ILIAS  trunk Revision v11.0_alpha-3011-gc6b235a2e85
class.ilIndividualAssessmentAccessHandler.php
Go to the documentation of this file.
1<?php
2
19declare(strict_types=1);
20
24class ilIndividualAssessmentAccessHandler implements IndividualAssessmentAccessHandler
25{
26 public const DEFAULT_ROLE = 'il_iass_member';
27
28 protected ilObjIndividualAssessment $iass;
29 protected ilAccessHandler $handler;
30 protected ilRbacAdmin $admin;
31 protected ilRbacReview $review;
32 protected ilObjUser $usr;
33
34 public function __construct(
35 ilObjIndividualAssessment $iass,
36 ilAccessHandler $handler,
37 ilRbacAdmin $admin,
38 ilRbacReview $review,
39 ilObjUser $usr
40 ) {
41 $this->iass = $iass;
42 $this->handler = $handler;
43 $this->admin = $admin;
44 $this->review = $review;
45 $this->usr = $usr;
46 }
47
51 public function checkRBACAccessToObj(string $operation): bool
52 {
53 if($this->simulateMember()) {
54 return $this->checkMemberRoleForPermission($operation);
55 } else {
56 return $this->isSystemAdmin() ||
57 $this->handler->checkAccessOfUser($this->usr->getId(), $operation, '', $this->iass->getRefId(), 'iass');
58 }
59 }
60
61 public function checkRBACOrPositionAccessToObj(string $operation)
62 {
63 if ($this->isSystemAdmin()) {
64 return true;
65 }
66
67 if ($operation == "read_learning_progress") {
68 return $this->handler->checkRbacOrPositionPermissionAccess(
69 "read_learning_progress",
70 "read_learning_progress",
71 $this->iass->getRefId()
72 );
73 }
74
75 if ($operation == "write_learning_progress") {
76 return $this->handler->checkRbacOrPositionPermissionAccess(
77 // This feels super odd, but this is actually ok because we do not have
78 // a dedicated RBAC permission to write_learning_progress.
79 // See: https://mantis.ilias.de/view.php?id=36056#c89865
80 "read_learning_progress",
81 "write_learning_progress",
82 $this->iass->getRefId()
83 );
84 }
85
86 throw new \LogicException("Unknown rbac/position-operation: $operation");
87 }
88
89 public function simulateMember(): bool
90 {
91 $settings = ilMemberViewSettings::getInstance();
92 return $settings->isActive() &&
93 $settings->getContainer() === $this->iass->getParentContainerIdByType($this->iass->getRefId(), ['crs']);
94 }
95
96 protected function checkMemberRoleForPermission(string $operation): bool
97 {
98 $ref_id = $this->iass->getRefId();
99 $roles = array_filter(
100 $this->review->getParentRoleIds($ref_id),
101 static fn(array $role): bool => str_starts_with($role['title'], 'il_crs_member_')
102 );
103 if($roles === []) {
104 return false;
105 }
106 $role = array_shift($roles);
107 $active_ops = $this->review->getActiveOperationsOfRole($ref_id, $role['rol_id']);
108 foreach($active_ops as $op) {
109 if($this->review->getOperation($op)['operation'] === $operation) {
110 return true;
111 }
112 }
113 return false;
114 }
115
119 public function initDefaultRolesForObject(ilObjIndividualAssessment $iass): void
120 {
121 ilObjRole::createDefaultRole(
122 $this->getRoleTitleByObj($iass),
123 "Admin of iass obj_no." . $iass->getId(),
124 self::DEFAULT_ROLE,
125 $iass->getRefId()
126 );
127 }
128
132 public function assignUserToMemberRole(ilObjUser $usr, ilObjIndividualAssessment $iass): bool
133 {
134 $this->admin->assignUser($this->getMemberRoleIdForObj($iass), $usr->getId());
135 return true;
136 }
137
141 public function deassignUserFromMemberRole(ilObjUser $usr, ilObjIndividualAssessment $iass): bool
142 {
143 $this->admin->deassignUser($this->getMemberRoleIdForObj($iass), $usr->getId());
144 return true;
145 }
146
147 protected function getRoleTitleByObj(ilObjIndividualAssessment $iass): string
148 {
149 return self::DEFAULT_ROLE . '_' . $iass->getRefId();
150 }
151
155 protected function getMemberRoleIdForObj(ilObjIndividualAssessment $iass)
156 {
157 return current($this->review->getLocalRoles($iass->getRefId()));
158 }
159
160 public function mayReadObject(): bool
161 {
162 return $this->checkRBACAccessToObj('read');
163 }
164
165 public function mayEditObject(): bool
166 {
167 return $this->checkRBACAccessToObj('write');
168 }
169
170 public function mayEditPermissions(): bool
171 {
172 return $this->checkRBACAccessToObj('edit_permission');
173 }
174
175 public function mayEditMembers(): bool
176 {
177 return $this->checkRBACAccessToObj('edit_members');
178 }
179
180 public function mayViewAnyUser(): bool
181 {
182 return $this->checkRBACOrPositionAccessToObj('read_learning_progress');
183 }
184
185 public function mayViewAllUsers(): bool
186 {
187 return $this->checkRBACAccessToObj('read_learning_progress');
188 }
189
190 public function mayGradeAnyUser(): bool
191 {
192 return $this->checkRBACOrPositionAccessToObj('write_learning_progress');
193 }
194
195 public function mayGradeUser(int $user_id): bool
196 {
197 return
198 (count(
199 $this->handler->filterUserIdsByRbacOrPositionOfCurrentUser(
200 // This feels super odd, but this is actually ok because we do not have
201 // a dedicated RBAC permission to write_learning_progress.
202 // See: https://mantis.ilias.de/view.php?id=36056#c89865
203 "read_learning_progress",
204 "write_learning_progress",
205 $this->iass->getRefId(),
206 [$user_id]
207 )
208 ) > 0);
209 }
210
211 public function mayViewUser(int $user_id): bool
212 {
213 return
214 $this->mayViewAllUsers() ||
215 (count(
216 $this->handler->filterUserIdsByRbacOrPositionOfCurrentUser(
217 "read_learning_progress",
218 "read_learning_progress",
219 $this->iass->getRefId(),
220 [$user_id]
221 )
222 ) > 0);
223 }
224
225 public function mayAmendAllUsers(): bool
226 {
227 return $this->checkRBACAccessToObj('amend_grading');
228 }
229
230 public function isSystemAdmin(): bool
231 {
232 return $this->review->isAssigned($this->usr->getId(), SYSTEM_ROLE_ID);
233 }
234
235 public function mayEditLearningProgressSettings(): bool
236 {
237 return $this->checkRBACAccessToObj('edit_learning_progress');
238 }
239}
ilIndividualAssessmentAccessHandler\initDefaultRolesForObject
initDefaultRolesForObject(ilObjIndividualAssessment $iass)
Create default roles at an object.
Definition: class.ilIndividualAssessmentAccessHandler.php:119
ilIndividualAssessmentAccessHandler\assignUserToMemberRole
assignUserToMemberRole(ilObjUser $usr, ilObjIndividualAssessment $iass)
Assign a user to the member role at an Individual assessment.
Definition: class.ilIndividualAssessmentAccessHandler.php:132
ilIndividualAssessmentAccessHandler\__construct
__construct(ilObjIndividualAssessment $iass, ilAccessHandler $handler, ilRbacAdmin $admin, ilRbacReview $review, ilObjUser $usr)
Definition: class.ilIndividualAssessmentAccessHandler.php:34
ilIndividualAssessmentAccessHandler\deassignUserFromMemberRole
deassignUserFromMemberRole(ilObjUser $usr, ilObjIndividualAssessment $iass)
Deasign a user from the member role at an Individual assessment.
Definition: class.ilIndividualAssessmentAccessHandler.php:141
ilObjIndividualAssessment
For the purpose of streamlining the grading and learning-process status definition outside of tests,...
Definition: class.ilObjIndividualAssessment.php:30
ilObjRole\createDefaultRole
static createDefaultRole(string $a_title, string $a_description, string $a_tpl_name, int $a_ref_id)
Definition: class.ilObjRole.php:59
ilObjUser
User class.
Definition: class.ilObjUser.php:46
ilRbacAdmin
Class ilRbacAdmin Core functions for role based access control.
Definition: class.ilRbacAdmin.php:32
ilRbacReview
class ilRbacReview Contains Review functions of core Rbac.
Definition: class.ilRbacReview.php:34
SYSTEM_ROLE_ID
const SYSTEM_ROLE_ID
Definition: constants.php:29
IndividualAssessmentAccessHandler
Mechanic regarding the access control and roles of an objet goes here.
Definition: interface.IndividualAssessmentAccessHandler.php:25
ilAccessHandler
Interface ilAccessHandler This interface combines all available interfaces which can be called via gl...
Definition: interface.ilAccessHandler.php:27
$ref_id
$ref_id
Definition: ltiauth.php:66