ilRbacSystem Class Reference

class ilRbacSystem system function like checkAccess, addActiveRole ... Supporting system functions are required for session management and in making access control decisions. More...

Collaboration diagram for ilRbacSystem:

Public Member Functions
	checkAccess (string $a_operations, int $a_ref_id, string $a_type="")
	checkAccess represents the main method of the RBAC-system in ILIAS3 developers want to use With this method you check the permissions a use may have due to its roles on an specific object. More...
	checkAccessOfUser (int $a_user_id, string $a_operations, int $a_ref_id, string $a_type="")
	preloadRbacPaCache (array $a_ref_ids, int $a_user_id)
	checkPermission (int $a_ref_id, int $a_rol_id, string $a_operation)
	check if a specific role has the permission '$a_operation' of an object More...
	initMemberView ()
	addTemporaryRole (int $a_usr_id, int $a_role_id)
	resetPACache (int $a_usr_id, int $a_ref_id)

Static Public Member Functions
static	getInstance ()
static	resetCaches ()
	Reset internal caches. More...

Protected Member Functions
	__construct ()
	Constructor. More...
	filterOwnerPermissions (int $a_user_id, string $a_operations, int $a_ref_id)

Protected Attributes
array	$mem_view = []
ilObjUser	$user
ilDBInterface	$db
ilRbacReview	$review
ilObjectDataCache	$objectDataCache
ilTree	$tree
GlobalHttpState	$http
Factory	$refinery

Static Protected Attributes
static ilRbacSystem	$instance = null
static array	$user_role_cache = []

Private Member Functions
	fetchAssignedRoles (int $a_usr_id, int $a_ref_id)
	Fetch assigned roles This method caches the assigned roles per user. More...

Private Attributes
const	MAX_CACHE_ENTRIES = 1000

Static Private Attributes
static array	$_paCache = []
static array	$_checkAccessOfUserCache = []

Detailed Description

class ilRbacSystem system function like checkAccess, addActiveRole ... Supporting system functions are required for session management and in making access control decisions.

This class depends on the session since we offer the possiblility to add or delete active roles during one session.

Author

Stefan Meyer meyer.nosp@m.@lei.nosp@m.fos.c.nosp@m.om

Version

$Id$

Definition at line 33 of file class.ilRbacSystem.php.

Constructor & Destructor Documentation

__construct()

ilRbacSystem::__construct ( )

protected

Constructor.

Definition at line 60 of file class.ilRbacSystem.php.

    {
        global $DIC;
 
        $this->user = $DIC->user();
        $this->db = $DIC->database();
        $this->review = $DIC->rbac()->review();
        $this->objectDataCache = $DIC['ilObjDataCache'];
        $this->tree = $DIC->repositoryTree();
        $this->http = $DIC->http();
        $this->refinery = $DIC->refinery();
    }

References $DIC, ILIAS\FileDelivery\http(), ILIAS\Repository\objectDataCache(), ILIAS\Repository\refinery(), and ILIAS\Repository\user().

Here is the call graph for this function:

Member Function Documentation

addTemporaryRole()

ilRbacSystem::addTemporaryRole	(	int	$a_usr_id,
		int	$a_role_id
	)

Definition at line 372 of file class.ilRbacSystem.php.

                                                                   : void
    {
        if (!in_array($a_role_id, self::$user_role_cache[$a_usr_id])) {
            self::$user_role_cache[$a_usr_id][] = $a_role_id;
        }
    }

checkAccess()

ilRbacSystem::checkAccess	(	string	$a_operations,
		int	$a_ref_id,
		string	$a_type = ""
	)

checkAccess represents the main method of the RBAC-system in ILIAS3 developers want to use With this method you check the permissions a use may have due to its roles on an specific object.

The first parameter are the operation(s) the user must have The second & third parameter specifies the object where the operation(s) may apply to The last parameter is only required, if you ask for the 'create' operation. Here you specify the object type which you want to create. example: $rbacSystem->checkAccess("visible,read",23); Here you ask if the user is allowed to see ('visible') and access the object by reading it ('read'). The reference_id is 23 in the tree structure. @access public

Parameters

string	one or more operations, separated by commas (i.e.: visible,read,join)
int	the child_id in tree (usually a reference_id, no object_id !!)
string	the type definition abbreviation (i.e.: frm,grp,crs)

Returns

bool returns true if ALL passed operations are given, otherwise false

Definition at line 108 of file class.ilRbacSystem.php.

                                                                                         : bool
    {
        return $this->checkAccessOfUser($this->user->getId(), $a_operations, $a_ref_id, $a_type);
    }

References checkAccessOfUser(), and ILIAS\Repository\user().

Referenced by ilHTLMEditorGUI\__construct(), ilLMPresentationGUI\__construct(), ilObjSurveyAccess\_checkAccess(), ilObjContentObjectGUI\addTabs(), ilSurveyExecutionGUI\checkAuth(), ilRecommendedContentRoleConfigGUI\checkPushPermission(), ilAdministrationGUI\executeCommand(), ilObjLearningHistorySettingsGUI\executeCommand(), ilObjCommentsSettingsGUI\executeCommand(), ilObjNotesSettingsGUI\executeCommand(), ilObjPersonalWorkspaceSettingsGUI\executeCommand(), ilRepositoryGUI\executeCommand(), ilObjAccessibilitySettingsGUI\getAdminTabs(), ilObjAwarenessAdministrationGUI\getAdminTabs(), ilObjBadgeAdministrationGUI\getAdminTabs(), ilObjLearningHistorySettingsGUI\getAdminTabs(), ilObjLearningResourcesSettingsGUI\getAdminTabs(), ilObjMediaCastSettingsGUI\getAdminTabs(), ilObjCommentsSettingsGUI\getAdminTabs(), ilObjNotesSettingsGUI\getAdminTabs(), ilObjPersonalWorkspaceSettingsGUI\getAdminTabs(), ilObjRepositorySettingsGUI\getAdminTabs(), ilObjSystemFolderGUI\getAdminTabs(), ilObjTaggingSettingsGUI\getAdminTabs(), ilObjTaxonomyAdministrationGUI\getAdminTabs(), ilAdministrationExplorerGUI\getChildsOfNode(), ilRepositoryExplorerGUI\getChildsOfNode(), ilAdminSubItemsTableGUI\getItems(), ilObjFileBasedLMListGUI\getProperties(), ilObjLearningModuleListGUI\getProperties(), ilObjSAHSLearningModuleListGUI\getProperties(), ilObjSurveyListGUI\getProperties(), ilObjExternalToolsSettingsGUI\getTabs(), ilObjFolderGUI\getTabs(), ilObjRootFolderGUI\getTabs(), ilLMPresentationGUI\ilLMSubMenu(), ilPortfolioPageConfig\init(), initMemberView(), ilLocationInputGUI\insert(), ilRepositoryExplorer\isClickable(), ilAdministrationExplorerGUI\isNodeVisible(), ilRecommendedContentRoleConfigGUI\listItems(), ilObjAccessibilitySettingsGUI\saveAccessibilitySettings(), ilObjSystemFolderGUI\saveBasicSettingsObject(), ilObjSystemFolderGUI\saveContactInformationObject(), ilObjSystemFolderGUI\saveHeaderTitlesObject(), ilObjSystemFolderGUI\saveJavaServerObject(), SurveySearch\search(), SurveyQuestionGUI\setQuestionTabsForClass(), ilObjSystemFolderGUI\setServerInfoSubTabs(), ilSolutionExplorer\showChilds(), ilRepositoryExplorer\showChilds(), ilInfoScreenGUI\showLearningProgress(), ilObjSystemFolderGUI\showPHPInfoObject(), ilObjSystemFolderGUI\showServerInstallationStatusObject(), and ilObjSystemFolderGUI\showVcsInformationObject().

Here is the call graph for this function:

Here is the caller graph for this function:

checkAccessOfUser()

ilRbacSystem::checkAccessOfUser	(	int	$a_user_id,
		string	$a_operations,
		int	$a_ref_id,
		string	$a_type = ""
	)

Definition at line 113 of file class.ilRbacSystem.php.

                                                                                                               : bool
    {
        // Create the user cache key
        $cacheKey = $a_user_id . ':' . $a_operations . ':' . $a_ref_id . ':' . $a_type;
 
        // Create the cache if it does not yet exist
        if (!is_array(self::$_checkAccessOfUserCache)) {
            self::$_checkAccessOfUserCache = [];
        }
        // Try to return result from cache
        if (array_key_exists($cacheKey, self::$_checkAccessOfUserCache)) {
            return self::$_checkAccessOfUserCache[$cacheKey];
        }
 
        // Check For owner
        // Owners do always have full access to their objects
        // Excluded are some of the permissions like create, perm, learning progress.
        // This method call return all operations that are NOT granted by the owner status
        if (!$a_operations = $this->filterOwnerPermissions($a_user_id, $a_operations, $a_ref_id)) {
            // Store positive outcome in cache.
            // Note: we only cache up to 1000 results to avoid memory overflows
            if (count(self::$_checkAccessOfUserCache) < self::MAX_CACHE_ENTRIES) {
                self::$_checkAccessOfUserCache[$cacheKey] = true;
            }
            return true;
        }
 
        // get roles using role cache
        $roles = $this->fetchAssignedRoles($a_user_id, $a_ref_id);
 
        // exclude system role from rbac
        if (in_array(SYSTEM_ROLE_ID, $roles)) {
            // Store positive outcome in cache.
            // Note: we only cache up to 1000 results to avoid memory overflows
            if (count(self::$_checkAccessOfUserCache) < self::MAX_CACHE_ENTRIES) {
                self::$_checkAccessOfUserCache[$cacheKey] = true;
            }
            return true;
        }
 
        // Create the PA cache if it does not exist yet
        $paCacheKey = $a_user_id . ':' . $a_ref_id;
        if (!is_array(self::$_paCache)) {
            self::$_paCache = [];
        }
 
        if (array_key_exists($paCacheKey, self::$_paCache)) {
            // Return result from PA cache
            $ops = self::$_paCache[$paCacheKey];
        } else {
            // Data is not in PA cache, perform database query
            $q = "SELECT * FROM rbac_pa " .
                "WHERE ref_id = " . $this->db->quote($a_ref_id, 'integer');
 
            $r = $this->db->query($q);
 
            $ops = [];
            while ($row = $r->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
                if ($row->ops_id === ':') {
                    continue;
                }
                if (in_array((int) $row->rol_id, $roles)) {
                    $ops = array_merge($ops, unserialize(stripslashes($row->ops_id)));
                }
            }
            // Cache up to 1000 entries in the PA cache
            if (count(self::$_paCache) < self::MAX_CACHE_ENTRIES) {
                self::$_paCache[$paCacheKey] = $ops;
            }
        }
 
        $operations = explode(",", $a_operations);
        foreach ($operations as $operation) {
            if ($operation == "create") {
                if (empty($a_type)) {
                    throw new DomainException(
                        'checkAccess(): ' . "Expect a type definition for checking a 'create' permission"
                    );
                }
                $ops_id = ilRbacReview::_getOperationIdByName($operation . "_" . $a_type);
            } else {
                $ops_id = ilRbacReview::_getOperationIdByName($operation);
            }
            if (!in_array($ops_id, (array) $ops)) {
                if (count(self::$_checkAccessOfUserCache) < self::MAX_CACHE_ENTRIES) {
                    self::$_checkAccessOfUserCache[$cacheKey] = false;
                }
                return false;
            }
        }
 
        // Store positive outcome in cache.
        // Note: we only cache up to 1000 results to avoid memory overflows
        if (count(self::$_checkAccessOfUserCache) < self::MAX_CACHE_ENTRIES) {
            //$ilLog->write('PERMISSION: '.$a_ref_id.' -> '.$ops_id.' granted');
            self::$_checkAccessOfUserCache[$cacheKey] = true;
        }
        return true;
    }

References $q, ilRbacReview\_getOperationIdByName(), fetchAssignedRoles(), ilDBConstants\FETCHMODE_OBJECT, filterOwnerPermissions(), and SYSTEM_ROLE_ID.

Referenced by ilObjBookingPoolAccess\_checkAccess(), ilObjExerciseAccess\_checkAccess(), ilObjGlossaryAccess\_checkAccess(), ilObjMediaCastAccess\_checkAccess(), ilObjPortfolioTemplateAccess\_checkAccess(), ilObjSurveyAccess\_checkAccess(), ilObjWikiAccess\_checkAccess(), checkAccess(), ILIAS\Style\Content\Access\StyleAccessManager\checkWrite(), ILIAS\Survey\Settings\SettingsFormGUI\getTutorIdsFromForm(), and ILIAS\Survey\Settings\SettingsFormGUI\getTutorResIdsFromForm().

Here is the call graph for this function:

Here is the caller graph for this function:

checkPermission()

ilRbacSystem::checkPermission	(	int	$a_ref_id,
		int	$a_rol_id,
		string	$a_operation
	)

check if a specific role has the permission '$a_operation' of an object

Definition at line 255 of file class.ilRbacSystem.php.

                                                                                      : bool
    {
        $ops = [];
        $query_rbac_operations = 'SELECT ops_id FROM rbac_operations ' .
            'WHERE operation = ' . $this->db->quote($a_operation, 'text');
        $res_rbac_operations = $this->db->query($query_rbac_operations);
        $ops_id = 0;
        while ($row = $this->db->fetchObject($res_rbac_operations)) {
            $ops_id = (int) $row->ops_id;
        }
 
        $query_rbac_pa = "SELECT * FROM rbac_pa " .
            "WHERE rol_id = " . $this->db->quote($a_rol_id, 'integer') . " " .
            "AND ref_id = " . $this->db->quote($a_ref_id, 'integer') . " ";
        $res_rbac_pa = $this->db->query($query_rbac_pa);
 
        while ($row = $this->db->fetchObject($res_rbac_pa)) {
            if ($row->ops_id === ':') {
                continue;
            }
            $ops = array_merge($ops, unserialize($row->ops_id));
        }
        return in_array($ops_id, $ops);
    }

References ILIAS\Repository\int().

Here is the call graph for this function:

fetchAssignedRoles()

ilRbacSystem::fetchAssignedRoles ( int  $a_usr_id, int  $a_ref_id  )

private

Fetch assigned roles This method caches the assigned roles per user.

Definition at line 317 of file class.ilRbacSystem.php.

                                                                     : array
    {
        // Member view constraints
        if (isset($this->mem_view['active']) && $this->mem_view['active'] && $a_usr_id == $this->user->getId()) {
            // check if current ref_id is subitem of active container
            if (in_array($a_ref_id, $this->mem_view['items']) && $this->mem_view['role']) {
                // Return default member role
                return [$this->mem_view['role']];
            }
        }
 
        if (isset(self::$user_role_cache[$a_usr_id]) and is_array(self::$user_role_cache)) {
            return self::$user_role_cache[$a_usr_id];
        }
        return self::$user_role_cache[$a_usr_id] = $this->review->assignedRoles($a_usr_id);
    }

References ILIAS\Repository\user().

Referenced by checkAccessOfUser(), and preloadRbacPaCache().

Here is the call graph for this function:

Here is the caller graph for this function:

filterOwnerPermissions()

ilRbacSystem::filterOwnerPermissions ( int  $a_user_id, string  $a_operations, int  $a_ref_id  )

protected

Definition at line 280 of file class.ilRbacSystem.php.

                                                                                                  : string
    {
        // member view constraints
        if (($this->mem_view['active'] ?? null) and $a_user_id == $this->user->getId()) {
            if (in_array($a_ref_id, $this->mem_view['items'])) {
                return $a_operations;
            }
        }
 
        if ($a_user_id != $this->objectDataCache->lookupOwner($this->objectDataCache->lookupObjId($a_ref_id))) {
            return $a_operations;
        }
        // Is owner
        $new_ops = '';
        foreach (explode(",", $a_operations) as $operation) {
            if ($operation != 'cat_administrate_users' &&
                $operation != 'edit_permission' &&
                $operation != 'edit_learning_progress' &&
                $operation != 'read_learning_progress' &&
                !preg_match('/^create/', $operation) &&
                $operation != 'read_outcomes'
            ) {
                continue;
            }
            if (!strlen($new_ops)) {
                $new_ops = $operation;
            } else {
                $new_ops .= (',' . $operation);
            }
        }
        return $new_ops;
    }

References ILIAS\Repository\objectDataCache(), and ILIAS\Repository\user().

Referenced by checkAccessOfUser().

Here is the call graph for this function:

Here is the caller graph for this function:

getInstance()

static ilRbacSystem::getInstance ( )

static

Definition at line 73 of file class.ilRbacSystem.php.

                                        : ilRbacSystem
    {
        if (self::$instance === null) {
            self::$instance = new self();
        }
        return self::$instance;
    }

References $instance.

Referenced by ilInitialisation\initAccessHandling(), and ilRBACTest\testConstruct().

Here is the caller graph for this function:

initMemberView()

ilRbacSystem::initMemberView

(

)

Definition at line 334 of file class.ilRbacSystem.php.

                                    : void
    {
        $settings = ilMemberViewSettings::getInstance();
        $member_view_activation = null;
        if ($this->http->wrapper()->query()->has('mv')) {
            $member_view_activation = $this->http->wrapper()->query()->retrieve(
                'mv',
                $this->refinery->kindlyTo()->bool()
            );
        }
        $ref_id = 0;
        if ($this->http->wrapper()->query()->has('ref_id')) {
            $ref_id = $this->http->wrapper()->query()->retrieve(
                'ref_id',
                $this->refinery->kindlyTo()->int()
            );
        }
        if ($member_view_activation === true) {
            if ($this->checkAccess('write', $ref_id)) {
                $settings->toggleActivation($ref_id, true);
                self::resetCaches();
            }
        }
        if ($member_view_activation === false) {
            $settings->toggleActivation($ref_id, false);
        }
        if (!$settings->isActive()) {
            $this->mem_view['active'] = false;
            $this->mem_view['items'] = [];
            $this->mem_view['role'] = 0;
        } else {
            $this->mem_view['active'] = true;
            $this->mem_view['items'] = $this->tree->getSubTreeIds($settings->getContainer());
            $this->mem_view['items'] = array_merge($this->mem_view['items'], [$settings->getContainer()]);
            $this->mem_view['role'] = ilParticipants::getDefaultMemberRole($settings->getContainer());
        }
    }

References $ref_id, checkAccess(), ilParticipants\getDefaultMemberRole(), ilMemberViewSettings\getInstance(), ILIAS\FileDelivery\http(), ILIAS\Repository\refinery(), and resetCaches().

Here is the call graph for this function:

preloadRbacPaCache()

ilRbacSystem::preloadRbacPaCache	(	array	$a_ref_ids,
		int	$a_user_id
	)

Definition at line 213 of file class.ilRbacSystem.php.

                                                                        : void
    {
        $ref_ids = [];
        $roles = $ops = [];
        foreach ($a_ref_ids as $ref_id) {
            if (!isset(self::$_paCache[$a_user_id . ":" . $ref_id])) {
                $roles[$ref_id] = $this->fetchAssignedRoles($a_user_id, $ref_id);
                $ops[$ref_id] = [];
                $ref_ids[] = $ref_id;
            }
        }
 
        if ($ref_ids !== []) {
            // Data is not in PA cache, perform database query
            $q = "SELECT * FROM rbac_pa " .
                "WHERE " . $this->db->in("ref_id", $ref_ids, false, "integer");
 
            $r = $this->db->query($q);
 
            while ($row = $r->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
                if($row->ops_id === ':') {
                    continue;
                }
                if (in_array($row->rol_id, $roles[(int) $row->ref_id])) {
                    $ops[(int) $row->ref_id] = array_merge(
                        $ops[(int) $row->ref_id],
                        unserialize($row->ops_id)
                    );
                }
            }
            foreach ($a_ref_ids as $ref_id) {
                // #11313
                if (!isset(self::$_paCache[$a_user_id . ":" . $ref_id])) {
                    self::$_paCache[$a_user_id . ":" . $ref_id] = $ops[$ref_id];
                }
            }
        }
    }

References $q, $ref_id, fetchAssignedRoles(), ilDBConstants\FETCHMODE_OBJECT, and ILIAS\Repository\int().

Here is the call graph for this function:

resetCaches()

static ilRbacSystem::resetCaches ( )

static

Reset internal caches.

Definition at line 84 of file class.ilRbacSystem.php.

                                        : void
    {
        self::$user_role_cache = [];
        self::$_paCache = [];
        self::$_checkAccessOfUserCache = [];
    }

Referenced by initMemberView(), and ilObjSessionGUI\unregisterObject().

Here is the caller graph for this function:

resetPACache()

ilRbacSystem::resetPACache	(	int	$a_usr_id,
		int	$a_ref_id
	)

Definition at line 379 of file class.ilRbacSystem.php.

                                                              : void
    {
        $paCacheKey = $a_usr_id . ':' . $a_ref_id;
        unset(self::$_paCache[$paCacheKey]);
    }

Field Documentation

$_checkAccessOfUserCache

array ilRbacSystem::$_checkAccessOfUserCache = []

staticprivate

Definition at line 47 of file class.ilRbacSystem.php.

$_paCache

array ilRbacSystem::$_paCache = []

staticprivate

Definition at line 44 of file class.ilRbacSystem.php.

$db

ilDBInterface ilRbacSystem::$db

protected

Definition at line 50 of file class.ilRbacSystem.php.

$http

GlobalHttpState ilRbacSystem::$http

protected

Definition at line 54 of file class.ilRbacSystem.php.

$instance

ilRbacSystem ilRbacSystem::$instance = null

staticprotected

Definition at line 37 of file class.ilRbacSystem.php.

Referenced by getInstance().

$mem_view

array ilRbacSystem::$mem_view = []

protected

Definition at line 39 of file class.ilRbacSystem.php.

$objectDataCache

ilObjectDataCache ilRbacSystem::$objectDataCache

protected

Definition at line 52 of file class.ilRbacSystem.php.

$refinery

Factory ilRbacSystem::$refinery

protected

Definition at line 55 of file class.ilRbacSystem.php.

$review

ilRbacReview ilRbacSystem::$review

protected

Definition at line 51 of file class.ilRbacSystem.php.

$tree

ilTree ilRbacSystem::$tree

protected

Definition at line 53 of file class.ilRbacSystem.php.

$user

ilObjUser ilRbacSystem::$user

protected

Definition at line 49 of file class.ilRbacSystem.php.

$user_role_cache

array ilRbacSystem::$user_role_cache = []

staticprotected

Definition at line 41 of file class.ilRbacSystem.php.

MAX_CACHE_ENTRIES

const ilRbacSystem::MAX_CACHE_ENTRIES = 1000

private

Definition at line 35 of file class.ilRbacSystem.php.

---

The documentation for this class was generated from the following file:

• components/ILIAS/AccessControl/classes/class.ilRbacSystem.php