ILIAS  trunk Revision v11.0_alpha-3011-gc6b235a2e85
class.ilPermissionGUI.php
Go to the documentation of this file.
1<?php
2
19declare(strict_types=1);
20
21use ILIAS\AccessControl\Log\Table;
22use ILIAS\HTTP\GlobalHttpState;
23use ILIAS\Refinery\Factory;
24use ILIAS\UI\Factory as UIFactory;
25use ILIAS\UI\Renderer as UIRenderer;
26use ILIAS\Data\Factory as DataFactory;
27
35class ilPermissionGUI
36{
37 public const CMD_SAVE_POSITIONS_PERMISSIONS = 'savePositionsPermissions';
38 private const CMD_PERM_POSITIONS = 'permPositions';
39 private const TAB_POSITION_PERMISSION_SETTINGS = "position_permission_settings";
40
41 private ilObjectGUI $current_obj;
42
43 private ilRecommendedContentManager $recommended_content_manager;
44 private ilOrgUnitPositionDBRepository $positionRepo;
45 private ilOrgUnitPermissionDBRepository $permissionRepo;
46 private ilOrgUnitOperationDBRepository $operationRepo;
47
48 private ilObjectGUI $gui_obj;
49 private ilErrorHandling $ilErr;
50 private ilCtrl $ctrl;
51 private ilLanguage $lng;
52 private ilObjectDefinition $object_definition;
53 private ilGlobalTemplateInterface $tpl;
54 private ilUIService $ui_service;
55 private ilRbacSystem $rbacsystem;
56 private ilRbacReview $rbacreview;
57 private ilRbacAdmin $rbacadmin;
58 private ilObjectDataCache $objectDataCache;
59 private ilTabsGUI $tabs;
60 private GlobalHttpState $http;
61 private Factory $refinery;
62 private ilToolbarGUI $toolbar;
63 private UIFactory $ui_factory;
64 private UIRenderer $ui_renderer;
65 private DataFactory $data_factory;
66 private ilDBInterface $db;
67 private ilObjUser $user;
68 private ilTree $tree;
69
70 public function __construct(ilObjectGUI $a_gui_obj)
71 {
73 global $DIC;
74
75 $this->object_definition = $DIC['objDefinition'];
76 $this->ui_service = $DIC->uiService();
77 $this->objectDataCache = $DIC['ilObjDataCache'];
78 $this->tpl = $DIC['tpl'];
79 $this->lng = $DIC['lng'];
80 $this->ctrl = $DIC['ilCtrl'];
81 $this->rbacsystem = $DIC['rbacsystem'];
82 $this->rbacreview = $DIC['rbacreview'];
83 $this->rbacadmin = $DIC['rbacadmin'];
84 $this->tabs = $DIC['ilTabs'];
85 $this->ilErr = $DIC['ilErr'];
86 $this->http = $DIC['http'];
87 $this->refinery = $DIC['refinery'];
88 $this->toolbar = $DIC['ilToolbar'];
89 $this->ui_factory = $DIC['ui.factory'];
90 $this->ui_renderer = $DIC['ui.renderer'];
91 $this->db = $DIC['ilDB'];
92 $this->user = $DIC['ilUser'];
93 $this->tree = $DIC['tree'];
94
95 $this->data_factory = new DataFactory();
96 $this->recommended_content_manager = new ilRecommendedContentManager();
97
98 $this->lng->loadLanguageModule('rbac');
99 $this->gui_obj = $a_gui_obj;
100 $this->tabs->activateTab('perm_settings');
101 }
102
103 private function getPositionRepo(): ilOrgUnitPositionDBRepository
104 {
105 if (!isset($this->positionRepo)) {
106 $dic = ilOrgUnitLocalDIC::dic();
107 $this->positionRepo = $dic["repo.Positions"];
108 }
109
110 return $this->positionRepo;
111 }
112
113 private function getPermissionRepo(): ilOrgUnitPermissionDBRepository
114 {
115 if (!isset($this->permissionRepo)) {
116 $dic = ilOrgUnitLocalDIC::dic();
117 $this->permissionRepo = $dic["repo.Permissions"];
118 }
119
120 return $this->permissionRepo;
121 }
122
123 private function getOperationRepo(): ilOrgUnitOperationDBRepository
124 {
125 if (!isset($this->operationRepo)) {
126 $dic = ilOrgUnitLocalDIC::dic();
127 $this->operationRepo = $dic["repo.Operations"];
128 }
129
130 return $this->operationRepo;
131 }
132
138 public function executeCommand(): void
139 {
140 // access to all functions in this class are only allowed if edit_permission is granted
141 if (!$this->rbacsystem->checkAccess("edit_permission", $this->gui_obj->getObject()->getRefId())) {
142 $this->tpl->setOnScreenMessage('failure', $this->lng->txt('permission_denied'), true);
143 $this->ctrl->redirect($this->gui_obj);
144 }
145 $next_class = $this->ctrl->getNextClass($this);
146 switch ($next_class) {
147 case "ilobjrolegui":
148
149 $role_id = 0;
150 if ($this->http->wrapper()->query()->has('obj_id')) {
151 $role_id = $this->http->wrapper()->query()->retrieve(
152 'obj_id',
153 $this->refinery->kindlyTo()->int()
154 );
155 }
156 $this->ctrl->setReturn($this, 'perm');
157 $this->gui_obj = new ilObjRoleGUI("", $role_id, false, false);
158 $this->ctrl->forwardCommand($this->gui_obj);
159 break;
160
161 case 'ildidactictemplategui':
162 $this->ctrl->setReturn($this, 'perm');
163 $did = new ilDidacticTemplateGUI($this->gui_obj);
164 $this->ctrl->forwardCommand($did);
165 break;
166
167 case 'ilrepositorysearchgui':
168 // used for owner autocomplete
169 $rep_search = new ilRepositorySearchGUI();
170 $this->ctrl->forwardCommand($rep_search);
171 break;
172
173 case 'ilobjectpermissionstatusgui':
174 $this->__initSubTabs("perminfo");
175 $perm_stat = new ilObjectPermissionStatusGUI($this->gui_obj->getObject());
176 $this->ctrl->forwardCommand($perm_stat);
177 break;
178
179 default:
180 $cmd = $this->ctrl->getCmd();
181 $this->$cmd();
182 break;
183 }
184 }
185
186 public function getCurrentObject(): object
187 {
188 return $this->gui_obj->getObject();
189 }
190
191 public function perm(?ilTable2GUI $table = null): void
192 {
193 $dtpl = new ilDidacticTemplateGUI($this->gui_obj);
194 if ($dtpl->appendToolbarSwitch(
195 $this->toolbar,
196 $this->getCurrentObject()->getType(),
197 $this->getCurrentObject()->getRefId()
198 )) {
199 $this->toolbar->addSeparator();
200 }
201
202 if ($this->object_definition->hasLocalRoles($this->getCurrentObject()->getType()) && !$this->isAdministrationObject()
203 ) {
204 $this->toolbar->setFormAction($this->ctrl->getFormActionByClass(ilDidacticTemplateGUI::class));
205
206 if (!$this->isAdminRoleFolder()) {
207 $this->toolbar->addComponent(
208 $this->ui_factory->link()->standard(
209 $this->lng->txt('rbac_add_new_local_role'),
210 $this->ctrl->getLinkTarget($this, 'displayAddRoleForm')
211 )
212 );
213 }
214 $this->toolbar->addComponent(
215 $this->ui_factory->link()->standard(
216 $this->lng->txt('rbac_import_role'),
217 $this->ctrl->getLinkTarget($this, 'displayImportRoleForm')
218 )
219 );
220 }
221 $this->__initSubTabs("perm");
222
223 if (!$table instanceof ilTable2GUI) {
224 $table = new ilObjectRolePermissionTableGUI($this, 'perm', $this->getCurrentObject()->getRefId());
225 }
226 $table->parse();
227 $this->tpl->setContent($table->getHTML());
228 }
229
230 private function isAdminRoleFolder(): bool
231 {
232 return $this->getCurrentObject()->getRefId() == ROLE_FOLDER_ID;
233 }
234
235 private function isAdministrationObject(): bool
236 {
237 return $this->getCurrentObject()->getType() == 'adm';
238 }
239
243 private function isInAdministration(): bool
244 {
245 return $this->tree->isGrandChild(SYSTEM_FOLDER_ID, $this->getCurrentObject()->getRefId());
246 }
247
248 public function applyFilter(): void
249 {
250 $table = new ilObjectRolePermissionTableGUI($this, 'perm', $this->getCurrentObject()->getRefId());
251 $table->resetOffset();
252 $table->writeFilterToSession();
253 $this->perm($table);
254 }
255
256 public function resetFilter(): void
257 {
258 $table = new ilObjectRolePermissionTableGUI($this, 'perm', $this->getCurrentObject()->getRefId());
259 $table->resetOffset();
260 $table->resetFilter();
261 $this->perm($table);
262 }
263
264 public function applyRoleFilter(array $a_roles, int $a_filter_id): array
265 {
266 // Always delete administrator role from view
267 if (isset($a_roles[SYSTEM_ROLE_ID])) {
268 unset($a_roles[SYSTEM_ROLE_ID]);
269 }
270
271 switch ($a_filter_id) {
272 // all roles in context
273 case ilObjectRolePermissionTableGUI::ROLE_FILTER_ALL:
274 return $a_roles;
275
276 // only global roles
277 case ilObjectRolePermissionTableGUI::ROLE_FILTER_GLOBAL:
278 $arr_global_roles = $this->rbacreview->getGlobalRoles();
279 $arr_remove_roles = array_diff(array_keys($a_roles), $arr_global_roles);
280 foreach ($arr_remove_roles as $role_id) {
281 unset($a_roles[$role_id]);
282 }
283 return $a_roles;
284
285 // only local roles (all local roles in context that are not defined at ROLE_FOLDER_ID)
286 case ilObjectRolePermissionTableGUI::ROLE_FILTER_LOCAL:
287 $arr_global_roles = $this->rbacreview->getGlobalRoles();
288 foreach ($arr_global_roles as $role_id) {
289 unset($a_roles[$role_id]);
290 }
291 return $a_roles;
292
293 // only roles which use a local policy
294 case ilObjectRolePermissionTableGUI::ROLE_FILTER_LOCAL_POLICY:
295 $arr_local_roles = $this->rbacreview->getRolesOfObject($this->getCurrentObject()->getRefId());
296 $arr_remove_roles = array_diff(array_keys($a_roles), $arr_local_roles);
297 foreach ($arr_remove_roles as $role_id) {
298 unset($a_roles[$role_id]);
299 }
300 return $a_roles;
301
302 // only true local role defined at current position
303 case ilObjectRolePermissionTableGUI::ROLE_FILTER_LOCAL_OBJECT:
304 $arr_local_roles = $this->rbacreview->getRolesOfObject($this->getCurrentObject()->getRefId(), true);
305 $arr_remove_roles = array_diff(array_keys($a_roles), $arr_local_roles);
306 foreach ($arr_remove_roles as $role_id) {
307 unset($a_roles[$role_id]);
308 }
309 return $a_roles;
310
311 default:
312 return $a_roles;
313 }
314 }
315
316 protected function savePermissions(): void
317 {
318 $table = new ilObjectRolePermissionTableGUI($this, 'perm', $this->getCurrentObject()->getRefId());
319
320 $roles = $this->applyRoleFilter(
321 $this->rbacreview->getParentRoleIds($this->getCurrentObject()->getRefId()),
322 (int) $table->getFilterItemByPostVar('role')->getValue()
323 );
324
325 // Log history
326 $log_old = ilRbacLog::gatherFaPa($this->getCurrentObject()->getRefId(), array_keys((array) $roles));
327
328 # all possible create permissions
329 $possible_ops_ids = $this->rbacreview->getOperationsByTypeAndClass(
330 $this->getCurrentObject()->getType(),
331 'create'
332 );
333
334 # createable (activated) create permissions
335 $create_types = $this->object_definition->getCreatableSubObjects(
336 $this->getCurrentObject()->getType()
337 );
338 $createable_ops_ids = ilRbacReview::lookupCreateOperationIds(array_keys((array) $create_types));
339
340 $post_perm = $this->http->wrapper()->post()->has('perm')
341 ? $this->http->wrapper()->post()->retrieve(
342 'perm',
343 $this->refinery->kindlyTo()->dictOf(
344 $this->refinery->kindlyTo()->dictOf(
345 $this->refinery->kindlyTo()->int()
346 )
347 )
348 )
349 : [];
350
351 foreach ($roles as $role => $role_data) {
352 if ($role_data['protected']) {
353 continue;
354 }
355
356 $new_ops = array_keys((array) ($post_perm[$role] ?? []));
357 $old_ops = $this->rbacreview->getRoleOperationsOnObject(
358 $role,
359 $this->getCurrentObject()->getRefId()
360 );
361
362 // Add operations which were enabled and are not activated.
363 foreach ($possible_ops_ids as $create_ops_id) {
364 if (in_array($create_ops_id, $createable_ops_ids)) {
365 continue;
366 }
367 if (in_array($create_ops_id, $old_ops)) {
368 $new_ops[] = $create_ops_id;
369 }
370 }
371
372 $this->rbacadmin->revokePermission(
373 $this->getCurrentObject()->getRefId(),
374 $role
375 );
376
377 $this->rbacadmin->grantPermission(
378 $role,
379 array_unique($new_ops),
380 $this->getCurrentObject()->getRefId()
381 );
382 }
383
384 if (ilPermissionGUI::hasContainerCommands($this->getCurrentObject()->getType())) {
385 $inherit_post = $this->http->wrapper()->post()->has('inherit')
386 ? $this->http->wrapper()->post()->retrieve(
387 'inherit',
388 $this->refinery->kindlyTo()->dictOf(
389 $this->refinery->kindlyTo()->bool()
390 )
391 )
392 : [];
393
394 foreach ($roles as $role) {
395 $obj_id = (int) $role['obj_id'];
396 $parent_id = (int) $role['parent'];
397 // No action for local roles
398 if ($parent_id === $this->getCurrentObject()->getRefId() && $role['assign'] === 'y') {
399 continue;
400 }
401 // Nothing for protected roles
402 if ($role['protected']) {
403 continue;
404 }
405 // Stop local policy
406 if (
407 $parent_id === $this->getCurrentObject()->getRefId()
408 && !isset($inherit_post[$obj_id])
409 && !$this->rbacreview->isBlockedAtPosition($obj_id, $this->getCurrentObject()->getRefId())
410 ) {
411 ilLoggerFactory::getLogger('ac')->debug('Stop local policy for: ' . $role['obj_id']);
412 $role_obj = ilObjectFactory::getInstanceByObjId($obj_id);
413 $role_obj->setParent($this->getCurrentObject()->getRefId());
414 $role_obj->delete();
415 continue;
416 }
417 // Add local policy
418 if (
419 $parent_id !== $this->getCurrentObject()->getRefId()
420 && isset($inherit_post[$obj_id])
421 ) {
422 ilLoggerFactory::getLogger('ac')->debug('Create local policy');
423 $this->rbacadmin->copyRoleTemplatePermissions(
424 $obj_id,
425 $parent_id,
426 $this->getCurrentObject()->getRefId(),
427 $obj_id
428 );
429 ilLoggerFactory::getLogger('ac')->debug('Assign role to folder');
430 $this->rbacadmin->assignRoleToFolder($obj_id, $this->getCurrentObject()->getRefId(), 'n');
431 }
432 }
433 }
434
435 // Protect permissions
436 if (ilPermissionGUI::hasContainerCommands($this->getCurrentObject()->getType())) {
437 $protected_post = $this->http->wrapper()->post()->has('protect')
438 ? $this->http->wrapper()->post()->retrieve(
439 'protect',
440 $this->refinery->kindlyTo()->dictOf($this->refinery->kindlyTo()->int())
441 )
442 : [];
443 foreach ($roles as $role) {
444 $obj_id = (int) $role['obj_id'];
445 if ($this->rbacreview->isAssignable($obj_id, $this->getCurrentObject()->getRefId())) {
446 if (isset($protected_post[$obj_id]) &&
447 !$this->rbacreview->isProtected($this->getCurrentObject()->getRefId(), $obj_id)) {
448 $this->rbacadmin->setProtected($this->getCurrentObject()->getRefId(), $obj_id, 'y');
449 } elseif (!isset($protected_post[$obj_id]) &&
450 $this->rbacreview->isProtected($this->getCurrentObject()->getRefId(), $obj_id)) {
451 $this->rbacadmin->setProtected($this->getCurrentObject()->getRefId(), $obj_id, 'n');
452 }
453 }
454 }
455 }
456
457 $log_new = ilRbacLog::gatherFaPa($this->getCurrentObject()->getRefId(), array_keys((array) $roles));
458 $log = ilRbacLog::diffFaPa($log_old, $log_new);
459 ilRbacLog::add(ilRbacLog::EDIT_PERMISSIONS, $this->getCurrentObject()->getRefId(), $log);
460
461 $blocked_info = $this->getModifiedBlockedSettings();
462 ilLoggerFactory::getLogger('ac')->debug('Blocked settings: ' . print_r($blocked_info, true));
463 if ($blocked_info['num'] > 0) {
464 $this->showConfirmBlockRole($blocked_info);
465 return;
466 }
467 $this->tpl->setOnScreenMessage('success', $this->lng->txt('settings_saved'), true);
468 $this->ctrl->redirect($this, 'perm');
469 }
470
471 private function showConfirmBlockRole(array $a_blocked_info): void
472 {
473 $info = '';
474 if ($a_blocked_info['new_blocked']) {
475 $info .= $this->lng->txt('role_confirm_block_role_info');
476 if ($a_blocked_info['new_unblocked']) {
477 $info .= '<br /><br />';
478 }
479 }
480 if ($a_blocked_info['new_unblocked']) {
481 $info .= ('<br />' . $this->lng->txt('role_confirm_unblock_role_info'));
482 }
483
484 $this->tpl->setOnScreenMessage('info', $info);
485
486 $confirm = new ilConfirmationGUI();
487 $confirm->setFormAction($this->ctrl->getFormAction($this));
488 $confirm->setHeaderText($this->lng->txt('role_confirm_block_role_header'));
489 $confirm->setConfirm($this->lng->txt('role_confirm_block_role'), 'modifyBlockRoles');
490 $confirm->setCancel($this->lng->txt('cancel'), 'perm');
491
492 foreach ($a_blocked_info['new_blocked'] as $role_id) {
493 $confirm->addItem(
494 'new_block[]',
495 (string) $role_id,
496 ilObjRole::_getTranslation(ilObject::_lookupTitle($role_id)) . ' ' . $this->lng->txt('role_blocked')
497 );
498 }
499 foreach ($a_blocked_info['new_unblocked'] as $role_id) {
500 $confirm->addItem(
501 'new_unblock[]',
502 (string) $role_id,
503 ilObjRole::_getTranslation(ilObject::_lookupTitle($role_id)) . ' ' . $this->lng->txt('role_unblocked')
504 );
505 }
506 $this->tpl->setContent($confirm->getHTML());
507 }
508
509 private function modifyBlockRoles(): void
510 {
511 $this->blockRoles(
512 $this->http->wrapper()->post()->has('new_block')
513 ? $this->http->wrapper()->post()->retrieve(
514 'new_block',
515 $this->refinery->kindlyTo()->dictOf($this->refinery->kindlyTo()->int())
516 )
517 : []
518 );
519 $this->unblockRoles($this->http->wrapper()->post()->has('new_unblock')
520 ? $this->http->wrapper()->post()->retrieve(
521 'new_unblock',
522 $this->refinery->kindlyTo()->dictOf($this->refinery->kindlyTo()->int())
523 )
524 : []);
525
526 $this->tpl->setOnScreenMessage('info', $this->lng->txt('settings_saved'));
527 $this->ctrl->redirect($this, 'perm');
528 }
529
530 private function unblockRoles(array $roles): void
531 {
532 foreach ($roles as $role) {
533 // delete local policy
534 ilLoggerFactory::getLogger('ac')->debug('Stop local policy for: ' . $role);
535 $role_obj = ilObjectFactory::getInstanceByObjId($role);
536 $role_obj->setParent($this->getCurrentObject()->getRefId());
537 $role_obj->delete();
538
539 $role_obj->changeExistingObjects(
540 $this->getCurrentObject()->getRefId(),
541 ilObjRole::MODE_UNPROTECTED_KEEP_LOCAL_POLICIES,
542 ['all']
543 );
544
545 // finally set blocked status
546 $this->rbacadmin->setBlockedStatus(
547 $role,
548 $this->getCurrentObject()->getRefId(),
549 false
550 );
551 }
552 }
553
554 private function blockRoles(array $roles): void
555 {
556 foreach ($roles as $role) {
557 // Set assign to 'y' only if it is a local role
558 $assign = $this->rbacreview->isAssignable($role, $this->getCurrentObject()->getRefId()) ? 'y' : 'n';
559
560 // Delete permissions
561 $this->rbacadmin->revokeSubtreePermissions($this->getCurrentObject()->getRefId(), $role);
562
563 // Delete template permissions
564 $this->rbacadmin->deleteSubtreeTemplates($this->getCurrentObject()->getRefId(), $role);
565
566 $this->rbacadmin->assignRoleToFolder(
567 $role,
568 $this->getCurrentObject()->getRefId(),
569 $assign
570 );
571
572 // finally set blocked status
573 $this->rbacadmin->setBlockedStatus(
574 $role,
575 $this->getCurrentObject()->getRefId(),
576 true
577 );
578 }
579 }
580
581 public static function hasContainerCommands(string $a_type): bool
582 {
583 global $DIC;
584
585 $objDefinition = $DIC['objDefinition'];
586 return $objDefinition->isContainer($a_type) && $a_type != 'root' && $a_type != 'adm' && $a_type != 'rolf';
587 }
588
589 private function displayImportRoleForm(?ilPropertyFormGUI $form = null): void
590 {
591 $this->tabs->clearTargets();
592
593 if (!$form) {
594 $form = $this->initImportForm();
595 }
596 $this->tpl->setContent($form->getHTML());
597 }
598
599 private function doImportRole(): void
600 {
601 $form = $this->initImportForm();
602 if ($form->checkInput()) {
603 try {
604 // For global roles set import id to parent of current ref_id (adm)
605 $imp = new ilImport($this->getCurrentObject()->getRefId());
606 $imp->getMapping()->addMapping(
607 'components/ILIAS/AccessControl',
608 'rolf',
609 '0',
610 (string) $this->getCurrentObject()->getRefId()
611 );
612
613 $imp->importObject(
614 null,
615 $_FILES["importfile"]["tmp_name"],
616 $_FILES["importfile"]["name"],
617 'role'
618 );
619 $this->tpl->setOnScreenMessage('success', $this->lng->txt('rbac_role_imported'), true);
620 $this->ctrl->redirect($this, 'perm');
621 return;
622 } catch (Exception $e) {
623 $this->tpl->setOnScreenMessage('failure', $e->getMessage());
624 $form->setValuesByPost();
625 $this->displayImportRoleForm($form);
626 return;
627 }
628 }
629 $form->setValuesByPost();
630 $this->tpl->setOnScreenMessage('failure', $this->lng->txt('err_check_input'));
631 $this->displayImportRoleForm($form);
632 }
633
634 private function initImportForm(): ilPropertyFormGUI
635 {
636 $form = new ilPropertyFormGUI();
637 $form->setFormAction($this->ctrl->getFormAction($this));
638 $form->setTitle($this->lng->txt('rbac_import_role'));
639 $form->addCommandButton('doImportRole', $this->lng->txt('import'));
640 $form->addCommandButton('perm', $this->lng->txt('cancel'));
641
642 $zip = new ilFileInputGUI($this->lng->txt('import_file'), 'importfile');
643 $zip->setRequired(true);
644 $zip->setSuffixes(['zip']);
645 $form->addItem($zip);
646
647 return $form;
648 }
649
650 private function initRoleForm(): ilPropertyFormGUI
651 {
652 $form = new ilPropertyFormGUI();
653 $form->setFormAction($this->ctrl->getFormAction($this));
654 $form->setTitle($this->lng->txt('role_new'));
655 $form->addCommandButton('addrole', $this->lng->txt('role_new'));
656 $form->addCommandButton('perm', $this->lng->txt('cancel'));
657
658 $title = new ilTextInputGUI($this->lng->txt('title'), 'title');
659 $title->setValidationRegexp('/^(?!il_).*$/');
660 $title->setValidationFailureMessage($this->lng->txt('msg_role_reserved_prefix'));
661 $title->setSize(40);
662 $title->setMaxLength(70);
663 $title->setRequired(true);
664 $form->addItem($title);
665
666 $desc = new ilTextAreaInputGUI($this->lng->txt('description'), 'desc');
667 $desc->setCols(40);
668 $desc->setRows(3);
669 $form->addItem($desc);
670
671 $pro = new ilCheckboxInputGUI($this->lng->txt('role_protect_permissions'), 'pro');
672 $pro->setInfo($this->lng->txt('role_protect_permissions_desc'));
673 $pro->setValue("1");
674 $form->addItem($pro);
675
676 $pd = new ilCheckboxInputGUI($this->lng->txt('rbac_add_recommended_content'), 'desktop');
677 $pd->setInfo(
678 str_replace(
679 "%1",
680 $this->getCurrentObject()->getTitle(),
681 $this->lng->txt('rbac_add_recommended_content_info')
682 )
683 );
684 $pd->setValue((string) 1);
685 $form->addItem($pd);
686
687 if (!$this->isInAdministration()) {
688 $rights = new ilRadioGroupInputGUI($this->lng->txt("rbac_role_rights_copy"), 'rights');
689 $option = new ilRadioOption($this->lng->txt("rbac_role_rights_copy_empty"), (string) 0);
690 $rights->addOption($option);
691
692 $parent_role_ids = $this->rbacreview->getParentRoleIds($this->gui_obj->getObject()->getRefId(), true);
693 $ids = [];
694 foreach (array_keys($parent_role_ids) as $id) {
695 $ids[] = $id;
696 }
697
698 // Sort ids
699 $sorted_ids = ilUtil::_sortIds($ids, 'object_data', 'type DESC,title', 'obj_id');
700
701 $key = 0;
702 foreach ($sorted_ids as $id) {
703 $par = $parent_role_ids[$id];
704 if ($par["obj_id"] != SYSTEM_ROLE_ID) {
705 $option = new ilRadioOption(
706 ($par["type"] == 'role' ? $this->lng->txt('obj_role') : $this->lng->txt(
707 'obj_rolt'
708 )) . ": " . ilObjRole::_getTranslation($par["title"]),
709 (string) $par["obj_id"]
710 );
711 $option->setInfo($par["desc"] ?? '');
712 $rights->addOption($option);
713 }
714 $key++;
715 }
716 $form->addItem($rights);
717 }
718
719 // Local policy only for containers
720 if ($this->object_definition->isContainer($this->getCurrentObject()->getType())) {
721 $check = new ilCheckboxInputGUI($this->lng->txt("rbac_role_rights_copy_change_existing"), 'existing');
722 $check->setInfo($this->lng->txt('rbac_change_existing_objects_desc_new_role'));
723 $form->addItem($check);
724 }
725 return $form;
726 }
727
728 public function displayAddRoleForm(): void
729 {
730 $this->tabs->clearTargets();
731 $form = $this->initRoleForm();
732 $this->tpl->setContent($form->getHTML());
733 }
734
741 public function addRole(): void
742 {
743 $form = $this->initRoleForm();
744 if ($form->checkInput()) {
745 $new_title = $form->getInput("title");
746
747 $role = new ilObjRole();
748 $role->setTitle($new_title);
749 $role->setDescription($form->getInput('desc'));
750 $role->create();
751
752 $this->rbacadmin->assignRoleToFolder($role->getId(), $this->getCurrentObject()->getRefId());
753
754 // protect
755 $this->rbacadmin->setProtected(
756 $this->getCurrentObject()->getRefId(),
757 $role->getId(),
758 $form->getInput('pro') ? 'y' : 'n'
759 );
760
761 // copy rights
762 $right_id_to_copy = (int) $form->getInput("rights");
763 if ($right_id_to_copy) {
764 $parentRoles = $this->rbacreview->getParentRoleIds($this->getCurrentObject()->getRefId(), true);
765 $this->rbacadmin->copyRoleTemplatePermissions(
766 $right_id_to_copy,
767 $parentRoles[$right_id_to_copy]["parent"],
768 $this->getCurrentObject()->getRefId(),
769 $role->getId(),
770 false
771 );
772
773 if ($form->getInput('existing')) {
774 if ($form->getInput('pro')) {
775 $role->changeExistingObjects(
776 $this->getCurrentObject()->getRefId(),
777 ilObjRole::MODE_PROTECTED_KEEP_LOCAL_POLICIES,
778 ['all']
779 );
780 } else {
781 $role->changeExistingObjects(
782 $this->getCurrentObject()->getRefId(),
783 ilObjRole::MODE_UNPROTECTED_KEEP_LOCAL_POLICIES,
784 ['all']
785 );
786 }
787 }
788 }
789
790 // add to desktop items
791 if ($form->getInput("desktop")) {
792 $this->recommended_content_manager->addRoleRecommendation(
793 $role->getId(),
794 $this->getCurrentObject()->getRefId()
795 );
796 }
797
798 $this->tpl->setOnScreenMessage('success', $this->lng->txt("role_added"), true);
799 $this->ctrl->redirect($this, 'perm');
800 } else {
801 $form->setValuesByPost();
802 $this->tpl->setContent($form->getHTML());
803 }
804 }
805
806 private function getModifiedBlockedSettings(): array
807 {
808 $blocked_info['new_blocked'] = [];
809 $blocked_info['new_unblocked'] = [];
810 $blocked_info['num'] = 0;
811 $visible_block = $this->http->wrapper()->post()->has('visible_block')
812 ? $this->http->wrapper()->post()->retrieve(
813 'visible_block',
814 $this->refinery->kindlyTo()->dictOf($this->refinery->kindlyTo()->int())
815 )
816 : [];
817 $block_post = $this->http->wrapper()->post()->has('block')
818 ? $this->http->wrapper()->post()->retrieve(
819 'block',
820 $this->refinery->kindlyTo()->dictOf($this->refinery->kindlyTo()->int())
821 )
822 : [];
823
824
825 foreach ($visible_block as $role => $one) {
826 $blocked = $this->rbacreview->isBlockedAtPosition($role, $this->getCurrentObject()->getRefId());
827 if (isset($block_post[$role]) && !$blocked) {
828 $blocked_info['new_blocked'][] = $role;
829 $blocked_info['num']++;
830 }
831 if (!isset($block_post[$role]) && $blocked) {
832 $blocked_info['new_unblocked'][] = $role;
833 $blocked_info['num']++;
834 }
835 }
836 return $blocked_info;
837 }
838
839 public function permPositions(): void
840 {
841 $perm = self::CMD_PERM_POSITIONS;
842 $this->__initSubTabs($perm);
843
844 $ref_id = $this->getCurrentObject()->getRefId();
845 $table = new ilOrgUnitPermissionTableGUI($this, $perm, $ref_id);
846 $table->collectData();
847 $this->tpl->setContent($table->getHTML());
848 }
849
850 public function savePositionsPermissions(): void
851 {
852 $this->__initSubTabs(self::CMD_PERM_POSITIONS);
853
854 $positions = $this->getPositionRepo()->getArray(null, 'id');
855 $ref_id = $this->getCurrentObject()->getRefId();
856
857 $positions_with_local_perms_from_post = $this->http->wrapper()->post()->has('local')
858 ? $this->http->wrapper()->post()->retrieve(
859 'local',
860 $this->refinery->kindlyTo()->dictOf($this->refinery->kindlyTo()->int())
861 )
862 : [];
863
864 foreach ($positions as $position_id) {
865 if (isset($positions_with_local_perms_from_post[$position_id])) {
866 $this->getPermissionRepo()->get($ref_id, $position_id);
867 } else {
868 $this->getPermissionRepo()->delete($ref_id, $position_id);
869 }
870 }
871
872 $position_perm_post = $this->http->wrapper()->post()->has('position_perm')
873 ? $this->http->wrapper()->post()->retrieve(
874 'position_perm',
875 $this->refinery->kindlyTo()->dictOf(
876 $this->refinery->kindlyTo()->dictOf(
877 $this->refinery->kindlyTo()->int()
878 )
879 )
880 )
881 : [];
882
883 foreach ($position_perm_post as $position_id => $ops) {
884 if (!isset($positions_with_local_perms_from_post[$position_id])) {
885 continue;
886 }
887 $org_unit_permissions = $this->getPermissionRepo()->getLocalorDefault($ref_id, $position_id);
888 if (!$org_unit_permissions->isTemplate()) {
889 $new_ops = [];
890 foreach ($ops as $op_id => $op) {
891 $new_ops[] = $this->getOperationRepo()->getById($op_id);
892 }
893 $org_unit_permissions = $this->getPermissionRepo()->store(
894 $org_unit_permissions->withOperations($new_ops)
895 );
896 }
897 }
898
899 foreach (array_keys($positions_with_local_perms_from_post) as $position_id_from_post) {
900 if (array_key_exists($position_id_from_post, $position_perm_post)) {
901 continue;
902 }
903 $org_unit_permissions = $this->getPermissionRepo()->find($ref_id, $position_id_from_post);
904 if ($org_unit_permissions !== null && !$org_unit_permissions->isTemplate()) {
905 $this->getPermissionRepo()->store($org_unit_permissions->withOperations([]));
906 }
907 }
908
909 $this->tpl->setOnScreenMessage('success', $this->lng->txt('settings_saved'), true);
910 $this->ctrl->redirect($this, self::CMD_PERM_POSITIONS);
911 }
912
913 public function owner(): void
914 {
915 $this->__initSubTabs('owner');
916
917 $form = new ilPropertyFormGUI();
918 $form->setFormAction($this->ctrl->getFormAction($this, "owner"));
919 $form->setTitle($this->lng->txt("info_owner_of_object"));
920
921 $login = new ilTextInputGUI($this->lng->txt("login"), "owner");
922 $login->setDataSource($this->ctrl->getLinkTargetByClass([get_class($this),
923 'ilRepositorySearchGUI'
924 ], 'doUserAutoComplete', '', true));
925 $login->setRequired(true);
926 $login->setSize(50);
927 $login->setInfo($this->lng->txt("chown_warning"));
928 $login->setValue(ilObjUser::_lookupLogin($this->gui_obj->getObject()->getOwner()));
929 $form->addItem($login);
930 $form->addCommandButton("changeOwner", $this->lng->txt("change_owner"));
931 $this->tpl->setContent($form->getHTML());
932 }
933
934 public function changeOwner(): void
935 {
936 $owner = '';
937 if ($this->http->wrapper()->post()->has('owner')) {
938 $owner = $this->http->wrapper()->post()->retrieve(
939 'owner',
940 $this->refinery->kindlyTo()->string()
941 );
942 }
943 if (!$user_id = ilObjUser::_lookupId($owner)) {
944 $this->tpl->setOnScreenMessage('failure', $this->lng->txt('user_not_known'));
945 $this->owner();
946 return;
947 }
948
949 // no need to change?
950 if ($user_id != $this->gui_obj->getObject()->getOwner()) {
951 $this->gui_obj->getObject()->setOwner($user_id);
952 $this->gui_obj->getObject()->updateOwner();
953 $this->objectDataCache->deleteCachedEntry($this->gui_obj->getObject()->getId());
954
955 if (ilRbacLog::isActive()) {
956 ilRbacLog::add(ilRbacLog::CHANGE_OWNER, $this->gui_obj->getObject()->getRefId(), [$user_id]);
957 }
958 }
959
960 $this->tpl->setOnScreenMessage('success', $this->lng->txt('owner_updated'), true);
961
962 if (!$this->rbacsystem->checkAccess("edit_permission", $this->gui_obj->getObject()->getRefId())) {
963 $this->ctrl->redirect($this->gui_obj);
964 return;
965 }
966 $this->ctrl->redirect($this, 'owner');
967 }
968
969 private function __initSubTabs(string $a_cmd): void
970 {
971 $perm = $a_cmd === 'perm';
972 $perm_positions = $a_cmd === ilPermissionGUI::CMD_PERM_POSITIONS;
973 $info = $a_cmd === 'perminfo';
974 $owner = $a_cmd === 'owner';
975 $log = $a_cmd === 'log';
976
977 $this->tabs->addSubTabTarget(
978 "permission_settings",
979 $this->ctrl->getLinkTarget($this, "perm"),
980 "",
981 "",
982 "",
983 $perm
984 );
985
986 if (ilOrgUnitGlobalSettings::getInstance()->isPositionAccessActiveForObject($this->gui_obj->getObject()->getId())) {
987 $this->tabs->addSubTabTarget(
988 self::TAB_POSITION_PERMISSION_SETTINGS,
989 $this->ctrl->getLinkTarget($this, ilPermissionGUI::CMD_PERM_POSITIONS),
990 "",
991 "",
992 "",
993 $perm_positions
994 );
995 }
996
997 $this->tabs->addSubTabTarget(
998 "info_status_info",
999 $this->ctrl->getLinkTargetByClass([get_class($this), "ilobjectpermissionstatusgui"], "perminfo"),
1000 "",
1001 "",
1002 "",
1003 $info
1004 );
1005 $this->tabs->addSubTabTarget(
1006 "owner",
1007 $this->ctrl->getLinkTarget($this, "owner"),
1008 "",
1009 "",
1010 "",
1011 $owner
1012 );
1013
1014 if (ilRbacLog::isActive()) {
1015 $this->tabs->addSubTabTarget(
1016 "rbac_log",
1017 $this->ctrl->getLinkTarget($this, 'log'),
1018 "",
1019 "",
1020 "",
1021 $log
1022 );
1023 }
1024 }
1025
1026 public function log(): void
1027 {
1028 if (!ilRbacLog::isActive()) {
1029 $this->ctrl->redirect($this, 'perm');
1030 }
1031
1032 $this->__initSubTabs('log');
1033
1034 $table = new Table(
1035 new ilRbacLog($this->db),
1036 $this->ui_factory,
1037 $this->data_factory,
1038 $this->lng,
1039 $this->ctrl,
1040 $this->ui_service,
1041 $this->object_definition,
1042 $this->http->request(),
1043 $this->rbacreview,
1044 $this->user,
1045 $this->gui_obj
1046 );
1047 $this->tpl->setContent($this->ui_renderer->render(
1048 $table->getTableAndFilter()
1049 ));
1050 }
1051}
$id
$id
plugin.php for ilComponentBuildPluginInfoObjectiveTest::testAddPlugins
Definition: plugin.php:23
$rights
$rights
Definition: LOMStructure.php:396
$check
$check
Definition: buildRTE.php:81
ILIAS\Data\Color\Factory
Builds a Color from either hex- or rgb values.
Definition: Factory.php:31
ILIAS\Data\Factory
Builds data types.
Definition: Factory.php:36
ilCheckboxInputGUI
This class represents a checkbox property in a property form.
Definition: class.ilCheckboxInputGUI.php:28
ilConfirmationGUI
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: class.ilConfirmationGUI.php:27
ilCtrl
Class ilCtrl provides processing control methods.
Definition: class.ilCtrl.php:36
ilDidacticTemplateGUI
GUI class for didactic template settings inside repository objects.
Definition: class.ilDidacticTemplateGUI.php:28
ilErrorHandling
Error Handling & global info handling.
Definition: class.ilErrorHandling.php:38
ilFileInputGUI
This class represents a file property in a property form.
Definition: class.ilFileInputGUI.php:32
ilImport
Import class.
Definition: class.ilImport.php:39
ilLanguage
language handling
Definition: class.ilLanguage.php:43
ilLoggerFactory\getLogger
static getLogger(string $a_component_id)
Get component logger.
Definition: class.ilLoggerFactory.php:89
ilObjRoleGUI
Class ilObjRoleGUI.
Definition: class.ilObjRoleGUI.php:36
ilObjRole
Class ilObjRole.
Definition: class.ilObjRole.php:27
ilObjRole\MODE_UNPROTECTED_KEEP_LOCAL_POLICIES
const MODE_UNPROTECTED_KEEP_LOCAL_POLICIES
Definition: class.ilObjRole.php:31
ilObjRole\MODE_PROTECTED_KEEP_LOCAL_POLICIES
const MODE_PROTECTED_KEEP_LOCAL_POLICIES
Definition: class.ilObjRole.php:29
ilObjRole\_getTranslation
static _getTranslation(string $a_role_title)
Definition: class.ilObjRole.php:364
ilObjUser
User class.
Definition: class.ilObjUser.php:46
ilObjUser\_lookupId
static _lookupId(string|array $a_user_str)
Definition: class.ilObjUser.php:2915
ilObjUser\_lookupLogin
static _lookupLogin(int $a_user_id)
Definition: class.ilObjUser.php:2729
ilObjectDataCache
class ilObjectDataCache
Definition: class.ilObjectDataCache.php:30
ilObjectDefinition
parses the objects.xml it handles the xml-description of all ilias objects
Definition: class.ilObjectDefinition.php:29
ilObjectFactory\getInstanceByObjId
static getInstanceByObjId(?int $obj_id, bool $stop_on_error=true)
get an instance of an Ilias object by object id
Definition: class.ilObjectFactory.php:84
ilObjectGUI
Class ilObjectGUI Basic methods of all Output classes.
Definition: class.ilObjectGUI.php:49
ilObjectPermissionStatusGUI
This class displays the permission status of a user concerning a specific object.
Definition: class.ilObjectPermissionStatusGUI.php:29
ilObject\_lookupTitle
static _lookupTitle(int $obj_id)
Definition: class.ilObject.php:847
ilOrgUnitPermissionTableGUI
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: class.ilOrgUnitPermissionTableGUI.php:24
ilPermissionGUI\hasContainerCommands
static hasContainerCommands(string $a_type)
Definition: class.ilPermissionGUI.php:581
ilPermissionGUI\unblockRoles
unblockRoles(array $roles)
Definition: class.ilPermissionGUI.php:530
ilPermissionGUI\applyRoleFilter
applyRoleFilter(array $a_roles, int $a_filter_id)
Definition: class.ilPermissionGUI.php:264
ilPermissionGUI\$object_definition
ilObjectDefinition $object_definition
Definition: class.ilPermissionGUI.php:52
ilPermissionGUI\$positionRepo
ilOrgUnitPositionDBRepository $positionRepo
Definition: class.ilPermissionGUI.php:44
ilPermissionGUI\$ilErr
ilErrorHandling $ilErr
Definition: class.ilPermissionGUI.php:49
ilPermissionGUI\executeCommand
executeCommand()
Execute command.
Definition: class.ilPermissionGUI.php:138
ilPermissionGUI\__initSubTabs
__initSubTabs(string $a_cmd)
Definition: class.ilPermissionGUI.php:969
ilPermissionGUI\perm
perm(?ilTable2GUI $table=null)
Definition: class.ilPermissionGUI.php:191
ilPermissionGUI\showConfirmBlockRole
showConfirmBlockRole(array $a_blocked_info)
Definition: class.ilPermissionGUI.php:471
ilPermissionGUI\$operationRepo
ilOrgUnitOperationDBRepository $operationRepo
Definition: class.ilPermissionGUI.php:46
ilPermissionGUI\$tpl
ilGlobalTemplateInterface $tpl
Definition: class.ilPermissionGUI.php:53
ilPermissionGUI\$http
GlobalHttpState $http
Definition: class.ilPermissionGUI.php:60
ilPermissionGUI\displayImportRoleForm
displayImportRoleForm(?ilPropertyFormGUI $form=null)
Definition: class.ilPermissionGUI.php:589
ilPermissionGUI\$permissionRepo
ilOrgUnitPermissionDBRepository $permissionRepo
Definition: class.ilPermissionGUI.php:45
ilPermissionGUI\isInAdministration
isInAdministration()
Check if node is subobject of administration folder.
Definition: class.ilPermissionGUI.php:243
ilPermissionGUI\$recommended_content_manager
ilRecommendedContentManager $recommended_content_manager
Definition: class.ilPermissionGUI.php:43
ilPermissionGUI\$objectDataCache
ilObjectDataCache $objectDataCache
Definition: class.ilPermissionGUI.php:58
ilPermissionGUI\addRole
addRole()
adds a local role This method is only called when choose the option 'you may add local roles'.
Definition: class.ilPermissionGUI.php:741
ilPropertyFormGUI
This class represents a property form user interface.
Definition: class.ilPropertyFormGUI.php:32
ilRadioGroupInputGUI
This class represents a property in a property form.
Definition: class.ilRadioGroupInputGUI.php:28
ilRadioOption
This class represents an option in a radio group.
Definition: class.ilRadioOption.php:28
ilRbacAdmin
Class ilRbacAdmin Core functions for role based access control.
Definition: class.ilRbacAdmin.php:32
ilRbacLog
class ilRbacLog Log changes in Rbac-related settings
Definition: class.ilRbacLog.php:31
ilRbacLog\EDIT_PERMISSIONS
const EDIT_PERMISSIONS
Definition: class.ilRbacLog.php:33
ilRbacLog\add
static add(int $action, int $ref_id, array $diff, bool $source_ref_id=false)
Definition: class.ilRbacLog.php:226
ilRbacLog\CHANGE_OWNER
const CHANGE_OWNER
Definition: class.ilRbacLog.php:40
ilRbacLog\gatherFaPa
static gatherFaPa(int $ref_id, array $role_ids, bool $add_action=false)
Definition: class.ilRbacLog.php:127
ilRbacLog\diffFaPa
static diffFaPa(array $old, array $new)
Definition: class.ilRbacLog.php:160
ilRbacLog\isActive
static isActive()
Definition: class.ilRbacLog.php:122
ilRbacReview
class ilRbacReview Contains Review functions of core Rbac.
Definition: class.ilRbacReview.php:34
ilRbacReview\lookupCreateOperationIds
static lookupCreateOperationIds(array $a_type_arr)
Lookup operation ids.
Definition: class.ilRbacReview.php:1017
ilRbacSystem
class ilRbacSystem system function like checkAccess, addActiveRole ... Supporting system functions ar...
Definition: class.ilRbacSystem.php:34
ilRecommendedContentManager
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: class.ilRecommendedContentManager.php:26
ilTable2GUI
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: class.ilTable2GUI.php:26
ilTabsGUI
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: class.ilTabsGUI.php:26
ilTextAreaInputGUI
This class represents a text area property in a property form.
Definition: class.ilTextAreaInputGUI.php:28
ilTextInputGUI
This class represents a text property in a property form.
Definition: class.ilTextInputGUI.php:28
ilToolbarGUI
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: class.ilToolbarGUI.php:28
ilTree
Tree class data representation in hierachical trees using the Nested Set Model with Gaps by Joe Celco...
Definition: class.ilTree.php:30
ilUIService
Filter service.
Definition: class.ilUIService.php:29
ilUtil\_sortIds
static _sortIds(array $a_ids, string $a_table, string $a_field, string $a_id_name)
Function that sorts ids by a given table field using WHERE IN E.g: __sort(array(6,...
Definition: class.ilUtil.php:1219
SYSTEM_ROLE_ID
const SYSTEM_ROLE_ID
Definition: constants.php:29
SYSTEM_FOLDER_ID
const SYSTEM_FOLDER_ID
Definition: constants.php:35
ROLE_FOLDER_ID
const ROLE_FOLDER_ID
Definition: constants.php:34
$info
$info
Definition: entry_point.php:21
ILIAS\HTTP\GlobalHttpState
Interface GlobalHttpState.
Definition: GlobalHttpState.php:43
ILIAS\UI\Renderer
An entity that renders components to a string output.
Definition: Renderer.php:31
ilDBInterface
Interface ilDBInterface.
Definition: interface.ilDBInterface.php:30
$ref_id
$ref_id
Definition: ltiauth.php:66
$log
$log
Definition: ltiresult.php:34
$dic
$dic
Definition: ltiresult.php:33
ILIAS\FileDelivery\http
static http()
Fetches the global http state from ILIAS.
Definition: HttpServiceAware.php:55
ILIAS\GlobalScreen\Provider\__construct
__construct(Container $dic, ilPlugin $plugin)
@inheritDoc
Definition: PluginProviderHelper.php:38
$DIC
global $DIC
Definition: shib_login.php:26