $this->db->prepareManip($query, array('integer', 'text', 'integer', 'integer'));
531  foreach ($operations as $set) {
532  $this->db->execute($sta, array(
533  $a_dest_id,
534  $set['type'],
535  $set['ops_id'],
536  $a_dest_parent
537  ));
538  }
539  }
$res
$res
Definition: ltiservices.php:69
SYSTEM_ROLE_ID
const SYSTEM_ROLE_ID
Definition: constants.php:29
$query
$query
Definition: proxy_ylocal.php:13
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ copyRolePermissions()

ilRbacAdmin::copyRolePermissions ( int  $a_source_id,
int  $a_source_parent,
int  $a_dest_parent,
int  $a_dest_id,
bool  $a_consider_protected = true 
)

Copies template permissions and permission of one role to another.

Definition at line 413 of file class.ilRbacAdmin.php.

References copyRoleTemplatePermissions(), grantPermission(), and revokePermission().

Referenced by copyLocalRoles().

419  : void {
420  // Copy template permissions
421  $this->copyRoleTemplatePermissions(
422  $a_source_id,
423  $a_source_parent,
424  $a_dest_parent,
425  $a_dest_id,
426  $a_consider_protected
427  );
428  $ops = $this->rbacreview->getRoleOperationsOnObject($a_source_id, $a_source_parent);
429 
430  $this->revokePermission($a_dest_parent, $a_dest_id);
431  $this->grantPermission($a_dest_id, $ops, $a_dest_parent);
432  }
ilRbacAdmin\grantPermission
grantPermission(int $a_rol_id, array $a_ops, int $a_ref_id)
Grants a permission to an object and a specific role.
Definition: class.ilRbacAdmin.php:259
ilRbacAdmin\copyRoleTemplatePermissions
copyRoleTemplatePermissions(int $a_source_id, int $a_source_parent, int $a_dest_parent, int $a_dest_id, bool $a_consider_protected=true)
Copies template permissions of one role to another.
Definition: class.ilRbacAdmin.php:438
ilRbacAdmin\revokePermission
revokePermission(int $a_ref_id, int $a_rol_id=0, bool $a_keep_protected=true)
Revokes permissions of an object of one role.
Definition: class.ilRbacAdmin.php:301
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ copyRolePermissionSubtract()

ilRbacAdmin::copyRolePermissionSubtract ( int  $a_source_id,
int  $a_source_parent,
int  $a_dest_id,
int  $a_dest_parent 
)

Subtract role permissions.

Definition at line 594 of file class.ilRbacAdmin.php.

References $query, $type, ilLogLevel\DEBUG, ILIAS\Repository\logger(), and SYSTEM_ROLE_ID.

599  : void {
600  if ($a_dest_id == SYSTEM_ROLE_ID) {
601  $this->logger->logStack(ilLogLevel::DEBUG);
602  return;
603  }
604  $s1_ops = $this->rbacreview->getAllOperationsOfRole($a_source_id, $a_source_parent);
605  $d_ops = $this->rbacreview->getAllOperationsOfRole($a_dest_id, $a_dest_parent);
606 
607  foreach ($s1_ops as $type => $ops) {
608  foreach ($ops as $op) {
609  if (isset($d_ops[$type]) && in_array($op, $d_ops[$type])) {
610  $query = 'DELETE FROM rbac_templates ' .
611  'WHERE rol_id = ' . $this->db->quote($a_dest_id, 'integer') . ' ' .
612  'AND type = ' . $this->db->quote($type, 'text') . ' ' .
613  'AND ops_id = ' . $this->db->quote($op, 'integer') . ' ' .
614  'AND parent = ' . $this->db->quote($a_dest_parent, 'integer');
615  $this->db->manipulate($query);
616  }
617  }
618  }
619  }
$type
$type
Definition: proxy_ylocal.php:10
SYSTEM_ROLE_ID
const SYSTEM_ROLE_ID
Definition: constants.php:29
$query
$query
Definition: proxy_ylocal.php:13
+ Here is the call graph for this function:

◆ copyRolePermissionUnion()

ilRbacAdmin::copyRolePermissionUnion ( int  $a_source1_id,
int  $a_source1_parent,
int  $a_source2_id,
int  $a_source2_parent,
int  $a_dest_id,
int  $a_dest_parent 
)

Definition at line 541 of file class.ilRbacAdmin.php.

References $query, $type, ilLogLevel\DEBUG, deleteRolePermission(), ILIAS\Repository\logger(), and SYSTEM_ROLE_ID.

548  : void {
549 
550  // exclude system role from rbac
551  if ($a_dest_id == SYSTEM_ROLE_ID) {
552  $this->logger->logStack(ilLogLevel::DEBUG);
553  return;
554  }
555  $s1_ops = $this->rbacreview->getAllOperationsOfRole($a_source1_id, $a_source1_parent);
556  $s2_ops = $this->rbacreview->getAllOperationsOfRole($a_source2_id, $a_source2_parent);
557  $this->deleteRolePermission($a_dest_id, $a_dest_parent);
558 
559  foreach ($s1_ops as $type => $ops) {
560  foreach ($ops as $op) {
561  // insert all permission of source 1
562  // #15469
563  $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) ' .
564  'VALUES( ' .
565  $this->db->quote($a_dest_id, 'integer') . ', ' .
566  $this->db->quote($type, 'text') . ', ' .
567  $this->db->quote($op, 'integer') . ', ' .
568  $this->db->quote($a_dest_parent, 'integer') . ' ' .
569  ')';
570  $this->db->manipulate($query);
571  }
572  }
573 
574  // and the other direction...
575  foreach ($s2_ops as $type => $ops) {
576  foreach ($ops as $op) {
577  if (!isset($s1_ops[$type]) || !in_array($op, $s1_ops[$type])) {
578  $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) ' .
579  'VALUES( ' .
580  $this->db->quote($a_dest_id, 'integer') . ', ' .
581  $this->db->quote($type, 'text') . ', ' .
582  $this->db->quote($op, 'integer') . ', ' .
583  $this->db->quote($a_dest_parent, 'integer') . ' ' .
584  ')';
585  $this->db->manipulate($query);
586  }
587  }
588  }
589  }
ilRbacAdmin\deleteRolePermission
deleteRolePermission(int $a_rol_id, int $a_ref_id, ?string $a_type=null)
Deletes all entries of a template.
Definition: class.ilRbacAdmin.php:626
$type
$type
Definition: proxy_ylocal.php:10
SYSTEM_ROLE_ID
const SYSTEM_ROLE_ID
Definition: constants.php:29
$query
$query
Definition: proxy_ylocal.php:13
+ Here is the call graph for this function:

◆ copyRoleTemplatePermissions()

ilRbacAdmin::copyRoleTemplatePermissions ( int  $a_source_id,
int  $a_source_parent,
int  $a_dest_parent,
int  $a_dest_id,
bool  $a_consider_protected = true 
)

Copies template permissions of one role to another.

It's also possible to copy template permissions from/to RoleTemplateObject

Definition at line 438 of file class.ilRbacAdmin.php.

References $query, $res, ilLogLevel\DEBUG, ILIAS\Repository\logger(), setProtected(), and SYSTEM_ROLE_ID.

Referenced by copyRolePermissions(), and ilPermissionGUI\savePermissions().

444  : void {
445  // exclude system role from rbac
446  if ($a_dest_id == SYSTEM_ROLE_ID) {
447  $this->logger->logStack(ilLogLevel::DEBUG);
448  return;
449  }
450 
451  // Read operations
452  $query = 'SELECT * FROM rbac_templates ' .
453  'WHERE rol_id = ' . $this->db->quote($a_source_id, 'integer') . ' ' .
454  'AND parent = ' . $this->db->quote($a_source_parent, 'integer');
455  $res = $this->db->query($query);
456  $operations = [];
457  $rownum = 0;
458  while ($row = $this->db->fetchObject($res)) {
459  $operations[$rownum]['type'] = $row->type;
460  $operations[$rownum]['ops_id'] = $row->ops_id;
461  $rownum++;
462  }
463 
464  // Delete target permissions
465  $query = 'DELETE FROM rbac_templates WHERE rol_id = ' . $this->db->quote($a_dest_id, 'integer') . ' ' .
466  'AND parent = ' . $this->db->quote($a_dest_parent, 'integer');
467  $res = $this->db->manipulate($query);
468 
469  foreach ($operations as $op) {
470  $query = 'INSERT INTO rbac_templates (rol_id,type,ops_id,parent) ' .
471  'VALUES (' .
472  $this->db->quote($a_dest_id, 'integer') . "," .
473  $this->db->quote($op['type'], 'text') . "," .
474  $this->db->quote($op['ops_id'], 'integer') . "," .
475  $this->db->quote($a_dest_parent, 'integer') . ")";
476  $this->db->manipulate($query);
477  }
478 
479  // copy also protection status if applicable
480  if ($a_consider_protected == true) {
481  if ($this->rbacreview->isProtected($a_source_parent, $a_source_id)) {
482  $this->setProtected($a_dest_parent, $a_dest_id, 'y');
483  }
484  }
485  }
$res
$res
Definition: ltiservices.php:69
SYSTEM_ROLE_ID
const SYSTEM_ROLE_ID
Definition: constants.php:29
$query
$query
Definition: proxy_ylocal.php:13
ilRbacAdmin\setProtected
setProtected(int $a_ref_id, int $a_role_id, string $a_value)
Set protected.
Definition: class.ilRbacAdmin.php:736
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ deassignOperationFromObject()

ilRbacAdmin::deassignOperationFromObject ( int  $a_type_id,
int  $a_ops_id 
)

Deassign an existing operation from an object Update of rbac_ta.

Definition at line 725 of file class.ilRbacAdmin.php.

References $query, and $res.

725  : void
726  {
727  $query = "DELETE FROM rbac_ta " .
728  "WHERE typ_id = " . $this->db->quote($a_type_id, 'integer') . " " .
729  "AND ops_id = " . $this->db->quote($a_ops_id, 'integer');
730  $res = $this->db->manipulate($query);
731  }
$res
$res
Definition: ltiservices.php:69
$query
$query
Definition: proxy_ylocal.php:13

◆ deassignUser()

ilRbacAdmin::deassignUser ( int  $a_rol_id,
int  $a_usr_id 
)

Deassigns a user from a role.

Update of table rbac_ua

Definition at line 229 of file class.ilRbacAdmin.php.

References $GLOBALS, $query, $ref_id, $res, $type, ilLDAPRoleGroupMapping\_getInstance(), ilObject\_lookupObjId(), ilObject\_lookupType(), and ilLoggerFactory\getInstance().

Referenced by ilObjCategoryGUI\assignSaveObject(), ilObjBlogGUI\removeContributor(), and removeUser().

229  : void
230  {
231  $query = "DELETE FROM rbac_ua " .
232  "WHERE usr_id = " . $this->db->quote($a_usr_id, 'integer') . " " .
233  "AND rol_id = " . $this->db->quote($a_rol_id, 'integer') . " ";
234  $res = $this->db->manipulate($query);
235 
236  $this->rbacreview->setAssignedCacheEntry($a_rol_id, $a_usr_id, false);
237 
238  $mapping = ilLDAPRoleGroupMapping::_getInstance();
239  $mapping->deassign($a_rol_id, $a_usr_id);
240 
241  if ($res) {
242  $ref_id = $GLOBALS['DIC']['rbacreview']->getObjectReferenceOfRole($a_rol_id);
243  $obj_id = ilObject::_lookupObjId($ref_id);
244  $type = ilObject::_lookupType($obj_id);
245 
246  ilLoggerFactory::getInstance()->getLogger('ac')->debug('Raise event deassign user');
247  $GLOBALS['DIC']['ilAppEventHandler']->raise('Services/AccessControl', 'deassignUser', array(
248  'obj_id' => $obj_id,
249  'usr_id' => $a_usr_id,
250  'role_id' => $a_rol_id,
251  'type' => $type,
252  ));
253  }
254  }
$res
$res
Definition: ltiservices.php:69
$type
$type
Definition: proxy_ylocal.php:10
ilObject\_lookupObjId
static _lookupObjId(int $ref_id)
Definition: class.ilObject.php:930
ilLDAPRoleGroupMapping\_getInstance
static _getInstance()
Get singleton instance of this class.
Definition: class.ilLDAPRoleGroupMapping.php:58
$ref_id
$ref_id
Definition: ltiauth.php:67
$GLOBALS
if(!defined('PATH_SEPARATOR')) $GLOBALS['_PEAR_default_error_mode']
Definition: PEAR.php:64
$query
$query
Definition: proxy_ylocal.php:13
ilObject\_lookupType
static _lookupType(int $id, bool $reference=false)
Definition: class.ilObject.php:1091
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ deleteLocalRole()

ilRbacAdmin::deleteLocalRole ( int  $a_rol_id,
int  $a_ref_id = 0 
)

Deletes a local role and entries in rbac_fa and rbac_templates.

Definition at line 118 of file class.ilRbacAdmin.php.

References $query, $res, ILIAS\Repository\logger(), ilLogLevel\NOTICE, and SYSTEM_ROLE_ID.

Referenced by adjustMovedObjectPermissions(), and deleteRole().

118  : void
119  {
120  // exclude system role from rbac
121  if ($a_rol_id == SYSTEM_ROLE_ID) {
122  $this->logger->logStack(ilLogLevel::NOTICE);
123  $this->logger->notice('System administrator role is not deletable.');
124  return;
125  }
126 
127  $clause = '';
128  if ($a_ref_id != 0) {
129  $clause = 'AND parent = ' . $this->db->quote($a_ref_id, 'integer') . ' ';
130  }
131 
132  $query = 'DELETE FROM rbac_fa ' .
133  'WHERE rol_id = ' . $this->db->quote($a_rol_id, 'integer') . ' ' .
134  $clause;
135  $res = $this->db->manipulate($query);
136 
137  $query = 'DELETE FROM rbac_templates ' .
138  'WHERE rol_id = ' . $this->db->quote($a_rol_id, 'integer') . ' ' .
139  $clause;
140  $res = $this->db->manipulate($query);
141  }
$res
$res
Definition: ltiservices.php:69
SYSTEM_ROLE_ID
const SYSTEM_ROLE_ID
Definition: constants.php:29
$query
$query
Definition: proxy_ylocal.php:13
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ deleteRole()

ilRbacAdmin::deleteRole ( int  $a_rol_id,
int  $a_ref_id 
)

Deletes a role and deletes entries in rbac_pa, rbac_templates, rbac_ua, rbac_fa.

Definition at line 74 of file class.ilRbacAdmin.php.

References $query, $res, ilLDAPRoleGroupMapping\_getInstance(), ilLogLevel\DEBUG, deleteLocalRole(), ILIAS\Repository\logger(), and SYSTEM_ROLE_ID.

74  : void
75  {
76  if ($a_rol_id == SYSTEM_ROLE_ID) {
77  $this->logger->logStack(ilLogLevel::DEBUG);
78  throw new DomainException('System administrator role is not deletable.');
79  }
80 
81  $mapping = ilLDAPRoleGroupMapping::_getInstance();
82  $mapping->deleteRole($a_rol_id);
83 
84  // TODO: check assigned users before deletion
85  // This is done in ilObjRole. Should be better moved to this place?
86 
87  // delete user assignements
88  $query = "DELETE FROM rbac_ua " .
89  "WHERE rol_id = " . $this->db->quote($a_rol_id, 'integer');
90  $res = $this->db->manipulate($query);
91 
92  // delete permission assignments
93  $query = "DELETE FROM rbac_pa " .
94  "WHERE rol_id = " . $this->db->quote($a_rol_id, 'integer') . " ";
95  $res = $this->db->manipulate($query);
96 
97  //delete rbac_templates and rbac_fa
98  $this->deleteLocalRole($a_rol_id);
99  }
$res
$res
Definition: ltiservices.php:69
SYSTEM_ROLE_ID
const SYSTEM_ROLE_ID
Definition: constants.php:29
ilLDAPRoleGroupMapping\_getInstance
static _getInstance()
Get singleton instance of this class.
Definition: class.ilLDAPRoleGroupMapping.php:58
$query
$query
Definition: proxy_ylocal.php:13
ilRbacAdmin\deleteLocalRole
deleteLocalRole(int $a_rol_id, int $a_ref_id=0)
Deletes a local role and entries in rbac_fa and rbac_templates.
Definition: class.ilRbacAdmin.php:118
+ Here is the call graph for this function:

◆ deleteRolePermission()

ilRbacAdmin::deleteRolePermission ( int  $a_rol_id,
int  $a_ref_id,
?string  $a_type = null 
)

Deletes all entries of a template.

If an object type is given for third parameter only the entries for that object type are deleted Update of table rbac_templates.

Definition at line 626 of file class.ilRbacAdmin.php.

References $query, $res, ilLogLevel\DEBUG, ILIAS\Repository\logger(), and SYSTEM_ROLE_ID.

Referenced by copyRolePermissionUnion().

630  : void {
631  if ($a_rol_id == SYSTEM_ROLE_ID) {
632  $this->logger->logStack(ilLogLevel::DEBUG);
633  return;
634  }
635  $and_type = '';
636  if ($a_type !== null) {
637  $and_type = " AND type=" . $this->db->quote($a_type, 'text') . " ";
638  }
639  $query = 'DELETE FROM rbac_templates ' .
640  'WHERE rol_id = ' . $this->db->quote($a_rol_id, 'integer') . ' ' .
641  'AND parent = ' . $this->db->quote($a_ref_id, 'integer') . ' ' .
642  $and_type;
643  $res = $this->db->manipulate($query);
644  }
$res
$res
Definition: ltiservices.php:69
SYSTEM_ROLE_ID
const SYSTEM_ROLE_ID
Definition: constants.php:29
$query
$query
Definition: proxy_ylocal.php:13
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ deleteSubtreeTemplates()

ilRbacAdmin::deleteSubtreeTemplates ( int  $a_ref_id,
int  $a_rol_id 
)

Delete all template permissions of subtree nodes.

Definition at line 377 of file class.ilRbacAdmin.php.

References $GLOBALS, and $query.

377  : void
378  {
379  $query = 'DELETE FROM rbac_templates ' .
380  'WHERE parent IN ( ' .
381  $GLOBALS['DIC']['tree']->getSubTreeQuery($a_ref_id, array('child')) . ' ) ' .
382  'AND rol_id = ' . $this->db->quote($a_rol_id, 'integer');
383 
384  $this->db->manipulate($query);
385 
386  $query = 'DELETE FROM rbac_fa ' .
387  'WHERE parent IN ( ' .
388  $GLOBALS['DIC']['tree']->getSubTreeQuery($a_ref_id, array('child')) . ' ) ' .
389  'AND rol_id = ' . $this->db->quote($a_rol_id, 'integer');
390 
391  $this->db->manipulate($query);
392  }
$GLOBALS
if(!defined('PATH_SEPARATOR')) $GLOBALS['_PEAR_default_error_mode']
Definition: PEAR.php:64
$query
$query
Definition: proxy_ylocal.php:13

◆ deleteTemplate()

ilRbacAdmin::deleteTemplate ( int  $a_obj_id)

Deletes a template from role folder and deletes all entries in rbac_templates, rbac_fa.

Definition at line 104 of file class.ilRbacAdmin.php.

References $query, and $res.

104  : void
105  {
106  $query = 'DELETE FROM rbac_templates ' .
107  'WHERE rol_id = ' . $this->db->quote($a_obj_id, 'integer');
108  $res = $this->db->manipulate($query);
109 
110  $query = 'DELETE FROM rbac_fa ' .
111  'WHERE rol_id = ' . $this->db->quote($a_obj_id, 'integer');
112  $res = $this->db->manipulate($query);
113  }
$res
$res
Definition: ltiservices.php:69
$query
$query
Definition: proxy_ylocal.php:13

◆ grantPermission()

ilRbacAdmin::grantPermission ( int  $a_rol_id,
array  $a_ops,
int  $a_ref_id 
)

Grants a permission to an object and a specific role.

Update of table rbac_pa

Definition at line 259 of file class.ilRbacAdmin.php.

References ILIAS\LTI\ToolProvider\$key, $query, $res, ilLogLevel\DEBUG, ILIAS\Repository\int(), ILIAS\Repository\logger(), and SYSTEM_ROLE_ID.

Referenced by adjustMovedObjectPermissions(), copyRolePermissions(), initIntersectionPermissions(), and ilPermissionGUI\savePermissions().

259  : void
260  {
261  // exclude system role from rbac
262  if ($a_rol_id == SYSTEM_ROLE_ID) {
263  $this->logger->logStack(ilLogLevel::DEBUG);
264  return;
265  }
266 
267  // convert all values to integer
268  foreach ($a_ops as $key => $operation) {
269  $a_ops[$key] = (int) $operation;
270  }
271 
272  $ops_ids = serialize($a_ops);
273 
274  $query = 'DELETE FROM rbac_pa ' .
275  'WHERE rol_id = %s ' .
276  'AND ref_id = %s';
277  $res = $this->db->queryF(
278  $query,
279  array('integer', 'integer'),
280  array($a_rol_id, $a_ref_id)
281  );
282 
283  if ($a_ops === []) {
284  return;
285  }
286 
287  $query = "INSERT INTO rbac_pa (rol_id,ops_id,ref_id) " .
288  "VALUES " .
289  "(" . $this->db->quote($a_rol_id, 'integer') . "," . $this->db->quote(
290  $ops_ids,
291  'text'
292  ) . "," . $this->db->quote($a_ref_id, 'integer') . ")";
293  $res = $this->db->manipulate($query);
294  }
$res
$res
Definition: ltiservices.php:69
SYSTEM_ROLE_ID
const SYSTEM_ROLE_ID
Definition: constants.php:29
ILIAS\LTI\ToolProvider\$key
string $key
Consumer key/client ID value.
Definition: System.php:193
$query
$query
Definition: proxy_ylocal.php:13
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ initIntersectionPermissions()

ilRbacAdmin::initIntersectionPermissions ( int  $a_ref_id,
int  $a_role_id,
int  $a_role_parent,
int  $a_template_id,
int  $a_template_parent 
)

Definition at line 780 of file class.ilRbacAdmin.php.

References ilObject\_lookupType(), assignRoleToFolder(), copyRolePermissionIntersection(), ilLoggerFactory\getLogger(), grantPermission(), and revokePermission().

Referenced by adjustMovedObjectPermissions().

786  : void {
787  if ($this->rbacreview->isProtected($a_role_parent, $a_role_id)) {
788  // Assign object permissions
789  $new_ops = $this->rbacreview->getOperationsOfRole(
790  $a_role_id,
791  ilObject::_lookupType($a_ref_id, true),
792  $a_role_parent
793  );
794 
795  // set new permissions for object
796  $this->grantPermission(
797  $a_role_id,
798  (array) $new_ops,
799  $a_ref_id
800  );
801  return;
802  }
803  if (!$a_template_id) {
804  ilLoggerFactory::getLogger('ac')->info('No template id given. Aborting.');
805  return;
806  }
807  // create template permission intersection
808  $this->copyRolePermissionIntersection(
809  $a_template_id,
810  $a_template_parent,
811  $a_role_id,
812  $a_role_parent,
813  $a_ref_id,
814  $a_role_id
815  );
816 
817  // assign role to folder
818  $this->assignRoleToFolder(
819  $a_role_id,
820  $a_ref_id,
821  'n'
822  );
823 
824  // Assign object permissions
825  $new_ops = $this->rbacreview->getOperationsOfRole(
826  $a_role_id,
827  ilObject::_lookupType($a_ref_id, true),
828  $a_ref_id
829  );
830 
831  // revoke existing permissions
832  $this->revokePermission($a_ref_id, $a_role_id);
833 
834  // set new permissions for object
835  $this->grantPermission(
836  $a_role_id,
837  (array) $new_ops,
838  $a_ref_id
839  );
840  }
ilRbacAdmin\grantPermission
grantPermission(int $a_rol_id, array $a_ops, int $a_ref_id)
Grants a permission to an object and a specific role.
Definition: class.ilRbacAdmin.php:259
ilLoggerFactory\getLogger
static getLogger(string $a_component_id)
Get component logger.
Definition: class.ilLoggerFactory.php:89
ilRbacAdmin\revokePermission
revokePermission(int $a_ref_id, int $a_rol_id=0, bool $a_keep_protected=true)
Revokes permissions of an object of one role.
Definition: class.ilRbacAdmin.php:301
ilRbacAdmin\copyRolePermissionIntersection
copyRolePermissionIntersection(int $a_source1_id, int $a_source1_parent, int $a_source2_id, int $a_source2_parent, int $a_dest_parent, int $a_dest_id)
Copies the intersection of the template permissions of two roles to a third role. ...
Definition: class.ilRbacAdmin.php:491
ilRbacAdmin\assignRoleToFolder
assignRoleToFolder(int $a_rol_id, int $a_parent, string $a_assign="y")
Assigns a role to a role folder A role folder is an object to store roles.
Definition: class.ilRbacAdmin.php:677
ilObject\_lookupType
static _lookupType(int $id, bool $reference=false)
Definition: class.ilObject.php:1091
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ removeUser()

ilRbacAdmin::removeUser ( int  $a_usr_id)

deletes a user from rbac_ua all user <-> role relations are deleted

Definition at line 62 of file class.ilRbacAdmin.php.

References $query, $res, and deassignUser().

62  : void
63  {
64  foreach ($this->rbacreview->assignedRoles($a_usr_id) as $role_id) {
65  $this->deassignUser($role_id, $a_usr_id);
66  }
67  $query = "DELETE FROM rbac_ua WHERE usr_id = " . $this->db->quote($a_usr_id, 'integer');
68  $res = $this->db->manipulate($query);
69  }
$res
$res
Definition: ltiservices.php:69
$query
$query
Definition: proxy_ylocal.php:13
ilRbacAdmin\deassignUser
deassignUser(int $a_rol_id, int $a_usr_id)
Deassigns a user from a role.
Definition: class.ilRbacAdmin.php:229
+ Here is the call graph for this function:

◆ revokePermission()

ilRbacAdmin::revokePermission ( int  $a_ref_id,
int  $a_rol_id = 0,
bool  $a_keep_protected = true 
)

Revokes permissions of an object of one role.

Update of table rbac_pa. Revokes all permission for all roles for that object (with this reference). When a role_id is given this applies only to that role

Definition at line 301 of file class.ilRbacAdmin.php.

References $query, $res, ilLogLevel\DEBUG, ILIAS\Repository\logger(), and SYSTEM_ROLE_ID.

Referenced by adjustMovedObjectPermissions(), copyRolePermissions(), ilObject\delete(), initIntersectionPermissions(), ilValidator\restoreDeletedObjects(), ilValidator\restoreMissingObjects(), ilValidator\restoreSubTrees(), and ilPermissionGUI\savePermissions().

301  : void
302  {
303  if ($a_rol_id == SYSTEM_ROLE_ID) {
304  $this->logger->logStack(ilLogLevel::DEBUG);
305  return;
306  }
307 
308  // bypass protected status of roles
309  if ($a_keep_protected != true) {
310  if ($a_rol_id) {
311  $and1 = " AND rol_id = " . $this->db->quote($a_rol_id, 'integer') . " ";
312  } else {
313  $and1 = "";
314  }
315 
316  $query = "DELETE FROM rbac_pa " .
317  "WHERE ref_id = " . $this->db->quote($a_ref_id, 'integer') .
318  $and1;
319  $res = $this->db->manipulate($query);
320  return;
321  }
322 
323  // consider protected status of roles
324 
325  // in any case, get all roles in scope first
326  $roles_in_scope = $this->rbacreview->getParentRoleIds($a_ref_id);
327 
328  if (!$a_rol_id) {
329  $role_ids = [];
330 
331  foreach ($roles_in_scope as $role) {
332  if ($role['protected'] == true) {
333  continue;
334  }
335 
336  $role_ids[] = $role['obj_id'];
337  }
338 
339  // return if no role in array
340  if ($role_ids === []) {
341  return;
342  }
343 
344  $query = 'DELETE FROM rbac_pa ' .
345  'WHERE ' . $this->db->in('rol_id', $role_ids, false, 'integer') . ' ' .
346  'AND ref_id = ' . $this->db->quote($a_ref_id, 'integer');
347  $res = $this->db->manipulate($query);
348  } else {
349  // exclude protected permission settings from revoking
350  if ($roles_in_scope[$a_rol_id]['protected'] == true) {
351  return;
352  }
353 
354  $query = "DELETE FROM rbac_pa " .
355  "WHERE ref_id = " . $this->db->quote($a_ref_id, 'integer') . " " .
356  "AND rol_id = " . $this->db->quote($a_rol_id, 'integer') . " ";
357  $res = $this->db->manipulate($query);
358  }
359  }
$res
$res
Definition: ltiservices.php:69
SYSTEM_ROLE_ID
const SYSTEM_ROLE_ID
Definition: constants.php:29
$query
$query
Definition: proxy_ylocal.php:13
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ revokePermissionList()

ilRbacAdmin::revokePermissionList ( array  $a_ref_ids,
int  $a_rol_id 
)

Revokes permissions of a LIST of objects of ONE role.

Update of table rbac_pa.

Definition at line 397 of file class.ilRbacAdmin.php.

References $query, $res, ilLogLevel\DEBUG, ILIAS\Repository\logger(), and SYSTEM_ROLE_ID.

397  : void
398  {
399  // exclude system role from rbac
400  if ($a_rol_id == SYSTEM_ROLE_ID) {
401  $this->logger->logStack(ilLogLevel::DEBUG);
402  return;
403  }
404  $query = "DELETE FROM rbac_pa " .
405  "WHERE " . $this->db->in('ref_id', $a_ref_ids, false, 'integer') . ' ' .
406  "AND rol_id = " . $this->db->quote($a_rol_id, 'integer');
407  $res = $this->db->manipulate($query);
408  }
$res
$res
Definition: ltiservices.php:69
SYSTEM_ROLE_ID
const SYSTEM_ROLE_ID
Definition: constants.php:29
$query
$query
Definition: proxy_ylocal.php:13
+ Here is the call graph for this function:

◆ revokeSubtreePermissions()

ilRbacAdmin::revokeSubtreePermissions ( int  $a_ref_id,
int  $a_role_id 
)

Revoke subtree permissions.

Definition at line 364 of file class.ilRbacAdmin.php.

References $GLOBALS, and $query.

364  : void
365  {
366  $query = 'DELETE FROM rbac_pa ' .
367  'WHERE ref_id IN ' .
368  '( ' . $GLOBALS['DIC']['tree']->getSubTreeQuery($a_ref_id, array('child')) . ' ) ' .
369  'AND rol_id = ' . $this->db->quote($a_role_id, 'integer');
370 
371  $this->db->manipulate($query);
372  }
$GLOBALS
if(!defined('PATH_SEPARATOR')) $GLOBALS['_PEAR_default_error_mode']
Definition: PEAR.php:64
$query
$query
Definition: proxy_ylocal.php:13

◆ setBlockedStatus()

ilRbacAdmin::setBlockedStatus ( int  $a_role_id,
int  $a_ref_id,
bool  $a_blocked_status 
)

Definition at line 49 of file class.ilRbacAdmin.php.

References $query, and ilLoggerFactory\getLogger().

49  : void
50  {
51  ilLoggerFactory::getLogger('crs')->logStack();
52  $query = 'UPDATE rbac_fa set blocked = ' . $this->db->quote($a_blocked_status, 'integer') . ' ' .
53  'WHERE rol_id = ' . $this->db->quote($a_role_id, 'integer') . ' ' .
54  'AND parent = ' . $this->db->quote($a_ref_id, 'integer');
55  $this->db->manipulate($query);
56  }
ilLoggerFactory\getLogger
static getLogger(string $a_component_id)
Get component logger.
Definition: class.ilLoggerFactory.php:89
$query
$query
Definition: proxy_ylocal.php:13
+ Here is the call graph for this function:

◆ setProtected()

ilRbacAdmin::setProtected ( int  $a_ref_id,
int  $a_role_id,
string  $a_value 
)

Set protected.

Definition at line 736 of file class.ilRbacAdmin.php.

References $query, and $res.

Referenced by copyRoleTemplatePermissions(), and ilPermissionGUI\savePermissions().

736  : void
737  {
738  // ref_id not used yet. protected permission acts 'global' for each role,
739  // regardless of any broken inheritance before
740  $query = 'UPDATE rbac_fa ' .
741  'SET protected = ' . $this->db->quote($a_value, 'text') . ' ' .
742  'WHERE rol_id = ' . $this->db->quote($a_role_id, 'integer');
743  $res = $this->db->manipulate($query);
744  }
$res
$res
Definition: ltiservices.php:69
$query
$query
Definition: proxy_ylocal.php:13
+ Here is the caller graph for this function:

◆ setRolePermission()

ilRbacAdmin::setRolePermission ( int  $a_rol_id,
string  $a_type,
array  $a_ops,
int  $a_ref_id 
)

Inserts template permissions in rbac_templates for an specific object type.

Update of table rbac_templates

Definition at line 650 of file class.ilRbacAdmin.php.

References ILIAS\Repository\logger(), and SYSTEM_ROLE_ID.

650  : void
651  {
652  if ($a_rol_id == SYSTEM_ROLE_ID) {
653  $this->logger->logStack();
654  return;
655  }
656  foreach ($a_ops as $op) {
657  $this->db->replace(
658  'rbac_templates',
659  [
660  'rol_id' => ['integer', $a_rol_id],
661  'type' => ['text', $a_type],
662  'ops_id' => ['integer', $op],
663  'parent' => ['integer', $a_ref_id]
664  ],
665  []
666  );
667  }
668  }
SYSTEM_ROLE_ID
const SYSTEM_ROLE_ID
Definition: constants.php:29
+ Here is the call graph for this function:

Field Documentation

◆ $db

ilDBInterface ilRbacAdmin::$db
protected

Definition at line 32 of file class.ilRbacAdmin.php.

Referenced by assignUserLimited().

◆ $logger

ilLogger ilRbacAdmin::$logger
protected

Definition at line 34 of file class.ilRbacAdmin.php.

◆ $rbacreview

ilRbacReview ilRbacAdmin::$rbacreview
protected

Definition at line 33 of file class.ilRbacAdmin.php.

The documentation for this class was generated from the following file: