ILIAS  trunk Revision v11.0_alpha-1753-gb21ca8c4367
All Data Structures Namespaces Files Functions Variables Enumerations Enumerator Modules Pages
class.ilIndividualAssessmentAccessHandler.php
Go to the documentation of this file.
1 <?php
2 
19 declare(strict_types=1);
20 
24 class ilIndividualAssessmentAccessHandler implements IndividualAssessmentAccessHandler
25 {
26  public const DEFAULT_ROLE = 'il_iass_member';
27 
28  protected ilObjIndividualAssessment $iass;
29  protected ilAccessHandler $handler;
30  protected ilRbacAdmin $admin;
31  protected ilRbacReview $review;
32  protected ilObjUser $usr;
33 
34  public function __construct(
35  ilObjIndividualAssessment $iass,
36  ilAccessHandler $handler,
37  ilRbacAdmin $admin,
38  ilRbacReview $review,
39  ilObjUser $usr
40  ) {
41  $this->iass = $iass;
42  $this->handler = $handler;
43  $this->admin = $admin;
44  $this->review = $review;
45  $this->usr = $usr;
46  }
47 
51  public function checkRBACAccessToObj(string $operation): bool
52  {
53  if($this->simulateMember()) {
54  return $this->checkMemberRoleForPermission($operation);
55  } else {
56  return $this->isSystemAdmin() ||
57  $this->handler->checkAccessOfUser($this->usr->getId(), $operation, '', $this->iass->getRefId(), 'iass');
58  }
59  }
60 
61  public function checkRBACOrPositionAccessToObj(string $operation)
62  {
63  if ($this->isSystemAdmin()) {
64  return true;
65  }
66 
67  if ($operation == "read_learning_progress") {
68  return $this->handler->checkRbacOrPositionPermissionAccess(
69  "read_learning_progress",
70  "read_learning_progress",
71  $this->iass->getRefId()
72  );
73  }
74 
75  if ($operation == "write_learning_progress") {
76  return $this->handler->checkRbacOrPositionPermissionAccess(
77  // This feels super odd, but this is actually ok because we do not have
78  // a dedicated RBAC permission to write_learning_progress.
79  // See: https://mantis.ilias.de/view.php?id=36056#c89865
80  "read_learning_progress",
81  "write_learning_progress",
82  $this->iass->getRefId()
83  );
84  }
85 
86  throw new \LogicException("Unknown rbac/position-operation: $operation");
87  }
88 
89  public function simulateMember(): bool
90  {
91  $settings = ilMemberViewSettings::getInstance();
92  return $settings->isActive() &&
93  $settings->getContainer() === $this->iass->getParentContainerIdByType($this->iass->getRefId(), ['crs']);
94  }
95 
96  protected function checkMemberRoleForPermission(string $operation): bool
97  {
98  $ref_id = $this->iass->getRefId();
99  $roles = array_filter(
100  $this->review->getParentRoleIds($ref_id),
101  static fn(array $role): bool => str_starts_with($role['title'], 'il_crs_member_')
102  );
103  if($roles === []) {
104  return false;
105  }
106  $role = array_shift($roles);
107  $active_ops = $this->review->getActiveOperationsOfRole($ref_id, $role['rol_id']);
108  foreach($active_ops as $op) {
109  if($this->review->getOperation($op)['operation'] === $operation) {
110  return true;
111  }
112  }
113  return false;
114  }
115 
119  public function initDefaultRolesForObject(ilObjIndividualAssessment $iass): void
120  {
121  ilObjRole::createDefaultRole(
122  $this->getRoleTitleByObj($iass),
123  "Admin of iass obj_no." . $iass->getId(),
124  self::DEFAULT_ROLE,
125  $iass->getRefId()
126  );
127  }
128 
132  public function assignUserToMemberRole(ilObjUser $usr, ilObjIndividualAssessment $iass): bool
133  {
134  $this->admin->assignUser($this->getMemberRoleIdForObj($iass), $usr->getId());
135  return true;
136  }
137 
141  public function deassignUserFromMemberRole(ilObjUser $usr, ilObjIndividualAssessment $iass): bool
142  {
143  $this->admin->deassignUser($this->getMemberRoleIdForObj($iass), $usr->getId());
144  return true;
145  }
146 
147  protected function getRoleTitleByObj(ilObjIndividualAssessment $iass): string
148  {
149  return self::DEFAULT_ROLE . '_' . $iass->getRefId();
150  }
151 
155  protected function getMemberRoleIdForObj(ilObjIndividualAssessment $iass)
156  {
157  return current($this->review->getLocalRoles($iass->getRefId()));
158  }
159 
160  public function mayReadObject(): bool
161  {
162  return $this->checkRBACAccessToObj('read');
163  }
164 
165  public function mayEditObject(): bool
166  {
167  return $this->checkRBACAccessToObj('write');
168  }
169 
170  public function mayEditPermissions(): bool
171  {
172  return $this->checkRBACAccessToObj('edit_permission');
173  }
174 
175  public function mayEditMembers(): bool
176  {
177  return $this->checkRBACAccessToObj('edit_members');
178  }
179 
180  public function mayViewAnyUser(): bool
181  {
182  return $this->checkRBACOrPositionAccessToObj('read_learning_progress');
183  }
184 
185  public function mayViewAllUsers(): bool
186  {
187  return $this->checkRBACAccessToObj('read_learning_progress');
188  }
189 
190  public function mayGradeAnyUser(): bool
191  {
192  return $this->checkRBACOrPositionAccessToObj('write_learning_progress');
193  }
194 
195  public function mayGradeUser(int $user_id): bool
196  {
197  return
198  (count(
199  $this->handler->filterUserIdsByRbacOrPositionOfCurrentUser(
200  // This feels super odd, but this is actually ok because we do not have
201  // a dedicated RBAC permission to write_learning_progress.
202  // See: https://mantis.ilias.de/view.php?id=36056#c89865
203  "read_learning_progress",
204  "write_learning_progress",
205  $this->iass->getRefId(),
206  [$user_id]
207  )
208  ) > 0);
209  }
210 
211  public function mayViewUser(int $user_id): bool
212  {
213  return
214  $this->mayViewAllUsers() ||
215  (count(
216  $this->handler->filterUserIdsByRbacOrPositionOfCurrentUser(
217  "read_learning_progress",
218  "read_learning_progress",
219  $this->iass->getRefId(),
220  [$user_id]
221  )
222  ) > 0);
223  }
224 
225  public function mayAmendAllUsers(): bool
226  {
227  return $this->checkRBACAccessToObj('amend_grading');
228  }
229 
230  public function isSystemAdmin(): bool
231  {
232  return $this->review->isAssigned($this->usr->getId(), SYSTEM_ROLE_ID);
233  }
234 
235  public function mayEditLearningProgressSettings(): bool
236  {
237  return $this->checkRBACAccessToObj('edit_learning_progress');
238  }
239 }
ilIndividualAssessmentAccessHandler\assignUserToMemberRole
assignUserToMemberRole(ilObjUser $usr, ilObjIndividualAssessment $iass)
Assign a user to the member role at an Individual assessment.
Definition: class.ilIndividualAssessmentAccessHandler.php:132
ilObjIndividualAssessment
For the purpose of streamlining the grading and learning-process status definition outside of tests...
Definition: class.ilObjIndividualAssessment.php:29
SYSTEM_ROLE_ID
const SYSTEM_ROLE_ID
Definition: constants.php:29
ilObjRole\createDefaultRole
static createDefaultRole(string $a_title, string $a_description, string $a_tpl_name, int $a_ref_id)
Definition: class.ilObjRole.php:59
IndividualAssessmentAccessHandler
Mechanic regarding the access control and roles of an objet goes here.
Definition: interface.IndividualAssessmentAccessHandler.php:24
ilIndividualAssessmentAccessHandler\__construct
__construct(ilObjIndividualAssessment $iass, ilAccessHandler $handler, ilRbacAdmin $admin, ilRbacReview $review, ilObjUser $usr)
Definition: class.ilIndividualAssessmentAccessHandler.php:34
$ref_id
$ref_id
Definition: ltiauth.php:65
ilIndividualAssessmentAccessHandler\initDefaultRolesForObject
initDefaultRolesForObject(ilObjIndividualAssessment $iass)
Create default roles at an object.
Definition: class.ilIndividualAssessmentAccessHandler.php:119
ilIndividualAssessmentAccessHandler\deassignUserFromMemberRole
deassignUserFromMemberRole(ilObjUser $usr, ilObjIndividualAssessment $iass)
Deasign a user from the member role at an Individual assessment.
Definition: class.ilIndividualAssessmentAccessHandler.php:141
ilRbacAdmin
Class ilRbacAdmin Core functions for role based access control.
Definition: class.ilRbacAdmin.php:31