ILIAS  trunk Revision v11.0_alpha-2638-g80c1d007f79
class.ilPermissionGUI.php
Go to the documentation of this file.
1 <?php
2 
19 declare(strict_types=1);
20 
21 use ILIAS\AccessControl\Log\Table;
22 use ILIAS\HTTP\GlobalHttpState;
23 use ILIAS\Refinery\Factory;
24 use ILIAS\UI\Factory as UIFactory;
25 use ILIAS\UI\Renderer as UIRenderer;
26 use ILIAS\Data\Factory as DataFactory;
27 
35 class ilPermissionGUI
36 {
37  public const CMD_SAVE_POSITIONS_PERMISSIONS = 'savePositionsPermissions';
38  private const CMD_PERM_POSITIONS = 'permPositions';
39  private const TAB_POSITION_PERMISSION_SETTINGS = "position_permission_settings";
40 
41  private ilObjectGUI $current_obj;
42 
43  private ilRecommendedContentManager $recommended_content_manager;
44  private ilOrgUnitPositionDBRepository $positionRepo;
45  private ilOrgUnitPermissionDBRepository $permissionRepo;
46  private ilOrgUnitOperationDBRepository $operationRepo;
47 
48  private ilObjectGUI $gui_obj;
49  private ilErrorHandling $ilErr;
50  private ilCtrl $ctrl;
51  private ilLanguage $lng;
52  private ilObjectDefinition $object_definition;
53  private ilGlobalTemplateInterface $tpl;
54  private ilUIService $ui_service;
55  private ilRbacSystem $rbacsystem;
56  private ilRbacReview $rbacreview;
57  private ilRbacAdmin $rbacadmin;
58  private ilObjectDataCache $objectDataCache;
59  private ilTabsGUI $tabs;
60  private GlobalHttpState $http;
61  private Factory $refinery;
62  private ilToolbarGUI $toolbar;
63  private UIFactory $ui_factory;
64  private UIRenderer $ui_renderer;
65  private DataFactory $data_factory;
66  private ilDBInterface $db;
67  private ilObjUser $user;
68  private ilTree $tree;
69 
70  public function __construct(ilObjectGUI $a_gui_obj)
71  {
73  global $DIC;
74 
75  $this->object_definition = $DIC['objDefinition'];
76  $this->ui_service = $DIC->uiService();
77  $this->objectDataCache = $DIC['ilObjDataCache'];
78  $this->tpl = $DIC['tpl'];
79  $this->lng = $DIC['lng'];
80  $this->ctrl = $DIC['ilCtrl'];
81  $this->rbacsystem = $DIC['rbacsystem'];
82  $this->rbacreview = $DIC['rbacreview'];
83  $this->rbacadmin = $DIC['rbacadmin'];
84  $this->tabs = $DIC['ilTabs'];
85  $this->ilErr = $DIC['ilErr'];
86  $this->http = $DIC['http'];
87  $this->refinery = $DIC['refinery'];
88  $this->toolbar = $DIC['ilToolbar'];
89  $this->ui_factory = $DIC['ui.factory'];
90  $this->ui_renderer = $DIC['ui.renderer'];
91  $this->db = $DIC['ilDB'];
92  $this->user = $DIC['ilUser'];
93  $this->tree = $DIC['tree'];
94 
95  $this->data_factory = new DataFactory();
96  $this->recommended_content_manager = new ilRecommendedContentManager();
97 
98  $this->lng->loadLanguageModule('rbac');
99  $this->gui_obj = $a_gui_obj;
100  $this->tabs->activateTab('perm_settings');
101  }
102 
103  private function getPositionRepo(): ilOrgUnitPositionDBRepository
104  {
105  if (!isset($this->positionRepo)) {
106  $dic = ilOrgUnitLocalDIC::dic();
107  $this->positionRepo = $dic["repo.Positions"];
108  }
109 
110  return $this->positionRepo;
111  }
112 
113  private function getPermissionRepo(): ilOrgUnitPermissionDBRepository
114  {
115  if (!isset($this->permissionRepo)) {
116  $dic = ilOrgUnitLocalDIC::dic();
117  $this->permissionRepo = $dic["repo.Permissions"];
118  }
119 
120  return $this->permissionRepo;
121  }
122 
123  private function getOperationRepo(): ilOrgUnitOperationDBRepository
124  {
125  if (!isset($this->operationRepo)) {
126  $dic = ilOrgUnitLocalDIC::dic();
127  $this->operationRepo = $dic["repo.Operations"];
128  }
129 
130  return $this->operationRepo;
131  }
132 
138  public function executeCommand(): void
139  {
140  // access to all functions in this class are only allowed if edit_permission is granted
141  if (!$this->rbacsystem->checkAccess("edit_permission", $this->gui_obj->getObject()->getRefId())) {
142  $this->tpl->setOnScreenMessage('failure', $this->lng->txt('permission_denied'), true);
143  $this->ctrl->redirect($this->gui_obj);
144  }
145  $next_class = $this->ctrl->getNextClass($this);
146  switch ($next_class) {
147  case "ilobjrolegui":
148 
149  $role_id = 0;
150  if ($this->http->wrapper()->query()->has('obj_id')) {
151  $role_id = $this->http->wrapper()->query()->retrieve(
152  'obj_id',
153  $this->refinery->kindlyTo()->int()
154  );
155  }
156  $this->ctrl->setReturn($this, 'perm');
157  $this->gui_obj = new ilObjRoleGUI("", $role_id, false, false);
158  $this->ctrl->forwardCommand($this->gui_obj);
159  break;
160 
161  case 'ildidactictemplategui':
162  $this->ctrl->setReturn($this, 'perm');
163  $did = new ilDidacticTemplateGUI($this->gui_obj);
164  $this->ctrl->forwardCommand($did);
165  break;
166 
167  case 'ilrepositorysearchgui':
168  // used for owner autocomplete
169  $rep_search = new ilRepositorySearchGUI();
170  $this->ctrl->forwardCommand($rep_search);
171  break;
172 
173  case 'ilobjectpermissionstatusgui':
174  $this->__initSubTabs("perminfo");
175  $perm_stat = new ilObjectPermissionStatusGUI($this->gui_obj->getObject());
176  $this->ctrl->forwardCommand($perm_stat);
177  break;
178 
179  default:
180  $cmd = $this->ctrl->getCmd();
181  $this->$cmd();
182  break;
183  }
184  }
185 
186  public function getCurrentObject(): object
187  {
188  return $this->gui_obj->getObject();
189  }
190 
191  public function perm(?ilTable2GUI $table = null): void
192  {
193  $dtpl = new ilDidacticTemplateGUI($this->gui_obj);
194  if ($dtpl->appendToolbarSwitch(
195  $this->toolbar,
196  $this->getCurrentObject()->getType(),
197  $this->getCurrentObject()->getRefId()
198  )) {
199  $this->toolbar->addSeparator();
200  }
201 
202  if ($this->object_definition->hasLocalRoles($this->getCurrentObject()->getType()) && !$this->isAdministrationObject()
203  ) {
204  $this->toolbar->setFormAction($this->ctrl->getFormActionByClass(ilDidacticTemplateGUI::class));
205 
206  if (!$this->isAdminRoleFolder()) {
207  $this->toolbar->addComponent(
208  $this->ui_factory->link()->standard(
209  $this->lng->txt('rbac_add_new_local_role'),
210  $this->ctrl->getLinkTarget($this, 'displayAddRoleForm')
211  )
212  );
213  }
214  $this->toolbar->addComponent(
215  $this->ui_factory->link()->standard(
216  $this->lng->txt('rbac_import_role'),
217  $this->ctrl->getLinkTarget($this, 'displayImportRoleForm')
218  )
219  );
220  }
221  $this->__initSubTabs("perm");
222 
223  if (!$table instanceof ilTable2GUI) {
224  $table = new ilObjectRolePermissionTableGUI($this, 'perm', $this->getCurrentObject()->getRefId());
225  }
226  $table->parse();
227  $this->tpl->setContent($table->getHTML());
228  }
229 
230  private function isAdminRoleFolder(): bool
231  {
232  return $this->getCurrentObject()->getRefId() == ROLE_FOLDER_ID;
233  }
234 
235  private function isAdministrationObject(): bool
236  {
237  return $this->getCurrentObject()->getType() == 'adm';
238  }
239 
243  private function isInAdministration(): bool
244  {
245  return $this->tree->isGrandChild(SYSTEM_FOLDER_ID, $this->getCurrentObject()->getRefId());
246  }
247 
248  public function applyFilter(): void
249  {
250  $table = new ilObjectRolePermissionTableGUI($this, 'perm', $this->getCurrentObject()->getRefId());
251  $table->resetOffset();
252  $table->writeFilterToSession();
253  $this->perm($table);
254  }
255 
256  public function resetFilter(): void
257  {
258  $table = new ilObjectRolePermissionTableGUI($this, 'perm', $this->getCurrentObject()->getRefId());
259  $table->resetOffset();
260  $table->resetFilter();
261  $this->perm($table);
262  }
263 
264  public function applyRoleFilter(array $a_roles, int $a_filter_id): array
265  {
266  // Always delete administrator role from view
267  if (isset($a_roles[SYSTEM_ROLE_ID])) {
268  unset($a_roles[SYSTEM_ROLE_ID]);
269  }
270 
271  switch ($a_filter_id) {
272  // all roles in context
273  case ilObjectRolePermissionTableGUI::ROLE_FILTER_ALL:
274  return $a_roles;
275 
276  // only global roles
277  case ilObjectRolePermissionTableGUI::ROLE_FILTER_GLOBAL:
278  $arr_global_roles = $this->rbacreview->getGlobalRoles();
279  $arr_remove_roles = array_diff(array_keys($a_roles), $arr_global_roles);
280  foreach ($arr_remove_roles as $role_id) {
281  unset($a_roles[$role_id]);
282  }
283  return $a_roles;
284 
285  // only local roles (all local roles in context that are not defined at ROLE_FOLDER_ID)
286  case ilObjectRolePermissionTableGUI::ROLE_FILTER_LOCAL:
287  $arr_global_roles = $this->rbacreview->getGlobalRoles();
288  foreach ($arr_global_roles as $role_id) {
289  unset($a_roles[$role_id]);
290  }
291  return $a_roles;
292 
293  // only roles which use a local policy
294  case ilObjectRolePermissionTableGUI::ROLE_FILTER_LOCAL_POLICY:
295  $arr_local_roles = $this->rbacreview->getRolesOfObject($this->getCurrentObject()->getRefId());
296  $arr_remove_roles = array_diff(array_keys($a_roles), $arr_local_roles);
297  foreach ($arr_remove_roles as $role_id) {
298  unset($a_roles[$role_id]);
299  }
300  return $a_roles;
301 
302  // only true local role defined at current position
303  case ilObjectRolePermissionTableGUI::ROLE_FILTER_LOCAL_OBJECT:
304  $arr_local_roles = $this->rbacreview->getRolesOfObject($this->getCurrentObject()->getRefId(), true);
305  $arr_remove_roles = array_diff(array_keys($a_roles), $arr_local_roles);
306  foreach ($arr_remove_roles as $role_id) {
307  unset($a_roles[$role_id]);
308  }
309  return $a_roles;
310 
311  default:
312  return $a_roles;
313  }
314  }
315 
316  protected function savePermissions(): void
317  {
318  $table = new ilObjectRolePermissionTableGUI($this, 'perm', $this->getCurrentObject()->getRefId());
319 
320  $roles = $this->applyRoleFilter(
321  $this->rbacreview->getParentRoleIds($this->getCurrentObject()->getRefId()),
322  (int) $table->getFilterItemByPostVar('role')->getValue()
323  );
324 
325  // Log history
326  $log_old = ilRbacLog::gatherFaPa($this->getCurrentObject()->getRefId(), array_keys((array) $roles));
327 
328  # all possible create permissions
329  $possible_ops_ids = $this->rbacreview->getOperationsByTypeAndClass(
330  $this->getCurrentObject()->getType(),
331  'create'
332  );
333 
334  # createable (activated) create permissions
335  $create_types = $this->object_definition->getCreatableSubObjects(
336  $this->getCurrentObject()->getType()
337  );
338  $createable_ops_ids = ilRbacReview::lookupCreateOperationIds(array_keys((array) $create_types));
339 
340  $post_perm = $this->http->wrapper()->post()->has('perm')
341  ? $this->http->wrapper()->post()->retrieve(
342  'perm',
343  $this->refinery->kindlyTo()->dictOf(
344  $this->refinery->kindlyTo()->dictOf(
345  $this->refinery->kindlyTo()->int()
346  )
347  )
348  )
349  : [];
350 
351  foreach ($roles as $role => $role_data) {
352  if ($role_data['protected']) {
353  continue;
354  }
355 
356  $new_ops = array_keys((array) ($post_perm[$role] ?? []));
357  $old_ops = $this->rbacreview->getRoleOperationsOnObject(
358  $role,
359  $this->getCurrentObject()->getRefId()
360  );
361 
362  // Add operations which were enabled and are not activated.
363  foreach ($possible_ops_ids as $create_ops_id) {
364  if (in_array($create_ops_id, $createable_ops_ids)) {
365  continue;
366  }
367  if (in_array($create_ops_id, $old_ops)) {
368  $new_ops[] = $create_ops_id;
369  }
370  }
371 
372  $this->rbacadmin->revokePermission(
373  $this->getCurrentObject()->getRefId(),
374  $role
375  );
376 
377  $this->rbacadmin->grantPermission(
378  $role,
379  array_unique($new_ops),
380  $this->getCurrentObject()->getRefId()
381  );
382  }
383 
384  if (ilPermissionGUI::hasContainerCommands($this->getCurrentObject()->getType())) {
385  $inherit_post = $this->http->wrapper()->post()->has('inherit')
386  ? $this->http->wrapper()->post()->retrieve(
387  'inherit',
388  $this->refinery->kindlyTo()->dictOf(
389  $this->refinery->kindlyTo()->bool()
390  )
391  )
392  : [];
393 
394  foreach ($roles as $role) {
395  $obj_id = (int) $role['obj_id'];
396  $parent_id = (int) $role['parent'];
397  // No action for local roles
398  if ($parent_id === $this->getCurrentObject()->getRefId() && $role['assign'] === 'y') {
399  continue;
400  }
401  // Nothing for protected roles
402  if ($role['protected']) {
403  continue;
404  }
405  // Stop local policy
406  if (
407  $parent_id === $this->getCurrentObject()->getRefId()
408  && !isset($inherit_post[$obj_id])
409  && !$this->rbacreview->isBlockedAtPosition($obj_id, $this->getCurrentObject()->getRefId())
410  ) {
411  ilLoggerFactory::getLogger('ac')->debug('Stop local policy for: ' . $role['obj_id']);
412  $role_obj = ilObjectFactory::getInstanceByObjId($obj_id);
413  $role_obj->setParent($this->getCurrentObject()->getRefId());
414  $role_obj->delete();
415  continue;
416  }
417  // Add local policy
418  if (
419  $parent_id !== $this->getCurrentObject()->getRefId()
420  && isset($inherit_post[$obj_id])
421  ) {
422  ilLoggerFactory::getLogger('ac')->debug('Create local policy');
423  $this->rbacadmin->copyRoleTemplatePermissions(
424  $obj_id,
425  $parent_id,
426  $this->getCurrentObject()->getRefId(),
427  $obj_id
428  );
429  ilLoggerFactory::getLogger('ac')->debug('Assign role to folder');
430  $this->rbacadmin->assignRoleToFolder($obj_id, $this->getCurrentObject()->getRefId(), 'n');
431  }
432  }
433  }
434 
435  // Protect permissions
436  if (ilPermissionGUI::hasContainerCommands($this->getCurrentObject()->getType())) {
437  $protected_post = $this->http->wrapper()->post()->has('protect')
438  ? $this->http->wrapper()->post()->retrieve(
439  'protect',
440  $this->refinery->kindlyTo()->dictOf($this->refinery->kindlyTo()->int())
441  )
442  : [];
443  foreach ($roles as $role) {
444  $obj_id = (int) $role['obj_id'];
445  if ($this->rbacreview->isAssignable($obj_id, $this->getCurrentObject()->getRefId())) {
446  if (isset($protected_post[$obj_id]) &&
447  !$this->rbacreview->isProtected($this->getCurrentObject()->getRefId(), $obj_id)) {
448  $this->rbacadmin->setProtected($this->getCurrentObject()->getRefId(), $obj_id, 'y');
449  } elseif (!isset($protected_post[$obj_id]) &&
450  $this->rbacreview->isProtected($this->getCurrentObject()->getRefId(), $obj_id)) {
451  $this->rbacadmin->setProtected($this->getCurrentObject()->getRefId(), $obj_id, 'n');
452  }
453  }
454  }
455  }
456 
457  $log_new = ilRbacLog::gatherFaPa($this->getCurrentObject()->getRefId(), array_keys((array) $roles));
458  $log = ilRbacLog::diffFaPa($log_old, $log_new);
459  ilRbacLog::add(ilRbacLog::EDIT_PERMISSIONS, $this->getCurrentObject()->getRefId(), $log);
460 
461  $blocked_info = $this->getModifiedBlockedSettings();
462  ilLoggerFactory::getLogger('ac')->debug('Blocked settings: ' . print_r($blocked_info, true));
463  if ($blocked_info['num'] > 0) {
464  $this->showConfirmBlockRole($blocked_info);
465  return;
466  }
467  $this->tpl->setOnScreenMessage('success', $this->lng->txt('settings_saved'), true);
468  $this->ctrl->redirect($this, 'perm');
469  }
470 
471  private function showConfirmBlockRole(array $a_blocked_info): void
472  {
473  $info = '';
474  if ($a_blocked_info['new_blocked']) {
475  $info .= $this->lng->txt('role_confirm_block_role_info');
476  if ($a_blocked_info['new_unblocked']) {
477  $info .= '<br /><br />';
478  }
479  }
480  if ($a_blocked_info['new_unblocked']) {
481  $info .= ('<br />' . $this->lng->txt('role_confirm_unblock_role_info'));
482  }
483 
484  $this->tpl->setOnScreenMessage('info', $info);
485 
486  $confirm = new ilConfirmationGUI();
487  $confirm->setFormAction($this->ctrl->getFormAction($this));
488  $confirm->setHeaderText($this->lng->txt('role_confirm_block_role_header'));
489  $confirm->setConfirm($this->lng->txt('role_confirm_block_role'), 'modifyBlockRoles');
490  $confirm->setCancel($this->lng->txt('cancel'), 'perm');
491 
492  foreach ($a_blocked_info['new_blocked'] as $role_id) {
493  $confirm->addItem(
494  'new_block[]',
495  (string) $role_id,
496  ilObjRole::_getTranslation(ilObject::_lookupTitle($role_id)) . ' ' . $this->lng->txt('role_blocked')
497  );
498  }
499  foreach ($a_blocked_info['new_unblocked'] as $role_id) {
500  $confirm->addItem(
501  'new_unblock[]',
502  (string) $role_id,
503  ilObjRole::_getTranslation(ilObject::_lookupTitle($role_id)) . ' ' . $this->lng->txt('role_unblocked')
504  );
505  }
506  $this->tpl->setContent($confirm->getHTML());
507  }
508 
509  private function modifyBlockRoles(): void
510  {
511  $this->blockRoles(
512  $this->http->wrapper()->post()->has('new_block')
513  ? $this->http->wrapper()->post()->retrieve(
514  'new_block',
515  $this->refinery->kindlyTo()->dictOf($this->refinery->kindlyTo()->int())
516  )
517  : []
518  );
519  $this->unblockRoles($this->http->wrapper()->post()->has('new_unblock')
520  ? $this->http->wrapper()->post()->retrieve(
521  'new_unblock',
522  $this->refinery->kindlyTo()->dictOf($this->refinery->kindlyTo()->int())
523  )
524  : []);
525 
526  $this->tpl->setOnScreenMessage('info', $this->lng->txt('settings_saved'));
527  $this->ctrl->redirect($this, 'perm');
528  }
529 
530  private function unblockRoles(array $roles): void
531  {
532  foreach ($roles as $role) {
533  // delete local policy
534  ilLoggerFactory::getLogger('ac')->debug('Stop local policy for: ' . $role);
535  $role_obj = ilObjectFactory::getInstanceByObjId($role);
536  $role_obj->setParent($this->getCurrentObject()->getRefId());
537  $role_obj->delete();
538 
539  $role_obj->changeExistingObjects(
540  $this->getCurrentObject()->getRefId(),
541  ilObjRole::MODE_UNPROTECTED_KEEP_LOCAL_POLICIES,
542  ['all']
543  );
544 
545  // finally set blocked status
546  $this->rbacadmin->setBlockedStatus(
547  $role,
548  $this->getCurrentObject()->getRefId(),
549  false
550  );
551  }
552  }
553 
554  private function blockRoles(array $roles): void
555  {
556  foreach ($roles as $role) {
557  // Set assign to 'y' only if it is a local role
558  $assign = $this->rbacreview->isAssignable($role, $this->getCurrentObject()->getRefId()) ? 'y' : 'n';
559 
560  // Delete permissions
561  $this->rbacadmin->revokeSubtreePermissions($this->getCurrentObject()->getRefId(), $role);
562 
563  // Delete template permissions
564  $this->rbacadmin->deleteSubtreeTemplates($this->getCurrentObject()->getRefId(), $role);
565 
566  $this->rbacadmin->assignRoleToFolder(
567  $role,
568  $this->getCurrentObject()->getRefId(),
569  $assign
570  );
571 
572  // finally set blocked status
573  $this->rbacadmin->setBlockedStatus(
574  $role,
575  $this->getCurrentObject()->getRefId(),
576  true
577  );
578  }
579  }
580 
581  public static function hasContainerCommands(string $a_type): bool
582  {
583  global $DIC;
584 
585  $objDefinition = $DIC['objDefinition'];
586  return $objDefinition->isContainer($a_type) && $a_type != 'root' && $a_type != 'adm' && $a_type != 'rolf';
587  }
588 
589  private function displayImportRoleForm(?ilPropertyFormGUI $form = null): void
590  {
591  $this->tabs->clearTargets();
592 
593  if (!$form) {
594  $form = $this->initImportForm();
595  }
596  $this->tpl->setContent($form->getHTML());
597  }
598 
599  private function doImportRole(): void
600  {
601  $form = $this->initImportForm();
602  if ($form->checkInput()) {
603  try {
604  // For global roles set import id to parent of current ref_id (adm)
605  $imp = new ilImport($this->getCurrentObject()->getRefId());
606  $imp->getMapping()->addMapping(
607  'components/ILIAS/AccessControl',
608  'rolf',
609  '0',
610  (string) $this->getCurrentObject()->getRefId()
611  );
612 
613  $imp->importObject(
614  null,
615  $_FILES["importfile"]["tmp_name"],
616  $_FILES["importfile"]["name"],
617  'role'
618  );
619  $this->tpl->setOnScreenMessage('success', $this->lng->txt('rbac_role_imported'), true);
620  $this->ctrl->redirect($this, 'perm');
621  return;
622  } catch (Exception $e) {
623  $this->tpl->setOnScreenMessage('failure', $e->getMessage());
624  $form->setValuesByPost();
625  $this->displayImportRoleForm($form);
626  return;
627  }
628  }
629  $form->setValuesByPost();
630  $this->tpl->setOnScreenMessage('failure', $this->lng->txt('err_check_input'));
631  $this->displayImportRoleForm($form);
632  }
633 
634  private function initImportForm(): ilPropertyFormGUI
635  {
636  $form = new ilPropertyFormGUI();
637  $form->setFormAction($this->ctrl->getFormAction($this));
638  $form->setTitle($this->lng->txt('rbac_import_role'));
639  $form->addCommandButton('doImportRole', $this->lng->txt('import'));
640  $form->addCommandButton('perm', $this->lng->txt('cancel'));
641 
642  $zip = new ilFileInputGUI($this->lng->txt('import_file'), 'importfile');
643  $zip->setRequired(true);
644  $zip->setSuffixes(['zip']);
645  $form->addItem($zip);
646 
647  return $form;
648  }
649 
650  private function initRoleForm(): ilPropertyFormGUI
651  {
652  $form = new ilPropertyFormGUI();
653  $form->setFormAction($this->ctrl->getFormAction($this));
654  $form->setTitle($this->lng->txt('role_new'));
655  $form->addCommandButton('addrole', $this->lng->txt('role_new'));
656  $form->addCommandButton('perm', $this->lng->txt('cancel'));
657 
658  $title = new ilTextInputGUI($this->lng->txt('title'), 'title');
659  $title->setValidationRegexp('/^(?!il_).*$/');
660  $title->setValidationFailureMessage($this->lng->txt('msg_role_reserved_prefix'));
661  $title->setSize(40);
662  $title->setMaxLength(70);
663  $title->setRequired(true);
664  $form->addItem($title);
665 
666  $desc = new ilTextAreaInputGUI($this->lng->txt('description'), 'desc');
667  $desc->setCols(40);
668  $desc->setRows(3);
669  $form->addItem($desc);
670 
671  $pro = new ilCheckboxInputGUI($this->lng->txt('role_protect_permissions'), 'pro');
672  $pro->setInfo($this->lng->txt('role_protect_permissions_desc'));
673  $pro->setValue("1");
674  $form->addItem($pro);
675 
676  $pd = new ilCheckboxInputGUI($this->lng->txt('rbac_add_recommended_content'), 'desktop');
677  $pd->setInfo(
678  str_replace(
679  "%1",
680  $this->getCurrentObject()->getTitle(),
681  $this->lng->txt('rbac_add_recommended_content_info')
682  )
683  );
684  $pd->setValue((string) 1);
685  $form->addItem($pd);
686 
687  if (!$this->isInAdministration()) {
688  $rights = new ilRadioGroupInputGUI($this->lng->txt("rbac_role_rights_copy"), 'rights');
689  $option = new ilRadioOption($this->lng->txt("rbac_role_rights_copy_empty"), (string) 0);
690  $rights->addOption($option);
691 
692  $parent_role_ids = $this->rbacreview->getParentRoleIds($this->gui_obj->getObject()->getRefId(), true);
693  $ids = [];
694  foreach (array_keys($parent_role_ids) as $id) {
695  $ids[] = $id;
696  }
697 
698  // Sort ids
699  $sorted_ids = ilUtil::_sortIds($ids, 'object_data', 'type DESC,title', 'obj_id');
700 
701  $key = 0;
702  foreach ($sorted_ids as $id) {
703  $par = $parent_role_ids[$id];
704  if ($par["obj_id"] != SYSTEM_ROLE_ID) {
705  $option = new ilRadioOption(
706  ($par["type"] == 'role' ? $this->lng->txt('obj_role') : $this->lng->txt(
707  'obj_rolt'
708  )) . ": " . ilObjRole::_getTranslation($par["title"]),
709  (string) $par["obj_id"]
710  );
711  $option->setInfo($par["desc"] ?? '');
712  $rights->addOption($option);
713  }
714  $key++;
715  }
716  $form->addItem($rights);
717  }
718 
719  // Local policy only for containers
720  if ($this->object_definition->isContainer($this->getCurrentObject()->getType())) {
721  $check = new ilCheckboxInputGUI($this->lng->txt("rbac_role_rights_copy_change_existing"), 'existing');
722  $check->setInfo($this->lng->txt('rbac_change_existing_objects_desc_new_role'));
723  $form->addItem($check);
724  }
725  return $form;
726  }
727 
728  public function displayAddRoleForm(): void
729  {
730  $this->tabs->clearTargets();
731  $form = $this->initRoleForm();
732  $this->tpl->setContent($form->getHTML());
733  }
734 
741  public function addRole(): void
742  {
743  $form = $this->initRoleForm();
744  if ($form->checkInput()) {
745  $new_title = $form->getInput("title");
746 
747  $role = new ilObjRole();
748  $role->setTitle($new_title);
749  $role->setDescription($form->getInput('desc'));
750  $role->create();
751 
752  $this->rbacadmin->assignRoleToFolder($role->getId(), $this->getCurrentObject()->getRefId());
753 
754  // protect
755  $this->rbacadmin->setProtected(
756  $this->getCurrentObject()->getRefId(),
757  $role->getId(),
758  $form->getInput('pro') ? 'y' : 'n'
759  );
760 
761  // copy rights
762  $right_id_to_copy = (int) $form->getInput("rights");
763  if ($right_id_to_copy) {
764  $parentRoles = $this->rbacreview->getParentRoleIds($this->getCurrentObject()->getRefId(), true);
765  $this->rbacadmin->copyRoleTemplatePermissions(
766  $right_id_to_copy,
767  $parentRoles[$right_id_to_copy]["parent"],
768  $this->getCurrentObject()->getRefId(),
769  $role->getId(),
770  false
771  );
772 
773  if ($form->getInput('existing')) {
774  if ($form->getInput('pro')) {
775  $role->changeExistingObjects(
776  $this->getCurrentObject()->getRefId(),
777  ilObjRole::MODE_PROTECTED_KEEP_LOCAL_POLICIES,
778  ['all']
779  );
780  } else {
781  $role->changeExistingObjects(
782  $this->getCurrentObject()->getRefId(),
783  ilObjRole::MODE_UNPROTECTED_KEEP_LOCAL_POLICIES,
784  ['all']
785  );
786  }
787  }
788  }
789 
790  // add to desktop items
791  if ($form->getInput("desktop")) {
792  $this->recommended_content_manager->addRoleRecommendation(
793  $role->getId(),
794  $this->getCurrentObject()->getRefId()
795  );
796  }
797 
798  $this->tpl->setOnScreenMessage('success', $this->lng->txt("role_added"), true);
799  $this->ctrl->redirect($this, 'perm');
800  } else {
801  $form->setValuesByPost();
802  $this->tpl->setContent($form->getHTML());
803  }
804  }
805 
806  private function getModifiedBlockedSettings(): array
807  {
808  $blocked_info['new_blocked'] = [];
809  $blocked_info['new_unblocked'] = [];
810  $blocked_info['num'] = 0;
811  $visible_block = $this->http->wrapper()->post()->has('visible_block')
812  ? $this->http->wrapper()->post()->retrieve(
813  'visible_block',
814  $this->refinery->kindlyTo()->dictOf($this->refinery->kindlyTo()->int())
815  )
816  : [];
817  $block_post = $this->http->wrapper()->post()->has('block')
818  ? $this->http->wrapper()->post()->retrieve(
819  'block',
820  $this->refinery->kindlyTo()->dictOf($this->refinery->kindlyTo()->int())
821  )
822  : [];
823 
824 
825  foreach ($visible_block as $role => $one) {
826  $blocked = $this->rbacreview->isBlockedAtPosition($role, $this->getCurrentObject()->getRefId());
827  if (isset($block_post[$role]) && !$blocked) {
828  $blocked_info['new_blocked'][] = $role;
829  $blocked_info['num']++;
830  }
831  if (!isset($block_post[$role]) && $blocked) {
832  $blocked_info['new_unblocked'][] = $role;
833  $blocked_info['num']++;
834  }
835  }
836  return $blocked_info;
837  }
838 
839  public function permPositions(): void
840  {
841  $perm = self::CMD_PERM_POSITIONS;
842  $this->__initSubTabs($perm);
843 
844  $ref_id = $this->getCurrentObject()->getRefId();
845  $table = new ilOrgUnitPermissionTableGUI($this, $perm, $ref_id);
846  $table->collectData();
847  $this->tpl->setContent($table->getHTML());
848  }
849 
850  public function savePositionsPermissions(): void
851  {
852  $this->__initSubTabs(self::CMD_PERM_POSITIONS);
853 
854  $positions = $this->getPositionRepo()->getArray(null, 'id');
855  $ref_id = $this->getCurrentObject()->getRefId();
856 
857  $positions_with_local_perms_from_post = $this->http->wrapper()->post()->has('local')
858  ? $this->http->wrapper()->post()->retrieve(
859  'local',
860  $this->refinery->kindlyTo()->dictOf($this->refinery->kindlyTo()->int())
861  )
862  : [];
863 
864  foreach ($positions as $position_id) {
865  if (isset($positions_with_local_perms_from_post[$position_id])) {
866  $this->getPermissionRepo()->get($ref_id, $position_id);
867  } else {
868  $this->getPermissionRepo()->delete($ref_id, $position_id);
869  }
870  }
871 
872  $position_perm_post = $this->http->wrapper()->post()->has('position_perm')
873  ? $this->http->wrapper()->post()->retrieve(
874  'position_perm',
875  $this->refinery->kindlyTo()->dictOf(
876  $this->refinery->kindlyTo()->dictOf(
877  $this->refinery->kindlyTo()->int()
878  )
879  )
880  )
881  : [];
882 
883  foreach ($position_perm_post as $position_id => $ops) {
884  if (!isset($positions_with_local_perms_from_post[$position_id])) {
885  continue;
886  }
887  $org_unit_permissions = $this->getPermissionRepo()->getLocalorDefault($ref_id, $position_id);
888  if (!$org_unit_permissions->isTemplate()) {
889  $new_ops = [];
890  foreach ($ops as $op_id => $op) {
891  $new_ops[] = $this->getOperationRepo()->getById($op_id);
892  }
893  $org_unit_permissions = $this->getPermissionRepo()->store(
894  $org_unit_permissions->withOperations($new_ops)
895  );
896  }
897  }
898 
899  foreach (array_keys($positions_with_local_perms_from_post) as $position_id_from_post) {
900  if (array_key_exists($position_id_from_post, $position_perm_post)) {
901  continue;
902  }
903  $org_unit_permissions = $this->getPermissionRepo()->find($ref_id, $position_id_from_post);
904  if ($org_unit_permissions !== null && !$org_unit_permissions->isTemplate()) {
905  $this->getPermissionRepo()->store($org_unit_permissions->withOperations([]));
906  }
907  }
908 
909  $this->tpl->setOnScreenMessage('success', $this->lng->txt('settings_saved'), true);
910  $this->ctrl->redirect($this, self::CMD_PERM_POSITIONS);
911  }
912 
913  public function owner(): void
914  {
915  $this->__initSubTabs('owner');
916 
917  $form = new ilPropertyFormGUI();
918  $form->setFormAction($this->ctrl->getFormAction($this, "owner"));
919  $form->setTitle($this->lng->txt("info_owner_of_object"));
920 
921  $login = new ilTextInputGUI($this->lng->txt("login"), "owner");
922  $login->setDataSource($this->ctrl->getLinkTargetByClass([get_class($this),
923  'ilRepositorySearchGUI'
924  ], 'doUserAutoComplete', '', true));
925  $login->setRequired(true);
926  $login->setSize(50);
927  $login->setInfo($this->lng->txt("chown_warning"));
928  $login->setValue(ilObjUser::_lookupLogin($this->gui_obj->getObject()->getOwner()));
929  $form->addItem($login);
930  $form->addCommandButton("changeOwner", $this->lng->txt("change_owner"));
931  $this->tpl->setContent($form->getHTML());
932  }
933 
934  public function changeOwner(): void
935  {
936  $owner = '';
937  if ($this->http->wrapper()->post()->has('owner')) {
938  $owner = $this->http->wrapper()->post()->retrieve(
939  'owner',
940  $this->refinery->kindlyTo()->string()
941  );
942  }
943  if (!$user_id = ilObjUser::_lookupId($owner)) {
944  $this->tpl->setOnScreenMessage('failure', $this->lng->txt('user_not_known'));
945  $this->owner();
946  return;
947  }
948 
949  // no need to change?
950  if ($user_id != $this->gui_obj->getObject()->getOwner()) {
951  $this->gui_obj->getObject()->setOwner($user_id);
952  $this->gui_obj->getObject()->updateOwner();
953  $this->objectDataCache->deleteCachedEntry($this->gui_obj->getObject()->getId());
954 
955  if (ilRbacLog::isActive()) {
956  ilRbacLog::add(ilRbacLog::CHANGE_OWNER, $this->gui_obj->getObject()->getRefId(), [$user_id]);
957  }
958  }
959 
960  $this->tpl->setOnScreenMessage('success', $this->lng->txt('owner_updated'), true);
961 
962  if (!$this->rbacsystem->checkAccess("edit_permission", $this->gui_obj->getObject()->getRefId())) {
963  $this->ctrl->redirect($this->gui_obj);
964  return;
965  }
966  $this->ctrl->redirect($this, 'owner');
967  }
968 
969  private function __initSubTabs(string $a_cmd): void
970  {
971  $perm = $a_cmd === 'perm';
972  $perm_positions = $a_cmd === ilPermissionGUI::CMD_PERM_POSITIONS;
973  $info = $a_cmd === 'perminfo';
974  $owner = $a_cmd === 'owner';
975  $log = $a_cmd === 'log';
976 
977  $this->tabs->addSubTabTarget(
978  "permission_settings",
979  $this->ctrl->getLinkTarget($this, "perm"),
980  "",
981  "",
982  "",
983  $perm
984  );
985 
986  if (ilOrgUnitGlobalSettings::getInstance()->isPositionAccessActiveForObject($this->gui_obj->getObject()->getId())) {
987  $this->tabs->addSubTabTarget(
988  self::TAB_POSITION_PERMISSION_SETTINGS,
989  $this->ctrl->getLinkTarget($this, ilPermissionGUI::CMD_PERM_POSITIONS),
990  "",
991  "",
992  "",
993  $perm_positions
994  );
995  }
996 
997  $this->tabs->addSubTabTarget(
998  "info_status_info",
999  $this->ctrl->getLinkTargetByClass([get_class($this), "ilobjectpermissionstatusgui"], "perminfo"),
1000  "",
1001  "",
1002  "",
1003  $info
1004  );
1005  $this->tabs->addSubTabTarget(
1006  "owner",
1007  $this->ctrl->getLinkTarget($this, "owner"),
1008  "",
1009  "",
1010  "",
1011  $owner
1012  );
1013 
1014  if (ilRbacLog::isActive()) {
1015  $this->tabs->addSubTabTarget(
1016  "rbac_log",
1017  $this->ctrl->getLinkTarget($this, 'log'),
1018  "",
1019  "",
1020  "",
1021  $log
1022  );
1023  }
1024  }
1025 
1026  public function log(): void
1027  {
1028  if (!ilRbacLog::isActive()) {
1029  $this->ctrl->redirect($this, 'perm');
1030  }
1031 
1032  $this->__initSubTabs('log');
1033 
1034  $table = new Table(
1035  new ilRbacLog($this->db),
1036  $this->ui_factory,
1037  $this->data_factory,
1038  $this->lng,
1039  $this->ctrl,
1040  $this->ui_service,
1041  $this->object_definition,
1042  $this->http->request(),
1043  $this->rbacreview,
1044  $this->user,
1045  $this->gui_obj
1046  );
1047  $this->tpl->setContent($this->ui_renderer->render(
1048  $table->getTableAndFilter()
1049  ));
1050  }
1051 }
ilPermissionGUI\displayImportRoleForm
displayImportRoleForm(?ilPropertyFormGUI $form=null)
Definition: class.ilPermissionGUI.php:589
ilObjRole
Class ilObjRole.
Definition: class.ilObjRole.php:26
ilRadioOption
This class represents an option in a radio group.
Definition: class.ilRadioOption.php:27
ilOrgUnitPermissionTableGUI
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: class.ilOrgUnitPermissionTableGUI.php:23
ilPermissionGUI\$object_definition
ilObjectDefinition $object_definition
Definition: class.ilPermissionGUI.php:52
ilLoggerFactory\getLogger
static getLogger(string $a_component_id)
Get component logger.
Definition: class.ilLoggerFactory.php:89
ilTabsGUI
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: class.ilTabsGUI.php:25
ilPermissionGUI\perm
perm(?ilTable2GUI $table=null)
Definition: class.ilPermissionGUI.php:191
ilFileInputGUI
This class represents a file property in a property form.
Definition: class.ilFileInputGUI.php:31
ilPermissionGUI\addRole
addRole()
adds a local role This method is only called when choose the option &#39;you may add local roles&#39;...
Definition: class.ilPermissionGUI.php:741
ilPermissionGUI\__initSubTabs
__initSubTabs(string $a_cmd)
Definition: class.ilPermissionGUI.php:969
SYSTEM_ROLE_ID
const SYSTEM_ROLE_ID
Definition: constants.php:29
ilPermissionGUI\$positionRepo
ilOrgUnitPositionDBRepository $positionRepo
Definition: class.ilPermissionGUI.php:44
ilRbacLog\CHANGE_OWNER
const CHANGE_OWNER
Definition: class.ilRbacLog.php:40
ilPermissionGUI\isInAdministration
isInAdministration()
Check if node is subobject of administration folder.
Definition: class.ilPermissionGUI.php:243
ilPermissionGUI\showConfirmBlockRole
showConfirmBlockRole(array $a_blocked_info)
Definition: class.ilPermissionGUI.php:471
ilImport
Import class.
Definition: class.ilImport.php:38
ilObjUser\_lookupId
static _lookupId($a_user_str)
Definition: class.ilObjUser.php:694
ilPermissionGUI\$operationRepo
ilOrgUnitOperationDBRepository $operationRepo
Definition: class.ilPermissionGUI.php:46
ilRbacLog\isActive
static isActive()
Definition: class.ilRbacLog.php:122
SYSTEM_FOLDER_ID
const SYSTEM_FOLDER_ID
Definition: constants.php:35
ilObjRole\MODE_PROTECTED_KEEP_LOCAL_POLICIES
const MODE_PROTECTED_KEEP_LOCAL_POLICIES
Definition: class.ilObjRole.php:29
ilPermissionGUI\$permissionRepo
ilOrgUnitPermissionDBRepository $permissionRepo
Definition: class.ilPermissionGUI.php:45
ilPermissionGUI\$recommended_content_manager
ilRecommendedContentManager $recommended_content_manager
Definition: class.ilPermissionGUI.php:43
null
while($session_entry=$r->fetchRow(ilDBConstants::FETCHMODE_ASSOC)) return null
Definition: shib_logout.php:144
ilRbacLog\EDIT_PERMISSIONS
const EDIT_PERMISSIONS
Definition: class.ilRbacLog.php:33
ilRbacReview\lookupCreateOperationIds
static lookupCreateOperationIds(array $a_type_arr)
Lookup operation ids.
Definition: class.ilRbacReview.php:1016
ilRbacLog\gatherFaPa
static gatherFaPa(int $ref_id, array $role_ids, bool $add_action=false)
Definition: class.ilRbacLog.php:127
ilPermissionGUI\$objectDataCache
ilObjectDataCache $objectDataCache
Definition: class.ilPermissionGUI.php:58
$ref_id
$ref_id
Definition: ltiauth.php:65
ILIAS\FileDelivery\http
static http()
Fetches the global http state from ILIAS.
Definition: HttpServiceAware.php:55
ilRadioGroupInputGUI
This class represents a property in a property form.
Definition: class.ilRadioGroupInputGUI.php:27
ilPermissionGUI\$ilErr
ilErrorHandling $ilErr
Definition: class.ilPermissionGUI.php:49
ilObject\_lookupTitle
static _lookupTitle(int $obj_id)
Definition: class.ilObject.php:838
$log
$log
Definition: result.php:32
Factory
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
ilObjRole\_getTranslation
static _getTranslation(string $a_role_title)
Definition: class.ilObjRole.php:364
ilObjectGUI
Class ilObjectGUI Basic methods of all Output classes.
Definition: class.ilObjectGUI.php:48
ilPermissionGUI\hasContainerCommands
static hasContainerCommands(string $a_type)
Definition: class.ilPermissionGUI.php:581
$DIC
global $DIC
Definition: shib_login.php:26
ilPermissionGUI\$http
GlobalHttpState $http
Definition: class.ilPermissionGUI.php:60
ilFormPropertyGUI\setRequired
setRequired(bool $a_required)
Definition: class.ilFormPropertyGUI.php:156
ROLE_FOLDER_ID
const ROLE_FOLDER_ID
Definition: constants.php:34
ilPermissionGUI\unblockRoles
unblockRoles(array $roles)
Definition: class.ilPermissionGUI.php:530
ilUtil\_sortIds
static _sortIds(array $a_ids, string $a_table, string $a_field, string $a_id_name)
Function that sorts ids by a given table field using WHERE IN E.g: __sort(array(6,7),&#39;usr_data&#39;,&#39;lastname&#39;,&#39;usr_id&#39;) => sorts by lastname.
Definition: class.ilUtil.php:1214
ilRbacLog\add
static add(int $action, int $ref_id, array $diff, bool $source_ref_id=false)
Definition: class.ilRbacLog.php:226
ilObjectFactory\getInstanceByObjId
static getInstanceByObjId(?int $obj_id, bool $stop_on_error=true)
get an instance of an Ilias object by object id
Definition: class.ilObjectFactory.php:84
ilRbacLog\diffFaPa
static diffFaPa(array $old, array $new)
Definition: class.ilRbacLog.php:160
$rights
$rights
Definition: LOMStructure.php:396
$id
$id
plugin.php for ilComponentBuildPluginInfoObjectiveTest::testAddPlugins
Definition: plugin.php:23
ILIAS\GlobalScreen\Provider\__construct
__construct(Container $dic, ilPlugin $plugin)
Definition: PluginProviderHelper.php:37
ilTextAreaInputGUI
This class represents a text area property in a property form.
Definition: class.ilTextAreaInputGUI.php:27
ilObjRole\MODE_UNPROTECTED_KEEP_LOCAL_POLICIES
const MODE_UNPROTECTED_KEEP_LOCAL_POLICIES
Definition: class.ilObjRole.php:31
ilPermissionGUI\executeCommand
executeCommand()
Execute command.
Definition: class.ilPermissionGUI.php:138
$dic
$dic
Definition: result.php:31
$check
$check
Definition: buildRTE.php:81
$info
$info
Definition: entry_point.php:21
ilPermissionGUI\$tpl
ilGlobalTemplateInterface $tpl
Definition: class.ilPermissionGUI.php:53
ilPermissionGUI\applyRoleFilter
applyRoleFilter(array $a_roles, int $a_filter_id)
Definition: class.ilPermissionGUI.php:264
ilRbacAdmin
Class ilRbacAdmin Core functions for role based access control.
Definition: class.ilRbacAdmin.php:31
ilRbacLog
class ilRbacLog Log changes in Rbac-related settings
Definition: class.ilRbacLog.php:30
ilObjectPermissionStatusGUI
This class displays the permission status of a user concerning a specific object. ...
Definition: class.ilObjectPermissionStatusGUI.php:28
ilObjRoleGUI
Class ilObjRoleGUI.
Definition: class.ilObjRoleGUI.php:35
ilRecommendedContentManager
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: class.ilRecommendedContentManager.php:25
ilObjUser\_lookupLogin
static _lookupLogin(int $a_user_id)
Definition: class.ilObjUser.php:680