ILIAS  trunk Revision v12.0_alpha-1540-g00f839d5fa1
class.ilPermissionGUI.php
Go to the documentation of this file.
1<?php
2
19declare(strict_types=1);
20
21use ILIAS\AccessControl\Log\Table;
22use ILIAS\HTTP\GlobalHttpState;
23use ILIAS\Refinery\Factory;
24use ILIAS\UI\Factory as UIFactory;
25use ILIAS\UI\Renderer as UIRenderer;
26use ILIAS\Data\Factory as DataFactory;
27
35class ilPermissionGUI
36{
37 public const CMD_SAVE_POSITIONS_PERMISSIONS = 'savePositionsPermissions';
38 private const CMD_PERM_POSITIONS = 'permPositions';
39 private const TAB_POSITION_PERMISSION_SETTINGS = "position_permission_settings";
40
41 private ilObjectGUI $current_obj;
42
43 private ilRecommendedContentManager $recommended_content_manager;
44 private ilOrgUnitPositionDBRepository $positionRepo;
45 private ilOrgUnitPermissionDBRepository $permissionRepo;
46 private ilOrgUnitOperationDBRepository $operationRepo;
47
48 private ilObjectGUI $gui_obj;
49 private ilErrorHandling $ilErr;
50 private ilCtrl $ctrl;
51 private ilLanguage $lng;
52 private ilObjectDefinition $object_definition;
53 private ilGlobalTemplateInterface $tpl;
54 private ilUIService $ui_service;
55 private ilRbacSystem $rbacsystem;
56 private ilRbacReview $rbacreview;
57 private ilRbacAdmin $rbacadmin;
58 private ilObjectDataCache $objectDataCache;
59 private ilTabsGUI $tabs;
60 private GlobalHttpState $http;
61 private Factory $refinery;
62 private ilToolbarGUI $toolbar;
63 private UIFactory $ui_factory;
64 private UIRenderer $ui_renderer;
65 private DataFactory $data_factory;
66 private ilDBInterface $db;
67 private ilObjUser $user;
68 private ilTree $tree;
69
70 public function __construct(ilObjectGUI $a_gui_obj)
71 {
73 global $DIC;
74
75 $this->object_definition = $DIC['objDefinition'];
76 $this->ui_service = $DIC->uiService();
77 $this->objectDataCache = $DIC['ilObjDataCache'];
78 $this->tpl = $DIC['tpl'];
79 $this->lng = $DIC['lng'];
80 $this->ctrl = $DIC['ilCtrl'];
81 $this->rbacsystem = $DIC['rbacsystem'];
82 $this->rbacreview = $DIC['rbacreview'];
83 $this->rbacadmin = $DIC['rbacadmin'];
84 $this->tabs = $DIC['ilTabs'];
85 $this->ilErr = $DIC['ilErr'];
86 $this->http = $DIC['http'];
87 $this->refinery = $DIC['refinery'];
88 $this->toolbar = $DIC['ilToolbar'];
89 $this->ui_factory = $DIC['ui.factory'];
90 $this->ui_renderer = $DIC['ui.renderer'];
91 $this->db = $DIC['ilDB'];
92 $this->user = $DIC['ilUser'];
93 $this->tree = $DIC['tree'];
94
95 $this->data_factory = new DataFactory();
96 $this->recommended_content_manager = new ilRecommendedContentManager();
97
98 $this->lng->loadLanguageModule('rbac');
99 $this->gui_obj = $a_gui_obj;
100 $this->tabs->activateTab('perm_settings');
101 if ($this->tabs->getActiveTab() === '') {
102 $this->tabs->activateTab('id_permissions');
103 }
104 }
105
106 private function getPositionRepo(): ilOrgUnitPositionDBRepository
107 {
108 if (!isset($this->positionRepo)) {
109 $dic = ilOrgUnitLocalDIC::dic();
110 $this->positionRepo = $dic["repo.Positions"];
111 }
112
113 return $this->positionRepo;
114 }
115
116 private function getPermissionRepo(): ilOrgUnitPermissionDBRepository
117 {
118 if (!isset($this->permissionRepo)) {
119 $dic = ilOrgUnitLocalDIC::dic();
120 $this->permissionRepo = $dic["repo.Permissions"];
121 }
122
123 return $this->permissionRepo;
124 }
125
126 private function getOperationRepo(): ilOrgUnitOperationDBRepository
127 {
128 if (!isset($this->operationRepo)) {
129 $dic = ilOrgUnitLocalDIC::dic();
130 $this->operationRepo = $dic["repo.Operations"];
131 }
132
133 return $this->operationRepo;
134 }
135
141 public function executeCommand(): void
142 {
143 // access to all functions in this class are only allowed if edit_permission is granted
144 if (!$this->rbacsystem->checkAccess("edit_permission", $this->gui_obj->getObject()->getRefId())) {
145 $this->tpl->setOnScreenMessage('failure', $this->lng->txt('permission_denied'), true);
146 $this->ctrl->redirect($this->gui_obj);
147 }
148 $next_class = $this->ctrl->getNextClass($this);
149 switch ($next_class) {
150 case "ilobjrolegui":
151
152 $role_id = 0;
153 if ($this->http->wrapper()->query()->has('obj_id')) {
154 $role_id = $this->http->wrapper()->query()->retrieve(
155 'obj_id',
156 $this->refinery->kindlyTo()->int()
157 );
158 }
159 $this->ctrl->setReturn($this, 'perm');
160 $this->gui_obj = new ilObjRoleGUI("", $role_id, false, false);
161 $this->ctrl->forwardCommand($this->gui_obj);
162 break;
163
164 case 'ildidactictemplategui':
165 $this->ctrl->setReturn($this, 'perm');
166 $did = new ilDidacticTemplateGUI($this->gui_obj);
167 $this->ctrl->forwardCommand($did);
168 break;
169
170 case 'ilrepositorysearchgui':
171 // used for owner autocomplete
172 $rep_search = new ilRepositorySearchGUI();
173 $this->ctrl->forwardCommand($rep_search);
174 break;
175
176 case 'ilobjectpermissionstatusgui':
177 $this->__initSubTabs("perminfo");
178 $perm_stat = new ilObjectPermissionStatusGUI($this->gui_obj->getObject());
179 $this->ctrl->forwardCommand($perm_stat);
180 break;
181
182 default:
183 $cmd = $this->ctrl->getCmd();
184 $this->$cmd();
185 break;
186 }
187 }
188
189 public function getCurrentObject(): object
190 {
191 return $this->gui_obj->getObject();
192 }
193
194 public function perm(?ilTable2GUI $table = null): void
195 {
196 $dtpl = new ilDidacticTemplateGUI($this->gui_obj);
197 if ($dtpl->appendToolbarSwitch(
198 $this->toolbar,
199 $this->getCurrentObject()->getType(),
200 $this->getCurrentObject()->getRefId()
201 )) {
202 $this->toolbar->addSeparator();
203 }
204
205 if ($this->object_definition->hasLocalRoles($this->getCurrentObject()->getType()) && !$this->isAdministrationObject()
206 ) {
207 $this->toolbar->setFormAction($this->ctrl->getFormActionByClass(ilDidacticTemplateGUI::class));
208
209 if (!$this->isAdminRoleFolder()) {
210 $this->toolbar->addComponent(
211 $this->ui_factory->link()->standard(
212 $this->lng->txt('rbac_add_new_local_role'),
213 $this->ctrl->getLinkTarget($this, 'displayAddRoleForm')
214 )
215 );
216 }
217 $this->toolbar->addComponent(
218 $this->ui_factory->link()->standard(
219 $this->lng->txt('rbac_import_role'),
220 $this->ctrl->getLinkTarget($this, 'displayImportRoleForm')
221 )
222 );
223 }
224 $this->__initSubTabs("perm");
225
226 if (!$table instanceof ilTable2GUI) {
227 $table = new ilObjectRolePermissionTableGUI($this, 'perm', $this->getCurrentObject()->getRefId());
228 }
229 $table->parse();
230 $this->tpl->setContent($table->getHTML());
231 }
232
233 private function isAdminRoleFolder(): bool
234 {
235 return $this->getCurrentObject()->getRefId() == ROLE_FOLDER_ID;
236 }
237
238 private function isAdministrationObject(): bool
239 {
240 return $this->getCurrentObject()->getType() == 'adm';
241 }
242
246 private function isInAdministration(): bool
247 {
248 return $this->tree->isGrandChild(SYSTEM_FOLDER_ID, $this->getCurrentObject()->getRefId());
249 }
250
251 public function applyFilter(): void
252 {
253 $table = new ilObjectRolePermissionTableGUI($this, 'perm', $this->getCurrentObject()->getRefId());
254 $table->resetOffset();
255 $table->writeFilterToSession();
256 $this->perm($table);
257 }
258
259 public function resetFilter(): void
260 {
261 $table = new ilObjectRolePermissionTableGUI($this, 'perm', $this->getCurrentObject()->getRefId());
262 $table->resetOffset();
263 $table->resetFilter();
264 $this->perm($table);
265 }
266
267 public function applyRoleFilter(array $a_roles, int $a_filter_id): array
268 {
269 // Always delete administrator role from view
270 if (isset($a_roles[SYSTEM_ROLE_ID])) {
271 unset($a_roles[SYSTEM_ROLE_ID]);
272 }
273
274 switch ($a_filter_id) {
275 // all roles in context
276 case ilObjectRolePermissionTableGUI::ROLE_FILTER_ALL:
277 return $a_roles;
278
279 // only global roles
280 case ilObjectRolePermissionTableGUI::ROLE_FILTER_GLOBAL:
281 $arr_global_roles = $this->rbacreview->getGlobalRoles();
282 $arr_remove_roles = array_diff(array_keys($a_roles), $arr_global_roles);
283 foreach ($arr_remove_roles as $role_id) {
284 unset($a_roles[$role_id]);
285 }
286 return $a_roles;
287
288 // only local roles (all local roles in context that are not defined at ROLE_FOLDER_ID)
289 case ilObjectRolePermissionTableGUI::ROLE_FILTER_LOCAL:
290 $arr_global_roles = $this->rbacreview->getGlobalRoles();
291 foreach ($arr_global_roles as $role_id) {
292 unset($a_roles[$role_id]);
293 }
294 return $a_roles;
295
296 // only roles which use a local policy
297 case ilObjectRolePermissionTableGUI::ROLE_FILTER_LOCAL_POLICY:
298 $arr_local_roles = $this->rbacreview->getRolesOfObject($this->getCurrentObject()->getRefId());
299 $arr_remove_roles = array_diff(array_keys($a_roles), $arr_local_roles);
300 foreach ($arr_remove_roles as $role_id) {
301 unset($a_roles[$role_id]);
302 }
303 return $a_roles;
304
305 // only true local role defined at current position
306 case ilObjectRolePermissionTableGUI::ROLE_FILTER_LOCAL_OBJECT:
307 $arr_local_roles = $this->rbacreview->getRolesOfObject($this->getCurrentObject()->getRefId(), true);
308 $arr_remove_roles = array_diff(array_keys($a_roles), $arr_local_roles);
309 foreach ($arr_remove_roles as $role_id) {
310 unset($a_roles[$role_id]);
311 }
312 return $a_roles;
313
314 default:
315 return $a_roles;
316 }
317 }
318
319 protected function savePermissions(): void
320 {
321 $table = new ilObjectRolePermissionTableGUI($this, 'perm', $this->getCurrentObject()->getRefId());
322
323 $roles = $this->applyRoleFilter(
324 $this->rbacreview->getParentRoleIds($this->getCurrentObject()->getRefId()),
325 (int) $table->getFilterItemByPostVar('role')->getValue()
326 );
327
328 // Log history
329 $log_old = ilRbacLog::gatherFaPa($this->getCurrentObject()->getRefId(), array_keys((array) $roles));
330
331 # all possible create permissions
332 $possible_ops_ids = $this->rbacreview->getOperationsByTypeAndClass(
333 $this->getCurrentObject()->getType(),
334 'create'
335 );
336
337 # createable (activated) create permissions
338 $create_types = $this->object_definition->getCreatableSubObjects(
339 $this->getCurrentObject()->getType()
340 );
341 $createable_ops_ids = ilRbacReview::lookupCreateOperationIds(array_keys((array) $create_types));
342
343 $post_perm = $this->http->wrapper()->post()->has('perm')
344 ? $this->http->wrapper()->post()->retrieve(
345 'perm',
346 $this->refinery->kindlyTo()->dictOf(
347 $this->refinery->kindlyTo()->dictOf(
348 $this->refinery->kindlyTo()->int()
349 )
350 )
351 )
352 : [];
353
354 foreach ($roles as $role => $role_data) {
355 if ($role_data['protected']) {
356 continue;
357 }
358
359 $new_ops = array_keys((array) ($post_perm[$role] ?? []));
360 $old_ops = $this->rbacreview->getRoleOperationsOnObject(
361 $role,
362 $this->getCurrentObject()->getRefId()
363 );
364
365 // Add operations which were enabled and are not activated.
366 foreach ($possible_ops_ids as $create_ops_id) {
367 if (in_array($create_ops_id, $createable_ops_ids)) {
368 continue;
369 }
370 if (in_array($create_ops_id, $old_ops)) {
371 $new_ops[] = $create_ops_id;
372 }
373 }
374
375 $this->rbacadmin->revokePermission(
376 $this->getCurrentObject()->getRefId(),
377 $role
378 );
379
380 $this->rbacadmin->grantPermission(
381 $role,
382 array_unique($new_ops),
383 $this->getCurrentObject()->getRefId()
384 );
385 }
386
387 if (ilPermissionGUI::hasContainerCommands($this->getCurrentObject()->getType())) {
388 $inherit_post = $this->http->wrapper()->post()->has('inherit')
389 ? $this->http->wrapper()->post()->retrieve(
390 'inherit',
391 $this->refinery->kindlyTo()->dictOf(
392 $this->refinery->kindlyTo()->bool()
393 )
394 )
395 : [];
396
397 foreach ($roles as $role) {
398 $obj_id = (int) $role['obj_id'];
399 $parent_id = (int) $role['parent'];
400 // No action for local roles
401 if ($parent_id === $this->getCurrentObject()->getRefId() && $role['assign'] === 'y') {
402 continue;
403 }
404 // Nothing for protected roles
405 if ($role['protected']) {
406 continue;
407 }
408 // Stop local policy
409 if (
410 $parent_id === $this->getCurrentObject()->getRefId()
411 && !isset($inherit_post[$obj_id])
412 && !$this->rbacreview->isBlockedAtPosition($obj_id, $this->getCurrentObject()->getRefId())
413 ) {
414 ilLoggerFactory::getLogger('ac')->debug('Stop local policy for: ' . $role['obj_id']);
415 $role_obj = ilObjectFactory::getInstanceByObjId($obj_id);
416 $role_obj->setParent($this->getCurrentObject()->getRefId());
417 $role_obj->delete();
418 continue;
419 }
420 // Add local policy
421 if (
422 $parent_id !== $this->getCurrentObject()->getRefId()
423 && isset($inherit_post[$obj_id])
424 ) {
425 ilLoggerFactory::getLogger('ac')->debug('Create local policy');
426 $this->rbacadmin->copyRoleTemplatePermissions(
427 $obj_id,
428 $parent_id,
429 $this->getCurrentObject()->getRefId(),
430 $obj_id
431 );
432 ilLoggerFactory::getLogger('ac')->debug('Assign role to folder');
433 $this->rbacadmin->assignRoleToFolder($obj_id, $this->getCurrentObject()->getRefId(), 'n');
434 }
435 }
436 }
437
438 // Protect permissions
439 if (ilPermissionGUI::hasContainerCommands($this->getCurrentObject()->getType())) {
440 $protected_post = $this->http->wrapper()->post()->has('protect')
441 ? $this->http->wrapper()->post()->retrieve(
442 'protect',
443 $this->refinery->kindlyTo()->dictOf($this->refinery->kindlyTo()->int())
444 )
445 : [];
446 foreach ($roles as $role) {
447 $obj_id = (int) $role['obj_id'];
448 if ($this->rbacreview->isAssignable($obj_id, $this->getCurrentObject()->getRefId())) {
449 if (isset($protected_post[$obj_id]) &&
450 !$this->rbacreview->isProtected($this->getCurrentObject()->getRefId(), $obj_id)) {
451 $this->rbacadmin->setProtected($this->getCurrentObject()->getRefId(), $obj_id, 'y');
452 } elseif (!isset($protected_post[$obj_id]) &&
453 $this->rbacreview->isProtected($this->getCurrentObject()->getRefId(), $obj_id)) {
454 $this->rbacadmin->setProtected($this->getCurrentObject()->getRefId(), $obj_id, 'n');
455 }
456 }
457 }
458 }
459
460 $log_new = ilRbacLog::gatherFaPa($this->getCurrentObject()->getRefId(), array_keys((array) $roles));
461 $log = ilRbacLog::diffFaPa($log_old, $log_new);
462 ilRbacLog::add(ilRbacLog::EDIT_PERMISSIONS, $this->getCurrentObject()->getRefId(), $log);
463
464 $blocked_info = $this->getModifiedBlockedSettings();
465 ilLoggerFactory::getLogger('ac')->debug('Blocked settings: ' . print_r($blocked_info, true));
466 if ($blocked_info['num'] > 0) {
467 $this->showConfirmBlockRole($blocked_info);
468 return;
469 }
470 $this->tpl->setOnScreenMessage('success', $this->lng->txt('settings_saved'), true);
471 $this->ctrl->redirect($this, 'perm');
472 }
473
474 private function showConfirmBlockRole(array $a_blocked_info): void
475 {
476 $info = '';
477 if ($a_blocked_info['new_blocked']) {
478 $info .= $this->lng->txt('role_confirm_block_role_info');
479 if ($a_blocked_info['new_unblocked']) {
480 $info .= '<br /><br />';
481 }
482 }
483 if ($a_blocked_info['new_unblocked']) {
484 $info .= ('<br />' . $this->lng->txt('role_confirm_unblock_role_info'));
485 }
486
487 $this->tpl->setOnScreenMessage('info', $info);
488
489 $confirm = new ilConfirmationGUI();
490 $confirm->setFormAction($this->ctrl->getFormAction($this));
491 $confirm->setHeaderText($this->lng->txt('role_confirm_block_role_header'));
492 $confirm->setConfirm($this->lng->txt('role_confirm_block_role'), 'modifyBlockRoles');
493 $confirm->setCancel($this->lng->txt('cancel'), 'perm');
494
495 foreach ($a_blocked_info['new_blocked'] as $role_id) {
496 $confirm->addItem(
497 'new_block[]',
498 (string) $role_id,
499 ilObjRole::_getTranslation(ilObject::_lookupTitle($role_id)) . ' ' . $this->lng->txt('role_blocked')
500 );
501 }
502 foreach ($a_blocked_info['new_unblocked'] as $role_id) {
503 $confirm->addItem(
504 'new_unblock[]',
505 (string) $role_id,
506 ilObjRole::_getTranslation(ilObject::_lookupTitle($role_id)) . ' ' . $this->lng->txt('role_unblocked')
507 );
508 }
509 $this->tpl->setContent($confirm->getHTML());
510 }
511
512 private function modifyBlockRoles(): void
513 {
514 $this->blockRoles(
515 $this->http->wrapper()->post()->has('new_block')
516 ? $this->http->wrapper()->post()->retrieve(
517 'new_block',
518 $this->refinery->kindlyTo()->dictOf($this->refinery->kindlyTo()->int())
519 )
520 : []
521 );
522 $this->unblockRoles($this->http->wrapper()->post()->has('new_unblock')
523 ? $this->http->wrapper()->post()->retrieve(
524 'new_unblock',
525 $this->refinery->kindlyTo()->dictOf($this->refinery->kindlyTo()->int())
526 )
527 : []);
528
529 $this->tpl->setOnScreenMessage('info', $this->lng->txt('settings_saved'));
530 $this->ctrl->redirect($this, 'perm');
531 }
532
533 private function unblockRoles(array $roles): void
534 {
535 foreach ($roles as $role) {
536 // delete local policy
537 ilLoggerFactory::getLogger('ac')->debug('Stop local policy for: ' . $role);
538 $role_obj = ilObjectFactory::getInstanceByObjId($role);
539 $role_obj->setParent($this->getCurrentObject()->getRefId());
540 $role_obj->delete();
541
542 $role_obj->changeExistingObjects(
543 $this->getCurrentObject()->getRefId(),
544 ilObjRole::MODE_UNPROTECTED_KEEP_LOCAL_POLICIES,
545 ['all']
546 );
547
548 // finally set blocked status
549 $this->rbacadmin->setBlockedStatus(
550 $role,
551 $this->getCurrentObject()->getRefId(),
552 false
553 );
554 }
555 }
556
557 private function blockRoles(array $roles): void
558 {
559 foreach ($roles as $role) {
560 // Set assign to 'y' only if it is a local role
561 $assign = $this->rbacreview->isAssignable($role, $this->getCurrentObject()->getRefId()) ? 'y' : 'n';
562
563 // Delete permissions
564 $this->rbacadmin->revokeSubtreePermissions($this->getCurrentObject()->getRefId(), $role);
565
566 // Delete template permissions
567 $this->rbacadmin->deleteSubtreeTemplates($this->getCurrentObject()->getRefId(), $role);
568
569 $this->rbacadmin->assignRoleToFolder(
570 $role,
571 $this->getCurrentObject()->getRefId(),
572 $assign
573 );
574
575 // finally set blocked status
576 $this->rbacadmin->setBlockedStatus(
577 $role,
578 $this->getCurrentObject()->getRefId(),
579 true
580 );
581 }
582 }
583
584 public static function hasContainerCommands(string $a_type): bool
585 {
586 global $DIC;
587
588 $objDefinition = $DIC['objDefinition'];
589 return $objDefinition->isContainer($a_type) && $a_type != 'root' && $a_type != 'adm' && $a_type != 'rolf';
590 }
591
592 private function displayImportRoleForm(?ilPropertyFormGUI $form = null): void
593 {
594 $this->tabs->clearTargets();
595
596 if (!$form) {
597 $form = $this->initImportForm();
598 }
599 $this->tpl->setContent($form->getHTML());
600 }
601
602 private function doImportRole(): void
603 {
604 $form = $this->initImportForm();
605 if ($form->checkInput()) {
606 try {
607 // For global roles set import id to parent of current ref_id (adm)
608 $imp = new ilImport($this->getCurrentObject()->getRefId());
609 $imp->getMapping()->addMapping(
610 'components/ILIAS/AccessControl',
611 'rolf',
612 '0',
613 (string) $this->getCurrentObject()->getRefId()
614 );
615
616 $imp->importObject(
617 null,
618 $_FILES["importfile"]["tmp_name"],
619 $_FILES["importfile"]["name"],
620 'role'
621 );
622 $this->tpl->setOnScreenMessage('success', $this->lng->txt('rbac_role_imported'), true);
623 $this->ctrl->redirect($this, 'perm');
624 return;
625 } catch (Exception $e) {
626 $this->tpl->setOnScreenMessage('failure', $e->getMessage());
627 $form->setValuesByPost();
628 $this->displayImportRoleForm($form);
629 return;
630 }
631 }
632 $form->setValuesByPost();
633 $this->tpl->setOnScreenMessage('failure', $this->lng->txt('err_check_input'));
634 $this->displayImportRoleForm($form);
635 }
636
637 private function initImportForm(): ilPropertyFormGUI
638 {
639 $form = new ilPropertyFormGUI();
640 $form->setFormAction($this->ctrl->getFormAction($this));
641 $form->setTitle($this->lng->txt('rbac_import_role'));
642 $form->addCommandButton('doImportRole', $this->lng->txt('import'));
643 $form->addCommandButton('perm', $this->lng->txt('cancel'));
644
645 $zip = new ilFileInputGUI($this->lng->txt('import_file'), 'importfile');
646 $zip->setRequired(true);
647 $zip->setSuffixes(['zip']);
648 $form->addItem($zip);
649
650 return $form;
651 }
652
653 private function initRoleForm(): ilPropertyFormGUI
654 {
655 $form = new ilPropertyFormGUI();
656 $form->setFormAction($this->ctrl->getFormAction($this));
657 $form->setTitle($this->lng->txt('role_new'));
658 $form->addCommandButton('addrole', $this->lng->txt('role_new'));
659 $form->addCommandButton('perm', $this->lng->txt('cancel'));
660
661 $title = new ilTextInputGUI($this->lng->txt('title'), 'title');
662 $title->setValidationRegexp('/^(?!il_).*$/');
663 $title->setValidationFailureMessage($this->lng->txt('msg_role_reserved_prefix'));
664 $title->setSize(40);
665 $title->setMaxLength(70);
666 $title->setRequired(true);
667 $form->addItem($title);
668
669 $desc = new ilTextAreaInputGUI($this->lng->txt('description'), 'desc');
670 $desc->setCols(40);
671 $desc->setRows(3);
672 $form->addItem($desc);
673
674 $pro = new ilCheckboxInputGUI($this->lng->txt('role_protect_permissions'), 'pro');
675 $pro->setInfo($this->lng->txt('role_protect_permissions_desc'));
676 $pro->setValue("1");
677 $form->addItem($pro);
678
679 $pd = new ilCheckboxInputGUI($this->lng->txt('rbac_add_recommended_content'), 'desktop');
680 $pd->setInfo(
681 str_replace(
682 "%1",
683 $this->getCurrentObject()->getTitle(),
684 $this->lng->txt('rbac_add_recommended_content_info')
685 )
686 );
687 $pd->setValue((string) 1);
688 $form->addItem($pd);
689
690 if (!$this->isInAdministration()) {
691 $rights = new ilRadioGroupInputGUI($this->lng->txt("rbac_role_rights_copy"), 'rights');
692 $option = new ilRadioOption($this->lng->txt("rbac_role_rights_copy_empty"), (string) 0);
693 $rights->addOption($option);
694
695 $parent_role_ids = $this->rbacreview->getParentRoleIds($this->gui_obj->getObject()->getRefId(), true);
696 $ids = [];
697 foreach (array_keys($parent_role_ids) as $id) {
698 $ids[] = $id;
699 }
700
701 // Sort ids
702 $sorted_ids = ilUtil::_sortIds($ids, 'object_data', 'type DESC,title', 'obj_id');
703
704 $key = 0;
705 foreach ($sorted_ids as $id) {
706 $par = $parent_role_ids[$id];
707 if ($par["obj_id"] != SYSTEM_ROLE_ID) {
708 $option = new ilRadioOption(
709 ($par["type"] == 'role' ? $this->lng->txt('obj_role') : $this->lng->txt(
710 'obj_rolt'
711 )) . ": " . ilObjRole::_getTranslation($par["title"]),
712 (string) $par["obj_id"]
713 );
714 $option->setInfo($par["desc"] ?? '');
715 $rights->addOption($option);
716 }
717 $key++;
718 }
719 $form->addItem($rights);
720 }
721
722 // Local policy only for containers
723 if ($this->object_definition->isContainer($this->getCurrentObject()->getType())) {
724 $check = new ilCheckboxInputGUI($this->lng->txt("rbac_role_rights_copy_change_existing"), 'existing');
725 $check->setInfo($this->lng->txt('rbac_change_existing_objects_desc_new_role'));
726 $form->addItem($check);
727 }
728 return $form;
729 }
730
731 public function displayAddRoleForm(): void
732 {
733 $this->tabs->clearTargets();
734 $form = $this->initRoleForm();
735 $this->tpl->setContent($form->getHTML());
736 }
737
744 public function addRole(): void
745 {
746 $form = $this->initRoleForm();
747 if ($form->checkInput()) {
748 $new_title = $form->getInput("title");
749
750 $role = new ilObjRole();
751 $role->setTitle($new_title);
752 $role->setDescription($form->getInput('desc'));
753 $role->create();
754
755 $this->rbacadmin->assignRoleToFolder($role->getId(), $this->getCurrentObject()->getRefId());
756
757 // protect
758 $this->rbacadmin->setProtected(
759 $this->getCurrentObject()->getRefId(),
760 $role->getId(),
761 $form->getInput('pro') ? 'y' : 'n'
762 );
763
764 // copy rights
765 $right_id_to_copy = (int) $form->getInput("rights");
766 if ($right_id_to_copy) {
767 $parentRoles = $this->rbacreview->getParentRoleIds($this->getCurrentObject()->getRefId(), true);
768 $this->rbacadmin->copyRoleTemplatePermissions(
769 $right_id_to_copy,
770 $parentRoles[$right_id_to_copy]["parent"],
771 $this->getCurrentObject()->getRefId(),
772 $role->getId(),
773 false
774 );
775
776 if ($form->getInput('existing')) {
777 if ($form->getInput('pro')) {
778 $role->changeExistingObjects(
779 $this->getCurrentObject()->getRefId(),
780 ilObjRole::MODE_PROTECTED_KEEP_LOCAL_POLICIES,
781 ['all']
782 );
783 } else {
784 $role->changeExistingObjects(
785 $this->getCurrentObject()->getRefId(),
786 ilObjRole::MODE_UNPROTECTED_KEEP_LOCAL_POLICIES,
787 ['all']
788 );
789 }
790 }
791 }
792
793 // add to desktop items
794 if ($form->getInput("desktop")) {
795 $this->recommended_content_manager->addRoleRecommendation(
796 $role->getId(),
797 $this->getCurrentObject()->getRefId()
798 );
799 }
800
801 $this->tpl->setOnScreenMessage('success', $this->lng->txt("role_added"), true);
802 $this->ctrl->redirect($this, 'perm');
803 } else {
804 $form->setValuesByPost();
805 $this->tpl->setContent($form->getHTML());
806 }
807 }
808
809 private function getModifiedBlockedSettings(): array
810 {
811 $blocked_info['new_blocked'] = [];
812 $blocked_info['new_unblocked'] = [];
813 $blocked_info['num'] = 0;
814 $visible_block = $this->http->wrapper()->post()->has('visible_block')
815 ? $this->http->wrapper()->post()->retrieve(
816 'visible_block',
817 $this->refinery->kindlyTo()->dictOf($this->refinery->kindlyTo()->int())
818 )
819 : [];
820 $block_post = $this->http->wrapper()->post()->has('block')
821 ? $this->http->wrapper()->post()->retrieve(
822 'block',
823 $this->refinery->kindlyTo()->dictOf($this->refinery->kindlyTo()->int())
824 )
825 : [];
826
827
828 foreach ($visible_block as $role => $one) {
829 $blocked = $this->rbacreview->isBlockedAtPosition($role, $this->getCurrentObject()->getRefId());
830 if (isset($block_post[$role]) && !$blocked) {
831 $blocked_info['new_blocked'][] = $role;
832 $blocked_info['num']++;
833 }
834 if (!isset($block_post[$role]) && $blocked) {
835 $blocked_info['new_unblocked'][] = $role;
836 $blocked_info['num']++;
837 }
838 }
839 return $blocked_info;
840 }
841
842 public function permPositions(): void
843 {
844 $perm = self::CMD_PERM_POSITIONS;
845 $this->__initSubTabs($perm);
846
847 $ref_id = $this->getCurrentObject()->getRefId();
848 $table = new ilOrgUnitPermissionTableGUI($this, $perm, $ref_id);
849 $table->collectData();
850 $this->tpl->setContent($table->getHTML());
851 }
852
853 public function savePositionsPermissions(): void
854 {
855 $this->__initSubTabs(self::CMD_PERM_POSITIONS);
856
857 $positions = $this->getPositionRepo()->getArray(null, 'id');
858 $ref_id = $this->getCurrentObject()->getRefId();
859
860 $positions_with_local_perms_from_post = $this->http->wrapper()->post()->has('local')
861 ? $this->http->wrapper()->post()->retrieve(
862 'local',
863 $this->refinery->kindlyTo()->dictOf($this->refinery->kindlyTo()->int())
864 )
865 : [];
866
867 foreach ($positions as $position_id) {
868 if (isset($positions_with_local_perms_from_post[$position_id])) {
869 $this->getPermissionRepo()->get($ref_id, $position_id);
870 } else {
871 $this->getPermissionRepo()->delete($ref_id, $position_id);
872 }
873 }
874
875 $position_perm_post = $this->http->wrapper()->post()->has('position_perm')
876 ? $this->http->wrapper()->post()->retrieve(
877 'position_perm',
878 $this->refinery->kindlyTo()->dictOf(
879 $this->refinery->kindlyTo()->dictOf(
880 $this->refinery->kindlyTo()->int()
881 )
882 )
883 )
884 : [];
885
886 foreach ($position_perm_post as $position_id => $ops) {
887 if (!isset($positions_with_local_perms_from_post[$position_id])) {
888 continue;
889 }
890 $org_unit_permissions = $this->getPermissionRepo()->getLocalorDefault($ref_id, $position_id);
891 if (!$org_unit_permissions->isTemplate()) {
892 $new_ops = [];
893 foreach ($ops as $op_id => $op) {
894 $new_ops[] = $this->getOperationRepo()->getById($op_id);
895 }
896 $org_unit_permissions = $this->getPermissionRepo()->store(
897 $org_unit_permissions->withOperations($new_ops)
898 );
899 }
900 }
901
902 foreach (array_keys($positions_with_local_perms_from_post) as $position_id_from_post) {
903 if (array_key_exists($position_id_from_post, $position_perm_post)) {
904 continue;
905 }
906 $org_unit_permissions = $this->getPermissionRepo()->find($ref_id, $position_id_from_post);
907 if ($org_unit_permissions !== null && !$org_unit_permissions->isTemplate()) {
908 $this->getPermissionRepo()->store($org_unit_permissions->withOperations([]));
909 }
910 }
911
912 $this->tpl->setOnScreenMessage('success', $this->lng->txt('settings_saved'), true);
913 $this->ctrl->redirect($this, self::CMD_PERM_POSITIONS);
914 }
915
916 public function owner(): void
917 {
918 $this->__initSubTabs('owner');
919
920 $this->tpl->setOnScreenMessage('info', $this->lng->txt('chown_warning'));
921
922 $form = new ilPropertyFormGUI();
923 $form->setFormAction($this->ctrl->getFormAction($this, 'owner'));
924 $form->setTitle($this->lng->txt('info_owner_of_object'));
925
926 $login = new ilTextInputGUI($this->lng->txt('login'), 'owner');
927 $login->setDataSource(
928 $this->ctrl->getLinkTargetByClass(
929 [
930 $this::class,
931 ilRepositorySearchGUI::class
932 ],
933 'doUserAutoComplete',
934 '',
935 true
936 )
937 );
938 $login->setRequired(true);
939 $login->setSize(50);
940 $login->setValue(ilObjUser::_lookupLogin($this->gui_obj->getObject()->getOwner()));
941 $form->addItem($login);
942 $form->addCommandButton("changeOwner", $this->lng->txt("change_owner"));
943 $this->tpl->setContent($form->getHTML());
944 }
945
946 public function changeOwner(): void
947 {
948 $owner = '';
949 if ($this->http->wrapper()->post()->has('owner')) {
950 $owner = $this->http->wrapper()->post()->retrieve(
951 'owner',
952 $this->refinery->kindlyTo()->string()
953 );
954 }
955 if (!$user_id = ilObjUser::_lookupId($owner)) {
956 $this->tpl->setOnScreenMessage('failure', $this->lng->txt('user_not_known'));
957 $this->owner();
958 return;
959 }
960
961 // no need to change?
962 if ($user_id != $this->gui_obj->getObject()->getOwner()) {
963 $this->gui_obj->getObject()->setOwner($user_id);
964 $this->gui_obj->getObject()->updateOwner();
965 $this->objectDataCache->deleteCachedEntry($this->gui_obj->getObject()->getId());
966
967 if (ilRbacLog::isActive()) {
968 ilRbacLog::add(ilRbacLog::CHANGE_OWNER, $this->gui_obj->getObject()->getRefId(), [$user_id]);
969 }
970 }
971
972 $this->tpl->setOnScreenMessage('success', $this->lng->txt('owner_updated'), true);
973
974 if (!$this->rbacsystem->checkAccess("edit_permission", $this->gui_obj->getObject()->getRefId())) {
975 $this->ctrl->redirect($this->gui_obj);
976 return;
977 }
978 $this->ctrl->redirect($this, 'owner');
979 }
980
981 private function __initSubTabs(string $a_cmd): void
982 {
983 $perm = $a_cmd === 'perm';
984 $perm_positions = $a_cmd === ilPermissionGUI::CMD_PERM_POSITIONS;
985 $info = $a_cmd === 'perminfo';
986 $owner = $a_cmd === 'owner';
987 $log = $a_cmd === 'log';
988
989 $this->tabs->addSubTabTarget(
990 "permission_settings",
991 $this->ctrl->getLinkTarget($this, "perm"),
992 "",
993 "",
994 "",
995 $perm
996 );
997
998 if (ilOrgUnitGlobalSettings::getInstance()->isPositionAccessActiveForObject($this->gui_obj->getObject()->getId())) {
999 $this->tabs->addSubTabTarget(
1000 self::TAB_POSITION_PERMISSION_SETTINGS,
1001 $this->ctrl->getLinkTarget($this, ilPermissionGUI::CMD_PERM_POSITIONS),
1002 "",
1003 "",
1004 "",
1005 $perm_positions
1006 );
1007 }
1008
1009 $this->tabs->addSubTabTarget(
1010 "info_status_info",
1011 $this->ctrl->getLinkTargetByClass([get_class($this), "ilobjectpermissionstatusgui"], "perminfo"),
1012 "",
1013 "",
1014 "",
1015 $info
1016 );
1017 $this->tabs->addSubTabTarget(
1018 "owner",
1019 $this->ctrl->getLinkTarget($this, "owner"),
1020 "",
1021 "",
1022 "",
1023 $owner
1024 );
1025
1026 if (ilRbacLog::isActive()) {
1027 $this->tabs->addSubTabTarget(
1028 "rbac_log",
1029 $this->ctrl->getLinkTarget($this, 'log'),
1030 "",
1031 "",
1032 "",
1033 $log
1034 );
1035 }
1036 }
1037
1038 public function log(): void
1039 {
1040 if (!ilRbacLog::isActive()) {
1041 $this->ctrl->redirect($this, 'perm');
1042 }
1043
1044 $this->__initSubTabs('log');
1045
1046 $table = new Table(
1047 new ilRbacLog($this->db),
1048 $this->ui_factory,
1049 $this->data_factory,
1050 $this->lng,
1051 $this->ctrl,
1052 $this->ui_service,
1053 $this->object_definition,
1054 $this->http->request(),
1055 $this->rbacreview,
1056 $this->user,
1057 $this->gui_obj
1058 );
1059 $this->tpl->setContent($this->ui_renderer->render(
1060 $table->getTableAndFilter()
1061 ));
1062 }
1063}
$id
$id
plugin.php for ilComponentBuildPluginInfoObjectiveTest::testAddPlugins
Definition: plugin.php:23
$rights
$rights
Definition: LOMStructure.php:396
$check
$check
Definition: buildRTE.php:81
ILIAS\Data\Color\Factory
Builds a Color from either hex- or rgb values.
Definition: Factory.php:31
ILIAS\Data\Factory
Builds data types.
Definition: Factory.php:36
ilCheckboxInputGUI
This class represents a checkbox property in a property form.
Definition: class.ilCheckboxInputGUI.php:28
ilConfirmationGUI
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: class.ilConfirmationGUI.php:27
ilCtrl
Class ilCtrl provides processing control methods.
Definition: class.ilCtrl.php:36
ilDidacticTemplateGUI
GUI class for didactic template settings inside repository objects.
Definition: class.ilDidacticTemplateGUI.php:28
ilErrorHandling
Error Handling & global info handling.
Definition: class.ilErrorHandling.php:38
ilFileInputGUI
This class represents a file property in a property form.
Definition: class.ilFileInputGUI.php:32
ilImport
Import class.
Definition: class.ilImport.php:39
ilLanguage
language handling
Definition: class.ilLanguage.php:43
ilLoggerFactory\getLogger
static getLogger(string $a_component_id)
Get component logger.
Definition: class.ilLoggerFactory.php:89
ilObjRoleGUI
Class ilObjRoleGUI.
Definition: class.ilObjRoleGUI.php:36
ilObjRole
Class ilObjRole.
Definition: class.ilObjRole.php:27
ilObjRole\MODE_UNPROTECTED_KEEP_LOCAL_POLICIES
const MODE_UNPROTECTED_KEEP_LOCAL_POLICIES
Definition: class.ilObjRole.php:31
ilObjRole\MODE_PROTECTED_KEEP_LOCAL_POLICIES
const MODE_PROTECTED_KEEP_LOCAL_POLICIES
Definition: class.ilObjRole.php:29
ilObjRole\_getTranslation
static _getTranslation(string $a_role_title)
Definition: class.ilObjRole.php:364
ilObjUser
User class.
Definition: class.ilObjUser.php:48
ilObjUser\_lookupId
static _lookupId(string|array $a_user_str)
Definition: class.ilObjUser.php:2821
ilObjUser\_lookupLogin
static _lookupLogin(int $a_user_id)
Definition: class.ilObjUser.php:2634
ilObjectDataCache
class ilObjectDataCache
Definition: class.ilObjectDataCache.php:30
ilObjectDefinition
parses the objects.xml it handles the xml-description of all ilias objects
Definition: class.ilObjectDefinition.php:29
ilObjectFactory\getInstanceByObjId
static getInstanceByObjId(?int $obj_id, bool $stop_on_error=true)
get an instance of an Ilias object by object id
Definition: class.ilObjectFactory.php:84
ilObjectGUI
Class ilObjectGUI Basic methods of all Output classes.
Definition: class.ilObjectGUI.php:49
ilObjectPermissionStatusGUI
This class displays the permission status of a user concerning a specific object.
Definition: class.ilObjectPermissionStatusGUI.php:29
ilObject\_lookupTitle
static _lookupTitle(int $obj_id)
Definition: class.ilObject.php:854
ilOrgUnitPermissionTableGUI
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: class.ilOrgUnitPermissionTableGUI.php:24
ilPermissionGUI\hasContainerCommands
static hasContainerCommands(string $a_type)
Definition: class.ilPermissionGUI.php:584
ilPermissionGUI\unblockRoles
unblockRoles(array $roles)
Definition: class.ilPermissionGUI.php:533
ilPermissionGUI\applyRoleFilter
applyRoleFilter(array $a_roles, int $a_filter_id)
Definition: class.ilPermissionGUI.php:267
ilPermissionGUI\$object_definition
ilObjectDefinition $object_definition
Definition: class.ilPermissionGUI.php:52
ilPermissionGUI\$positionRepo
ilOrgUnitPositionDBRepository $positionRepo
Definition: class.ilPermissionGUI.php:44
ilPermissionGUI\$ilErr
ilErrorHandling $ilErr
Definition: class.ilPermissionGUI.php:49
ilPermissionGUI\executeCommand
executeCommand()
Execute command.
Definition: class.ilPermissionGUI.php:141
ilPermissionGUI\__initSubTabs
__initSubTabs(string $a_cmd)
Definition: class.ilPermissionGUI.php:981
ilPermissionGUI\perm
perm(?ilTable2GUI $table=null)
Definition: class.ilPermissionGUI.php:194
ilPermissionGUI\showConfirmBlockRole
showConfirmBlockRole(array $a_blocked_info)
Definition: class.ilPermissionGUI.php:474
ilPermissionGUI\$operationRepo
ilOrgUnitOperationDBRepository $operationRepo
Definition: class.ilPermissionGUI.php:46
ilPermissionGUI\$tpl
ilGlobalTemplateInterface $tpl
Definition: class.ilPermissionGUI.php:53
ilPermissionGUI\$http
GlobalHttpState $http
Definition: class.ilPermissionGUI.php:60
ilPermissionGUI\displayImportRoleForm
displayImportRoleForm(?ilPropertyFormGUI $form=null)
Definition: class.ilPermissionGUI.php:592
ilPermissionGUI\$permissionRepo
ilOrgUnitPermissionDBRepository $permissionRepo
Definition: class.ilPermissionGUI.php:45
ilPermissionGUI\isInAdministration
isInAdministration()
Check if node is subobject of administration folder.
Definition: class.ilPermissionGUI.php:246
ilPermissionGUI\$recommended_content_manager
ilRecommendedContentManager $recommended_content_manager
Definition: class.ilPermissionGUI.php:43
ilPermissionGUI\$objectDataCache
ilObjectDataCache $objectDataCache
Definition: class.ilPermissionGUI.php:58
ilPermissionGUI\addRole
addRole()
adds a local role This method is only called when choose the option 'you may add local roles'.
Definition: class.ilPermissionGUI.php:744
ilPropertyFormGUI
This class represents a property form user interface.
Definition: class.ilPropertyFormGUI.php:32
ilRadioGroupInputGUI
This class represents a property in a property form.
Definition: class.ilRadioGroupInputGUI.php:28
ilRadioOption
This class represents an option in a radio group.
Definition: class.ilRadioOption.php:28
ilRbacAdmin
Class ilRbacAdmin Core functions for role based access control.
Definition: class.ilRbacAdmin.php:32
ilRbacLog
class ilRbacLog Log changes in Rbac-related settings
Definition: class.ilRbacLog.php:31
ilRbacLog\EDIT_PERMISSIONS
const EDIT_PERMISSIONS
Definition: class.ilRbacLog.php:33
ilRbacLog\add
static add(int $action, int $ref_id, array $diff, bool $source_ref_id=false)
Definition: class.ilRbacLog.php:226
ilRbacLog\CHANGE_OWNER
const CHANGE_OWNER
Definition: class.ilRbacLog.php:40
ilRbacLog\gatherFaPa
static gatherFaPa(int $ref_id, array $role_ids, bool $add_action=false)
Definition: class.ilRbacLog.php:127
ilRbacLog\diffFaPa
static diffFaPa(array $old, array $new)
Definition: class.ilRbacLog.php:160
ilRbacLog\isActive
static isActive()
Definition: class.ilRbacLog.php:122
ilRbacReview
class ilRbacReview Contains Review functions of core Rbac.
Definition: class.ilRbacReview.php:34
ilRbacReview\lookupCreateOperationIds
static lookupCreateOperationIds(array $a_type_arr)
Lookup operation ids.
Definition: class.ilRbacReview.php:1017
ilRbacSystem
class ilRbacSystem system function like checkAccess, addActiveRole ... Supporting system functions ar...
Definition: class.ilRbacSystem.php:34
ilRecommendedContentManager
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: class.ilRecommendedContentManager.php:26
ilTable2GUI
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: class.ilTable2GUI.php:26
ilTabsGUI
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: class.ilTabsGUI.php:26
ilTextAreaInputGUI
This class represents a text area property in a property form.
Definition: class.ilTextAreaInputGUI.php:28
ilTextInputGUI
This class represents a text property in a property form.
Definition: class.ilTextInputGUI.php:28
ilToolbarGUI
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: class.ilToolbarGUI.php:28
ilTree
Tree class data representation in hierachical trees using the Nested Set Model with Gaps by Joe Celco...
Definition: class.ilTree.php:30
ilUIService
Filter service.
Definition: class.ilUIService.php:29
ilUtil\_sortIds
static _sortIds(array $a_ids, string $a_table, string $a_field, string $a_id_name)
Function that sorts ids by a given table field using WHERE IN E.g: __sort(array(6,...
Definition: class.ilUtil.php:1219
SYSTEM_ROLE_ID
const SYSTEM_ROLE_ID
Definition: constants.php:29
SYSTEM_FOLDER_ID
const SYSTEM_FOLDER_ID
Definition: constants.php:35
ROLE_FOLDER_ID
const ROLE_FOLDER_ID
Definition: constants.php:34
$info
$info
Definition: entry_point.php:21
ILIAS\HTTP\GlobalHttpState
Interface GlobalHttpState.
Definition: GlobalHttpState.php:43
ILIAS\UI\Renderer
An entity that renders components to a string output.
Definition: Renderer.php:31
ilDBInterface
Interface ilDBInterface.
Definition: ilDBInterface.php:30
$ref_id
$ref_id
Definition: ltiauth.php:66
$log
$log
Definition: ltiresult.php:34
$dic
$dic
Definition: ltiresult.php:33
ILIAS\FileDelivery\http
static http()
Fetches the global http state from ILIAS.
Definition: HttpServiceAware.php:55
ILIAS\GlobalScreen\Provider\__construct
__construct(Container $dic, ilPlugin $plugin)
@inheritDoc
Definition: PluginProviderHelper.php:38
$DIC
global $DIC
Definition: shib_login.php:26