protected function checkPrivileges($context, $privileges)
{
require_once 'Services/AccessControl/classes/class.ilRbacSystem.php';
global $ilUser;
$userid = $ilUser->getId();
if (!isset($this->rbacAcl)) {
$this->rbacAcl = ilRbacSystem::getInstance();
}
$this->log(json_encode($context));
$this->log(json_encode($privileges));
$mode = 1;
// 1 = this user
// 2 = other user
// 3 = object
// 4 = other user privs
if (property_exists($context, 'object')) {
$mode = 3;
$objid = $context->object;
}
if (property_exists($context, 'user')) {
$mode += 1;
$privileges = $this->initPrivileges(false);
$userid = $context->user;
}
if (!isset($privileges)) {
$privileges = $this->initPrivileges();
}
if ($mode >= 3) {
// get read privileges
$privileges->personal->readObject = $this->rbacAcl->checkAccessOfUser($userid, 'read', $objid);
$privileges->context->readObject = $privileges->personal->readObject;
// get write privileges
$privileges->personal->writeObject = $this->rbacAcl->checkAccessOfUser($userid, 'write', $objid);
$privileges->context->writeObject = $privileges->personal->writeObject;
// get learning progress teacher's privileges
$priv = 'read_learning_progress';
$privileges->context->readActionStream = $this->rbacAcl->checkAccessOfUser($userid, 'read_learning_progress', $objid);
if (!$privileges->context->readActionStream) {
// if the priv is missing NOW, we need to lookup the parent
global $tree;
$objid = $tree->getParentId($objid);
$privileges->context->readActionStream = $this->rbacAcl->checkAccessOfUser($userid, 'read_learning_progress', $objid);
}
if (!$privileges->context->readActionStream) {
// if the user is lacking privileges now,
// it is also necessary to verify if the current object
// is an organisational unit because in that case there is a
// different privilege.
$privileges->context->readActionStream = $this->rbacAcl->checkAccessOfUser($userid, 'view_learning_progress', $objid);
}
}
if ($mode === 2 || $mode === 4) {
// this is a different part of the ACL!
// get learning progress reading privileges
// get learning progress update privileges
}
return $privileges;
}
/**
* $ilAccess and $rbac... initialisation
*/
protected static function initAccessHandling()
{
self::initGlobal("rbacreview", "ilRbacReview", "./Services/AccessControl/classes/class.ilRbacReview.php");
require_once "./Services/AccessControl/classes/class.ilRbacSystem.php";
$rbacsystem = ilRbacSystem::getInstance();
self::initGlobal("rbacsystem", $rbacsystem);
self::initGlobal("rbacadmin", "ilRbacAdmin", "./Services/AccessControl/classes/class.ilRbacAdmin.php");
self::initGlobal("ilAccess", "ilAccessHandler", "./Services/AccessControl/classes/class.ilAccessHandler.php");
require_once "./Services/AccessControl/classes/class.ilConditionHandler.php";
}
function checkAccessOfUser($a_user_id, $a_operations, $a_ref_id, $a_type = "")
{
global $ilUser, $rbacreview, $ilObjDataCache, $ilDB, $ilLog;
// Create the user cache key
$cacheKey = $a_user_id . ':' . $a_operations . ':' . $a_ref_id . ':' . $a_type;
// Create the cache if it does not yet exist
if (!is_array(self::$_checkAccessOfUserCache)) {
self::$_checkAccessOfUserCache = array();
}
// Try to return result from cache
if (array_key_exists($cacheKey, self::$_checkAccessOfUserCache)) {
return self::$_checkAccessOfUserCache[$cacheKey];
}
#echo ++$counter;
// DISABLED
// Check For owner
// Owners do always have full access to their objects
// Excluded are the permissions create and perm
// This method call return all operations that are NOT granted by the owner status
if (!($a_operations = $this->__filterOwnerPermissions($a_user_id, $a_operations, $a_ref_id))) {
// Store positive outcome in cache.
// Note: we only cache up to 1000 results to avoid memory overflows
if (count(self::$_checkAccessOfUserCache) < 1000) {
self::$_checkAccessOfUserCache[$cacheKey] = true;
}
return true;
}
// get roles using role cache
$roles = $this->fetchAssignedRoles($a_user_id, $a_ref_id);
// exclude system role from rbac
if (in_array(SYSTEM_ROLE_ID, $roles)) {
// Store positive outcome in cache.
// Note: we only cache up to 1000 results to avoid memory overflows
if (count(self::$_checkAccessOfUserCache) < 1000) {
self::$_checkAccessOfUserCache[$cacheKey] = true;
}
return true;
}
if (!isset($a_operations) or !isset($a_ref_id)) {
$GLOBALS['ilLog']->logStack();
$this->ilErr->raiseError(get_class($this) . "::checkAccess(): Missing parameter! " . "ref_id: " . $a_ref_id . " operations: " . $a_operations, $this->ilErr->WARNING);
}
if (!is_string($a_operations)) {
$GLOBALS['ilLog']->logStack();
$this->ilErr->raiseError(get_class($this) . "::checkAccess(): Wrong datatype for operations!", $this->ilErr->WARNING);
}
// Create the PA cache if it does not exist yet
$paCacheKey = $a_user_id . ':' . $a_ref_id;
if (!is_array(self::$_paCache)) {
self::$_paCache = array();
}
if (array_key_exists($paCacheKey, self::$_paCache)) {
// Return result from PA cache
$ops = self::$_paCache[$paCacheKey];
} else {
// Data is not in PA cache, perform database query
$q = "SELECT * FROM rbac_pa " . "WHERE ref_id = " . $ilDB->quote($a_ref_id, 'integer');
$r = $this->ilDB->query($q);
$ops = array();
while ($row = $r->fetchRow(DB_FETCHMODE_OBJECT)) {
if (in_array($row->rol_id, $roles)) {
$ops = array_merge($ops, unserialize(stripslashes($row->ops_id)));
}
}
// Cache up to 1000 entries in the PA cache
if (count(self::$_paCache) < 1000) {
self::$_paCache[$paCacheKey] = $ops;
}
}
$operations = explode(",", $a_operations);
foreach ($operations as $operation) {
if ($operation == "create") {
if (empty($a_type)) {
$this->ilErr->raiseError(get_class($this) . "::CheckAccess(): Expect a type definition for checking a 'create' permission", $this->ilErr->WARNING);
}
$ops_id = ilRbacReview::_getOperationIdByName($operation . "_" . $a_type);
} else {
$ops_id = ilRbacReview::_getOperationIdByName($operation);
}
if (!in_array($ops_id, (array) $ops)) {
//$ilLog->write('PERMISSION: '.$a_ref_id.' -> '.$a_ops_id.' failed');
// Store negative outcome in cache.
// Note: we only cache up to 1000 results to avoid memory overflows
if (count(self::$_checkAccessOfUserCache) < 1000) {
self::$_checkAccessOfUserCache[$cacheKey] = false;
}
return false;
}
}
// Store positive outcome in cache.
// Note: we only cache up to 1000 results to avoid memory overflows
if (count(self::$_checkAccessOfUserCache) < 1000) {
//$ilLog->write('PERMISSION: '.$a_ref_id.' -> '.$ops_id.' granted');
self::$_checkAccessOfUserCache[$cacheKey] = true;
}
return true;
}
protected function isPrivilegedParticipant()
{
return $this->rbacsystem->checkAccess('write', $this->testOBJ->getRefId());
}
