ILIAS  trunk Revision v11.0_alpha-1723-g8e69f309bab
All Data Structures Namespaces Files Functions Variables Enumerations Enumerator Modules Pages
class.ilPermissionGUI.php
Go to the documentation of this file.
1 <?php
18 declare(strict_types=1);
19 
20 use ILIAS\AccessControl\Log\Table;
21 use ILIAS\HTTP\GlobalHttpState;
22 use ILIAS\Refinery\Factory;
23 use ILIAS\UI\Factory as UIFactory;
24 use ILIAS\UI\Renderer as UIRenderer;
25 use ILIAS\Data\Factory as DataFactory;
26 
34 class ilPermissionGUI
35 {
36  public const CMD_SAVE_POSITIONS_PERMISSIONS = 'savePositionsPermissions';
37  private const CMD_PERM_POSITIONS = 'permPositions';
38  private const TAB_POSITION_PERMISSION_SETTINGS = "position_permission_settings";
39 
40  private ilObjectGUI $current_obj;
41 
42  private ilRecommendedContentManager $recommended_content_manager;
43  private ilOrgUnitPositionDBRepository $positionRepo;
44  private ilOrgUnitPermissionDBRepository $permissionRepo;
45  private ilOrgUnitOperationDBRepository $operationRepo;
46 
47  private ilObjectGUI $gui_obj;
48  private ilErrorHandling $ilErr;
49  private ilCtrl $ctrl;
50  private ilLanguage $lng;
51  private ilObjectDefinition $object_definition;
52  private ilGlobalTemplateInterface $tpl;
53  private ilUIService $ui_service;
54  private ilRbacSystem $rbacsystem;
55  private ilRbacReview $rbacreview;
56  private ilRbacAdmin $rbacadmin;
57  private ilObjectDataCache $objectDataCache;
58  private ilTabsGUI $tabs;
59  private GlobalHttpState $http;
60  private Factory $refinery;
61  private ilToolbarGUI $toolbar;
62  private UIFactory $ui_factory;
63  private UIRenderer $ui_renderer;
64  private DataFactory $data_factory;
65  private ilDBInterface $db;
66  private ilObjUser $user;
67  private ilTree $tree;
68 
69  public function __construct(ilObjectGUI $a_gui_obj)
70  {
72  global $DIC;
73 
74  $this->object_definition = $DIC['objDefinition'];
75  $this->ui_service = $DIC->uiService();
76  $this->objectDataCache = $DIC['ilObjDataCache'];
77  $this->tpl = $DIC['tpl'];
78  $this->lng = $DIC['lng'];
79  $this->ctrl = $DIC['ilCtrl'];
80  $this->rbacsystem = $DIC['rbacsystem'];
81  $this->rbacreview = $DIC['rbacreview'];
82  $this->rbacadmin = $DIC['rbacadmin'];
83  $this->tabs = $DIC['ilTabs'];
84  $this->ilErr = $DIC['ilErr'];
85  $this->http = $DIC['http'];
86  $this->refinery = $DIC['refinery'];
87  $this->toolbar = $DIC['ilToolbar'];
88  $this->ui_factory = $DIC['ui.factory'];
89  $this->ui_renderer = $DIC['ui.renderer'];
90  $this->db = $DIC['ilDB'];
91  $this->user = $DIC['ilUser'];
92  $this->tree = $DIC['tree'];
93 
94  $this->data_factory = new DataFactory();
95  $this->recommended_content_manager = new ilRecommendedContentManager();
96 
97  $this->lng->loadLanguageModule('rbac');
98  $this->gui_obj = $a_gui_obj;
99  $this->tabs->activateTab('perm_settings');
100  }
101 
102  private function getPositionRepo(): ilOrgUnitPositionDBRepository
103  {
104  if (!isset($this->positionRepo)) {
105  $dic = ilOrgUnitLocalDIC::dic();
106  $this->positionRepo = $dic["repo.Positions"];
107  }
108 
109  return $this->positionRepo;
110  }
111 
112  private function getPermissionRepo(): ilOrgUnitPermissionDBRepository
113  {
114  if (!isset($this->permissionRepo)) {
115  $dic = ilOrgUnitLocalDIC::dic();
116  $this->permissionRepo = $dic["repo.Permissions"];
117  }
118 
119  return $this->permissionRepo;
120  }
121 
122  private function getOperationRepo(): ilOrgUnitOperationDBRepository
123  {
124  if (!isset($this->operationRepo)) {
125  $dic = ilOrgUnitLocalDIC::dic();
126  $this->operationRepo = $dic["repo.Operations"];
127  }
128 
129  return $this->operationRepo;
130  }
131 
137  public function executeCommand(): void
138  {
139  // access to all functions in this class are only allowed if edit_permission is granted
140  if (!$this->rbacsystem->checkAccess("edit_permission", $this->gui_obj->getObject()->getRefId())) {
141  $this->tpl->setOnScreenMessage('failure', $this->lng->txt('permission_denied'), true);
142  $this->ctrl->redirect($this->gui_obj);
143  }
144  $next_class = $this->ctrl->getNextClass($this);
145  switch ($next_class) {
146  case "ilobjrolegui":
147 
148  $role_id = 0;
149  if ($this->http->wrapper()->query()->has('obj_id')) {
150  $role_id = $this->http->wrapper()->query()->retrieve(
151  'obj_id',
152  $this->refinery->kindlyTo()->int()
153  );
154  }
155  $this->ctrl->setReturn($this, 'perm');
156  $this->gui_obj = new ilObjRoleGUI("", $role_id, false, false);
157  $this->ctrl->forwardCommand($this->gui_obj);
158  break;
159 
160  case 'ildidactictemplategui':
161  $this->ctrl->setReturn($this, 'perm');
162  $did = new ilDidacticTemplateGUI($this->gui_obj);
163  $this->ctrl->forwardCommand($did);
164  break;
165 
166  case 'ilrepositorysearchgui':
167  // used for owner autocomplete
168  $rep_search = new ilRepositorySearchGUI();
169  $this->ctrl->forwardCommand($rep_search);
170  break;
171 
172  case 'ilobjectpermissionstatusgui':
173  $this->__initSubTabs("perminfo");
174  $perm_stat = new ilObjectPermissionStatusGUI($this->gui_obj->getObject());
175  $this->ctrl->forwardCommand($perm_stat);
176  break;
177 
178  default:
179  $cmd = $this->ctrl->getCmd();
180  $this->$cmd();
181  break;
182  }
183  }
184 
185  public function getCurrentObject(): object
186  {
187  return $this->gui_obj->getObject();
188  }
189 
190  public function perm(?ilTable2GUI $table = null): void
191  {
192  $dtpl = new ilDidacticTemplateGUI($this->gui_obj);
193  if ($dtpl->appendToolbarSwitch(
194  $this->toolbar,
195  $this->getCurrentObject()->getType(),
196  $this->getCurrentObject()->getRefId()
197  )) {
198  $this->toolbar->addSeparator();
199  }
200 
201  if ($this->object_definition->hasLocalRoles($this->getCurrentObject()->getType()) && !$this->isAdministrationObject()
202  ) {
203  $this->toolbar->setFormAction($this->ctrl->getFormActionByClass(ilDidacticTemplateGUI::class));
204 
205  if (!$this->isAdminRoleFolder()) {
206  $this->toolbar->addComponent(
207  $this->ui_factory->link()->standard(
208  $this->lng->txt('rbac_add_new_local_role'),
209  $this->ctrl->getLinkTarget($this, 'displayAddRoleForm')
210  )
211  );
212  }
213  $this->toolbar->addComponent(
214  $this->ui_factory->link()->standard(
215  $this->lng->txt('rbac_import_role'),
216  $this->ctrl->getLinkTarget($this, 'displayImportRoleForm')
217  )
218  );
219  }
220  $this->__initSubTabs("perm");
221 
222  if (!$table instanceof ilTable2GUI) {
223  $table = new ilObjectRolePermissionTableGUI($this, 'perm', $this->getCurrentObject()->getRefId());
224  }
225  $table->parse();
226  $this->tpl->setContent($table->getHTML());
227  }
228 
229  private function isAdminRoleFolder(): bool
230  {
231  return $this->getCurrentObject()->getRefId() == ROLE_FOLDER_ID;
232  }
233 
234  private function isAdministrationObject(): bool
235  {
236  return $this->getCurrentObject()->getType() == 'adm';
237  }
238 
242  private function isInAdministration(): bool
243  {
244  return $this->tree->isGrandChild(SYSTEM_FOLDER_ID, $this->getCurrentObject()->getRefId());
245  }
246 
247  public function applyFilter(): void
248  {
249  $table = new ilObjectRolePermissionTableGUI($this, 'perm', $this->getCurrentObject()->getRefId());
250  $table->resetOffset();
251  $table->writeFilterToSession();
252  $this->perm($table);
253  }
254 
255  public function resetFilter(): void
256  {
257  $table = new ilObjectRolePermissionTableGUI($this, 'perm', $this->getCurrentObject()->getRefId());
258  $table->resetOffset();
259  $table->resetFilter();
260  $this->perm($table);
261  }
262 
263  public function applyRoleFilter(array $a_roles, int $a_filter_id): array
264  {
265  // Always delete administrator role from view
266  if (isset($a_roles[SYSTEM_ROLE_ID])) {
267  unset($a_roles[SYSTEM_ROLE_ID]);
268  }
269 
270  switch ($a_filter_id) {
271  // all roles in context
272  case ilObjectRolePermissionTableGUI::ROLE_FILTER_ALL:
273  return $a_roles;
274 
275  // only global roles
276  case ilObjectRolePermissionTableGUI::ROLE_FILTER_GLOBAL:
277  $arr_global_roles = $this->rbacreview->getGlobalRoles();
278  $arr_remove_roles = array_diff(array_keys($a_roles), $arr_global_roles);
279  foreach ($arr_remove_roles as $role_id) {
280  unset($a_roles[$role_id]);
281  }
282  return $a_roles;
283 
284  // only local roles (all local roles in context that are not defined at ROLE_FOLDER_ID)
285  case ilObjectRolePermissionTableGUI::ROLE_FILTER_LOCAL:
286  $arr_global_roles = $this->rbacreview->getGlobalRoles();
287  foreach ($arr_global_roles as $role_id) {
288  unset($a_roles[$role_id]);
289  }
290  return $a_roles;
291 
292  // only roles which use a local policy
293  case ilObjectRolePermissionTableGUI::ROLE_FILTER_LOCAL_POLICY:
294  $arr_local_roles = $this->rbacreview->getRolesOfObject($this->getCurrentObject()->getRefId());
295  $arr_remove_roles = array_diff(array_keys($a_roles), $arr_local_roles);
296  foreach ($arr_remove_roles as $role_id) {
297  unset($a_roles[$role_id]);
298  }
299  return $a_roles;
300 
301  // only true local role defined at current position
302  case ilObjectRolePermissionTableGUI::ROLE_FILTER_LOCAL_OBJECT:
303  $arr_local_roles = $this->rbacreview->getRolesOfObject($this->getCurrentObject()->getRefId(), true);
304  $arr_remove_roles = array_diff(array_keys($a_roles), $arr_local_roles);
305  foreach ($arr_remove_roles as $role_id) {
306  unset($a_roles[$role_id]);
307  }
308  return $a_roles;
309 
310  default:
311  return $a_roles;
312  }
313  }
314 
315  protected function savePermissions(): void
316  {
317  $table = new ilObjectRolePermissionTableGUI($this, 'perm', $this->getCurrentObject()->getRefId());
318 
319  $roles = $this->applyRoleFilter(
320  $this->rbacreview->getParentRoleIds($this->getCurrentObject()->getRefId()),
321  (int) $table->getFilterItemByPostVar('role')->getValue()
322  );
323 
324  // Log history
325  $log_old = ilRbacLog::gatherFaPa($this->getCurrentObject()->getRefId(), array_keys((array) $roles));
326 
327  # all possible create permissions
328  $possible_ops_ids = $this->rbacreview->getOperationsByTypeAndClass(
329  $this->getCurrentObject()->getType(),
330  'create'
331  );
332 
333  # createable (activated) create permissions
334  $create_types = $this->object_definition->getCreatableSubObjects(
335  $this->getCurrentObject()->getType()
336  );
337  $createable_ops_ids = ilRbacReview::lookupCreateOperationIds(array_keys((array) $create_types));
338 
339  $post_perm = $this->http->wrapper()->post()->has('perm')
340  ? $this->http->wrapper()->post()->retrieve(
341  'perm',
342  $this->refinery->kindlyTo()->dictOf(
343  $this->refinery->kindlyTo()->dictOf(
344  $this->refinery->kindlyTo()->int()
345  )
346  )
347  )
348  : [];
349 
350  foreach ($roles as $role => $role_data) {
351  if ($role_data['protected']) {
352  continue;
353  }
354 
355  $new_ops = array_keys((array) ($post_perm[$role] ?? []));
356  $old_ops = $this->rbacreview->getRoleOperationsOnObject(
357  $role,
358  $this->getCurrentObject()->getRefId()
359  );
360 
361  // Add operations which were enabled and are not activated.
362  foreach ($possible_ops_ids as $create_ops_id) {
363  if (in_array($create_ops_id, $createable_ops_ids)) {
364  continue;
365  }
366  if (in_array($create_ops_id, $old_ops)) {
367  $new_ops[] = $create_ops_id;
368  }
369  }
370 
371  $this->rbacadmin->revokePermission(
372  $this->getCurrentObject()->getRefId(),
373  $role
374  );
375 
376  $this->rbacadmin->grantPermission(
377  $role,
378  array_unique($new_ops),
379  $this->getCurrentObject()->getRefId()
380  );
381  }
382 
383  if (ilPermissionGUI::hasContainerCommands($this->getCurrentObject()->getType())) {
384  $inherit_post = $this->http->wrapper()->post()->has('inherit')
385  ? $this->http->wrapper()->post()->retrieve(
386  'inherit',
387  $this->refinery->kindlyTo()->dictOf(
388  $this->refinery->kindlyTo()->bool()
389  )
390  )
391  : [];
392 
393  foreach ($roles as $role) {
394  $obj_id = (int) $role['obj_id'];
395  $parent_id = (int) $role['parent'];
396  // No action for local roles
397  if ($parent_id === $this->getCurrentObject()->getRefId() && $role['assign'] === 'y') {
398  continue;
399  }
400  // Nothing for protected roles
401  if ($role['protected']) {
402  continue;
403  }
404  // Stop local policy
405  if (
406  $parent_id === $this->getCurrentObject()->getRefId()
407  && !isset($inherit_post[$obj_id])
408  && !$this->rbacreview->isBlockedAtPosition($obj_id, $this->getCurrentObject()->getRefId())
409  ) {
410  ilLoggerFactory::getLogger('ac')->debug('Stop local policy for: ' . $role['obj_id']);
411  $role_obj = ilObjectFactory::getInstanceByObjId($obj_id);
412  $role_obj->setParent($this->getCurrentObject()->getRefId());
413  $role_obj->delete();
414  continue;
415  }
416  // Add local policy
417  if (
418  $parent_id !== $this->getCurrentObject()->getRefId()
419  && isset($inherit_post[$obj_id])
420  ) {
421  ilLoggerFactory::getLogger('ac')->debug('Create local policy');
422  $this->rbacadmin->copyRoleTemplatePermissions(
423  $obj_id,
424  $parent_id,
425  $this->getCurrentObject()->getRefId(),
426  $obj_id
427  );
428  ilLoggerFactory::getLogger('ac')->debug('Assign role to folder');
429  $this->rbacadmin->assignRoleToFolder($obj_id, $this->getCurrentObject()->getRefId(), 'n');
430  }
431  }
432  }
433 
434  // Protect permissions
435  if (ilPermissionGUI::hasContainerCommands($this->getCurrentObject()->getType())) {
436  $protected_post = $this->http->wrapper()->post()->has('protect')
437  ? $this->http->wrapper()->post()->retrieve(
438  'protect',
439  $this->refinery->kindlyTo()->dictOf($this->refinery->kindlyTo()->int())
440  )
441  : [];
442  foreach ($roles as $role) {
443  $obj_id = (int) $role['obj_id'];
444  if ($this->rbacreview->isAssignable($obj_id, $this->getCurrentObject()->getRefId())) {
445  if (isset($protected_post[$obj_id]) &&
446  !$this->rbacreview->isProtected($this->getCurrentObject()->getRefId(), $obj_id)) {
447  $this->rbacadmin->setProtected($this->getCurrentObject()->getRefId(), $obj_id, 'y');
448  } elseif (!isset($protected_post[$obj_id]) &&
449  $this->rbacreview->isProtected($this->getCurrentObject()->getRefId(), $obj_id)) {
450  $this->rbacadmin->setProtected($this->getCurrentObject()->getRefId(), $obj_id, 'n');
451  }
452  }
453  }
454  }
455 
456  $log_new = ilRbacLog::gatherFaPa($this->getCurrentObject()->getRefId(), array_keys((array) $roles));
457  $log = ilRbacLog::diffFaPa($log_old, $log_new);
458  ilRbacLog::add(ilRbacLog::EDIT_PERMISSIONS, $this->getCurrentObject()->getRefId(), $log);
459 
460  $blocked_info = $this->getModifiedBlockedSettings();
461  ilLoggerFactory::getLogger('ac')->debug('Blocked settings: ' . print_r($blocked_info, true));
462  if ($blocked_info['num'] > 0) {
463  $this->showConfirmBlockRole($blocked_info);
464  return;
465  }
466  $this->tpl->setOnScreenMessage('success', $this->lng->txt('settings_saved'), true);
467  $this->ctrl->redirect($this, 'perm');
468  }
469 
470  private function showConfirmBlockRole(array $a_blocked_info): void
471  {
472  $info = '';
473  if ($a_blocked_info['new_blocked']) {
474  $info .= $this->lng->txt('role_confirm_block_role_info');
475  if ($a_blocked_info['new_unblocked']) {
476  $info .= '<br /><br />';
477  }
478  }
479  if ($a_blocked_info['new_unblocked']) {
480  $info .= ('<br />' . $this->lng->txt('role_confirm_unblock_role_info'));
481  }
482 
483  $this->tpl->setOnScreenMessage('info', $info);
484 
485  $confirm = new ilConfirmationGUI();
486  $confirm->setFormAction($this->ctrl->getFormAction($this));
487  $confirm->setHeaderText($this->lng->txt('role_confirm_block_role_header'));
488  $confirm->setConfirm($this->lng->txt('role_confirm_block_role'), 'modifyBlockRoles');
489  $confirm->setCancel($this->lng->txt('cancel'), 'perm');
490 
491  foreach ($a_blocked_info['new_blocked'] as $role_id) {
492  $confirm->addItem(
493  'new_block[]',
494  (string) $role_id,
495  ilObjRole::_getTranslation(ilObject::_lookupTitle($role_id)) . ' ' . $this->lng->txt('role_blocked')
496  );
497  }
498  foreach ($a_blocked_info['new_unblocked'] as $role_id) {
499  $confirm->addItem(
500  'new_unblock[]',
501  (string) $role_id,
502  ilObjRole::_getTranslation(ilObject::_lookupTitle($role_id)) . ' ' . $this->lng->txt('role_unblocked')
503  );
504  }
505  $this->tpl->setContent($confirm->getHTML());
506  }
507 
508  private function modifyBlockRoles(): void
509  {
510  $this->blockRoles(
511  $this->http->wrapper()->post()->has('new_block')
512  ? $this->http->wrapper()->post()->retrieve(
513  'new_block',
514  $this->refinery->kindlyTo()->dictOf($this->refinery->kindlyTo()->int())
515  )
516  : []
517  );
518  $this->unblockRoles($this->http->wrapper()->post()->has('new_unblock')
519  ? $this->http->wrapper()->post()->retrieve(
520  'new_unblock',
521  $this->refinery->kindlyTo()->dictOf($this->refinery->kindlyTo()->int())
522  )
523  : []);
524 
525  $this->tpl->setOnScreenMessage('info', $this->lng->txt('settings_saved'));
526  $this->ctrl->redirect($this, 'perm');
527  }
528 
529  private function unblockRoles(array $roles): void
530  {
531  foreach ($roles as $role) {
532  // delete local policy
533  ilLoggerFactory::getLogger('ac')->debug('Stop local policy for: ' . $role);
534  $role_obj = ilObjectFactory::getInstanceByObjId($role);
535  $role_obj->setParent($this->getCurrentObject()->getRefId());
536  $role_obj->delete();
537 
538  $role_obj->changeExistingObjects(
539  $this->getCurrentObject()->getRefId(),
540  ilObjRole::MODE_UNPROTECTED_KEEP_LOCAL_POLICIES,
541  ['all']
542  );
543 
544  // finally set blocked status
545  $this->rbacadmin->setBlockedStatus(
546  $role,
547  $this->getCurrentObject()->getRefId(),
548  false
549  );
550  }
551  }
552 
553  private function blockRoles(array $roles): void
554  {
555  foreach ($roles as $role) {
556  // Set assign to 'y' only if it is a local role
557  $assign = $this->rbacreview->isAssignable($role, $this->getCurrentObject()->getRefId()) ? 'y' : 'n';
558 
559  // Delete permissions
560  $this->rbacadmin->revokeSubtreePermissions($this->getCurrentObject()->getRefId(), $role);
561 
562  // Delete template permissions
563  $this->rbacadmin->deleteSubtreeTemplates($this->getCurrentObject()->getRefId(), $role);
564 
565  $this->rbacadmin->assignRoleToFolder(
566  $role,
567  $this->getCurrentObject()->getRefId(),
568  $assign
569  );
570 
571  // finally set blocked status
572  $this->rbacadmin->setBlockedStatus(
573  $role,
574  $this->getCurrentObject()->getRefId(),
575  true
576  );
577  }
578  }
579 
580  public static function hasContainerCommands(string $a_type): bool
581  {
582  global $DIC;
583 
584  $objDefinition = $DIC['objDefinition'];
585  return $objDefinition->isContainer($a_type) && $a_type != 'root' && $a_type != 'adm' && $a_type != 'rolf';
586  }
587 
588  private function displayImportRoleForm(?ilPropertyFormGUI $form = null): void
589  {
590  $this->tabs->clearTargets();
591 
592  if (!$form) {
593  $form = $this->initImportForm();
594  }
595  $this->tpl->setContent($form->getHTML());
596  }
597 
598  private function doImportRole(): void
599  {
600  $form = $this->initImportForm();
601  if ($form->checkInput()) {
602  try {
603  // For global roles set import id to parent of current ref_id (adm)
604  $imp = new ilImport($this->getCurrentObject()->getRefId());
605  $imp->getMapping()->addMapping(
606  'components/ILIAS/AccessControl',
607  'rolf',
608  '0',
609  (string) $this->getCurrentObject()->getRefId()
610  );
611 
612  $imp->importObject(
613  null,
614  $_FILES["importfile"]["tmp_name"],
615  $_FILES["importfile"]["name"],
616  'role'
617  );
618  $this->tpl->setOnScreenMessage('success', $this->lng->txt('rbac_role_imported'), true);
619  $this->ctrl->redirect($this, 'perm');
620  return;
621  } catch (Exception $e) {
622  $this->tpl->setOnScreenMessage('failure', $e->getMessage());
623  $form->setValuesByPost();
624  $this->displayImportRoleForm($form);
625  return;
626  }
627  }
628  $form->setValuesByPost();
629  $this->tpl->setOnScreenMessage('failure', $this->lng->txt('err_check_input'));
630  $this->displayImportRoleForm($form);
631  }
632 
633  private function initImportForm(): ilPropertyFormGUI
634  {
635  $form = new ilPropertyFormGUI();
636  $form->setFormAction($this->ctrl->getFormAction($this));
637  $form->setTitle($this->lng->txt('rbac_import_role'));
638  $form->addCommandButton('doImportRole', $this->lng->txt('import'));
639  $form->addCommandButton('perm', $this->lng->txt('cancel'));
640 
641  $zip = new ilFileInputGUI($this->lng->txt('import_file'), 'importfile');
642  $zip->setRequired(true);
643  $zip->setSuffixes(['zip']);
644  $form->addItem($zip);
645 
646  return $form;
647  }
648 
649  private function initRoleForm(): ilPropertyFormGUI
650  {
651  $form = new ilPropertyFormGUI();
652  $form->setFormAction($this->ctrl->getFormAction($this));
653  $form->setTitle($this->lng->txt('role_new'));
654  $form->addCommandButton('addrole', $this->lng->txt('role_new'));
655  $form->addCommandButton('perm', $this->lng->txt('cancel'));
656 
657  $title = new ilTextInputGUI($this->lng->txt('title'), 'title');
658  $title->setValidationRegexp('/^(?!il_).*$/');
659  $title->setValidationFailureMessage($this->lng->txt('msg_role_reserved_prefix'));
660  $title->setSize(40);
661  $title->setMaxLength(70);
662  $title->setRequired(true);
663  $form->addItem($title);
664 
665  $desc = new ilTextAreaInputGUI($this->lng->txt('description'), 'desc');
666  $desc->setCols(40);
667  $desc->setRows(3);
668  $form->addItem($desc);
669 
670  $pro = new ilCheckboxInputGUI($this->lng->txt('role_protect_permissions'), 'pro');
671  $pro->setInfo($this->lng->txt('role_protect_permissions_desc'));
672  $pro->setValue("1");
673  $form->addItem($pro);
674 
675  $pd = new ilCheckboxInputGUI($this->lng->txt('rbac_add_recommended_content'), 'desktop');
676  $pd->setInfo(
677  str_replace(
678  "%1",
679  $this->getCurrentObject()->getTitle(),
680  $this->lng->txt('rbac_add_recommended_content_info')
681  )
682  );
683  $pd->setValue((string) 1);
684  $form->addItem($pd);
685 
686  if (!$this->isInAdministration()) {
687  $rights = new ilRadioGroupInputGUI($this->lng->txt("rbac_role_rights_copy"), 'rights');
688  $option = new ilRadioOption($this->lng->txt("rbac_role_rights_copy_empty"), (string) 0);
689  $rights->addOption($option);
690 
691  $parent_role_ids = $this->rbacreview->getParentRoleIds($this->gui_obj->getObject()->getRefId(), true);
692  $ids = [];
693  foreach (array_keys($parent_role_ids) as $id) {
694  $ids[] = $id;
695  }
696 
697  // Sort ids
698  $sorted_ids = ilUtil::_sortIds($ids, 'object_data', 'type DESC,title', 'obj_id');
699 
700  $key = 0;
701  foreach ($sorted_ids as $id) {
702  $par = $parent_role_ids[$id];
703  if ($par["obj_id"] != SYSTEM_ROLE_ID) {
704  $option = new ilRadioOption(
705  ($par["type"] == 'role' ? $this->lng->txt('obj_role') : $this->lng->txt(
706  'obj_rolt'
707  )) . ": " . ilObjRole::_getTranslation($par["title"]),
708  (string) $par["obj_id"]
709  );
710  $option->setInfo($par["desc"] ?? '');
711  $rights->addOption($option);
712  }
713  $key++;
714  }
715  $form->addItem($rights);
716  }
717 
718  // Local policy only for containers
719  if ($this->object_definition->isContainer($this->getCurrentObject()->getType())) {
720  $check = new ilCheckboxInputGUI($this->lng->txt("rbac_role_rights_copy_change_existing"), 'existing');
721  $check->setInfo($this->lng->txt('rbac_change_existing_objects_desc_new_role'));
722  $form->addItem($check);
723  }
724  return $form;
725  }
726 
727  public function displayAddRoleForm(): void
728  {
729  $this->tabs->clearTargets();
730  $form = $this->initRoleForm();
731  $this->tpl->setContent($form->getHTML());
732  }
733 
740  public function addRole(): void
741  {
742  $form = $this->initRoleForm();
743  if ($form->checkInput()) {
744  $new_title = $form->getInput("title");
745 
746  $role = new ilObjRole();
747  $role->setTitle($new_title);
748  $role->setDescription($form->getInput('desc'));
749  $role->create();
750 
751  $this->rbacadmin->assignRoleToFolder($role->getId(), $this->getCurrentObject()->getRefId());
752 
753  // protect
754  $this->rbacadmin->setProtected(
755  $this->getCurrentObject()->getRefId(),
756  $role->getId(),
757  $form->getInput('pro') ? 'y' : 'n'
758  );
759 
760  // copy rights
761  $right_id_to_copy = (int) $form->getInput("rights");
762  if ($right_id_to_copy) {
763  $parentRoles = $this->rbacreview->getParentRoleIds($this->getCurrentObject()->getRefId(), true);
764  $this->rbacadmin->copyRoleTemplatePermissions(
765  $right_id_to_copy,
766  $parentRoles[$right_id_to_copy]["parent"],
767  $this->getCurrentObject()->getRefId(),
768  $role->getId(),
769  false
770  );
771 
772  if ($form->getInput('existing')) {
773  if ($form->getInput('pro')) {
774  $role->changeExistingObjects(
775  $this->getCurrentObject()->getRefId(),
776  ilObjRole::MODE_PROTECTED_KEEP_LOCAL_POLICIES,
777  ['all']
778  );
779  } else {
780  $role->changeExistingObjects(
781  $this->getCurrentObject()->getRefId(),
782  ilObjRole::MODE_UNPROTECTED_KEEP_LOCAL_POLICIES,
783  ['all']
784  );
785  }
786  }
787  }
788 
789  // add to desktop items
790  if ($form->getInput("desktop")) {
791  $this->recommended_content_manager->addRoleRecommendation(
792  $role->getId(),
793  $this->getCurrentObject()->getRefId()
794  );
795  }
796 
797  $this->tpl->setOnScreenMessage('success', $this->lng->txt("role_added"), true);
798  $this->ctrl->redirect($this, 'perm');
799  } else {
800  $form->setValuesByPost();
801  $this->tpl->setContent($form->getHTML());
802  }
803  }
804 
805  private function getModifiedBlockedSettings(): array
806  {
807  $blocked_info['new_blocked'] = [];
808  $blocked_info['new_unblocked'] = [];
809  $blocked_info['num'] = 0;
810  $visible_block = $this->http->wrapper()->post()->has('visible_block')
811  ? $this->http->wrapper()->post()->retrieve(
812  'visible_block',
813  $this->refinery->kindlyTo()->dictOf($this->refinery->kindlyTo()->int())
814  )
815  : [];
816  $block_post = $this->http->wrapper()->post()->has('block')
817  ? $this->http->wrapper()->post()->retrieve(
818  'block',
819  $this->refinery->kindlyTo()->dictOf($this->refinery->kindlyTo()->int())
820  )
821  : [];
822 
823 
824  foreach ($visible_block as $role => $one) {
825  $blocked = $this->rbacreview->isBlockedAtPosition($role, $this->getCurrentObject()->getRefId());
826  if (isset($block_post[$role]) && !$blocked) {
827  $blocked_info['new_blocked'][] = $role;
828  $blocked_info['num']++;
829  }
830  if (!isset($block_post[$role]) && $blocked) {
831  $blocked_info['new_unblocked'][] = $role;
832  $blocked_info['num']++;
833  }
834  }
835  return $blocked_info;
836  }
837 
838  public function permPositions(): void
839  {
840  $perm = self::CMD_PERM_POSITIONS;
841  $this->__initSubTabs($perm);
842 
843  $ref_id = $this->getCurrentObject()->getRefId();
844  $table = new ilOrgUnitPermissionTableGUI($this, $perm, $ref_id);
845  $table->collectData();
846  $this->tpl->setContent($table->getHTML());
847  }
848 
849  public function savePositionsPermissions(): void
850  {
851  $this->__initSubTabs(self::CMD_PERM_POSITIONS);
852 
853  $positions = $this->getPositionRepo()->getArray(null, 'id');
854  $ref_id = $this->getCurrentObject()->getRefId();
855 
856  // handle local sets
857  $local_post = $this->http->wrapper()->post()->has('local')
858  ? $this->http->wrapper()->post()->retrieve(
859  'local',
860  $this->refinery->kindlyTo()->dictOf($this->refinery->kindlyTo()->int())
861  )
862  : [];
863 
864  foreach ($positions as $position_id) {
865  if (isset($local_post[$position_id])) {
866  $this->getPermissionRepo()->get($ref_id, $position_id);
867  } else {
868  $this->getPermissionRepo()->delete($ref_id, $position_id);
869  }
870  }
871 
872  $position_perm_post = $this->http->wrapper()->post()->has('position_perm')
873  ? $this->http->wrapper()->post()->retrieve(
874  'position_perm',
875  $this->refinery->kindlyTo()->dictOf(
876  $this->refinery->kindlyTo()->dictOf(
877  $this->refinery->kindlyTo()->int()
878  )
879  )
880  )
881  : [];
882 
883  if ($position_perm_post) { // TODO: saving an empty (enabled) set is not working, as the POST variable is empty for that set
884  foreach ($position_perm_post as $position_id => $ops) {
885  if (!isset($local_post[$position_id])) {
886  continue;
887  }
888  $ilOrgUnitPermission = $this->getPermissionRepo()->getLocalorDefault($ref_id, $position_id);
889  if (!$ilOrgUnitPermission->isTemplate()) {
890  $new_ops = [];
891  foreach ($ops as $op_id => $op) {
892  $new_ops[] = $this->getOperationRepo()->getById($op_id);
893  }
894  $ilOrgUnitPermission = $ilOrgUnitPermission->withOperations($new_ops);
895  $ilOrgUnitPermission = $this->getPermissionRepo()->store($ilOrgUnitPermission);
896  }
897  }
898  }
899  $this->tpl->setOnScreenMessage('success', $this->lng->txt('settings_saved'), true);
900  $this->ctrl->redirect($this, self::CMD_PERM_POSITIONS);
901  }
902 
903  public function owner(): void
904  {
905  $this->__initSubTabs('owner');
906 
907  $form = new ilPropertyFormGUI();
908  $form->setFormAction($this->ctrl->getFormAction($this, "owner"));
909  $form->setTitle($this->lng->txt("info_owner_of_object"));
910 
911  $login = new ilTextInputGUI($this->lng->txt("login"), "owner");
912  $login->setDataSource($this->ctrl->getLinkTargetByClass([get_class($this),
913  'ilRepositorySearchGUI'
914  ], 'doUserAutoComplete', '', true));
915  $login->setRequired(true);
916  $login->setSize(50);
917  $login->setInfo($this->lng->txt("chown_warning"));
918  $login->setValue(ilObjUser::_lookupLogin($this->gui_obj->getObject()->getOwner()));
919  $form->addItem($login);
920  $form->addCommandButton("changeOwner", $this->lng->txt("change_owner"));
921  $this->tpl->setContent($form->getHTML());
922  }
923 
924  public function changeOwner(): void
925  {
926  $owner = '';
927  if ($this->http->wrapper()->post()->has('owner')) {
928  $owner = $this->http->wrapper()->post()->retrieve(
929  'owner',
930  $this->refinery->kindlyTo()->string()
931  );
932  }
933  if (!$user_id = ilObjUser::_lookupId($owner)) {
934  $this->tpl->setOnScreenMessage('failure', $this->lng->txt('user_not_known'));
935  $this->owner();
936  return;
937  }
938 
939  // no need to change?
940  if ($user_id != $this->gui_obj->getObject()->getOwner()) {
941  $this->gui_obj->getObject()->setOwner($user_id);
942  $this->gui_obj->getObject()->updateOwner();
943  $this->objectDataCache->deleteCachedEntry($this->gui_obj->getObject()->getId());
944 
945  if (ilRbacLog::isActive()) {
946  ilRbacLog::add(ilRbacLog::CHANGE_OWNER, $this->gui_obj->getObject()->getRefId(), [$user_id]);
947  }
948  }
949 
950  $this->tpl->setOnScreenMessage('success', $this->lng->txt('owner_updated'), true);
951 
952  if (!$this->rbacsystem->checkAccess("edit_permission", $this->gui_obj->getObject()->getRefId())) {
953  $this->ctrl->redirect($this->gui_obj);
954  return;
955  }
956  $this->ctrl->redirect($this, 'owner');
957  }
958 
959  private function __initSubTabs(string $a_cmd): void
960  {
961  $perm = $a_cmd === 'perm';
962  $perm_positions = $a_cmd === ilPermissionGUI::CMD_PERM_POSITIONS;
963  $info = $a_cmd === 'perminfo';
964  $owner = $a_cmd === 'owner';
965  $log = $a_cmd === 'log';
966 
967  $this->tabs->addSubTabTarget(
968  "permission_settings",
969  $this->ctrl->getLinkTarget($this, "perm"),
970  "",
971  "",
972  "",
973  $perm
974  );
975 
976  if (ilOrgUnitGlobalSettings::getInstance()->isPositionAccessActiveForObject($this->gui_obj->getObject()->getId())) {
977  $this->tabs->addSubTabTarget(
978  self::TAB_POSITION_PERMISSION_SETTINGS,
979  $this->ctrl->getLinkTarget($this, ilPermissionGUI::CMD_PERM_POSITIONS),
980  "",
981  "",
982  "",
983  $perm_positions
984  );
985  }
986 
987  $this->tabs->addSubTabTarget(
988  "info_status_info",
989  $this->ctrl->getLinkTargetByClass([get_class($this), "ilobjectpermissionstatusgui"], "perminfo"),
990  "",
991  "",
992  "",
993  $info
994  );
995  $this->tabs->addSubTabTarget(
996  "owner",
997  $this->ctrl->getLinkTarget($this, "owner"),
998  "",
999  "",
1000  "",
1001  $owner
1002  );
1003 
1004  if (ilRbacLog::isActive()) {
1005  $this->tabs->addSubTabTarget(
1006  "rbac_log",
1007  $this->ctrl->getLinkTarget($this, 'log'),
1008  "",
1009  "",
1010  "",
1011  $log
1012  );
1013  }
1014  }
1015 
1016  public function log(): void
1017  {
1018  if (!ilRbacLog::isActive()) {
1019  $this->ctrl->redirect($this, 'perm');
1020  }
1021 
1022  $this->__initSubTabs('log');
1023 
1024  $table = new Table(
1025  new ilRbacLog($this->db),
1026  $this->ui_factory,
1027  $this->data_factory,
1028  $this->lng,
1029  $this->ctrl,
1030  $this->ui_service,
1031  $this->object_definition,
1032  $this->http->request(),
1033  $this->rbacreview,
1034  $this->user,
1035  $this->gui_obj
1036  );
1037  $this->tpl->setContent($this->ui_renderer->render(
1038  $table->getTableAndFilter()
1039  ));
1040  }
1041 }
ilPermissionGUI\displayImportRoleForm
displayImportRoleForm(?ilPropertyFormGUI $form=null)
Definition: class.ilPermissionGUI.php:588
ilObjRole
Class ilObjRole.
Definition: class.ilObjRole.php:26
ilRadioOption
This class represents an option in a radio group.
Definition: class.ilRadioOption.php:26
ilOrgUnitPermissionTableGUI
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: class.ilOrgUnitPermissionTableGUI.php:23
ilPermissionGUI\$object_definition
ilObjectDefinition $object_definition
Definition: class.ilPermissionGUI.php:51
ilLoggerFactory\getLogger
static getLogger(string $a_component_id)
Get component logger.
Definition: class.ilLoggerFactory.php:89
ilTabsGUI
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: class.ilTabsGUI.php:25
ilPermissionGUI\perm
perm(?ilTable2GUI $table=null)
Definition: class.ilPermissionGUI.php:190
ilFileInputGUI
This class represents a file property in a property form.
Definition: class.ilFileInputGUI.php:30
ilPermissionGUI\addRole
addRole()
adds a local role This method is only called when choose the option &#39;you may add local roles&#39;...
Definition: class.ilPermissionGUI.php:740
ilPermissionGUI\__initSubTabs
__initSubTabs(string $a_cmd)
Definition: class.ilPermissionGUI.php:959
SYSTEM_ROLE_ID
const SYSTEM_ROLE_ID
Definition: constants.php:29
ilPermissionGUI\$positionRepo
ilOrgUnitPositionDBRepository $positionRepo
Definition: class.ilPermissionGUI.php:43
ilRbacLog\CHANGE_OWNER
const CHANGE_OWNER
Definition: class.ilRbacLog.php:40
ilPermissionGUI\isInAdministration
isInAdministration()
Check if node is subobject of administration folder.
Definition: class.ilPermissionGUI.php:242
ilPermissionGUI\showConfirmBlockRole
showConfirmBlockRole(array $a_blocked_info)
Definition: class.ilPermissionGUI.php:470
ilImport
Import class.
Definition: class.ilImport.php:38
ilObjUser\_lookupId
static _lookupId($a_user_str)
Definition: class.ilObjUser.php:692
ilPermissionGUI\$operationRepo
ilOrgUnitOperationDBRepository $operationRepo
Definition: class.ilPermissionGUI.php:45
ilRbacLog\isActive
static isActive()
Definition: class.ilRbacLog.php:122
SYSTEM_FOLDER_ID
const SYSTEM_FOLDER_ID
Definition: constants.php:35
ilObjRole\MODE_PROTECTED_KEEP_LOCAL_POLICIES
const MODE_PROTECTED_KEEP_LOCAL_POLICIES
Definition: class.ilObjRole.php:29
ilPermissionGUI\$permissionRepo
ilOrgUnitPermissionDBRepository $permissionRepo
Definition: class.ilPermissionGUI.php:44
ilPermissionGUI\$recommended_content_manager
ilRecommendedContentManager $recommended_content_manager
Definition: class.ilPermissionGUI.php:42
null
while($session_entry=$r->fetchRow(ilDBConstants::FETCHMODE_ASSOC)) return null
Definition: shib_logout.php:142
ilRbacLog\EDIT_PERMISSIONS
const EDIT_PERMISSIONS
Definition: class.ilRbacLog.php:33
ilRbacReview\lookupCreateOperationIds
static lookupCreateOperationIds(array $a_type_arr)
Lookup operation ids.
Definition: class.ilRbacReview.php:1016
ilRbacLog\gatherFaPa
static gatherFaPa(int $ref_id, array $role_ids, bool $add_action=false)
Definition: class.ilRbacLog.php:127
ilPermissionGUI\$objectDataCache
ilObjectDataCache $objectDataCache
Definition: class.ilPermissionGUI.php:57
$ref_id
$ref_id
Definition: ltiauth.php:65
ILIAS\FileDelivery\http
static http()
Fetches the global http state from ILIAS.
Definition: HttpServiceAware.php:55
ilRadioGroupInputGUI
This class represents a property in a property form.
Definition: class.ilRadioGroupInputGUI.php:26
ilPermissionGUI\$ilErr
ilErrorHandling $ilErr
Definition: class.ilPermissionGUI.php:48
ilObject\_lookupTitle
static _lookupTitle(int $obj_id)
Definition: class.ilObject.php:830
$log
$log
Definition: result.php:32
Factory
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
ilObjRole\_getTranslation
static _getTranslation(string $a_role_title)
Definition: class.ilObjRole.php:364
ilObjectGUI
Class ilObjectGUI Basic methods of all Output classes.
Definition: class.ilObjectGUI.php:46
ilPermissionGUI\hasContainerCommands
static hasContainerCommands(string $a_type)
Definition: class.ilPermissionGUI.php:580
$DIC
global $DIC
Definition: shib_login.php:22
ilPermissionGUI\$http
GlobalHttpState $http
Definition: class.ilPermissionGUI.php:59
ilFormPropertyGUI\setRequired
setRequired(bool $a_required)
Definition: class.ilFormPropertyGUI.php:155
ROLE_FOLDER_ID
const ROLE_FOLDER_ID
Definition: constants.php:34
ilPermissionGUI\unblockRoles
unblockRoles(array $roles)
Definition: class.ilPermissionGUI.php:529
ilUtil\_sortIds
static _sortIds(array $a_ids, string $a_table, string $a_field, string $a_id_name)
Function that sorts ids by a given table field using WHERE IN E.g: __sort(array(6,7),&#39;usr_data&#39;,&#39;lastname&#39;,&#39;usr_id&#39;) => sorts by lastname.
Definition: class.ilUtil.php:1212
ilRbacLog\add
static add(int $action, int $ref_id, array $diff, bool $source_ref_id=false)
Definition: class.ilRbacLog.php:226
ilObjectFactory\getInstanceByObjId
static getInstanceByObjId(?int $obj_id, bool $stop_on_error=true)
get an instance of an Ilias object by object id
Definition: class.ilObjectFactory.php:84
ilRbacLog\diffFaPa
static diffFaPa(array $old, array $new)
Definition: class.ilRbacLog.php:160
$rights
$rights
Definition: LOMStructure.php:396
$id
$id
plugin.php for ilComponentBuildPluginInfoObjectiveTest::testAddPlugins
Definition: plugin.php:23
ILIAS\GlobalScreen\Provider\__construct
__construct(Container $dic, ilPlugin $plugin)
Definition: PluginProviderHelper.php:37
ilTextAreaInputGUI
This class represents a text area property in a property form.
Definition: class.ilTextAreaInputGUI.php:26
ilObjRole\MODE_UNPROTECTED_KEEP_LOCAL_POLICIES
const MODE_UNPROTECTED_KEEP_LOCAL_POLICIES
Definition: class.ilObjRole.php:31
ilPermissionGUI\executeCommand
executeCommand()
Execute command.
Definition: class.ilPermissionGUI.php:137
$dic
$dic
Definition: result.php:31
$check
$check
Definition: buildRTE.php:81
ilPermissionGUI\$tpl
ilGlobalTemplateInterface $tpl
Definition: class.ilPermissionGUI.php:52
ilPermissionGUI\applyRoleFilter
applyRoleFilter(array $a_roles, int $a_filter_id)
Definition: class.ilPermissionGUI.php:263
ilRbacAdmin
Class ilRbacAdmin Core functions for role based access control.
Definition: class.ilRbacAdmin.php:31
ilRbacLog
class ilRbacLog Log changes in Rbac-related settings
Definition: class.ilRbacLog.php:30
ilObjectPermissionStatusGUI
This class displays the permission status of a user concerning a specific object. ...
Definition: class.ilObjectPermissionStatusGUI.php:28
ilObjRoleGUI
Class ilObjRoleGUI.
Definition: class.ilObjRoleGUI.php:36
ilRecommendedContentManager
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: class.ilRecommendedContentManager.php:25
ilObjUser\_lookupLogin
static _lookupLogin(int $a_user_id)
Definition: class.ilObjUser.php:678